Cracking Down

By Philip Elmer-DeWitt

Hackers face tough new laws

State and federal officials are trying to stem a rising tide of computer mischief. But they are finding it hard to make their punishments fit the crimes. Many of the best-publicized pranks have been committed by minors who are protected from the full force of the law. Moreover, the laws are often inadequate to deal with the complexities of the new technology. In March two members of Milwaukee's 414 Gang of computer whiz kids, which last summer broke into computers at the Memorial Sloan-Kettering Cancer Center and the Los Alamos National Laboratory, pleaded guilty to misdemeanor charges of making obscene or harassing phone calls. Maximum sentence for each charge: six months in jail and a $500 fine.

The trouble is that Wisconsin, like most states, is trying to fight 20th century crime with 19th century laws. Electronic mail, automatic funds-transfer systems and interlocking networks of high-speed computers are protected by legal concepts that were developed to safeguard paper documents. "In the old days, you needed a fast gun and a fast horse," says Richard Guilmette, manager of corporate security for Prime Computer. "Now you need fast fingers and a small computer."

In the absence of specific federal laws aimed at computer criminals, nearly two dozen states have passed a series of conflicting and ineffective statutes. "It's a terrible patchwork of law," says Donn Parker, a computer-crime expert at SRI International. "Sometimes the results have been disastrous." According to a recent estimate, only one in 33 reported computer crimes results in a conviction.

Now, however, laws tailored to punish high-tech criminals are beginning to make their way onto the books. The Massachusetts legislature is considering a model measure, prepared with the help of local computer experts, that spells out crimes in precise technical terms and calls for tough penalties: for example, $5,000 fines and up to a year in jail for hackers who crack security codes just for the fun of it, triple damages for persons found guilty of malicious tampering. The California legislature is considering a bill that would strengthen its pioneering computer-crime law, enacted in 1979, by stiffening penalties for browsing through a computer system without permission.

Most state laws are aimed at malefactors who use computers to commit such conventional crimes as robbery and embezzlement. The Massachusetts and California bills are directed primarily at computer trespassers and criminals who deal in data, not dollars. These misdeeds range from changing school grades to deleting invoices in stores and altering credit-rating information. Other data-based crimes involve the theft of mailing lists, which can be copied and then sold, and the pilfering of oil-company drilling results, which can be worth millions to a competing firm. Today on some computer networks, credit card numbers are traded like baseball cards, along with telephone codes that let people tie into computer systems all across the country without paying long-distance charges. Estimates of the cost of such crimes range from hundreds of millions to several billions of dollars each year.

Even when they can be traced, computer trespassing and data theft are particularly difficult to prosecute. Most states have no specific laws against breaking into computers via telephone lines or even deleting information stored within the machines. Says SRI's Parker: "If someone merely gained access to a computer and you could not prove malicious intent, he probably would not be prosecuted." Laws written years ago to deal with tangible property do not cover cases in which information is stolen from a computer data base, copied and then returned.

Some observers fear that youthful computer enthusiasts, discovering that their pranks are largely beyond the reach of existing laws, may be graduating from mischief to misfeasance. Ronald Austin, 20, a U.C.L.A. student who told the press last year that he had cracked a Defense Department computer network, was arraigned in Los Angeles last month. Caught with $1,600 worth of illegally ordered airline tickets stashed under a rug, he is being charged under California's new laws with twelve counts of maliciously accessing a computer and one count of concealing stolen goods. Maximum sentence: nearly eight years and $10,000 for each count.

-- By Philip Elmer-DeWitt. Reported by Adam Cohen/Boston

With reporting by ADAM COHEN