home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Eagles Nest BBS 5
/
Eagles_Nest_Mac_Collection_Disc_5.TOAST
/
Other Non-Macintosh Text
/
DoJText
/
DoJ Archive.txt
Wrap
Text File
|
1993-04-01
|
52KB
|
1,178 lines
The US Department of Justice recently released for comment proposed
changes in
the US Sentencing Guidelines for the computer Fraud and Abuse Act of
1988. The
new guideline practically guarantees some period of confinement, even
for first offenders who plead guilty.
This archive, compiled by the Society For Electronic Access, includes an
introduction to this issue by Jack King, the text of the proposed changes,
the text
of the Computer Fraud and Abuse Act of 1988, and the Comments filed
with the
Department of Justice on the 15th of May by Computer Professionals for
Social
Responsibility, the Electronic Frontier Foundation, and the Society for
Electronic
Access. The Department of Justice is due to send a report on the new
Guidelines to
Congress on May 1.
INDEX
This index is just the topic sentences of the relevant texts, copied and
numbered
here. For text-based searching, the different texts are separated with
"====" and
numbered ^1, ^2, and so on. Individual arguments are numbered (~1), (~2),
and so on.
CPSR organized their Comment into two broad sections, which
organization I tried
to reflect in this index.
^1-(~1) Introduction by Jack King
^2-The Proposed Amendment Itself
(~2) Synopsis of the Amendment
(~3) Actual language of proposed amendments
(~4) Notes and Commentary from the Department of Justice
^3-Text of the Computer Fraud and Abuse Act of 1988
(~5) Crime
(~6) Punishment
(~7) The Secret Service
(~8) Definitions for the purpose of the Law
^4-The Comment Filed by CPSR
(~9) Introduction
(~10) The Proposed Guidelines Will have a Chilling Effect on
Constitutionally
Protected Activities
(~10a) The proposed amendment would treat as an aggravating factor
the
alteration, obtaining, or disclosure of "Protected information."
(~10b) The proposed guidelines would also treat as an aggravating
factor the
alteration of public record information
(~10c) The proposed amendment would also discourage the publication
of
information in electronic environments.
(~11) CPSR comment on current guidelines
(~12) Conclusion
^5-The Comment Filed by EFF
(~13) Introduction
(~14) The Proposed Guideline Is Too Harsh
(~15) There Is Not Yet Enough Caselaw to Warrant a Guideline.
(~16) Judges Must Be Permitted to Craft Their Own Sentences for Cases
Involving
Special Circumstances.
(~17) Conclusion
^6-The Comment Filed by SEA
(~18) Introduction
(~19) These amendments violate due process by providing harsher
penalties for activities more properly related to computing than
to crime
(~20) These amendments violate due process by including overly
broad standards for determining the severity of a crime.
(~21) These amendments violate due process by mandating overly
harsh punishments.
(~22) Conclusion
^1 ===============================================================
Revised Computer Crime Sentencing Guidelines
From Jack King
(~1) The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically
addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with
a
base offense level of 6 and enhancements of 4 to 6 levels for violations of
specific provisions of the statute.
The new guideline practically guarantees some period of confinement,
even
for first offenders who plead guilty.
For example, the guideline would provide that if the defendant obtained
``protected'' information (defined as ``private information, non-public
government information, or proprietary commercial information), the
offense
level would be increased by two; if the defendant disclosed protected
information to any person, the offense level would be increased by four
levels, and if the defendant distributed the information by means of ``a
general distribution system,'' the offense level would go up six levels.
The proposed commentary explains that a ``general distribution system''
includes ``electronic bulletin board and voice mail systems, newsletters
and other publications, and any other form of group dissemination, by any
means.''
So, in effect, a person who obtains information from the computer of
another, and gives that information to another gets a base offense level of
10; if he used a 'zine or BBS to disseminate it, he would get a base
offense level of 12. The federal guidelines prescribe 6-12 months in jail
for a
first offender with an offense level of 10, and 10-16 months for same
with
an offense level of 12. Pleading guilty can get the base offense level
down by two levels; probation would then be an option for the first
offender
with an offense level of 10 (reduced to 8). But remember: there is no
more
federal parole. The time a defendant gets is the time s/he serves (minus a
couple days a month "good time").
If, however, the offense caused an economic loss, the offense level would
be increased according to the general fraud table (Sec. 2F1.1). The
proposed commentary explains that computer offenses often cause
intangible
harms,
such as individual privacy rights or by impairing computer operations,
property values not readily translatable to the general fraud table. The
proposed commentary also suggests that if the defendant has a prior
conviction for ``similar misconduct that is not adequately reflected in the
criminal history score, an upward departure may be warranted.'' An upward
departure may also be warranted, DOJ suggests, if ``the defendant's
conduct
has affected or was likely to affect public service or confidence'' in
``public interests'' such as common carriers, utilities, and institutions.
