Estimating Penalties

December 01, 2011 by Gabe

What’s an appropriate penalty for large scale data theft?[1]

I’m not a lawyer, nor do I claim to be an expert in a legal field. I’m a U.S. citizen who lives daily with the understanding that there are penalties for breaking contracts and laws. We live in a country where a corporation is considered to have the rights of an individual, so I’d like to examine a few laws and their associated penalties for individuals and then come to an estimate for how these same laws should be applied to corporations.

Felony and misdemeanor laws vary across the country, so I need a basis for comparison to reach any meaningful conclusion. I’ll use Connecticut as a prototype[2] to establish some relative penalties.

  • A speeding ticket in Connecticut is between $150 and $400
  • Disturbing the peace is up to $500
  • Forgery carries a penalty of up to $250,000
  • In Connecticut, a false statement to procure a credit card carries a fine of up to $2,000
  • Fraudulent possession of credit card numbers carries a penalty of $1,000 to $10,000

But I look at this issue with CarrierIQ as theft. Not identity theft, since most states define that as requiring an intent to use the information to commit fraud. So what kind of benchmark can I set for the data theft committed by the telecom carriers and CarrierIQ?

Now I’m getting somewhere. The penalty for theft is somewhere between $500 and $80,000. That’s quite a range.

But let’s say it’s just plain old larceny. Sticking with Connecticut as our state, a good rule of thumb is that the penalty for a person is about equal to the value of what was stolen. How can I put a price tag on the entirety of the data an Android user taps into their phone?

At the low end, we have the Sony rootkit settlement. If I offered you $7.50 and a free CD, would you let me put a rootkit on your computer? No? Too low? Yeah.

How do these large corporations value their own data? Well, a jury ordered SAP to pay Oracle $1.3bn for stealing data and then using that data to steal customers. A UK court fined former employees roughly $60,000 for stealing data from their former employer. The maximum penalty for the pair that stole subscriber data from AT&T is set at $250,000.

So if I put a price tag on everything that an AT&T Android user entered into their phone (passwords, private messages, phone numbers, social security numbers, etc.) I’d guess $2,000, but that still seems low. If I were to sell my information, I would ask for more than $2,000. How about if I say that’s a lower limit? If I apply the standard in the ECPA, then $1,000 is the very least that should be paid, so I’m good with $2,000 as a lower boundary for each incident.

Now for some math. AT&T has about 1M Android users. If they were fined for every phone:

1M Android customers × $2,000 = $2bn[4]

That looks like a number comparable to the Oracle SAP settlement at the very least. It also sounds like a good deterrent for future indiscretions. If this turns out to involve more phones (like the iPhone 4), that number could increase dramatically (Sorry, that's just a stupid statement. Basic math means more phones multiplied by $2000 means a larger product.) I have no doubt that this will involve more phones than 1M.

There are plenty of laws protecting one individual from another. For example, the Identity Theft Penalty Enhancement Act. There are also specific laws that appear to protect carriers from fraud.

In my opinion, we need to level the relative penalties for crimes so that the law can be equally applied. How about corporations pay the same penalties an individual is threatened with? Treat each instance as a crime and fine AT&T, Sprint and CarrierIQ accordingly. If I don’t see at least a $1bn penalty come out of this, I will be disappointed. I expect to be disappointed.

  1. In my opinion it’s data theft. It was done without permission, on a grand scale and without regard for the sensitivity of the data. I’m sure the carriers knew what would happen if they handed a phone to a potential customer and said “here, this one also has a new feature where it records everything you do and everywhere you go and sends it all back to us to use as we see fit”.
  2. No special reason. It’s a nice state.
  3. Unfortunately (or fortunately) there is no data for Connecticut. But RIAA would likely push the same penalty in any state.
  4. I’m sure the users would much rather have the cash but that is never going to happen. Best case scenario, they’ll get $7.50 and a free app.