The US Department of Justice recently released for comment proposed changes in the US Sentencing Guidelines for the computer Fraud and Abuse Act of 1988. The new guideline practically guarantees some period of confinement, even for first offenders who plead guilty. This archive, compiled by the Society For Electronic Access, includes an introduction to this issue by Jack King, the text of the proposed changes, the text of the Computer Fraud and Abuse Act of 1988, and the Comments filed with the Department of Justice on the 15th of May by Computer Professionals for Social Responsibility, the Electronic Frontier Foundation, and the Society for Electronic Access. The Department of Justice is due to send a report on the new Guidelines to Congress on May 1. INDEX This index is just the topic sentences of the relevant texts, copied and numbered here. For text-based searching, the different texts are separated with "====" and numbered ^1, ^2, and so on. Individual arguments are numbered (~1), (~2), and so on. CPSR organized their Comment into two broad sections, which organization I tried to reflect in this index. ^1-(~1) Introduction by Jack King ^2-The Proposed Amendment Itself (~2) Synopsis of the Amendment (~3) Actual language of proposed amendments (~4) Notes and Commentary from the Department of Justice ^3-Text of the Computer Fraud and Abuse Act of 1988 (~5) Crime (~6) Punishment (~7) The Secret Service (~8) Definitions for the purpose of the Law ^4-The Comment Filed by CPSR (~9) Introduction (~10) The Proposed Guidelines Will have a Chilling Effect on Constitutionally Protected Activities (~10a) The proposed amendment would treat as an aggravating factor the alteration, obtaining, or disclosure of "Protected information." (~10b) The proposed guidelines would also treat as an aggravating factor the alteration of public record information (~10c) The proposed amendment would also discourage the publication of information in electronic environments. (~11) CPSR comment on current guidelines (~12) Conclusion ^5-The Comment Filed by EFF (~13) Introduction (~14) The Proposed Guideline Is Too Harsh (~15) There Is Not Yet Enough Caselaw to Warrant a Guideline. (~16) Judges Must Be Permitted to Craft Their Own Sentences for Cases Involving Special Circumstances. (~17) Conclusion ^6-The Comment Filed by SEA (~18) Introduction (~19) These amendments violate due process by providing harsher penalties for activities more properly related to computing than to crime (~20) These amendments violate due process by including overly broad standards for determining the severity of a crime. (~21) These amendments violate due process by mandating overly harsh punishments. (~22) Conclusion ^1 =============================================================== Revised Computer Crime Sentencing Guidelines From Jack King (~1) The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a base offense level of 6 and enhancements of 4 to 6 levels for violations of specific provisions of the statute. The new guideline practically guarantees some period of confinement, even for first offenders who plead guilty. For example, the guideline would provide that if the defendant obtained ``protected'' information (defined as ``private information, non-public government information, or proprietary commercial information), the offense level would be increased by two; if the defendant disclosed protected information to any person, the offense level would be increased by four levels, and if the defendant distributed the information by means of ``a general distribution system,'' the offense level would go up six levels. The proposed commentary explains that a ``general distribution system'' includes ``electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means.'' So, in effect, a person who obtains information from the computer of another, and gives that information to another gets a base offense level of 10; if he used a 'zine or BBS to disseminate it, he would get a base offense level of 12. The federal guidelines prescribe 6-12 months in jail for a first offender with an offense level of 10, and 10-16 months for same with an offense level of 12. Pleading guilty can get the base offense level down by two levels; probation would then be an option for the first offender with an offense level of 10 (reduced to 8). But remember: there is no more federal parole. The time a defendant gets is the time s/he serves (minus a couple days a month "good time"). If, however, the offense caused an economic loss, the offense level would be increased according to the general fraud table (Sec. 2F1.1). The proposed commentary explains that computer offenses often cause intangible harms, such as individual privacy rights or by impairing computer operations, property values not readily translatable to the general fraud table. The proposed commentary also suggests that if the defendant has a prior conviction for ``similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted.'' An upward departure may also be warranted, DOJ suggests, if ``the defendant's conduct has affected or was likely to affect public service or confidence'' in ``public interests'' such as common carriers, utilities, and institutions. Based on the way U.S. Attorneys and their computer experts have guesstimated economic "losses" in a few prior cases, a convicted tamperer can get whacked with a couple of years in the slammer, a whopping fine, full "restitution" and one to two years of supervised release (which is like going to a parole officer). (Actually, it *is* going to a parole officer, because although there is no more federal parole, they didn't get rid of all those parole officers. They have them supervise convicts' return to society.) This, and other proposed sentencing guidelines, can be found at 57 Fed Reg 62832-62857 (Dec. 31, 1992). ^2 ================================================================== == TEXT OF THE PROPOSED REVISIONS at 57 Fed Reg 62832-62857 (Dec. 31, 1992). Proposed revisions to Sentencing Guidelines for Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030) (~2) 59. Synopsis of Amendment: This amendment creates a new guideline applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030). Violations of this statute are currently subject to the fraud guidelines at S. 2F1.1, which rely heavily on the dollar amount of loss caused to the victim. Computer offenses, however, commonly protect against harms that cannot be adequately quantified by examining dollar losses. Illegal access to consumer credit reports, for example, which may have little monetary value, nevertheless can represent a serious intrusion into privacy interests. Illegal intrusions in the computers which control telephone systems may disrupt normal telephone service and present hazards to emergency systems, neither of which are readily quantifiable. This amendment proposes a new Section 2F2.1, which provides sentencing guidelines particularly designed for this unique and rapidly developing area of the law. (~3) Proposed Amendment: Part F is amended by inserting the following section, numbered S. 2F2.1, and captioned "Computer Fraud and Abuse," immediately following Section 2F1.2: "S. 2F2.1. Computer Fraud and Abuse (a) Base Offense Level: 6 (b) Specific Offense Characteristics (1) Reliability of data. If the defendant altered information, increase by 2 levels; if the defendant altered protected information, or public records filed or maintained under law or regulation, increase by 6 levels. (2) Confidentiality of data. If the defendant obtained protected information, increase by 2 levels; if the defendant disclosed protected information to any person, increase by 4 levels; if the defendant disclosed protected information to the public by means of a general distribution system, increase by 6 levels. Provided that the cumulative adjustments from (1) and (2), shall not exceed 8. (3) If the offense caused or was likely to cause (A) interference with the administration of justice (civil or criminal) or harm to any person's health or safety, or (B) interference with any facility (public or private) or communications network that serves the public health or safety, increase by 6 levels. (4) If the offense caused economic loss, increase the offense level according to the tables in S. 2F1.1 (Fraud and Deceit). In using those tables, include the following: (A) Costs of system recovery, and (B) Consequential losses from trafficking in passwords. (5) If an offense was committed for the purpose of malicious destruction or damage, increase by 4 levels. (c) Cross References (1) If the offense is also covered by another offense guideline section, apply that offense guideline section if the resulting level is greater. Other guidelines that may cover the same conduct include, for example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering National Defense Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2 (Receiving, Transporting, Transferring, Transmitting, or Possessing Stolen Property), and S. 2H3.1 (Interception of Communications or Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft); for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an Election or Registration), S. 2J1.2 (Obstruction of Justice), and S. 2B3.2 (Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1 (Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft). (~4) Commentary Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6) Application Notes: 1. This guideline is necessary because computer offenses often harm intangible values, such as privacy rights or the unimpaired operation of networks, more than the kinds of property values which the general fraud table measures. See S. 2F1.1, Note 10. If the defendant was previously convicted of similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted. 2. The harms expressed in paragraph (b)(1) pertain to the reliability and integrity of data; those in (b)(2) concern the confidentiality and privacy of data. Although some crimes will cause both harms, it is possible to cause either one alone. Clearly a defendant can obtain or distribute protected information without altering it. And by launching a virus, a defendant may alter or destroy data without ever obtaining it. For this reason, the harms are listed separately and are meant to be cumulative. 3. The terms "information," "records," and "data" are interchangeable. 4. The term "protected information" means private information, non-public government information, or proprietary commercial information. 5. The term "private information" means confidential information (including medical, financial, educational, employment, legal, and tax information) maintained under law, regulation, or other duty (whether held by public agencies or privately) regarding the history or status of any person, business, corporation, or other organization. 