Based on the way U.S. Attorneys and their computer experts have
guesstimated economic "losses" in a few prior cases, a convicted
tamperer
can get whacked with a couple of years in the slammer, a whopping fine,
full
"restitution" and one to two years of supervised release (which is like
going to a parole officer). (Actually, it *is* going to a parole officer,
because although there is no more federal parole, they didn't get rid of all
those parole officers. They have them supervise convicts' return to
society.)
This, and other proposed sentencing guidelines, can be found at 57 Fed Reg
62832-62857 (Dec. 31, 1992).
^2
==================================================================
==
TEXT OF THE PROPOSED REVISIONS at 57 Fed Reg 62832-62857 (Dec. 31,
1992).
Proposed revisions to Sentencing Guidelines for Computer Fraud and Abuse
Act of 1988 (18 U.S.C. 1030)
(~2) 59. Synopsis of Amendment: This amendment creates a new guideline
applicable to violations of the Computer Fraud and Abuse Act of 1988
(18 U.S.C. 1030). Violations of this statute are currently subject
to the fraud guidelines at S. 2F1.1, which rely heavily on the
dollar amount of loss caused to the victim. Computer offenses,
however, commonly protect against harms that cannot be adequately
quantified by examining dollar losses. Illegal access to consumer
credit reports, for example, which may have little monetary value,
nevertheless can represent a serious intrusion into privacy
interests. Illegal intrusions in the computers which control
telephone systems may disrupt normal telephone service and present
hazards to emergency systems, neither of which are readily
quantifiable. This amendment proposes a new Section 2F2.1, which
provides sentencing guidelines particularly designed for this unique
and rapidly developing area of the law.
(~3) Proposed Amendment: Part F is amended by inserting the following
section, numbered S. 2F2.1, and captioned "Computer Fraud and
Abuse," immediately following Section 2F1.2:
"S. 2F2.1. Computer Fraud and Abuse
(a) Base Offense Level: 6
(b) Specific Offense Characteristics
(1) Reliability of data. If the defendant altered information,
increase by 2 levels; if the defendant altered protected
information, or public records filed or maintained under law or
regulation, increase by 6 levels.
(2) Confidentiality of data. If the defendant obtained protected
information, increase by 2 levels; if the defendant disclosed
protected information to any person, increase by 4 levels; if the
defendant disclosed protected information to the public by means of
a general distribution system, increase by 6 levels.
Provided that the cumulative adjustments from (1) and (2), shall
not exceed 8.
(3) If the offense caused or was likely to cause
(A) interference with the administration of justice (civil or
criminal) or harm to any person's health or safety, or
(B) interference with any facility (public or private) or
communications network that serves the public health or safety,
increase by 6 levels.
(4) If the offense caused economic loss, increase the offense
level according to the tables in S. 2F1.1 (Fraud and Deceit). In
using those tables, include the following:
(A) Costs of system recovery, and
(B) Consequential losses from trafficking in passwords.
(5) If an offense was committed for the purpose of malicious
destruction or damage, increase by 4 levels.
(c) Cross References
(1) If the offense is also covered by another offense guideline
section, apply that offense guideline section if the resulting level
is greater. Other guidelines that may cover the same conduct
include, for example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering
National Defense Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1
(Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2
(Receiving, Transporting, Transferring, Transmitting, or Possessing
Stolen
Property), and S. 2H3.1 (Interception of Communications or
Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and
Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of
Theft); for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an
Election or Registration), S. 2J1.2 (Obstruction of Justice), and
S. 2B3.2 (Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1
(Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other
Forms of Theft).
(~4) Commentary
Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)
Application Notes:
1. This guideline is necessary because computer offenses often
harm intangible values, such as privacy rights or the unimpaired
operation of networks, more than the kinds of property values which
the general fraud table measures. See S. 2F1.1, Note 10. If the
defendant was previously convicted of similar misconduct that is not
adequately reflected in the criminal history score, an upward
departure may be warranted.
2. The harms expressed in paragraph (b)(1) pertain to the
reliability and integrity of data; those in (b)(2) concern the
confidentiality and privacy of data. Although some crimes will cause
both harms, it is possible to cause either one alone. Clearly a
defendant can obtain or distribute protected information without
altering it. And by launching a virus, a defendant may alter or
destroy data without ever obtaining it. For this reason, the harms
are listed separately and are meant to be cumulative.
3. The terms "information," "records," and "data" are
interchangeable.
4. The term "protected information" means private information,
non-public government information, or proprietary commercial
information.
5. The term "private information" means confidential information
(including medical, financial, educational, employment, legal, and
tax information) maintained under law, regulation, or other duty
(whether held by public agencies or privately) regarding the history
or status of any person, business, corporation, or other
organization.
6. The term "non-public government information" means
unclassified information which was maintained by any government
agency, contractor or agent; which had not been released to the
public; and which was related to military operations or readiness,
foreign relations or intelligence, or law enforcement investigations
or operations.
7. The term "proprietary commercial information" means non-public
business information, including information which is sensitive,
confidential, restricted, trade secret, or otherwise not meant for
public distribution. If the proprietary information has an
ascertainable value, apply paragraph (b) (4) to the economic loss
rather than (b) (1) and (2), if the resulting offense level is
greater.
