1 STEIN JA: I agree with Studdert J. In particular, I endorse his Honour's remarks about the seriousness of the offences. They were carried out with conscious malice and intended to cause significant harm to AUSNet and its customers. In fact, the offences did cause significant damage to the Company. The maximum penalty of 10 years imprisonment is indicative of the seriousness with which the Legislature views such crime. There is little doubt about the crucial role which computer technology plays in today's society. Considerations of deterrence are required, both for the offender and other hackers who might be tempted, not always for reasons of monetary gain but sometimes sheer maliciousness. Plainly the sentence passed by her Honour Judge Backhouse was not excessive.
2 Leave to appeal should be granted but the appeal dismissed.
3 STUDDERT J: This is an application for leave to appeal against a sentence imposed in the District Court on 27 March 1998.
4 The applicant, Skeeve Stevens, pleaded guilty to a charge concerning computer abuse and a number of further offences were brought into account pursuant to s 16BA of the Commonwealth Crimes Act. Her Honour Judge Backhouse QC sentenced the applicant to a total term of imprisonment of three years but directed his release on recognizance for a term of eighteen months at the expiration of eighteen months in custody, which period in custody was to commence on 27 March 1998 and to expire on 26 September 1999.
5 The indictment presented and in respect of which the applicant made his plea charged the applicant with an offence under s 76E(a) of the Commonwealth Crimes Act which, so far as is relevant, provides:
"A person who, by means of a facility operated or provided by the Commonwealth or by a carrier, intentionally and without authority or lawful excuse:
(a) …inserts data into a computer…
is guilty of an offence.
Penalty: Imprisonment for 10 years."
6 The indictment charged the applicant with having:
"On 17 April 1995 at Waverley in the State of New South Wales intentionally, by means of a facility provided by a carrier, namely Telstra Corporation, insert[ed] data into a computer, namely a computer described as 'sydney2.world.net' owned and operated by AUSNet Services Pty Limited."
7 Her Honour found that the applicant regarded himself at relevant times as an Internet consultant. AUSNet Services Pty Limited conducted a business for which it had a computer network with computer sites in Sydney and Melbourne, and its technical director, who gave evidence before her Honour, was Mr Ernst Van Oeveren.
8 A statement of facts was tendered before her Honour without objection and the judge drew on this in reciting the relevant facts in her remarks on sentence. It suffices for present purposes that I refer to the judgment to record the objective facts.
9 On 17 April 1995 the applicant utilised Mr Van Oeveren's user account and password details to gain access to the file that controlled the appearance and content of AUSNet's home page on the World Wide Web. He proceeded then to alter the information on that file to display in a permanent fashion the following message:
"Did you know that AUSNETS clients credit cards details are all sitting readable on their system?!?!?! We ave the file of card numbers, and it has already been distributed to many hackers and carders around the world. so don't be surprised if all you cards have millions of dollars of shit on them AUSNET is a disgusting network…and should be shut down and sued by all their users! hehe REMEMBER…. TOO MANY SECRETS!!!!!!!!!"
The additional offences
10 The offences taken into account pursuant to s 16BA (and I shall describe these as the "additional offences") also related to the applicant's computer activities. These offences comprised two offences under s 76D(2)(b)(viii), and six offences under s 76D(1) of the Commonwealth Crimes Act. Section 76D, so far as is relevant, provides as follows:
"76D. (1) A person who, by means of a facility operated or provided by the Commonwealth or by a carrier, intentionally and without authority obtains access to data stored in a computer, is guilty of an offence.
Penalty: Imprisonment for 6 months.
(2) A person who…
(b) by means of such facility, intentionally and without authority obtains access to data stored in a computer, being data that the person knows or ought reasonably to know relates to…
(viii) commercial information the disclosure of which could cause advantage or disadvantage to any person;
is guilty of an offence.
Penalty: Imprisonment for 2 years."
