Casual readers of this blog (are there any other kinds) know that we handle various types of criminal cases here in Atlanta, throughout Georgia, and in federal court throughout the country. More and more of these cases in these various courts involve crimes that relate in one way or another to use (or misuse) of computers. One issue that comes up a lot in these cases concerns how much “damage” a person truly caused when he or she got into a website without authorization. A case in the Eastern District of California, discussed in this post here, has some valuable lessons, and also some contrasts with a matter I am handling now in a Georgia court. First to the California case, then we’ll pivot over to the comparisons to my case.
A journalist named Matthew Keys was charged with giving login credentials to hackers with the group Anonymous. Those online saboteurs supposedly went on the website of the Los Angeles Times newspaper, and changed a headline. It was about 40 minutes or so before anyone noticed the hack, and the headline was changed back to the original form. The feds took the case, and charged Mr. Keys with one count of conspiring to make changes to Tribune’s website and damage its computer systems, one count of transmitting damaging code and one count of attempting to transmit damaging code. The jury found him guilty.
As we talk about all the time on this blog and on our own website, the sentencing process in federal court is very formalized, arising from the wickedly complex Federal Sentencing Guidelines. First off, a Federal Probation Officer (or “USPO”) interviews the Defendant, gets information from the prosecutor, and then files the first version of the very important “Presentence Report”, sometimes called the “PSR”. In the PSR, the Probation Officer makes recommendations as to how the sentencing judge should apply the Sentencing Guidelines. If either side is unhappy with the Probation Officer’s recommendations, that party can file Objections, which the Judge then has to hash out and rule on at the final sentencing hearing, unless the Probation Officer agrees to change the final PSR in a manner acceptable to the objecting party.
In Mr. Keys’ case, the USPO suggested that the hack caused damages exceeding $250,000. If the Judge agrees, this results in a 12-level increase under the scoring mechanism used by the Guidelines. Defense Counsel objected, arguing that the increase should only be around $5,000 for a 40-minute change to the online site of a newspaper. What struck me is that that the objections by the defense team were filed on the open docket, meaning the public gets to see what can sometimes be private information that forms the basis of issues arising in a PSR.
My case here in Georgia is being handled within the state court system (although it was originally investigated by the FBI). One difference is that Georgia has a “Computer Trespass” law that makes it a crime to engage in unauthorized access of a computer system if the person merely “alters” the system. Obviously, even the smallest change could result in an “alteration” and thus lead to a criminal charge.
Sentences for State cases in Georgia are not constrained by any specific guidelines or ranges, such as those found in federal cases. The judge can do just about anything he or she wants, so long as it is within the overall ranges set out by the legislature (and even then, other Georgia laws allow a Judge to impose a non-custodial sentence in the vast majority of situations). Another difference from the California case involving Mr. Keys and our practice is that, generally, most of our objections to a PSR are handled by private and non-public communications between the lawyers and the USPO. I am always reluctant to file anything in a public forum that deals with private information relating to my client, unless of course I feel that the risk is worth the gamble.
While there are obvious differences between Mr. Keys’ case and the matter I am handling here in Atlanta, the similarities struck me. More and more large organizations are highly protective of their computer systems, and even the smallest intrusion results in that company running to law enforcement. Even a relatively minor change can result in serious potential penalties. If you or someone you know has done anything similar to this, it is wise to stop it, and then get advice from a competent criminal defense lawyer who handles these difficult situations.