8. Public records protected under paragraph (b) (1) must be filed
or maintained under a law or regulation of the federal government, a
state or territory, or any of their political subdivisions.
9. The term "altered" covers all changes to data, whether the
defendant added, deleted, amended, or destroyed any or all of it.
10. A "general distribution system" includes electronic bulletin
board and voice mail systems, newsletters and other publications,
and any other form of group dissemination, by any means.
11. The term "malicious destruction or damage" includes injury to
business and personal reputations.
12. Costs of system recovery: Include the costs accrued by the
victim in identifying and tracking the defendant, ascertaining the
damage, and restoring the system or data to its original condition.
In computing these costs, include material and personnel costs, as
well as losses incurred from interruptions of service. If several
people obtained unauthorized access to any system during the same
period, each defendant is responsible for the full amount of
recovery or repair loss, minus any costs which are clearly
attributable only to acts of other individuals.
13. Consequential losses from trafficking in passwords: A
defendant who trafficked in passwords by using or maintaining a
general distribution system is responsible for all economic losses
that resulted from the use of the password after the date of his or
her first general distribution, minus any specific amounts which are
clearly attributable only to acts of other individuals. The term
"passwords" includes any form of personalized access identification,
such as user codes or names.
14. If the defendant's acts harmed public interests not
adequately reflected in these guidelines, an upward departure may be
warranted. Examples include interference with common carriers,
utilities, and institutions (such as educational, governmental, or
financial institutions), whenever the defendant's conduct has
affected or was likely to affect public service or confidence".
* * *
^3 ==============================================================
TEXT OF THE COMPUTER FRAUD AND ABUSE ACT OF 1988
(~5) *** THIS SECTION IS CURRENT THROUGH P.L. 102-439, 10/23/92 ***
TITLE 18. CRIMES AND CRIMINAL PROCEDURE
PART I. CRIMES
CHAPTER 47. FRAUD AND FALSE STATEMENTS
18 USC Sec. 1030 (1993)
Sec. 1030. Fraud and related activity in connection with computers
(a) Whoever--
(1) knowingly accesses a computer without authorization or exceeds
authorized access, and by means of such conduct obtains information that
has been determined by the United States Government pursuant to an
Executive order or statute to require protection against unauthorized
disclosure for reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y [.] [(y)] of section 11 of
the Atomic Energy Act of 1954 [42 USCS sec. 2014(y)], with the intent
or reason to believe that such information so obtained is to be used to
the injury of the United States, or to the advantage of any foreign
nation;
(2) intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains information contained in
a financial record of a financial institution, or of a card issuer as
defined in section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are defined in
the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(3) intentionally, without authorization to access any computer of a
department or agency of the United States, accesses such a computer of
that department or agency that is exclusively for the use of the
Government of the United States or, in the case of a computer not
exclusively for such use, is used by or for the Government of the United
States and such conduct affects the use of the Government's operation of
such computer;
(4) knowingly and with intent to defraud, accesses a Federal interest
computer without authorization, or exceeds authorized access, and by
means of such conduct furthers the intended fraud and obtains anything
of value, unless the object of the fraud and the thing obtained consists
only of the use of the computer;
(5) intentionally accesses a Federal interest computer without
authorization, and by means of one or more instances of such conduct
alters, damages, or destroys information in any such Federal interest
computer, or prevents authorized use of any such computer or
information, and thereby--
(A) causes loss to one or more others of a value aggregating $ 1,000
or more during any one year period; or
(B) modifies or impairs, or potentially modifies or impairs, the
medical examination, medical diagnosis, medical treatment, or medical
care of one or more individuals; or
(6) knowingly and with intent to defraud traffics (as defined in
section 1029) in any password or similar information through which a
computer may be accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of this
section shall be punished as provided in subsection (c) of this section.
(~6) (c) The punishment for an offense under subsection (a) or (b) of this
section is--
(1) (A) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(1) of
this section which does not occur after a conviction for another offense
under such subsection, or an attempt to commit an offense punishable
under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty
years, or both, in the case of an offense under subsection (a)(1) of
this section which occurs after a conviction for another offense under
such subsection; or an attempt to commit an offense punishable under
this subparagraph; and
(2) (A) a fine under this title or imprisonment for not more than one
year, or both, in the case of an offense under subsection (a)(2), (a)(3)
or (a)(6) of this section which does not occur after a conviction for
another offense under such subsection, or an attempt to commit an
offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(2),
(a)(3) or (a)(6) of this section which occurs after a conviction for
another offense under such subsection, or an attempt to commit an
offense punishable under this subparagraph; and
(3) (A) a fine under this title or imprisonment for not more than
five years, or both, in the case of an offense under subsection (a)(4)
or (a)(5) of this section which does not occur after a conviction for
another offense under such subsection, or an attempt to commit an
offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(4) or
(a)(5) of this section which occurs after a conviction for another
offense under such subsection, or an attempt to commit an offense
punishable under this subparagraph.
