This week, Terry Childs, the [San Francisco Sys Admin who refused to turn over passwords to the city network to his superiors because he felt they were incapable of properly managing it[(http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case/?fp=&fpid=&pf=1), was found guilty of felony denial of computer services. First off, I think Mr. Childs is absolutely guilty of his crime. I've never worked in a place where I was the only one with key access to core systems. Hell, I usually insisted on a password sheet (or a USB key with password data) stored in the company safety deposit box. Of course, I still wanted to know what the definitions in the case were, so I had to go to California's Penal Code, who's website is pretty awful, so I'm just going to quote here:
502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.
The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.
...
(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:
...
(5) Knowingly and without permission disrupts or causes thedisruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
...
(d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in a county jail not exceeding one year, or by both that fine and imprisonment.
Okay, whew. Section 502 in the California Penal Code is kind of interesting, though I hate that computer crime has a seperate set of statutes than other crimes. Is 'denial of computer access' really any different than, say, boarding up all the doors and windows of a persons home (or place of business, so there is a more obvious financial burden), denying them access to that resource? I don't think so, and I don't think computer crime should be treated differently. Mr. Childs absolutely denied access to his superiors, who absolutely (though the Jury did debate this) was authorized to use the system.
My issues with this case, aside from the double standard of computer versus physical crime, is with how it was handled. Mr. Childs was held on $5 million in bail. Five million dollars. Incidentally, child molestors, arsonists and kidnappers in San Francisco, have their bail based at a mere one million dollars, at least in San Francisco in 2008, the time at which Mr. Childs bail was set. Of course, since he's been in Jail for almost two years, his sentencing should offer credit for time served, and his additional time in jail should be very short, if any at all. And given that he's been imprisoned since 2008, I would be surprised if, under Section 502, he recieved an additional fine.
But we'll see. I have no idea what the legal basis for $5,000,000 in bail was, though this is certainly not something that was on the bail schedule. I just fear that the over-reaction in setting his bail is going to translate into an over-reaction in his sentencing.
Sys-Admins have a tendency to feel like gods of their own little domains, and Childs' actions are highly indicative of that. I do have a small amount of respect for the sheer level of conviction displayed by the man, but it was misplaced. And now, he's lost nearly two years of his life to that misplaced conviction. Does he really need to lose any more?