11 The additional offences described in the Schedule and a short statement of the relevant facts I now record.
12 Additional Offence 1: "Between 6 April 1995 and 11 April 1995 by means of a facility provided by a carrier, namely Telstra Corporation, intentionally and without authority obtain access to data namely the computer files 'cisco-cs' and 'NewUser.WC.log', stored in a computer namely the computer described as 'sydney2.world.net' owned and operated by AUSNet Services Pty Ltd, being data which he knew related to commercial information the disclosure of which could cause advantage or disadvantage to a person (s 76D(2)(b)(viii) Crimes Act 1914)."
13 Additional Offence 5: "On 8 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without authority obtain access to data namely the user account 'mitnick' stored in a computer namely the computer described as 'sydney2.world.net' owned and operated by AUSNet Services Pty Ltd (s 76D(1) Crimes Act 1914)"
14 Her Honour recorded these facts in relation to additional offences 1 and 5 which it is convenient to address together:
"On 8 April 1995 at around midnight, the [applicant] used the 'admin' user account and connected on to the Melbourne site ('melb.world.net'). Using Van Oeveren's user account and user password, he proceeded to 'download' or transfer on to his own equipment the files 'newuserwc-log' and 'cisco-sc'. Coincidentally at around that time Van Oeveren happened to connect to AUSNet from a computer terminal at his home and came across the 'admin' user account accessing 'melb.world.net'. Van Oeveren confirmed that it was not Ferrett accessing the site and terminated the connection. Van Oeveren observed that the connection had come without authority through the AUSNet computer known as 'syd.sc1'. Van Oeveren proceeded to cancel the 'admin' user account and removed the password files which had allowed 'admin' to access the 'melb.world.net'. As Van Oeveren was unaware that his user name and password had been obtained, he believed that once he had terminated the 'admin' account, the Melbourne site remained secure and that any unauthorised person could no longer access the site again.
On about 10 April 1995 the [applicant] contacted Anthony Healey, Managing Director of Healey Communications, via the Internet and proceeded to have an 'IRC' or 'Internet relay Chat' conversation. …this novel medium permits users connected via the Internet to communicate or 'chat' in real time with each other via their computer terminals by typing messages via the keyboard, not unlike using a CB radio. During this conversation the [applicant] told him that he was 'playing around via a hacked account at Monash' and had stolen information such as credit card details and passwords from AUSNet. The [applicant] added, 'This information will seriously nearly put them out of business (and) most likely make front page of the newspapers'.
On 11 April 1995, the [applicant] had a telephone conversation with Tony Sarno, a journalist from the Sydney Morning Herald. The [applicant] offered Sarno a story relating to security holes in Internet Service Providers.
On 15 April 1995 the [applicant] contacted Steven Harrison and offered him the credit card details he obtained from the AUSNet 'newuserwc-log' file. Harrison declined the information."
15 Additional Offence 2: "On 15 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without authority obtain access to data namely the computer files 'cisco-cs' and 'NewUser.WC.log', stored in a computer namely the computer described as 'sydney2.world.net' owned and operated by AUSNet Services Pty Ltd, being data which he knew related to commercial information the disclosure of which could cause advantage or disadvantage to a person (s 76D(2)(b)(viii) Crimes Act 1914)"
16 The facts relating to this offence her Honour expressed as follows:
"On 15 April 1995, Sarno met the [applicant] at his office located in the Fairfax Building, 210 Sussex Street, Sydney. During this meeting the [applicant] provided a detailed description of how it was possible to break into the AUSNet computer system and to obtain customer credit card details. The [applicant] produced a floppy diskette and, using Sarno's computer terminal, demonstrated this. The [applicant] told Sarno he was 'using the technical director's password.' Sarno then watched as the [applicant] retrieved credit card information which appeared on his terminal screen. At the time Sarno was unsure if the [applicant] had actually accessed the AUSNet site."