(
(~7) (d) The United States Secret Service shall, in addition to any other
agency having such authority, have the authority to investigate offenses
under this section. Such authority of the United States Secret Service
shall be exercised in accordance with an agreement which shall be
entered into by the Secretary of the Treasury and the Attorney General.
(~8) (e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device performing
logical, arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating in
conjunction with such device, but such term does not include an
automated typewriter or typesetter, a portable hand held calculator, or
other similar device;
(2) the term "Federal interest computer" means a computer--
(A) exclusively for the use of a financial institution or the United
States Government, or, in the case of a computer not exclusively for
such use, used by or for a financial institution or the United States
Government and the conduct constituting the offense affects the use of
the financial institution's operation or the Government's operation of
such computer; or
(B) which is one of two or more computers used in committing the
offense, not all of which are located in the same State;
(3) the term "State" includes the District of Columbia, the
Commonwealth of Puerto Rico, and any other commonwealth, possession or
territory of the United States;
(4) the term "financial institution" means--
(A) an institution, with deposits insured by the Federal Deposit
Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including
any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union
Administration;
(D) a member of the Federal home loan bank system and any home loan
bank;
(E) any institution of the Farm Credit System under the Farm Credit
Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities Exchange Act of
1934
[15 USCS sec. 78.];
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined
in paragraphs (1) and (3) of section 1(b) of the International Banking
Act of 1978 [12 USCS sec. 3101(1), (3)]); and
(I) an organization operating under section 25 or section 25(a) of the
Federal Reserve Act.
(5) the term "financial record" means information derived from any
record held by a financial institution pertaining to a customer's
relationship with the financial institution;
(6) the term "exceeds authorized access" means to access a computer
with authorization and to use such access to obtain or alter information
in the computer that the accesser is not entitled so to obtain or alter;
and
(7) the term "department of the United States" means the legislative
or judicial branch of the Government or one of the executive department
enumerated in section 101 of title 5.
(f) This section does not prohibit any lawfully authorized
investigative, protective, or intelligence activity of a law enforcement
agency of the United States, a State, or a political subdivision of a
State, or of an intelligence agency of the United States.
HISTORY: (Added Oct. 12, 1984, P.L. 98-473, Title II, Ch XXI, @
2102(a), 98 Stat. 2190; Oct. 16, 1986, P.L. 99-474, @ 2, 100 Stat.
1213; Nov. 18, 1988, P.L. 100-690, Title VII, Subtitle B, @ 7065, 102
Stat. 4404; Aug. 9, 1989, P.L. 101-73, Title IX, Subtitle F, @
962(a)(5), 103 Stat. 502; Nov. 29, 1990, P.L. 101-647, Title XII, @
1205(e), Title XXV, Subtitle I, @ 2597(j), Title XXXV, @ 3533, 104 Stat.
4831, 4910, 4925.)
OTHER PROVISIONS:
Attorney General's report. Act Oct. 12, 1984, P.L. 98-473, Title
II, Ch XXI, @ 2103, 98 Stat. 2192, provides: "The Attorney General
shall report to the Congress annually, during the first three years
following the date of the enactment of this joint resolution [enacted
Oct. 12, 1984], concerning prosecutions under the sections of title 18
of the United States Code added by this chapter [this section].".
^4 ==============================================================
(~9) COMMENTS OF COMPUTER PROFESSIONALS FOR SOCIAL
RESPONSIBILITY
REGARDING PROPOSED CHANGES TO FEDERAL SENTENCING GUIDELINES FOR
COMPUTER FRAUD
March 15, 1993
Chairman William W. Wilkins, Jr.
US Sentencing Commission
One Columbus Circle, NE
Suite 2-500
South Lobby
Washington, DC 20002-8002
Dear Mr. Chairman:
We are writing to you regarding the proposed amendments to
sentencing
guidelines, policy statements, and commentary announced in the Federal
Register, December 31, 1992 (57 FR 63832). We are specifically
interested
in addressing item 59, regarding the Computer Fraud and Abuse Act of
1988
(18 U.S.C. 1030).
CPSR is national membership organization of professionals in the
computing
field. We have a particular interest in information technology, including
the protection of civil liberties and privacy. We have sponsored a number
of public conferences to explore the issues involving computers, freedom,
and privacy.
We have also testified before the House of Representatives and the
Senate
regarding the federal computer crime law. It is our position that the
government must be careful not to extend broad criminal sanctions to
areas
where technology is rapidly evolving and terms are not well defined. We
believe that such efforts, if not carefully considered, may ultimately
jeopardize the use of new information technology to promote education,
innovation, commerce, and public life.
We also remain concerned that criminal sanctions involving the use
of
information technologies may unnecessarily threaten important personal
freedoms, such as speech, assembly, and privacy. It is the experience of
the computing profession that misguided criminal investigation and the
failure of law enforcement to fully understand the use of computer
technology will have a detrimental impact on the entire community of
computer users.
For example, you may wish to review the recent decision of Steve
Jackson
Games v. Secret Service, involving a challenge to the government's
conduct
of a particular computer crime investigation. The court found that the
Secret Service's conduct "resulted in the seizure of property, products,
business records, business documents, and electronic communications
equipment of a corporation and four individuals that the statutes were
intended to protect." The court, clearly concerned about the government's
conduct, recommended "better education, investigation, and strict
compliance
with the statutes as written."
