The report, authored by attorney and electronic privacy advocate David Banisar, and based on data obtained under the Freedom of Information Act by the Transactional Records Access Clearinghouse, appears in this week's Criminal Justice Weekly. It's believed to be the first independent analysis of the government's war on computer crime.
In all, investigators from the FBI and other agencies offered 419 computer crime cases to federal prosecutors in 1998, up 43 percent from 1997, and more than three times as many as in 1992. At the same time, prosecutors filed charges in only 83 cases.
That ratio of referrals to prosecutions, approximately 5 to 1, is significantly lower than the overall rate for federal prosecutions in all categories. In 1998, Banisar said, there were 132,772 referrals at the federal level, and 82,071 prosecutions, or about one prosecution for every 1.6 referrals.
FBI: Hard to prove
"Computer crime is terribly hard to prove," says FBI spokesperson Debbie Weierman. "Every one is handled on a case by case basis, and I can't give you a general reason for the difference in figures."
According to the report, each year between 1992 and 1998, the Department of Justice has declined to prosecute between 64 percent and 78 percent of the cases brought to them. Forty percent of the rejected cases cited lack of evidence of criminal intent, weak or insufficient admissible evidence, or no evident federal offense. Another 15 percent were referred to state authorities for prosecution. The remaining cases may be outstanding, or reclassified under another category.
A former assistant United States attorney said he is not surprised by the results, and that in many ways computer crime cases are unique.
"There are serious evidentiary questions and jurisdictional questions in these cases," says Mark Rasch, a former computer crime prosecutor, now working as a computer security consultant for Global Integrity, based in Virginia. "Law enforcement may be presenting you with a perfectly good case, against a defendant in Kuala Lumpur."
Moreover, he said, "Juveniles are frequently the ones that get caught. So while the FBI may be able to put together a perfectly cohesive case against a juvenile, that's the kind of case that may be declined by the United States Attorney's office by their discretion."
Justice officials hadn't reviewed the statistics, but agreed that there are unique challenges to prosecuting computer crime.
In 1998, the average sentence for those convicted was five months, with over half of the defendants receiving no jail time. Since 1992, 196 people have been convicted and 84 imprisoned in cases classified as federal computer crimes.
Only 57 cases reached disposition last year, 47 ending in convictions, primarily in plea agreements, and 10 ending with the status of "not successful" -- a category that includes dismissals and not-guilty verdicts.
Of the cases that ended in 1998, the FBI initiated the most, with 21 convictions, and eight unsuccessful prosecutions. The Secret Service, Treasury Department and IRS claim the remaining 26 convictions and two failed prosecutions, says Banisar, a columnist for the legal journal, and co-author of The Electronic Privacy Papers.
Because referrals can take years to become prosecutions, direct correlation from year to year is a tricky matter, Banisar cautioned. But he said the overall statistics are telling.
"For an issue that the federal government is making such a major deal out of, trying to stop computer crime and information warfare, there's remarkably few prosecutions," he said.
Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.