17 Additional Offence 3: "Between 1 March 1995 and 24 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without authority obtain access to data namely the user account 'tgl', stored in a computer namely the computer described as 'ozemail.com.au' owned and operated by Ozemail Pty Ltd. (s 76D(1) Crimes Act 1914)"
18 Her Honour recorded these facts in relation to this offence:
"In the presence of Sarno, the [applicant] accessed the AUSNet computer network using Internet account 'tgl@ozemail.com.au' This is an account with the Internet Service Operator, Ozemail. The [applicant] described to Sarno that this was a 'hacked' Ozemail account which belonged to Thomas Liddle, a journalist then employed by Australian Consolidated Press Pty Ltd. [The applicant] had obtained Liddle's account and password in July 1994 in an unrelated incident solely for the purposes of the [applicant] installing software for Liddle. Liddle did not provide his account and password details to anyone else. Liddle would later identify, from his account records, that there were approximately 36 unauthorised connections between 1 March 1995 to 24 April 1995."
19 Additional Offence 4: "Between 1 April 1995 and 3 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without authority obtain access to data namely the user account 'admin' stored in a computer namely the computer described as 'melbourne.world.net' owned and operated by AUSNet Services Pty Ltd (s 76(1) Crimes Act 1914)"
20 The relevant facts expressed in the remarks on sentence were these:
"On 23 March the [applicant] accessed the Internet and proceeded to 'hack' (or improperly access without authority) into AUSNet's Sydney site at 'sydney2.world.net', its security having been weakened from Van Oeveren's previous maintenance. The [applicant] proceeded to create an on-line AUSNet user account on this site which he entitled 'admin'. He provided fictitious customer and credit card details in order to register 'admin' as an active account. The [applicant] would later provide the 'admin' user account details to two other Internet users, Kimberley Cunningham and Stephen Harrison.
In the course of the next four weeks the [applicant] used the 'admin' user account to access the Sydney site ('sydney2.world.net'). He discovered he was able to gain unauthorised access to the Melbourne site ('melb.world.net') and the files contained therein. The [applicant] accessed these sites from computer terminals from his home and at Monash University, the latter he used during a trip to Melbourne in March/April 1995 when he utilised his student's user account name and password which he had previously obtained.
After having 'hacked' into the system, the [applicant] discovered Van Oeveren's user name and password from the file titled 'web-reg-wc.log'. By using passwords he had obtained from the 'cisco-cs' file he was able to avoid leaving a traceable trail of his hacking activities. Unless AUSNet staff happened upon the connection when the hacker was actually connected to the Melbourne site, it was conceivable that he would remain undetected.
On or about 4 April the [applicant] spoke with a Monash university student, Thea Baker, whilst at Monash University. The [applicant] informed Baker that he had broken into the AUSNet computer system and was in possession of AUSNet's customer credit card details. The [applicant] told Baker that he was going to do something that would ensure AUSNet did not keep their clients."
21 Additional Offence 6: "Between 15 April 1995 and 17 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without any authority obtain access to data namely the user account 'mitnick' stored in a computer namely the computer described as 'sydney2.world.net' owned and operated by AUSNet Services Pty Ltd (s 76D(1) Crimes Act 1914)"
22 After the events outlined in paragraph 13 in relation to the second additional offence, the applicant then demonstrated to Sarno how he created a false Internet user account by utilising a fake credit card generating programme. Her Honour recorded these facts:
"The [applicant] connected onto the AUSNet computer network. Sarno watched as he completed the on-line registration form and used the name 'Kevin Mitnick' and used a false billing address and bogus credit card number. The [applicant] recorded the password, 'tomanysecrets'. It was later confirmed by AUSNet that this account was created on 15 April 1995, and used on 16 and 17 April 1995 for a total of 133 minutes. The bill for this usage remains unpaid."
