Are hacking sanctions proportional to the crime?

Scotland Yard has caught LulzSec’s Topiary, their biggest scalp to date. Topiary has been identified as Jake Davis, an 18 year-old from the Shetland Islands (pictured here looking like a poster child for teenage hackers, including Neo-wannabe shades). He appeared in court earlier today and was released on bail, under condition that he should have a night-time curfew at his family home, and a ban on using the Internet on any computer or mobile device. Evidence against Mr Davis looks incriminating, his computer was found to have an encrypted hard drive running hundreds of virtual machines, and even one file with login details and passwords of 750,000 random Internet users.

If evidence is found that Davis is indeed Topiary, his prospects are not particularly good as he is being charged with five offences. According to PC World, the charges are:

• Unauthorized access to a computer system, contrary to Section 3 of the Computer Misuse Act 1990.
• Encouraging / assisting offences, contrary to S46 of the Serious Crime Act 2007.
• Conspiracy with others to carry out a Distributed Denial of Service Attack on the Web site of the Serious and Organised Crime Agency contrary to S1 Criminal Law Act 1977.
• Conspiracy to commit offences of section 3 Computer Misuse Act 1990, contrary to S1 Criminal Law Act 1977.
• Conspiracy between the defendant and others to commit offences of section 3 Computer Misuse Act 1990 contrary to S1 Criminal Law Act 1977.

Just take the Computer Misuse Act charge on its own, which carries sentences of a maximum of 12 months if treated as a minor offence (a summary conviction by a Magistrate’s Court), or a maximum sentence of 10 years if indicted. The other four charges relate to encouraging and assisting an offence (5 years maximum order), and three conspiracy charges, which could carry maximum of 10 years as well as the penalties are given in accordance to the gravity of the offence committed.

Firstly, let me make one thing absolutely clear, this post is in no way an apology for Anonymous and LulzSec. There cannot be any doubt that these groups have committed crimes in several jurisdictions, any individual who has been properly identified, tried and convicted in a court of law as a member of LulzSec will almost certainly have to suffer the consequences for his actions. These people knew that what they were doing was illegal, yet continued under the assumption that they would not be caught. Topiary himself said in an interview that “we are always one step ahead”, such childish bravado and staggering hubris was waiting for a legal response.

Nonetheless, one has to wonder about the severity of anti-hacking legislation. The UK’s Computer Misuse Act lacks granularity to identify various types of offences. It seems like the sections serve to cover crimes as dissimilar as stealing credit card details and defacing a website. Most of LulzSec’s actions were rather benign from a technical standpoint, some websites were brought down and/or defaced, the extent of the damage was some down time. Despite claims to the contrary, it does not seem like LulzSec was able to hack anything important during their limited run. If this is the case, why should the law contemplate sanctions of up to ten years? If we believe that most of the actions taken by Anonymous and LulzSec are politically motivated, perhaps it is time that we should consider these acts of hacking more in line with political protest in general. Having said that, there seems to be a clear difference between a DDoS attack to a website, and blocking an office building with placards, or organising a sit-in. Nonetheless, the balance seems wrong at the moment, and hopefully judges will use whatever discretion they possess in order to deliver proportionate sentences.

Topiary’s Twitter feed has only one entry just before his arrest, which paraphrases V for Vendetta. It says “You cannot arrest an idea.” That may be true, but unfortunately, they can arrest him.