Prosecutors for the U.S. Attorney’s Office for the Central District of California on Tuesday announced they had reached a plea agreement with Ryan Collins, a Pennsylvania resident, over charges that he hacked Apple and Google email accounts of more than 100 people back in 2014.
The allegations stemmed from the official investigation into the hacking case dubbed “Celebgate,” because most of the victims were celebrities whose nude photos were leaked to the Internet. However, the investigators were unable to secure evidence linking Collins to the actual leaks, and found no proof that he uploaded the information to the Web or otherwise shared it.
Collins agreed to plead guilty to a felony violation of the Computer Fraud and Abuse Act. The prosecutors agreed to recommend an 18-month prison term, but the sentencing judge has leeway to impose a statutory maximum of five years.
Collins was charged in Los Angeles, but the parties agreed to transfer the case to Harrisburg, hear Collins’ home, for the entry of his plea and sentencing.
A Case of Celebrity Fever?
“Is it me, or is the legal system worried about the wrong thing?” asked Mark Sangster, VP of marketing at eSentire. “Why protect the economy when some compromising pictures of celebs have been stolen?”
There should be convictions on “major cases attacking companies and stealing valuable data,” Sangster told TechNewsWorld. “Has anyone been convicted on Sony or Target? Or biopharma, tech, or business email compromise fraud? These attacks cost us trillions.”
Target will pay out US$10 million to compensate the 40 million people whose credit and debit card records were exposed when it was hacked in 2013.
No Deterrent at All
“I doubt the plea will have any significant effect on discouraging phishing attacks,” commented Chenxi Wang, chief strategy officer at Twistlock.
Cybercriminals are behind many phishing campaigns, she noted, but “this particular case is an individual acting on his own.”
It therefore “will have very little, if any, impact on the extent of those campaigns or attacks,” Wang told TechNewsWorld.
“We see murderers being put to death for their crimes, but that hasn’t stopped people,” observed Dodi Glenn, VP of cybersecurity at PC Pitstop. “Hackers want the notoriety and their 15 minutes of fame.”
Collins actually might come out ahead after his conviction, judging from previous cases, he said.
“More than likely, once his term is served, he’ll get a job in the security industry,” Glenn told TechNewsWorld.
Still, the plea bargain is a good move, Wang contended, because the victims’ private information would be disclosed and discussed in court proceedings if the case had gone to jury trial.
More Teeth Needed
“I think they should make an example out of [Collins],” remarked Daniel Castro, vice president at the Information Technology and Innovation Foundation.
“We’ve seen a number of celebrities making public statements about how this was more of a sex crime than anything else, and the law should reflect that,” he told TechNewsWorld. “Look at what they were trying to get Aaron Swartz on for downloading documents from MIT. They were going after him a lot harder.”
Swartz, a computer programmer and Internet activist, was hit with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act for downloading academic journals from MIT’s JSTOR digital repository. Facing potential penalties including $1 million in fines, 35 years in prison and asset forfeiture, as well as other pressures, he committed suicide.
“Federal judges are required to consult the U.S. sentencing guidelines prior to sentencing a defendant,” pointed out Thom Mrozek, a spokesperson for the U.S. Attorney’s office.
“The guidelines in this, as we view them, call for a sentence of six to 12 months. Mr. Collins has agreed to an 18-month sentence,” Mrozek told TechNewsWorld.
The ITIF has called for a stronger law on data breaches, Castro said.
“You need a law that makes this type of activity criminal and makes it easier to prosecute based on those images being shared without permission,” Castro suggested.
Prosecution is possible under the CFAA, “but they have to prove how you access the data,” Castro said. “If you take an image, the act of sharing it without permission and with the intent to cause harm would be better.”