Everyone agrees there need to be consequences for bad behavior, but you also have to have some sense of perspective.
Unauthorized access, exceeding your access, identity theft, wire fraud and obstruction of justice are all serious felonies. I have ruined people who engaged in such criminal activity. However, I usually stopped once their business was destroyed and everyone was out of work. I didn't go after their homes.
The mismatch between the crime and the punishment is what surprises me about the case of David Kernell. Bank robbers can get 20-year sentences for their first offense. A 50-year sentence requires additional factors like a prior criminal record, or the use of a firearm. That should put a potential 50-year federal sentence in perspective. David Kernell is looking at possibly serving that kind of time for compromising someone else's Yahoo! account. Something is wrong with this picture.
You may remember a brief sideshow during the election when Sarah Palin's e-mail account on Yahoo! was compromised. Basically, a teenager learned of her email account through the media and attempted to log in by guessing her password. Unable to do that, he correctly guessed the answer to her security question: "Where did you and your husband meet?" Kernell either guessed "Wasilla" or "Wasilla High" or some appropriate variation on that not terribly secret answer.
Just because technologically challenged talking heads call someone a "hacker" doesn't make them one. Admittedly, I'm "old school" so I prefer the RFC 1392 definition:
hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term. See also: cracker.
As the original definition indicates, "cracker" is more appropriate in most cases.
cracker
A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system. See also: hacker, Computer Emergency Response Team, Trojan Horse, virus, worm.
The difference is more than semantic. Hackers gain administrative privileges and have the opportunity of wreaking wholesale havoc. Crackers tend to wreak havoc on the retail level. They represent qualitatively different threats because the potential consequences are very different.
This brings us to David Kernell and his unauthorized access to the gov.palin Yahoo! account. He is currently convicted of wire fraud, identity theft, obstruction of justice, unauthorized access and exceeding his authorized access. Those are all serious felonies. The televangelist, Jim Bakker, was originally sentenced to 45 years in federal prison for wire fraud. Identity theft is a multi-billion-dollar industry making more money for organized crime syndicates than drug dealing in some jurisdictions. Obstruction of justice is at the heart of the Plame case. However, guessing someone's password on a free email account that is not under the user's administrative control hardly rises to that level.
There is nothing mysterious about Yahoo! accounts. Children routinely create their own Yahoo! accounts. The fact the governor of Alaska needed to have an employee create this private account for her raises questions about her basic competence. The fact she was conducting official business over a personal free e-mail account on a public network raises questions about her judgment. The fact this account continued to be used after the governor became a vice-presidential candidate for a major political party during a national campaign raises profoundly troubling questions about her judgment. Using it after the existence of the account was revealed crosses the line from poor judgment to outright negligence. At that point, the email account becomes what Cliff Stoll called a honeypot. One definition that seems to capture their essence is the following:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
The purpose of a honeypot is to catch criminals and knaves. It's an age-old idea used by police whenever they put decoys out on the street. Obviously, Sarah Palin and her security team were not using her email account for this purpose. I've never seen any evidence she was that insightful or competent. However, someone working for her should have pointed this problem out to her. Someone vetting her should have asked about it as part of the standard inventory of items they needed to review. Someone responsible for her security should have inquired about it as part of their inventory of assets needing protection. The Secret Service is no stranger to this area. It's part of their core mission. If they did ask her and she neglected to inform people of this account, her failure to inform them compromised their ability to protect her and her family.
At the same time this was all going on, another candidate was famous for living on his BlackBerry. In fact, when that candidate became president there was a tremendous amount of consternation and thought put into meeting his need for continued access without compromising his operational security. Those problems were handled properly. During the campaign, they were also handled properly. The point is that it is possible to manage this problem appropriately without compromising your ability to conduct business, run a national political campaign and communicate with friends and family in private. Barack Obama demonstrated that.
A glaring problem for Sarah Palin's expectation of privacy is the fact she was using a public system with weak authentication and validation. Moreover, this information was being shared with other people using the same system with even fewer constraints. Some of them were actively engaged in broadcasting their questionable behavior through other social network systems. It was clear that no one using this system was thinking much about maintaining privacy. They just assumed it was taken care of. That is a bad assumption. Bad assumptions lead to bad consequences as surely as night follows day.
Being stupid doesn't justify making you a target. Damages are real regardless of how stupid you are. This raises a legitimate question in this case. What was the damage to Palin? The Secret Service, alerted to this problem, forced her and her entire family to surrender their cell phones. Personal material was made public. Threatening phone calls were received. People were harassed.
Those are real problems. The person responsible for enabling this deserves to be punished. But handing out a sentence on par with a criminal mastermind makes a mockery of this system. It demonstrates a lack of proportion. Hopefully, the sentence he receives will reflect a proper sense of proportion. It would be a shame if the prosecution in this case took this low-hanging fruit and tried to turn it into a cause célèbre.
The victim in this case, Sarah Palin, has said:
I think there needs to be consequences for bad behavior.
I agree. There should be consequences. One obvious consequence is there should be lessons learned -- for all parties. One lesson learned from this is that Yahoo! needs to revisit its authentication and validation scheme. Another lesson learned is that if you are a public figure, you need to be circumspect in your communications. If you are a protectee, you need to be forthcoming with all relevant information so the people tasked with your security can do their job. These problems will not go away any time soon. Crucifying a kid for being an idiot is no way to solve them. If that is all that comes from this case, count on it happening again -- to the same people.