Clearly, the decisions made by the Sentencing Commission regarding
those
factors that may increase or decrease a criminal sentence will have an
important impact on how computer crime is understood and how the
government
conducts investigations. We therefore appreciate the opportunity to
express
our views on the propose changes to the guidelines for 18 U.S.C. 1030.
For the reasons stated below, it our belief that the proposed
guidelines
regarding the Computer Fraud and Abuse Act now under consideration by
the
Sentencing Commission place emphasis upon the wrong factors, and may
discourage the use of computer technology for such purposes as
publication,
communication, and access to government information. For these reasons,
CPSR hopes that the current proposal will not be adopted.
(~10) The Proposed Guidelines Will have a Chilling Effect on
Constitutionally
Protected Activities
(~10a) The proposed amendment would treat as an aggravating factor
the
alteration,
obtaining, or disclosure of
"Protected information." This term is defined in the proposed guidelines
as
"private information, non-public government information, or proprietary
commercial information." The term is nowhere mentioned in the statute
passed Congress.
We oppose this addition. It has been the experience of the computer
profession that efforts to create new categories of information
restriction
invariably have a chilling impact on the open exchange of computerized
data.
For example, National Security Decision Directive 145, which gave the
government authority to peruse computer databases for so-called
"sensitive
but unclassified information," was widely opposed by the computing
community, as well as many organizations including the Information
Industry
Association and the American Library Association. The reason was that
the
new designation allowed the government to extend classification
authority
and to restrict the free flow of information and ideas.
Clearly, this proposal to increase the sentence for a violation of a
particular federal statute is not as sweeping as a Presidential order.
Nonetheless, we believe that the problems posed by efforts to create new
categories of computer-based information for the purpose of criminal
sentencing will raise similar concerns as did NSDD-145. It is not in the
interest of those who rely on information systems for the purpose of
public
dissemination to encourage the development of such classifications.
(~10b) The proposed guidelines would also treat as an aggravating factor
the
alteration of public record information. This proposal may go directly
against efforts to promote public access to electronic information and to
encourage the use of computer networks for the conduct of government
activities. For example, computer bulletin boards have been established by
agencies, such as the Department of Commerce and Environmental
Protection
Agency, precisely for the purpose of encouraging public use of on-line
services and to facilitate the administration of agency business.
Much of the problem may well be with the use of the term "alter"
without
any further discussion of the nature of the alteration. Computer systems
are by nature interactive. Any user of a computer system "alters" the data
on the system. System operators may control the status of a particular
file
by designating it as a "read only" file or a "read-write" file. When a file
is "read only," a user may access the file but is technically unable to
alter the files contents. However a file that is "read-write" may allow
users to both review files and to alter them.
Certainly, there are many other factors that relate to computer
system
security, but this particular example demonstrates that in many instances
altering a public file may in fact be the intended outcome of a system
operator. Failing to distinguish between permissible and impermissible
alterations of a computer file in the sentencing guidelines misses entirely
the operation of many computer systems.
(~10c) The proposed amendment would also discourage the publication
of
information
in electronic environments. The amendment recommends that the
sentence be
increased by 4 levels where "the defendant disclosed protected
information
to any person" and by six levels where "the defendant disclosed protected
information to the public by means of a general distribution system."
Both of these proposals would punish the act of publication where
there is
no economic advantage to the defendant nor any specific harm indicated.
Such provisions could be used to discourage whistle-blowing in the first
instance, and subsequent dissemination of computer messages by system
operators in the second.
For this reason, we strongly oppose the inclusion of comment 10
which
states that a "general distribution system" includes electronic bulletin
boards and voice mail systems. This particular comment could clearly
have a
chilling effect on operators of electronic bulletin boards who may become
reluctant to disseminate information where such dissemination could be
considered an aggravating factor for the purpose of the federal computer
crime law.
(~11) Current guidelines
It is our view that the current guidelines are a reasonably fair
articulation of the specific harms that might warrant additional
stringency,
at least in the area of computer crime. We believe that it is appropriate
to impose additional sanction where there is "more than minimal planning"
or
"scheme to defraud more than one victim," as currently stated in the
Guidelines. One of our concerns with the application of 18 U.S.C. 1030
after the decision in U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) is that
the provision does not adequately distinguish between those acts where
harm
is intended and those where it is not. For this reason, provisions in the
sentencing guidelines which help to identify specific harms, and not
simply
the disclosure of computerized information, may indeed be helpful to
prosecutors who are pursuing computer fraud cases and to operators of
electronic distribution systems.
For similar reasons, we support the current $2F1.1(4) which allows
an
upward departure where the offense involves the "conscious or reckless
risk
of serious bodily injury." Again, it is appropriate to impose a greater
penalty where there is risk of physical harm
(~12) The Commission may wish to consider at some future date a
provision which
would allow an upward departure for the disclosure of personally
identifiable data that is otherwise protected by federal or state statute.
