« "Harsh Punishment Backfires, Researcher Says" | Main | Lots of good reading in NYU Center's "Prosecution Notes" »

February 17, 2010

Does everyone agree the guideline sentence recommended for mass credit card hacker "ludicrous"?

The question in the title of this post is prompted by this new (and new age?) sentencing story, which is headlined "Hacker Sentenced To Prison for Credit Card Scam."  Here are the interesting basics:

A San Francisco man who had more than 1.8 million stolen bank and credit card numbers on his home computers was sentenced Friday to 13 years in federal prison and ordered to repay $27.5 million to the banks and credit card companies he victimized.

Max Ray Vision, who legally changed his last name from Butler, had pleaded guilty in June to his role in an online clearinghouse where identity thieves shared stolen information.  A self-taught computer whiz who fell in love with the devices as an 8-year-old boy in his father's computer store, Vision told Senior U.S. District Judge Maurice B. Cohill Jr. that he was mesmerized by "the thrill of hacking, being addicted to it."

Bespectacled, soft-spoken and articulate, the 37-year-old Vision told the judge he had changed and realizes what he did was wrong. "You probably hear that a lot, but it's absolutely true," he said.

Cohill's sentence was based on a joint recommendation by federal prosecutors and Vision's public defender, Michael Novara.  Federal sentencing guidelines suggested a sentence of 30 years to life, which Novara called "ludicrous."

Still, Assistant U.S. Attorney Luke Dembosky said serious punishment was merited because of the scale of Vision's crimes. Dembosky agreed to the lesser sentence because Vision has continued to work with the government under terms that remain sealed.  All Dembosky would say is, "It could relate to a whole range of things."

Before his arrest in 2007, Vision had developed software to prevent hacking and had even worked as a volunteer who helped the FBI understand and prevent cyber crimes.  Dembosky agreed that Vision wasn't mean-spirited, but was more "wide-eyed" and "curious" about what he could accomplish behind a keyboard.  "Unfortunately, that curiosity took a dark turn and that's why we're here today," Dembosky said. "The amount of damage a person can cause with a keyboard in this day and age is astronomical."

Visa, MasterCard, American Express and Discover tracked more than $86 million in fraudulent purchases to the account numbers found on Vision's computers.  In all, 10,000 financial institutions were victimized, Dembosky said.  Vision was charged in Pittsburgh because he sold more than 100 credit card numbers and related information to a western Pennsylvania resident who cooperated with the investigation of a Web site called cardersmarket.com.  About 4,500 people worldwide could trade or access stolen credit information on the Web site from 2005 until it was shut down in 2007....

Although authorities found 1.8 million stolen credit card numbers on his computers, they said they were confident that Vision had obtained 1.1 million directly, Dembosky said.  The others might have come from other sources. Vision's $27.5 million restitution was calculated by multiplying the 1.1 million by the roughly $25 it costs banks and credit card companies to replace each stolen credit card number, Dembosky said. "No one should think that's the amount of money Max gained as a result of this misadventure," said Novara, who claims Vision likely netted less than $1 million from selling the numbers.

Given the facts of this case and the reality that, in the words of the prosecutor here, the "amount of damage a person can cause with a keyboard in this day and age is astronomical," I am not so ready or eager to assert that the guideline-recommended sentence of 30 to life really was "ludicrous."  Let me explain.

First, though maybe it is unfair to compare Max Ray Vision to Bernie Madoff, I do think it is reasonable to suppose that Vision may be among the "worst of the worst" financial hackers.  If the "worst of the worst" Ponzi schemer earned himself 150 years in prison, is 30 years for the "worst of the worst" financial hacker really so out of whack?  Moreover, I think the need for, and potential value of, general deterrence in this setting is pretty strong, especially with respect to others who may be inclined to join an "online clearinghouse where identity thieves shared stolen information." 

