
                           -------------------------

                           *  O  P  I  N  I  O  N  *

                           -------------------------


This is in response to the comments made by the British Computer Society in the
"Features"   section.  It's  by   Peter   J   Denning,  in  an  Editorial  from
Communications of the ACM, a US  equivalent of the BCS.



                               SENDING A SIGNAL


In January 1990, Robert Morris Jr was convicted under the 1986 Federal Computer
Abuse  Act for  releasing  a  worm  program  into  the  Research Internet. That
program entered  approximately 3000 computers, and interrupted service on them,
but did no damage. In  March 1990,  the judges sentenced Morris to a three-year
suspended jail term, a fine  of   $10,000  and  400 hours of community service.
Morris also had to pay all attorney fee  associated with the case, estimated to
be at least $150,000.
    This affair has caused continual  attention  among  computer people. In the
months   following  the   worm's   attack,   several   organisations  or  their
representatives issued strong  statements  deploring  the  incident and calling
for new standards of responsible  behaviour   among  computer users. Many of us
watched every step as the case inched  it's  way through  the court system, and
the sentencing has not stilled the discussion.
    From my own samplings of opinion, I  have the impression that most computer
people  feel Morris's sentence was  appropriate,  given  that the worm actually
did no damage to any of  the  systems  it  invaded and given that Morris had no
intention of causing any harm or  disruption.  A sizeable minority say that the
penalty was not severe enough: a jail  term should  have been included. Some of
those who felt that the  penalty  was  too  lenient  are advocating  new policy
positions that would affect future computer abusers. I would like to comment on
this.
    One policy proposal is that the  professional societies should take a stand
that  employers should refuse to  hire  anyone,  such  as  Morris, who has been
convicted of  computer crime. A  recent  illustration comes from Gene Spafford,
who figured prominently in  unraveling the mystery of the worm. He is quoted as
saying that consumer pressure can help   the  computing community rid itself of
hackers: members can refuse to do  business  with  any  firm that employ a know
hacker. He says that such an action  would  signal that good security  jobs can
be had simply by breaking into  computers.  Hiring Morris, said Spafford, would
be like  "hiring a know arsonist to install a fire alarm. Just because he knows
how to set a fire doesn't   mean  he  knows  how to extinguish one." I disagree
with Gene on this one:  hacker  do  no   constitute an identifiable or cohesive
community and employers ought to  be  free  to  take  risks  on whom they hire;
moreover, it makes a false analogy  between  someone  who intends to do  damage
and Morris, who did not. Spafford  is  not  alone  in his position. Others have
asked the  ACM officers to endorse it,  and  thus far, to their credit, the ACM
officers have declined.
    I have asked several advocates of a  stiffer  penalty or of ACM action what
underlies  their exhoratations. "Sending a  signal"  is the usual response. "We
need to make clear to  others who  perform similar acts that the community will
not such tolerate such  acts  any  longer.   Severe  penalties  endorsed by the
community will discourage them. A  jail  term  for  Morris would  have done the
job."
    I am intrigued by this reasoning.  It  shows  up frequently in news reports
about court  actions in many domains.  One  editorialist says" "This is a happy
day. The court's action  will   send  a  signal  to  others  who might consider
similar crimes. We  can  look  for  fewer  of  these   crimes  in  the future."
Regarding the same verdict, another editorialist says, "This is a sad day.  The
court has sent the wrong signal  to  those  who might consider similar acts. We
can look for  more of these crimes in future." This reasoning is not limited to
the public-policy  consequences of private court cases. It shows up daily in at
the Federal level- for example,  Congress  is  urged to pass economic sanctions
against some nation in order to "send a  signal"  to the leaders of the country
that "the American people will no  longer  tolerate their  behaviour". The call
for sending signals persist and  become  louder  each  year. What started as  a
metaphor is becomaing an accepted truth: our job is only to decide what signals
to send,  rather than to question  wheter  the  idea  of sending a signal means
anything, whether anyone   can  tell  whether  the  signals  were  received, or
whether inncoent bystanders were injured by  the sanctions.
    Against this background, the  argument  about  choosing  penalties to "send
signals" is   especially  beguiling.  it  can  easily  entice  us  to  forget a
fundamental principle of jurisprudence:   that  the  punishment  should fit the
crime. The signal-senders ask the  judge  (and  the  rest of us)  to substitute
another sentence, directed not at the person convicted, but at someone else. In
my opinion, this line of argument  is  an  affront to American traditions. [And
another more  universal tradition known as Human Rights! -EGBSS]
    Morris must learn to live his life with a Federal conviction on his record.
When he has  fulfilled all the  terms  of  his sentence, he will have completed
more community service than  most of us.


                 --------------------------------------------