We believe that privacy violations remain an important non-economic
harm
that the Commission could address. For instance, the disclosure of credit
reports, medical records, and criminal history records, by means of an
unauthorized computer use (or where use exceeds authorization) may be an
appropriate basis for the imposition of additional sanctions.
We suggest that the Commission also consider whether a downward
departure
may be appropriate for those defendants who provide technical
information
about computer security that may diminish the risk of subsequent
violations
of the computer fraud statute. Such a provision may lead to improvements
in
computer security and the reduced likelihood of computer-related crime.
We recognize that the Commission is currently considering factors
that
should be considered in the imposition of federal sentencing, and that this
process should not be equated with the creation of new criminal acts.
Nonetheless, the decisions of the Commission in this area may well
influence
subsequent legislation, and the ability of computer users to make use of
information systems, to access government information, and to
disseminate
electronic records and files. It is for these reasons that we hope the
Sentencing Commission will give careful consideration as to potential
impact
on the user community of these proposed changes to the federal
sentencing
guidelines.
We appreciate the opportunity to provide these comments to the
Commission
and
would be pleased to answer any questions you might have. Please contact
me
directly at 202/544-9240.
Sincerely yours,
Marc Rotenberg,
director
CPSR Washington
office
Enclosure
^5 ================================================================
TEXT OF THE COMMENT FROM THE ELECTRONIC FRONTIER FOUNDATION
(~13) United States Sentencing Commission
One Columbus Circle, NE
Suite 2-500, South Lobby
Washington, DC 20002-9002
Attention: Public Information
Re: Proposed Amendment #59 to the Sentencing Guidelines for
United States Courts, which creates a new guideline applicable
to violations of the Computer Fraud and Abuse Act of 1988 (18
U.S.C. 1030)
Dear Commissioners:
(4) The Electronic Frontier Foundation (EFF) writes to state our opposition
to
the new proposed sentencing guideline applicable to violations of the
Computer Fraud and Abuse Act of 1988, 18 U.S.C. 1030 (CFAA). We
believe
that, while the proposed guideline promotes the Justice Department's
interest in punishing those who engage in computer fraud and abuse, the
guideline is much too harsh for first time offenders and those who
perpetrate offenses under the statute without malice aforethought. In
addition, promulgation of a sentencing guideline at the present time is
premature, as there have been very few published opinions where judges
have
issued sentences for violations of the CFAA. Finally, in this developing
area of the law, judges should be permitted to craft sentences that are
just in relation to the facts of the specific cases before them.
(~14) The Proposed Guideline Is Too Harsh.
The proposed CFAA sentencing guideline, with a base offense level of six
and innumerable enhancements, would impose strict felony liability for
harms that computer users cause through sheer inadvertence. This
guideline
would require imprisonment for first time offenders who caused no real
harm
and meant none. EFF is opposed to computer trespass and theft, and we do
not condone any unauthorized tampering with computers -- indeed, EFF's
unequivocal belief is that the security of private computer systems and
networks is both desirable and necessary to the maintenance of a free
society. However, it is entirely contrary to our notions of justice to
brand a computer user who did not intend to do harm as a felon. Under the
proposed guideline, even a user who painstakingly attempts to avoid
causing
harm, but who causes harm nonetheless, will almost assuredly be
required to
serve some time in prison.
The proposed guideline, where the sentencing judge is given no discretion
for crafting a just sentence based on the facts of the case, is too harsh
on less culpable defendants, particularly first time offenders. As the
Supreme Court has stated, the notion that a culpable mind is a necessary
component of criminal guilt is "as universal and persistent in mature
systems of law as belief in freedom of the human will and a consequent
ability and duty of the normal individual to choose between good and evil."
Morissette v. United States, 342 U.S. 246, 250 (1952). In the words of
another court, "[u]sually the stigma of criminal conviction is not visited
upon citizens who are not morally to blame because they did not know
they
were doing wrong." United States v. Marvin, 687 F.2d 1221, 1226 (8th Cir.
1982), cert. denied, 460 U.S. 1081 (1983).
(~15) There Is Not Yet Enough Caselaw to Warrant a Guideline.
The Sentencing Commission itself has recognized the importance of
drafting
guidelines based on a large number of reported decisions. In the
introduction to the Sentencing Commission's Guidelines Manual, the
Commission states:
The Commission emphasizes that it drafted the initial guidelines with
considerable caution. It examined the many hundreds of criminal statutes
in the United States Code. It began with those that were the basis for a
significant number of prosecutions and sought to place them in a rational
order. It developed additional distinctions relevant to the application of
these provisions, and it applied sentencing ranges to each resulting
category. In doing so, it relied upon pre-guidelines sentencing practice
as revealed by its own statistical analyses based on summary reports of
some 40,000 convictions, a sample of 10,000 augmented pre-sentence
reports,
the parole guidelines, and policy judgments.
United States Sentencing Commission, Guidelines Manual, Chap. 1, Part A
(1991).
