He Did the Crime; He’ll Do the Time
Glenn Mangham, a 26-year-old student who lives in England, is described by his lawyer as a “computer nerd” and “ethical hacker.” And now he’s in a British jail for eight months after admitting to using a computer in his bedroom to hack a vacationing Facebook employee’s account in April and May 2011. It’s unclear what he took or did with the information he hacked, but according to the judge it could have destroyed the entire “enterprise” and caused grave concerns that Facebook was the victim of industrial espionage. Once Facebook discovered the breach in a routine audit, it notified the United States Federal Bureau of Investigation (FBI), whereupon the FBI and British authorities raided Mangham’s suburban home and arrested him.
In the all-too-typical hacker defense, unemployed Mangham, describing himself as a security consultant, claimed he was trying to identify vulnerabilities in Facebook’s system so he could contact the company and help them fix the bugs. Interestingly, he volunteered that he also hacked Yahoo! for the same reason.
While the judge found that Mangham had no motivation to disclose any information to third parties and had no plans to make any money exploiting the information, the judge said Mangham’s actions were nonetheless “utterly disastrous” for Facebook. A spokesman for Facebook admitted no personal user data had been compromised but that Facebook takes “…any attempt to gain unauthorized access to our network very seriously.” Indeed.
According to testimony, the hack cost Facebook more than $200,000 to discover and address. According to public filings by Facebook in connection with its plans to go public with an initial public offering, Facebook made $4 billion in profits in 2011. So the hacking by Mangham represented .005% of Facebook’s annual earnings.
There is no question that Mangham had no right to do what he did. It was a clear violation of the terms and conditions dictated by Facebook for users. While Mangham’s lawyers questioned whether violating U.S. law from a bedroom in Great Britain is something that should be prosecuted across borders, the fact remains that in most jurisdictions, including the United States and Great Britain, what he admitted he did is a crime. And as some might say, “he did the crime so now he’s doing the time.”
But the sentence in this case recalls the never-ending debate over what’s justified when a violator is motivated by a misguided belief they’re doing “good” and not by a desire to extort money or cause any personal injury to anyone. Granted, it cost Facebook hundreds of thousands of dollars. And granted, what Mangham did was a crime. And let’s not forget that hacking is a very serious problem that is costing commerce billions a year and compromising very personal information.
In such circumstances, what is a fair sentence? Described most favorably to Mangham, what he did cost Facebook less than rounding off error, was motivated by altruism, and hurt no individuals. On the other hand, he committed a crime the likes of which plague the Internet and put all of us at risk that the next hacker will have ill intent motivated by extortion or worse and cause serious and irreparable damage.
It reminds me of the old debate on sentencing in drug cases where possession of a small amount of a drug for personal use drew the same jail time as someone who reaped thousands or more selling illegal drugs to addicts. While extreme injustice in sentencing was relatively rare, there’s no question that some defendants were sent to prison for decades for merely smoking a joint, sitting side-by-side with drug kings, rapists and murderers.
So in the case of Mangham, what was fair? If one looks at the crime in isolation, limited only to what Mangham did and what it cost Facebook, and buys into his ethical hacker intent, eight months in jail is pretty harsh. But if you look at what he did as representative of the disastrous impact of hacking throughout the Internet ecosphere – ethical or otherwise – he got off lightly. Indeed, if the court was intent on making an example of Mangham so other misguided do-gooders would pause before hacking into what is not theirs, he might have been sentenced to eight years, not eight months (assuming the court had the right to do so).
As more sentences for ethical hacking are imposed by courts throughout the world, we’ll witness an interesting balancing act, particularly in cases like Mangham’s where the crime is perpetrated over international borders from jurisdictions with similar laws. One cannot help but wonder, however, how prosecutors and courts operating under developed laws and regimes will deal with hackers based in countries that don’t have extradition treaties or laws that appreciate the risks for website operators and users.
Doug Wood, We Expert