23 Additional Offence 7: "On 18 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without authority obtain access to data stored in a computer namely the computer described as 'sydney2.world.net' owned and operated by AUSNet Services Pty Ltd (s 76D(1) Crimes Act 1914)"
24 Additional Offence 8: "On 18 April 1995 by means of a facility provided by a carrier namely Telstra Corporation, intentionally and without authority obtain access to data namely the user account 'optik' stored in a computer namely the computer described as 'ozemail.com.au' owned and operated by Ozemail Pty Ltd (s 76D(1) Crimes Act 1914)"
25 The facts as recorded by her Honour in relation to these two additional offences I now set out:
"…the [applicant] posted an electronic mail message using the pseudonym 'Optik Surfer' from Van Oeveren's user account. The message was addressed to other Australian Internet Service Providers, journalists (Tony Sarno from the Sydney Morning Herald and Thomas Liddle from the Australian Consolidated Press) and to himself. The message appeared in the following terms (reproduced verbatim):
'The mail you are now reading is an account from AUSNet, that has been hacked.
This mail contains details of Ausnets lack security, and the way they left the credit card details of all their users, out on the open which anyone could have picked up.
This is the stages of the Ausnet hack.
*registered a fake account at Ausnet
*logged into melbourne.world.net shell server
*sydney2.world net (main fileserver) was mounted on the melbourne machine for complete access to any user.
*the 'newuser' account which was used to register the credit details and make peopels accounts, was wide open. In that directory contained a number of files which contained the credit card details of all 1 thousand or more clients of Ausnet.
*this file has been accessed, and distributed by hackers, and Ccers all over the world.
*in an attempt to alert people to this crime of stupidity by Ausnet I contacted some people that may be able to assist in getting publicized, and Ausnet brought to be responsible for their screw up.
*I let a journalist film my access into Ausnet and some other sites, to prove it, incase, like many other times, the company has denied it. I will leave it up to the journalist concerned to decide what he will do with that film.
*The afternoon of the easter monday, I hacked Ausnets web server, in an attempt to alert their clients myself…, it seems thou they were quick to find and fix the situation.
*Below is an extract of the Credit card log on Ausnet.'
Personal information of 26 customers were then listed, including the AUSNet customer's name, address, telephone number, credit card number and credit card expiry date. The message then continued:
'well thats a sample. There is 1 thousand or more details, and almost all of those will be used for carding.
Ausnet has a lot to answer for.
I cannot be contacted for further information about this, I hope you will make proper use of this information.
If more informatio is needed..please post a message to the aus.org.efa newgroup with the subject "Help needed" and no body. And if I think it is worth it, I will contact the author.
Remember - Too many Secrets.
for the sake of it you can refer to me as "Optik Surfer"
bye for now.'
On 19 April 1995, the [applicant] used the 'optik' user account and published five of the credit card numbers and other AUSNet customer details which he had obtained from the 'newuserwc-log' files on the Internet in an Internet Relay Chat (IRC) session."
26 Her Honour found that there was considerable harm done to the business of AUSNet by reason of the applicant's unlawful activities, basing those findings upon the statements tendered in evidence. Those statements came from the former general manager of AUSNet Services Pty Ltd, Amanda Wilson, and from the former managing director of that company, Tom Koltai. It will be necessary to make some closer reference to this finding and the evidence on which it was based in considering one of the challenges to the approach to sentence taken by the judge.
27 The applicant was born on 12 December 1971 so that he was twenty-six years of age at the time he was sentenced. He is a married man. Evidence was presented in the form of reports from a psychologist, Ms Devlin, and from a psychiatrist, Dr Blows. Her Honour addressed the detail of that evidence at considerable length. It appears that the applicant has a personality disorder which called for supportive psychotherapy.
28 The applicant had an earlier conviction for a computer offence. This related to obtaining access to a Commonwealth computer which the applicant broke into at the Australian National University. The applicant was convicted for that offence in 1993 and was punished by way of fine.
29 I now turn to address the various matters which have been raised on behalf of the applicant by Mr Stratton.
Ground 1: Her Honour erred in finding that AUSNet had gone out of business
Ground 2: Her Honour erred in finding that the activities of the appellant caused great damage to AUSNet
30 It is convenient to deal with Grounds 1 and 2 together.
31 The applicant applied to this Court to introduce fresh evidence intended to prove that AUSNet Services Pty Ltd did not go out of business. This Court, having heard argument concerning the proposed fresh evidence, received by consent as Exhibit A a diagram which traced the history of AUSNet Services Pty Ltd. It changed its name in July 1997 to World.Net.Holdings Pty Ltd and that company in turn owns more than fifty percent of World Net Services Pty Ltd.
