A California district judge recently ordered infamous spammer Sanford Wallace to pay $711 million in damages to Facebook for his extensive spamming activity on the site. Wallace is bankrupt, so the price tag may not be very tangible to him, but that doesn’t mean he’s in the clear; the district judge has also requested that Wallace be prosecuted for criminal contempt, which could result in jail time from which no degree of poverty can save him. The Facebook legal department seems optimistic that the contempt charge will result in more meaningful punishment than the damages award. But is that our justice system’s only response to someone who attacked such a beloved institution and violated the trust of the 1000+ one-time acquaintances we call friends? Not if Sarah Palin lore and the U.S. criminal code have anything to say about it. You may recall the story of David Kernell, son of Tennessee State Representative and Democrat Mike Kernell, who in September of 2008 hacked into Sarah Palin’s Yahoo! Mail account in order to “derail her campaign.” He gained access to the count by researching personal information on Palin to answer Yahoo’s “forgot your password?” questions. A long story about the wisdom of multiple proxies made short, Kernell is now facing criminal charges based on 18 U.S.C. § 1030(a)(2)(C) and § 2701, which pertain to unlawful access to stored communications and intentionally accessing a computer without authorization across state lines, respectively.
A 20-year prison sentence for inconveniencing social-network junkies seems excessive when many violent criminals serve shorter terms.
Wallace, also known as the Spam King, committed very similar actions by accessing people’s Facebook accounts without their permission and using that access to send unauthorized wall posts and messages. He gained access to the accounts by “phishing” – communicating with account holders with the goal of gaining information about and access to their accounts, typically under the guise of a legitimate agent of the account organization. While most of the coverage of this case has focused on the mega-bucks award under the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), which focuses on spam, this is only half of the potential legal action that Wallace faces. And as far as racking up jail time, the phishing aspect of Sanford’s crime may be more significant, or at least more direct, than the spamming aspect. Sanford’s unauthorized access to Facebook accounts may expose him to 18 U.S.C. §1030(a)(2)(C), even though he didn’t direct his attack against any government official or sensitive U.S. information. This provides for the prosecution of anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” Sanford also had accomplices, and if he shared the phished account passwords with them, sub-section (a)(6)(A) is also relevant. This allows the prosecution of anyone who “knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization,” if “such trafficking affects interstate or foreign commerce.” The “traffics” requirement here, as defined in §1029, means only that he transferred the information to another person. The maximum jail sentence for violation of either sub-section of §1030 is 10 years.
18 U.S.C. §2701(a) may also be applicable to Sanford. This requires only that a person intentionally accesses without authorization, or exceeding their authorization, a facility through which an electronic communication service is provided and obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in the system. The maximum prison term for the first violation of §2701 is 5 years when, as with Sanford, the conduct was motivated by commercial advantage or personal commercial gain. Furthermore, Sanford’s previous legal problems may qualify him for the maximum 10 year prison term for the second violation of §2701.
So while the CAN-SPAM litigation went about as far in punishing Wallace as possible (although Facebook originally asked for over $7 billion in damages) the illusory damages award could be supplemented by further criminal prosecution. To most, a 20-plus-year prison term for inconveniencing social network junkies probably seems excessive when many violent criminals serve shorter terms. But there’s always the chance that a vocal, wired minority could change their mind. Facebook group, anyone?
Comments
Post new comment