At the present time, there are only five reported decisions that mention
the court's sentencing for violations of the Computer Fraud and Abuse
Act.
See, United States v. Lewis, 872 F.2d 1030 (6th Cir. 1989); United States
v. Morris, 928 F.2d 504 (2d Cir. 1991), cert. denied, 112 S. Ct. 72 (1991);
United States v. Carron, 1991 U.S. App. LEXIS 4838 (9th Cir. 1991); United
States v. Rice, 1992 U.S. App. LEXIS 9562 (1992); and United States v.
DeMonte, 1992 U.S. App. LEXIS 11392 (6th Cir. 1992). New
communications
technologies, in their earliest infancy, are becoming the subject of
precedent-setting litigation. Overly strict sentences imposed for
computer-related fraud and abuse may have the effect of chilling these
technologies even as they develop. Five decisions are not enough on which
to base a guideline to be used in such an important and growing area of the
law.
The Commission itself has recognized that certain areas of federal
criminal
law and procedure are so new that policy statements, rather than
inflexible
guidelines, are preferable. See, e.g., United States Sentencing
Commission, Guidelines Manual, Chap. 7, Part A (1990) (stating the
Commission's choice to promulgate policy statements, rather than
guidelines, for revocation of probation and supervised release "until
federal judges, probation officers, practitioners, and others have the
opportunity to evaluate and comment. . . ."). A flexible policy statement,
rather than a specific sentencing guideline, is a more appropriate way to
handle sentencing under the Computer Fraud and Abuse Act until there has
been enough litigation on which to base a guideline.
(~16) Judges Must Be Permitted to Craft Their Own Sentences for Cases
Involving
Special Circumstances.
Individual sentencing decisions are best left to the discretion of the
sentencing judge, who presumably is most familiar with the facts unique
to
each case. To promulgate an inflexible sentencing guideline, which would
cover all crimes that could conceivably be prosecuted under the Computer
Fraud and Abuse Act, is premature at this time.
As discussed above, there have only been five reported decisions where
the
Computer Fraud and Abuse Act has been applied. In three of these
reported
CFAA cases, the judges involved used their discretion and fashioned
unique
sentences for the defendants based on the special facts of the case. See,
Morris, 928 F.2d at 506 (where the judge placed Defendant Morris on
probation for three years to perform 400 hours of community service,
ordered him to pay fines of $10,050, and ordered him to pay for the cost
of
his supervision at a rate of $91 a month); Carron at 3 (where the judge
found that Defendant Carron's criminal history justified a sentence of 12
months incarceration followed by 12 months of supervised release and
restitution to the two injured credit card companies); and DeMonte at 4
(where the trial court judge held that Defendant DeMonte's "extraordinary
and unusual level of cooperation" warranted a sentence of three years
probation with no incarceration). Judges must be permitted to continue
fashioning sentences that are just, based on the facts of a specific case.
(~17) Computer communications are still in their infancy. Legal
precedents,
particularly the application of a sentencing guideline to violations of the
Computer Fraud and Abuse Act, can radically affect the course of the
computer technology's future, and with it the fate of an important tool
for
the exchange of ideas in a democratic society. When the law limits or
inhibits the use of new technologies, a grave injustice is being
perpetrated. The Electronic Frontier Foundation respectfully asks the
Commission to hold off promulgating a sentencing guideline for the
Computer
Fraud and Abuse Act until there are enough prosecutions on which to base
a
guideline.
Thank you in advance for your thoughtful consideration of our concerns.
We would be pleased to provide the Commission with any further
information
that may be needed.
Sincerely yours,
Shari Steele
Staff Attorney
The Electronic Frontier Foundation is a privately funded, tax-exempt,
nonprofit organization concerned with the civil liberties, technical and
social problems posed by the applications of new computing and
telecommunications technology. Its founders include Mitchell Kapor, a
leading pioneer in computer software development who founded the Lotus
Development Corporation and developed the Lotus 1-2-3 Spreadsheet
software.
^6 ==============================================
TEXT OF THE COMMENT OF THE SOCIETY FOR ELECTRONIC ACCESS
(~18) Before the
UNITED STATES SENTENCING COMMISSION
One Columbus Circle, N.E., Suite 2-500
Washington DC 20002-8002
Attention: Public Information
In the Matter of
Proposed Amendment of the Sentencing
Guidelines for the United States, Section
2F2.1, Applicable to Violations of the
Computer Fraud and Abuse Act
TO: The Commission
COMMENTS OF THE SOCIETY FOR ELECTRONIC ACCESS
The Society for Electronic Access ("SEA") submits these
comments in the above-captioned proceeding, which concerns the
proposed amendments to the United States Sentencing Guidelines
("U.S.S.G.") concerning Computer Fraud and Abuse [57 Fed. Reg.
62832 (1992) (to be codified at U.S.S.G sec. 2F2.1) (proposed
Dec. 31, 1992)]. We strongly urge you not to adopt these
amendments because the penalties specified therein are unduly
harsh, overly broad, and vague.