32 The significance of the diagram is to establish that AUSNet Services Pty Ltd did not "go out of business" or into liquidation.
33 Mr Stratton took this Court to various references in the transcript, submitting that the sentencing judge was inadvertently misled by the Crown Prosecutor into believing that the applicant's hacking resulted in AUSNet going out of business, and he submitted further that this misdirected the judge as to the damage caused to the company by the applicant's conduct.
34 The transcript of proceedings on 6 February 1998 records that the Crown Prosecutor did not seek a finding that the company went out of business because of the applicant's conduct. It is true that in the remarks on sentence her Honour recorded that Mr Ierace advised the court that AUSNet as a provider ultimately ceased to exist. However, her Honour went on (AB 145):
"…but he did not seek a finding that the activities of the [applicant] brought about the demise of the company. I do find, however, that the [applicant] intended to do harm to the company and that his activities seriously damaged the company."
35 Whether or not the company "ceased to exist" did not bear upon the sentence imposed as her Honour's remarks indicate. What was significant for sentencing purposes was that the applicant's conduct seriously damaged the company. It seems to me that a finding to that effect was plainly open to her Honour having regard to the evidence tendered in statement form from the former general manager, Ms Wilson, and from the former managing director, Mr Koltai.
36 According to Ms Wilson's statement, AUSNet was running with a very positive cash flow "prior to the hack in April 1995". Directly after the hack Ms Wilson said that the impact was dramatic and staff were occupied in taking a large number of telephone calls from angry customers. The hack, she said, compromised approximately 1225 of the customers' credit cards and the company's own bank lost confidence in the company's credit facilities. AUSNet's agreement with Westpac was cancelled a few months after the hack and some 500 credit cards were cancelled immediately as a result of the hack. Ms Wilson said that the hack had a detrimental effect on the growth of AUSNet's business and was a constant topic of discussion in Internet newsgroups over many months.
37 Mr Koltai described AUSNet as a rapidly growing company with a bright future before the hacking in April 1995 but subsequently the sales figures dropped and users who were contacted by AUSNet staff indicated they would no longer be using AUSNet. Mr Koltai said that the company had bad press as a result of the hack and he too said that staff were inundated with calls from customers cancelling or querying their user accounts. He explained that technical staff and sales staff were taken off normal duties and assigned to counter the effects of the hack. By October 22, 1995 approximately two-thirds of AUSNet's pre-hack customer base had been terminated. However, with the advent of new customers there were 6000 customers by November 1995. Her Honour referred to the evidence to that effect.
38 Notwithstanding the later increase in customer numbers, there was ample justification on the evidence for the sentencing judge to find that the applicant's activities seriously damaged the business of AUSNet.
39 The first and second grounds of challenge fail.
Ground 3: Her Honour erred in finding that damage of great proportion was caused to the customers
40 In her sentencing remarks her Honour recorded that the prosecution submitted it was not possible to determine the extent of the damage to customers but the judge was invited to find that damage had been caused to credit card holders and the evidence justified a finding to this effect. In her statement Ms Wilson said:
"Approximately thirty to forty of the customers complained that their credit cards were used in the USA without their authority."
41 In his statement Mr Koltai said:
"I recall a number of complaints that staff of AUSNet received was from AUSNet customers that had their credit cards used overseas due to the credit card numbers being advertised on the Internet."
42 Her Honour addressed the question of damage consequent upon the applicant's hacking in considerable detail at pp 21-25 of the judgment. The judge made a finding:
"Approximately 30 to 40 of these customers complained that their credit cards were used in the USA without authority."
43 That finding was justified by the evidence from Ms Wilson. Mr Stratton has not, in my opinion, made good the submission that the judge erred in her finding concerning damage to customers and this ground fails.