Finally, and perhaps most important, the threat of decades in prison no doubt was a primary reason Max Ray Vision was willing to plead guilty and has "continued to work with the government" to help bring down other financial hackers and identity thieves.  Though few are eager to either admit or endorse the value of extreme guideline sentences to induce pleas and cooperation, the threat of extreme sentences always serves to grease the wheels of the criminal justice system.

I absolutely do not mean this post to be a general defense of the guidelines' general approach to financial offenses, which I think are flawed in so many ways.  But, in light of the unique facts of this Vision case, I do wonder if others agree with the assertion that the guideline range suggested here was truly  "ludicrous."

February 17, 2010 at 12:04 PM | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference Does everyone agree the guideline sentence recommended for mass credit card hacker "ludicrous"?:


A new Dutch report values places a three million dollar value on *each* stolen passport. Since we know that the Mossad (most likely) just used 11 stolen passports to kill a Hamas leader that places the value of a life at roughly $33 million. Since this guy is accused of stealing $27 million it would seem that 30 years to life is a reasonable sentence.

Posted by: Daniel | Feb 17, 2010 12:20:04 PM

We could debate precisely what word describes it, but 30 years is definitely the wrong number, and it is at least arguably ludicrous.

Doug mentioned general deterrence. I suspect that the set of people who would be deterred by a sentence of 30 years, but not by 13, is very small. So to the extent that the purpose of Max Ray’s sentence is general deterrence, 13 years is enough.

For a man of Max Ray’s age, 30 years is pretty close to Life, which is a penalty that I think ought to be reserved for those who are considered irredeemable. This guy doesn’t seem to fit that mold.

Bernie Madoff’s 150-year sentence was largely symbolic. There was no legitimate penal interest in that particular number. It could have been 15; it could have been 1,500. It did not matter.

The one drawback of Madoff’s sentence is that it makes practically all other white collar sentences look short, which in reality they aren’t. I don’t know how you feel about it, but to me the prospect of even one year in prison, not to mention the collateral consequences of conviction, seems pretty daunting.

I suspect that only those who live a life of crime from childhood, or are exposed to such a life (through family or friends), are conditioned to think of any prison term as brief.

Posted by: Marc Shepherd | Feb 17, 2010 1:02:26 PM

I'm more interested by the restitution order. Were the banks really the only -- or even the primary -- victims here? Not the owners of the stolen card numbers? Maybe the crime was somehow only against the banks, based on facts not included in this report (say, if these were unissued numbers), but if not then I'm skeptical of the way they calculated the restitution amount and chose its recipients.

Posted by: JD | Feb 17, 2010 2:37:47 PM

my only problem with it is there were no charges filed against the credit card copanies who's criminal negligence allowed it to happen in the first place.

Posted by: rodsmith3510 | Feb 18, 2010 12:20:50 AM

. . . and Mr. Ewing received some 8+ years for each of the three golf clubs he stole . . . .

Posted by: alan chaset | Feb 18, 2010 10:47:53 AM

To JD: typically, the credit card holder is not held liable for charges made on his credit card if it is stolen or if the number is stolen. The issuing bank eats those losses. Works the same if someone steals your debit card. If you notify the bank in a timely manner of the theft, the bank will reimburse your account and then go after the thief as the primary victim.

Posted by: Talitha | Feb 18, 2010 12:06:31 PM

The idea the Butler is the worst of the worst is laughable. There are groups (almost all overseas) that make more in a month than Butler likely did in his whole career.

IANAL, and I don't know very much about sentencing norms, but 13 years seems like a reasonable sentence to me. 30 seems overly long, but that may be because it sounds like longer than many violence criminals get.

Posted by: Nick42 | Feb 18, 2010 4:52:26 PM

Years and years in prison for this schmuck cost the taxpsayer millions. If we are to sentence someone based on the cost to banks let us figure in the cost to those taxpayers who pay his cost of living. Cannot the banks pay some of this freight?

Posted by: mpb | Feb 18, 2010 10:56:45 PM

Post a comment

In the body of your email, please indicate if you are a professor, student, prosecutor, defense attorney, etc. so I can gain a sense of who is reading my blog. Thank you, DAB