Nearly 21 years ago, well-known hacker Kevin Mitnick was released from prison on the condition that he not access the internet or any computers or cell phones during a three-year probation period that lasted until 2003. The rules for Mitnick’s probation even prohibited from holding a job that involved any computer use or “access to computers or computer-related equipment or software.” Even in 2000, it was hard to think of a lot of jobs that would meet those criteria or even a lot of jobs that a person would be able to apply for without any access to a computer. Cutting someone off from computers didn’t just mean preventing them from becoming a programmer or white-collar office worker—it also meant they couldn’t attend school, work in retail, or apply for any jobs that used online applications. Mitnick’s grandmother told MSNBC at the time that he wasn’t permitted by his probation officer to go to school or even work at a 7-Eleven because the cash register was technically a computer.
More than two decades later, cutting someone off from the internet is an even more extreme means of isolating them from professional and social opportunities. It also doesn’t much sense as a way of trying to rehabilitate small-scale cybercriminals, much less trying to make use of their unique skillset and harness it toward more productive ends than petty cybercrime.
And yet, just last week, 18-year-old Graham Clark received a similar sentence to Mitnick’s: He agreed to serve three years in a juvenile prison followed by three years of probation during which he will not be permitted to use computers without law enforcement permission or supervision. Clark pleaded guilty to compromising a set of high-profile Twitter accounts in 2020, including those belonging to Barack Obama, Kanye West, and Bill Gates, and using them to tweet out a fraudulent cryptocurrency donation link and a message promising that everyone who contributed Bitcoins at the given link would receive twice their money back. Apparently, people gave more than $100,000 worth of cryptocurrency to Clark before Twitter shut down the compromised accounts and alerted users to the problem.
It was a stupid crime and also a relatively technologically sophisticated one—usually, when a celebrity’s account starts sending out spam you would expect that someone had stolen their log-in credentials through phishing or guessing common passwords. But Clark and his alleged collaborators managed to compromise the accounts by finding vulnerabilities in Twitter’s internal account management systems that allowed them to control people’s accounts even without their credentials. They first used that access to sell popular Twitter handles and then switched to sending out the fraudulent messages from celebrity accounts.
I’ve written before about the importance of not being overly harsh in sentencing people (especially young people) who commit small-scale cybercrimes as they begin exploring cyberspace and hunting around for interesting vulnerabilities. If that sounds like a dismissive way to describe Clark’s crimes, I would emphasize that he did not directly steal any money or distribute any malware via the compromised accounts—everyone who contributed cryptocurrency to the link posted by celebrities and cryptocurrency companies did so voluntarily. But then, we rarely get to arrest and try the really malicious cybercriminals because they tend to stay in jurisdictions where they know they are safely beyond the reach of U.S. law enforcement. So instead, the judicial system makes examples of people like Clark in hopes that his sentence will serve as a warning to other tech-savvy teenagers.
It’s not clear how often people on probation are subject to these restrictions, but people convicted of computer hacking aren’t the only ones who are sometimes required to stay offline. It’s also a condition set for some people convicted of receiving digital child pornography or committing sex crimes in which they identified victims using online services and platforms. In both cases—cybercriminals and sex offenders—the rationale seems to be that access to computers and the internet provides them with the necessary tools to continue conducting similar criminal activity. But what Clark did is a far cry from trafficking in child pornography, both in terms of its severity and the technical skills involved, and it is profoundly strange to punish these two types of crimes in the same way. Moreover, in the case of sex offenders, it may be possible to more narrowly tailor these restrictions because there are very particular types of services and content that law enforcement may want to restrict them from accessing while still potentially being able to allow them to use the internet for a wide variety of other purposes, like reading the news, applying for jobs, or shopping. For people like Clark, it can be much trickier to identify exactly what types of websites or services they should be blocked from accessing to avoid continued criminal activity, leading to much broader and more restrictive bans.
Internet bans also raise logistical questions. First and foremost: How do you keep someone off the internet for three years? The answer to that seems to depend largely on the specifics of the terms of the probation and the particular probationary officer in charge of overseeing the sentence. For instance, the U.S. Courts website offers some sample language for computer and internet restrictions for probation and supervised release conditions. The proposed restrictions range all the way from “You must not possess and/or use computers … or other electronic communications or data storage devices or media” and “You must not access the Internet” to “You must allow the probation officer to install computer monitoring software on any computer … you use” or “you must allow the probation officer to conduct initial and periodic unannounced searches of any computers.” The implementation section of that guide suggests that “probation officers should ascertain information from the defendant and the defendant’s social network about: (1) what types of computer equipment they own or have access to at their residence and place of employment; (2) what Internet service providers they have on home and employment computers; (3) what web pages they operate or maintain; and (4) if a computer search or monitoring condition is in effect, what e-mail addresses, screen names, and passwords they use.” But the actual enforcement seems to rely primarily on monitoring tools that provide probation officers with information about every website a person visits, every email they send, or even, every key they hit on the keyboard.
People do, of course, manage to evade these restrictions, by hiding their devices from law enforcement, using friends’ devices, or even figuring out ways around the monitoring software installed by their probation officers (one downside to trying to use technical controls to monitor cybercriminals is they may often know more than their probation officers about how those tools work). But if they’re caught breaking these rules, they can wind up in prison, so many people on probation go to great lengths to abide by them, as inconvenient as they may be for modern life. For instance, convicted cybercriminal Higinio Ochoa was forbidden to so much as touch an internet-connected device during his parole. In order to do his work as a programmer, Ochoa wrote code on a computer without an internet connection and then printed it out and mailed it to his boss, according to a 2015 interview with the podcast Reply All.
What good do these probationary measures do? In some specific cases—people convicted of accessing online child pornography, for instance, or using websites to initiate sex crimes—it may be reasonable to try to limit their online activity in very specific ways, for instance by restricting access to certain websites. But none of these measures are foolproof and many are clearly foolish when it comes to cybercriminals like Clark whose restrictions have not been tailored to their criminal activity in any meaningful way.
Courts have differed in how tailored they think these restrictions should be—many have allowed broad bans of all devices and internet access but others have pointed out just how far-reaching the consequences of such a ban are. In 2002, while Mitnick was still on probation, Gregory Sofsky, who had been convicted of accessing child pornography on his computer and sentenced to 10 years in prison, challenged the three-year probation period during which he would be forbidden from using the internet. The 2nd Circuit agreed that the restriction was overly broad given the central importance of the Internet to daily life (in 2002!) and held that an internet ban “inflicts a greater deprivation on Sofsky’s liberty than is reasonably necessary.”
In Sofsky’s case, the government had argued the ban needed to be broad because “a restriction limited to accessing pornography would be extremely difficult for the probation officer to enforce without constant monitoring of Sofsky’s use of his computer.” That is probably even more true of trying to monitor Clark’s online activity for any signs of potential criminal activity since cybercrime is presumably even trickier to spot than pornography. That challenge could be a reason for Clark’s probation officers to severely limit his permitted uses of computers, for fear that they might fail to catch some early signs of criminal activity. But if they’re wise, the people overseeing Clark’s probation will keep the restrictions narrow and tailored to his crime. (I would suggest: no accessing cryptocurrency sites, but then, I think that would probably be a good blanket ban for all of us …) Keeping young, technologically talented people offline is ultimately a losing battle, an, above all, it’s no way to combat cybercrime.