
Securing a brave new e-world

With the new economy and e-crime booming, President Clinton's plan to protect computer systems could impact everything from national defence to privacy to free speech

For Dennis Moran Jr., a.k.a. Coolio, the Net has more than enough laws.

The 17-year-old hacker from Wolfeboro, N.H., could serve up to 15 years on a variety of charges that stem from his alleged vandalising of three Web sites, including the anti-drug group Drug Abuse Resistance Education, or DARE. Federal and state prosecutors are slapping Moran with violating the Computer Abuse and Fraud Act and laws that apply to real-world vandalism. In addition, DARE is citing $18,000 (£11,160) in damages.

Yet, law enforcement officials believe the Internet is still too much like the wild, wild west -- and not a safe enough marketplace for e-commerce.

And several lawmakers agree.


Citing the seriousness of computer hacking in today's world of e-commerce, Sen. Kay Bailey Hutchinson, R-Texas, proposed in mid-February to double the penalties for computer hacking from five years to 10 years for the first offense and 10 years to 20 years for the second offense.

"Our economy has entered a new stage, and we need to insure that our laws are keeping pace," said Hutchinson in a statement. "It has become necessary to treat computer crimes more seriously." The enhanced sentences would modify the section of the US criminal code created by the Computer Fraud and Abuse Act.

The Hutchinson announcement came in the wake of attacks on the Web sites belonging to Yahoo!, eBay, E*Trade, Buy.com, ZDNet, Amazon.com, Time Warner's CNN.com and Microsoft's MSN.com. The servers of those eight sites were flooded with data and access attempts, burying the services under a deluge of data at different times during the three-day assault.

Called a distributed Denial-of-Service attack, the data flood slowed or halted access to the sites, as their servers could not keep up with the false attempts at access.

Less anonymity on the Net

At the end of February, Senator Charles E. Schumer, D-N.Y., proposed his own response.

At a joint hearing of the Senate and House Judiciary Committees, Schumer offered legislation that would give investigators and prosecutors of cybercrimes more tools to pursue their suspects.

The legislation would modify the Computer Crimes and Abuse Act in four major ways:

  • Allow a judge to authorize a "trap-and-trace" -- which tracks a signal back to its origin -- that crosses one or more state lines. Currently, investigators have to get authorization from each state.

  • Lower the limit on monetary damages needed to pursue a criminal investigation. Currently, $5,000 is the lower limit.

  • Allow judges to sentence convicted violators to less than six months. Some prosecutors have not pursued investigations because a six-month term seems excessive.

  • Make juveniles aged 15 years or older eligible for federal prosecution for serious violations.

"These are just the first steps in a very long fight against cybercrime that many of us will wage for years to come," Schumer said in a statement.

The Hutchinson and Schumer bills come as no surprise to policy watchers. Law enforcement officials have long lobbied for more extensive prosecutorial and investigative powers over the Net.

In the latest plea, a report created by a committee headed by US Attorney General Janet Reno asked for a review of several laws protecting civil rights to decide whether such protections as anonymity on the Internet, electronic privacy and first amendment protections of online publishers were outmoded in the Internet Age.

At a speech unveiling a controversial report, Reno said, "The Internet is providing criminals a vast inexpensive and potentially anonymous way to commit crime."

The writing on the wall

The mood is a far cry from China's death penalty for hacking, but technologists and civil-rights advocates are still worried.

"Very few people on the Hill understand technology," said David Farber, professor of the University of Pennsylvania and a well-known Internet visionary. "It's something they don't understand and their reactions tend towards panic."

James X. Dempsey, senior staff counsel for the Center for Democracy and Technology, a Washington D.C.-based think tank, pointed out several holes in the proposed legislation.

"The federal government doesn't prosecute bank robbers that steal less than $5,000 (£3,100) and it doesn't prosecute people who fraud for less than $5,000," he said. "Why should it prosecute a vandal on the Web for less than that?"

In addition, the attorney warns that today's judges rubber stamp trap-and-trace requests without reviewing the specifics of the case. Until a precise definition of how such a request -- which normally only allows the investigator to receive the phone number of the person that originated a call -- applies to the Internet, such a law should be delayed, Dempsey said.

"If any legislation is going to be enacted it needs to be narrow and balanced with better privacy protections," he said.

Others agree. "In the real world, (vandalism) is a small crime," said Susan Brenner, associate dean and professor of law at the University of Dayton, Ohio, who likened Coolio's crime to spraying graffiti on an electronic wall. "It is just incomprehensible to think that anyone would go away for 5- to 6-years in the real world for writing on a wall."

Brenner warned of another problem with the increasing rate of proposed hacking legislation. "One thing that is seldom talked about is the problem of resources," she said. "We have to have a model that is enforceable."

The law professor and her students have created a model penal code for crimes on the Internet. The problem is equivalent to speeding, she explained. Police can't catch all speeders, so they catch a few and hope it deters others.

Brenner imagines that hacking on the Web will be similar, once businesses properly secure their sites and servers.

"We can pass as many laws as we want on the Internet, but who is going to police it?" she asked.

"One could argue that (people and businesses) don't have to live in the cyber world. There's a certain assumption of risk when you do, and, if you want security on the Internet then, by God, establish it yourself."
