Analysis It’s rare - one might say even unprecedented - when both sides are equally happy with the outcome of a criminal case. But that’s what happened in court five at London’s Southwark Crown Court on Tuesday afternoon when a teenage hacker who caused a major security alert at a US Department of Energy research lab escaped jail.
Joseph McElroy, 18, from Woodford Green in East London, showed signs of relief after Judge Andrew Goymer sentenced him to 200 hours community service for breaking into an unclassified network at Fermilab, a US high-energy physics research lab. Doubtless this spirit was helped by the judge’s decision to refuse a £21,215 compensation application against McElroy on the grounds he had no means to pay the clean-up bill.
For police, the verdict successfully brought to an end a year-long case during which McElroy had readily helped them in their investigations. There was no desire to see the 18 year-old sent to prison. Police even expressed the hope that the probation service might find work for McElroy which allowed him to apply his IT skills, as opposed to cleaning graffiti from buildings. McElroy is a first-year Internet engineering student at the University of Exeter.
Anatomy of an offence
In court the full particulars of McElroy's offence were explained.
McElroy had sought to establish an online storage facility with high-bandwidth connections on which he could store music, video and game software for use by himself and his mates. He used readily available hacking tools in order to gain control of vulnerable systems.
Once he'd broken into what he reckoned was an academic network, McElroy sectioned off areas of the compromised system and password protected them so they could be used exclusively by himself and his file trading buddies.
Unfortunately for McElroy this resource turned out to be owned by the Department of Energy. Gigabytes of warez slowed backup operations to a crawl and raised concerns that something was amiss.
The lab's computer systems had to be shut down for three days once the intrusion - which triggered a full-scale alert - was discovered. Fermilab, part of the US Department of Energy, runs both classified and non-classified networks.
The DoE is responsible for the integrity and safety of America's nuclear weapons; so it was no surprise that in the first instance the breach was treated as a possible terrorist effort, Prosecutor Sean Larkin told Southwark Crown Court.
All parties in court were keen to downplay any suggestion that the DoE had over-reacted.
Department of Energy Investigators determined that the breach was restricted to 17 computers on Fermilab's unclassified network. These systems cost approx. £21,000 to repair and there was also delays accessing data; so the true cost of the intrusion is probably much greater than the clean-up compensation which Fermilab sought from McElroy.
US investigators tracked the intrusion to the UK before passing the case over to Scotland Yard's Computer Crime Unit; it in turn tracked McElroy to his parent’s home in east London. McElroy was arrested in July last year. He readily admitted his guilt. Thereafter his case proceeding slowly through the magistrates court system until arriving before Judge Goymer late on Tuesday afternoon (Feb 3, 2004).
An innocent in the dock
McElroy (a slightly-built, bespectacled youth) cut an unassuming character in court. Quietly-spoken, he remained impassive throughout proceedings leading up to the judge's summing up. He seemed slightly more relaxed after the threat of jail was lifted from him but beforehand showed few of the signs of nervousness that typically accompany these occasions. Convicted virus writer Simon Vallor (of which more later) turned visibly blue when he was sentenced to jail on computer crime offences last year.
Perhaps McElroy knew he was going to escape prison even though there were times during the judge's summing up when the rest of the court was not so sure.
Judge Goymer said: "not to send [cyber criminals] to prison sends the wrong message" and "if anybody has the idea hacking is a joke or an eccentric hobby they should put that idea right out of their minds", before weighing up the circumstances of the case and deciding McElroy didn't deserve to go to jail.
Hangings too good for ‘em
The outcome of the case has provoked howls of indignation from the 'hang 'em high' lobby which reckons the sentence was unduly lenient. This lobby include sections of the security community, some of whom argue that the court's actions gave a green light to other cyber-criminals.
David Williamson, director of sales at security specialist Ubizen, neatly sums up this line of opinion.
"It is very worrying that appropriate compensation or a custodial sentence has not been issued in this case," he said. "Hacking is still illegal and as a self-confessed serial hacker, McElroy and the hacker community at large will view this outcome as a green light to break the law."
Alternatively, check out Silicon.com's silly, mean-spirited leader which claims that "British justice is a laughing stock," because of this decision.
We don't agree, and neither did the judge in the case who deserves credit for weighing the gravity of McElroy's offence against the merits of any punishment he might impose.
In sentencing, Judge Goymer was at pains to say that only the special circumstances of the case prevented him from imposing a custodial sentence.
McElroy had obtained numerous character witnesses who testified to his good character. He pleaded guilty at the earliest opportunity and helped the police throughout their investigation. He didn't gain financially from his hacking escapades.
The Crown did not dispute defence arguments that McElroy had no malicious intent. Nor did the defence dispute the prosecution's submission that McElroy had caused huge inconvenience and sparked a major alert at the Department of Energy facility.
Also, McElroy was only 16 at the time of his offence.
Judge Goymer took into account that McElroy's offence was "low-level" on the scale of computer crime offences, and the fact that McElroy had never obtained access to classified materials.
McElroy was convicted of unauthorised modification offences under the UK's Computer Misuse Act 1990 that carry a maximum punishment of five years in jail. Taking all these factors into account, Judge Goymer decided it was not in the public interest to send the 18 year-old to jail.
"You've only just escaped going to jail but anyone else coming before me would not be treated so leniently," Judge Goymer told McElroy. "You can count yourself lucky."
Judge Goymer warned McElroy that he would have no hesitation in sending him to prison for any subsequent offence.
Computer crime offences are still rare. When such cases do come to court there's often a desire to make an example of someone for the deterrent value this might have on other would-be criminals.
Last year, Simon Vallor was sent to prison for two years after pleading guilty to releasing three viruses into the wild, again offences against section 3 of the UK's Computer Crime Act.
Vallor was 21 at the time of his offences. McElroy who was only 16. Both pleaded guilty but McElroy was charged with one offence whereas Vallor was charged with three separate offences. Judge Geoffrey Rivlin, presiding in the Vallor case, said this "pattern of criminal behaviour" was an aggravating factor when he sentenced Vallor to two years imprisonment.
McElroy's age and the isolated and uncalculated nature of his offences counted in his favour but he can still consider himself fortunate to be a free man. He'll even get his PCs - wiped of all the illicit files he obtained - returned to him.
A crime involves computers. So what?
Years after their first appearance, computer viruses are still considered as a phenomenon. We don't understand why.
Similarly there's fear and uncertainty about computer crimes whose seriousness needs to be measured against the particulars of an offence and the criminal character of a miscreant, as with any other offence.
The resolution of the McElroy case is a victory for commonsense. We don't think it's necessary to jail someone simply to establish that something is wrong.
Prison ought to be the last resort. It's expensive and of dubious efficacy. Better to keep prison places reserved for punishing the real menaces to society (violent and recidivist offenders) than the Joseph McElroys or Kevin Mitnicks of this world. ®
John Leyden spent two years as a crime reporter in Manchester in the early 1990s covering many high-profile cases, including the Strangways’ prison riot, drug dealing, arson, rape and murder trials. "From this," he says, "I think I know the difference between a miscreant and the really bad guys.
Sponsored: Webcast: Ransomware has gone nuclear