(~19) These amendments violate due process by providing harsher
penalties for activities more properly related to computing than
to crime. For example, proposed U.S.S.G. sec. 2F2.1.b.1 states:
"If the defendant altered information, increase by 2 levels"
where alteration is defined in Commentary #9 as including:
"...all changes to data, whether the defendant added,
deleted, amended or destroyed any or all of it."
It is almost impossible to use a computer without performing
one or more of these functions. Merely logging on to another
computer fits this definition of alteration because this changes
the information kept in its system logs, even if the user never
requested that a specific file or record be accessed.
Furthermore, the effect of these data alterations may not be
directly related to severity of a crime: if a voyeur looks at
protected files and leaves a note telling that he or she was
there, that is very different from a vandal's deletion of a
credit file. Yet, under these amendments both situations are
treated as activities of equal seriousness. It is absurd to
think that the alteration itself, absent other factors, requires
an increase in the severity of the minimum sentence, or that all
alterations affect criminality equally.
(~20) These amendments violate due process by including overly
broad standards for determining the severity of a crime. For
example, proposed U.S.S.G. sec. 2F2.1.b.5 states:
"If an offense was committed for the purpose of malicious
destruction or damage, increase by 4 levels."
where malicious destruction or damage, as defined in Commentary
#11:
". . . includes injury to business and personal
reputations."
The effect of so broad a category of activity being contained in
a single sentencing adjustment would be to group the trivial with
the heinous, and punish them equally. Breaking into a person's
computer account and publicly posting information which disrupts
his or her ability to conduct business is very different matter
from copying and publicly posting materials from that person's
account that simply make the person look foolish, yet the
amendment groups these actions together as offenses of equal
seriousness.
Furthermore, this language allows for the punishment of
speech without requiring a determination that the speech does not
enjoy the protection of the First Amendment. The Supreme Court
has always erected extremely stringent standards for the kinds of
speech that can be found unprotected by the First Amendment, and
these amendments to the Sentencing Guidelines err by allowing
speech to be punished if it is found to damage someone's
"personal reputation" under less stringent standards of proof,
which would be introduced at the sentencing, rather than at the
trial itself.
(~21) These amendments violate due process by mandating overly
harsh punishments. To use an example derived from the recent
past (see Salinger v. Random House, 811 F.2d 90 (2d Cir.), cert.
denied, 484 U.S. 890 (1987)), if a defendant (willfully and for
the purposes of commercial advantage or private financial gain)
wrote something for publication which included sections of J.D.
Salinger's private correspondence, the defendant could be
convicted of criminal copyright infringement, and fined. See 17
U.S.C. sec. 506 and 18 U.S.C. sec. 2319. It stretches the
imagination, however, to suggest that if the defendant had either
obtained or distributed these materials electronically, no matter
how limited the scope of the distribution, this copyright
infringement would be transformed into a crime so severe that the
defendant would, as a first time offender, face a sentence of
fifteen to twenty-one (15-21) months in prison.
Proposed U.S.S.G. sec. 2F2.1.b.2 states:
"...if the defendant disclosed protected information to the
public by means of a general distribution system, increase
by six levels."
where the definition of "general distribution system" as defined
in Commentary #10 includes:
"...electronic bulletin board and voice mail systems,
newsletters and other publications, and any other form of
group dissemination, by any means."
These amendments suggest that crimes for which the trial
judge has heretofore had the latitude to impose probationary
sentences or fines or both must now receive minimum sentences
harsher than those mandated by the Federal Sentencing Guidelines
for assault where the use of a dangerous weapon was threatened
[U.S.S.G. sec. 2A2.3.a.1], sexual abuse of a ward [U.S.S.G. sec.
2A3.3.9.a] or trespassing on government property with a firearm
[U.S.S.G. sec. 2B2.3.B.1 - .2]. Of all the potential violations
of due process contained in these amendments, this potential for
mandating unduly harsh sentences is the most shocking and the
most clear.
(~22) In President Clinton's statement, "Technology for America's
Economic Growth: A New Direction to Build Economic Strength" he
says "Government telecommunication and information policy has not
kept pace with new developments in telecommunications and
computer technology. As a result, government regulations have
tended to inhibit competition and delay deployment of new
technology." These amendments are part of that problem.
By simultaneously rendering the Guidelines both harsher and
more vague, these amendments would create a chilling effect on
perfectly legal uses of computers by private citizens, by
creating an environment in which the potential criminality of an
action would be impossible to ascertain in advance. Therefore,
the SEA strongly urges you not to adopt the amendments to United
States Sentencing Guidelines proposed at 57 Fed. Reg. 62832.
Respectfully submitted,
Society for Electronic Access
c/o Steven E. Barber
595 West End Avenue, Apt. 9D
New York, New York 10024
(212) 787-8421
Simona Nass, President
Alexis Rosen, Vice-President
Daniel Lieberman, Treasurer
Steven E. Barber, Secretary
Board of Directors:
Stacy Horn, Chair
Joseph King
John McMullen
Simona Nass
E. Lance Rose
Alexis Rosen
Paul Wallich
<additional signatures go here>
Date: March 15, 1993