Ground 4: Her Honour erred in finding that the appellant's motive was malicious and was motivated by his offer of employment being rejected
44 Her Honour did find that the applicant
"intended to do harm to the company…to that extent, in my view, the [applicant's] motive was malicious and was apparently motivated by resentment of his offer of employment being rejected."
45 There was evidence that the applicant had sought employment with AUSNet in January 1995 but his application was rejected. The statement of facts tendered also discloses that in February 1995 he sought but was denied free access to the AUSNet computer network. Nevertheless the Crown Prosecutor conceded in the District Court that it could not be proved beyond reasonable doubt that the applicant's behaviour had been motivated by resentment because the company had not employed him. Her Honour's expression set out above was inconsistent with that concession. However, it seems to me that what was important in the above finding was that the applicant had acted intending to harm the company and in so doing was motivated by malice. Her Honour's findings to such effect were warranted by the evidence. There was the very language of the hack itself. The applicant's behaviour, not only in what he did but in what he said, was relevant to the finding of malice. For example, I draw attention to what he said to Mr Healey (recorded in paragraph 12 above):
"This information will seriously nearly put them out of business [and] most likely front page of the newspapers."
46 Then he told the university student, Ms Baker (see paragraph 18 above):
"that he was going to do something that would ensure AUSNet did not keep their clients."
47 In my opinion then the judge was entitled to find that the applicant's behaviour was motivated by malice and to approach her sentencing task accordingly.
Ground 5: The sentence was manifestly excessive
48 It is to be observed that the maximum penalty provided for the type of offence charged in the indictment was imprisonment for ten years. That reflects the seriousness with which the legislature intended that the offences created by s 76E(a) were to be regarded.
49 What the applicant did he did maliciously, as her Honour found and what the applicant did was causative of significant harm. Moreover the offence was not an isolated incident and her Honour was called upon to take into account a course of conduct reflected in the eight other offences that involved computer abuse.
50 This Court was referred to the earlier decision in this court in the matter of R v Caldwell (unreported, 3 March 1993). That was a case in which the applicant pleaded guilty to a computer offence under the New South Wales Crimes Act of erasing data stored in a computer intentionally and without authority or lawful excuse. The sentence imposed in that case was a minimum term of nine months penal servitude and an additional term of three months. It is to be observed that the maximum penalty under the State Act in respect of the category of offence for which Caldwell was convicted was ten years imprisonment, that is to say the same term as is provided for an offence in the nature of that charged in the present indictment.
51 The other cases to which reference was made were unreported decisions of the Victorian County Court in R v Even-Sham & Woodcock and in R v Dedio. Those Victorian cases all involved offences under Pt VIA of the Commonwealth Crimes Act and each of the offenders was dealt with much more leniently than the present applicant. It is to be observed though that there were distinguishing features both as to the objective circumstances and the subjective circumstances in those Victorian cases as compared with the present case.
52 It does not seem to me that ultimately this Court is greatly assisted by a consideration of those earlier decisions. In my opinion Judge Backhouse was correct in observing that no pattern of sentencing has been established to date in relation to offences committed under Pt VIA of the Commonwealth Crimes Act.
53 Her Honour's task was to heed the maximum penalty provided for by the statute, and then to determine what sentence was appropriate having regard to the objective and subjective features of this particular case, and bringing into account the additional offences.
54 The applicant's offences must be regarded as grave. Computer technology plays an important role in modern society. The potential for harm by computer abuse of the type that occurred in this case, in a society which is becoming increasingly dependent upon computers, requires that considerations of deterrence, not only of the offender but of others who might be tempted to offend in a similar way, should be adequately reflected when it comes to sentence.
55 I am not persuaded that error has been demonstrated in the sentence which was fixed by the judge in this case. Having regard to all the circumstances both objective and subjective, it has not been established that this sentence was manifestly excessive.
56 I would propose that leave to appeal be granted but that the appeal be dismissed.
57 SMART AJ: I agree with Studdert J.