Sophos Cloud Optix
A man, having trouble in his marriage, worries about his wife’s fidelity. He decides to snoop on her online activity to see if she’s flirting with anyone via email, IM or social network.
Not good, but a fairly common story, and not too serious so far.
He decides to snoop on her by attaching a hardware keylogger to her PC. He goes after her work machine. She works at the county courthouse, and her work system is used for sensitive court work, including payment processing.
This is rapidly getting much more serious – he’s using some hardcore kit, and attaching it to a system which should be considered way more important than your average home laptop.
The man himself is the County Sheriff, a position of considerable authority. That seems to make it all so much worse – this is someone people should be able to trust to uphold the law.
In the end he is caught, of course, and after repeated denials ends up admitting to his crimes and resigning from his job. At trial, prosecutors push for a strong sentence, citing both the man’s position of trust and the sensitive nature of the system he compromised.
But, thanks to an otherwise good record, strong support from the community, and the mitigating personal circumstances, he is let off fairly lightly – 2 years probation, plus a $1000 fine. The judge suggests that merely having lost his job was enough punishment.
The location is Clay County, West Virginia. The man’s name, Miles Slack. The target of his snooping, Lisa, is now his ex-wife, but seems to remain supportive. The events took place in April 2013, with the keylogging device in place for around two weeks before being spotted by a technician. The sentence was passed just before Christmas.
But was it the right sentence?
The US Attorney prosecuting the case seemed to have some good points. Law enforcement agents have to be held up to higher standards than normal people.
It’s much worse if a trained restaurant chef with a certificate in food safety gives you food poisoning than if you get sick from eating a burger your mum grilled up for you. If a clumsy friend accidentally puts a hole in your wall while helping you with some DIY, you’ll accept their gushing apology and still be friends; if your builder does the same, you might be less forgiving.
By the same reasoning, cops really, really shouldn’t do crimes, and if they do, one might expect it to be treated more seriously.
It doesn’t always seem to work that way though. Law enforcement looks after its own, as the movies love to tell us, but maybe there are other, less morally dubious mitigating factors.
Police work must make people used to snooping and monitoring as an everyday part of life. We see regular stories of cops overstepping boundaries, like the NYPD officer who hacked into colleagues’ mail accounts and phones, or the Canadian policeman who planted spyware on his wife’s mobile phone – he was also let off pretty lightly.
There seems to be a theme of emotional or marital problems here, but ordering spyware online or sneaking into a building and planting a keylogging device are hardly spur-of-the-moment things, they can’t really be justified as crimes of passion.
There’s also the question of the system Mr Slack attached his keylogger to. This was a government machine, owned by and connected to the network of the West Virginia Supreme Court. There’s going to be all kinds of sensitive information on that network, and by compromising one of the nodes, Slack risked compromising the security of the entire network.
So what do you think? Does the punishment fit the crime, or is it so light that it hardly discourages people from snooping on their nearest and dearest?
Does the fact that Slack was a senior police officer make his crime worse, or does it not really matter? Is it important that the computer he bugged was on the Supreme Court network, even if he was only interested in his wife’s chat logs?
I know where I stand. A small fine plus probation may seem appropriate for someone who bugs a family member’s PC, but this case is considerably more than that.
Given the hefty sentences being bandied about for other types of cyber offences, this sort of thing seems to be routinely treated as no more than innocent high-jinks.
And that seems wrong to me.
IANAL, but my impression of the law in this area is that it’s not very well developed. I think officers of the court should be given similar punishments to any other citizen, given that they didn’t commit the crime as part of their job (which is the case here), and I don’t at all buy the argument that his losing his job should be considered part of the punishment. If he were an unemployed recent college grad who spied on his wife by hacking court computers he would still not be employed by a police officer after it.
But… I’m not sure that two years probation isn’t the going rate for hacking a court computer without the intent of compromising the court process or actual monetary damages.
My experience has been that it’s really hard to prosecute computer crimes that don’t result in direct monetary loss.
I’d guess he got the skills to use the keylogger as part of his job, maybe even the actual device. But, it does seem likely that there are no special punishment laws for cops – it’s up to the lawyers and judges to decide if they’re worth extra punishment (or, as in this case, almost no punishment).
Certainly true that money is usually the reason for higher sentences, but doesn’t always have to be “direct” loss – remember the Anonymous guy who got a huge fine for a tiny part in ddos’ing some company website, based on them having hired someone to look into the problem for a crazy fee? Not very “direct” there.
Extra? What he did was far worse than what Aaron Schwarz did; he should be facing the same penalties Aaron was. Seriously. And I do think cops who break the law should be punished more harshly than the rest of us.
Neither should face what Aaron Schwarz faced but I get the point: what the sheriff did was far worse.
Chris, in all likelihood his job was an essential ingredient in the crime, because the average Joe Citizen would not be able to get access to the computer to be able to install the keylogger. So there was abuse of position involved, beyond the crime itself.
One question that remains unanswered from the report, did he lose his law enforcement credentials? I would hope so, he certainly should have, and that is significant punishment beyond the slap on the wrist from the guilty plea.
Despite that, I think he got off very lightly. Incarceration of former law enforcement officers is tough, for some reason prison management seems to think there are risks associated with having them in the general prison population, but with all the contract prisons needing to be filled there must be a cell for him somewhere. He should be spending some time there.
He lost his law enforcement creditional for life.
«My experience has been that it’s really hard to prosecute computer crimes that don’t result in direct monetary loss.»
Tell that to Aaron Swartz.
A hack is a hack. The punishment should be even more severe, because he used a position of privilege to access an otherwise (supposedly) secure system.
NSA does it all the time and they get off
Did you notice how they avoid using the word “hacked”? Thats becuase these days hacking a system will get you more time than a pedofile, just look at the group of anons who were apart of anonymous, they were facing 15+ years.
I think I speak for many in this age of NSA spying that it would be nice if you posted an article about what to watch out for when it comes to hardware keystroke loggers. Diagrams, photos, etc so others can recognize when they have their hardware hacked. Thanks
The problem here is that electronics have got to the point where you’d be unlikely to spot many of these devices unless you knew what you were looking for. See the recent Russian Kettles with hidden WiFi and the recent point of sale terminals that had an “adapter” sitting on the keyboard port that was actually a logging device.
About the only thing you can do is resort to nail polish, and regularly check to see if the seal’s been cracked and/or the polish glitter pattern has changed. This of course won’t protect against software attacks.
Or, just assume that people have installed such things, and behave accordingly while using computing devices.
Laws vary considerably by state, but this was certainly lenient given the fact that private citizens in Texas have gotten four year prison terms for less.
The higher people are up in society , the harder they should be punished.
For whatever crime it might be.
He likely put it on the wife’s work computer not even thinking about the other data that would be on there. There was probably no intent to use whatever else he scooped up and no evidence that he did. As intent is a large part of a crime, all he was (intending) doing was snooping on his wife. Illegal? Yes? Fit for punishment? Yes. His career is gone and he likely will not get another job if all he knows is being a cop. He figured his wife was cheating and wanted to know. Cops are human too.
Chris, is there evidence he used his position to gain access to the device or being the employee spouse allowed access. Also, as a retired officer, we are snoopers, but within the law! Like following someone is not illegal, like Zimmerman did, but we usually have reasons for doing so.
Yes, I’m sure he lost any kind of police work as this is a felony, he lost any credentials and everything else police related. I don’t think he could get a job as a security officer with a felony on his rap sheet. So he’s no a civilian.
I agree with most that a term is jail is the best practice, but how can you hold someone ‘more’ lawful? Like legislators that violate the law are rarely given jail time and they are worse than a policeman, since they for sure know what they are doing, not like he didn’t.
Jack
I note that this happened in the USA, so the legal environment is different to here in the UK. I suspect that he would have been charged in the UK with the crime of ‘misdemeanour in a public office’,. which carries a sentence of up to 10 years imprisonment.
Such an action is viewed very seriously in the UK and some police officers or justice employees have not only lost their employment but their freedom as well.
Such breaches of trust should be punished properly and in my view probation does not fit the crime well enough.
We are equal under the law. Doesn’t matter if you are a Sheriff or a store clerk. Lets not have elite classes or different levels of citizens.
Was there a need to notify all the people invovled in the breach – anyone that had their court records comprimised? If the keylogger was on a POS terminal, he would be in jail and full disclosure would have to be conducted.
He should have followed police protocol, by informing his boss of her possible crime, as he is too close to the subject and should withdraw from the case… no crime no harm !
Hmmm… If the system contained sensitive court information why was it connected to the Internet and apps like IM and social networks?
I can understand email as long as it went through a good quality filter system, but don’t the other communication applications present a risk to the information if they are not owned / leased and reviewed by the system manager?
Well done to the technician for spotting the keylogger.