6. The term "non-public government information" means unclassified information which was maintained by any government agency, contractor or agent; which had not been released to the public; and which was related to military operations or readiness, foreign relations or intelligence, or law enforcement investigations or operations. 7. The term "proprietary commercial information" means non-public business information, including information which is sensitive, confidential, restricted, trade secret, or otherwise not meant for public distribution. If the proprietary information has an ascertainable value, apply paragraph (b) (4) to the economic loss rather than (b) (1) and (2), if the resulting offense level is greater. 8. Public records protected under paragraph (b) (1) must be filed or maintained under a law or regulation of the federal government, a state or territory, or any of their political subdivisions. 9. The term "altered" covers all changes to data, whether the defendant added, deleted, amended, or destroyed any or all of it. 10. A "general distribution system" includes electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means. 11. The term "malicious destruction or damage" includes injury to business and personal reputations. 12. Costs of system recovery: Include the costs accrued by the victim in identifying and tracking the defendant, ascertaining the damage, and restoring the system or data to its original condition. In computing these costs, include material and personnel costs, as well as losses incurred from interruptions of service. If several people obtained unauthorized access to any system during the same period, each defendant is responsible for the full amount of recovery or repair loss, minus any costs which are clearly attributable only to acts of other individuals. 13. Consequential losses from trafficking in passwords: A defendant who trafficked in passwords by using or maintaining a general distribution system is responsible for all economic losses that resulted from the use of the password after the date of his or her first general distribution, minus any specific amounts which are clearly attributable only to acts of other individuals. The term "passwords" includes any form of personalized access identification, such as user codes or names. 14. If the defendant's acts harmed public interests not adequately reflected in these guidelines, an upward departure may be warranted. Examples include interference with common carriers, utilities, and institutions (such as educational, governmental, or financial institutions), whenever the defendant's conduct has affected or was likely to affect public service or confidence". * * * ^3 ============================================================== TEXT OF THE COMPUTER FRAUD AND ABUSE ACT OF 1988 (~5) *** THIS SECTION IS CURRENT THROUGH P.L. 102-439, 10/23/92 *** TITLE 18. CRIMES AND CRIMINAL PROCEDURE PART I. CRIMES CHAPTER 47. FRAUD AND FALSE STATEMENTS 18 USC Sec. 1030 (1993) Sec. 1030. Fraud and related activity in connection with computers (a) Whoever-- (1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y [.] [(y)] of section 11 of the Atomic Energy Act of 1954 [42 USCS sec. 2014(y)], with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation; (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (3) intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government's operation of such computer; (4) knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer; (5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby-- (A) causes loss to one or more others of a value aggregating $ 1,000 or more during any one year period; or (B) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if-- (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; shall be punished as provided in subsection (c) of this section. (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section. (~6) (c) The punishment for an offense under subsection (a) or (b) of this section is-- (1) (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under such subsection; or an attempt to commit an offense punishable under this subparagraph; and (2) (A) a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and (3) (A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph. ( (~7) (d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General. (~8) (e) As used in this section-- (1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device; (2) the term "Federal interest computer" means a computer-- (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or (B) which is one of two or more computers used in committing the offense, not all of which are located in the same State; (3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States; (4) the term "financial institution" means-- (A) an institution, with deposits insured by the Federal Deposit Insurance Corporation; (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank; (C) a credit union with accounts insured by the National Credit Union Administration; (D) a member of the Federal home loan bank system and any home loan bank; (E) any institution of the Farm Credit System under the Farm Credit Act of 1971; (F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934 [15 USCS sec. 78.]; (G) the Securities Investor Protection Corporation; (H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978 [12 USCS sec. 3101(1), (3)]); and (I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act. (5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution; (6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter; and (7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive department enumerated in section 101 of title 5. (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States. HISTORY: (Added Oct. 12, 1984, P.L. 98-473, Title II, Ch XXI, @ 2102(a), 98 Stat. 2190; Oct. 16, 1986, P.L. 99-474, @ 2, 100 Stat. 1213; Nov. 18, 1988, P.L. 100-690, Title VII, Subtitle B, @ 7065, 102 Stat. 4404; Aug. 9, 1989, P.L. 101-73, Title IX, Subtitle F, @ 962(a)(5), 103 Stat. 502; Nov. 29, 1990, P.L. 101-647, Title XII, @ 1205(e), Title XXV, Subtitle I, @ 2597(j), Title XXXV, @ 3533, 104 Stat. 4831, 4910, 4925.) OTHER PROVISIONS: Attorney General's report. Act Oct. 12, 1984, P.L. 98-473, Title II, Ch XXI, @ 2103, 98 Stat. 2192, provides: "The Attorney General shall report to the Congress annually, during the first three years following the date of the enactment of this joint resolution [enacted Oct. 12, 1984], concerning prosecutions under the sections of title 18 of the United States Code added by this chapter [this section].". ^4 ============================================================== (~9) COMMENTS OF COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY REGARDING PROPOSED CHANGES TO FEDERAL SENTENCING GUIDELINES FOR COMPUTER FRAUD March 15, 1993 Chairman William W. Wilkins, Jr. US Sentencing Commission One Columbus Circle, NE Suite 2-500 South Lobby Washington, DC 20002-8002 Dear Mr. Chairman: We are writing to you regarding the proposed amendments to sentencing guidelines, policy statements, and commentary announced in the Federal Register, December 31, 1992 (57 FR 63832). We are specifically interested in addressing item 59, regarding the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030). CPSR is national membership organization of professionals in the computing field. We have a particular interest in information technology, including the protection of civil liberties and privacy. We have sponsored a number of public conferences to explore the issues involving computers, freedom, and privacy. We have also testified before the House of Representatives and the Senate regarding the federal computer crime law. It is our position that the government must be careful not to extend broad criminal sanctions to areas where technology is rapidly evolving and terms are not well defined. We believe that such efforts, if not carefully considered, may ultimately jeopardize the use of new information technology to promote education, innovation, commerce, and public life. We also remain concerned that criminal sanctions involving the use of information technologies may unnecessarily threaten important personal freedoms, such as speech, assembly, and privacy. It is the experience of the computing profession that misguided criminal investigation and the failure of law enforcement to fully understand the use of computer technology will have a detrimental impact on the entire community of computer users. For example, you may wish to review the recent decision of Steve Jackson Games v. Secret Service, involving a challenge to the government's conduct of a particular computer crime investigation. The court found that the Secret Service's conduct "resulted in the seizure of property, products, business records, business documents, and electronic communications equipment of a corporation and four individuals that the statutes were intended to protect." The court, clearly concerned about the government's conduct, recommended "better education, investigation, and strict compliance with the statutes as written." Clearly, the decisions made by the Sentencing Commission regarding those factors that may increase or decrease a criminal sentence will have an important impact on how computer crime is understood and how the government conducts investigations. We therefore appreciate the opportunity to express our views on the propose changes to the guidelines for 18 U.S.C. 1030. For the reasons stated below, it our belief that the proposed guidelines regarding the Computer Fraud and Abuse Act now under consideration by the Sentencing Commission place emphasis upon the wrong factors, and may discourage the use of computer technology for such purposes as publication, communication, and access to government information. For these reasons, CPSR hopes that the current proposal will not be adopted. (~10) The Proposed Guidelines Will have a Chilling Effect on Constitutionally Protected Activities (~10a) The proposed amendment would treat as an aggravating factor the alteration, obtaining, or disclosure of "Protected information." This term is defined in the proposed guidelines as "private information, non-public government information, or proprietary commercial information." The term is nowhere mentioned in the statute passed Congress. We oppose this addition. It has been the experience of the computer profession that efforts to create new categories of information restriction invariably have a chilling impact on the open exchange of computerized data. For example, National Security Decision Directive 145, which gave the government authority to peruse computer databases for so-called "sensitive but unclassified information," was widely opposed by the computing community, as well as many organizations including the Information Industry Association and the American Library Association. The reason was that the new designation allowed the government to extend classification authority and to restrict the free flow of information and ideas. Clearly, this proposal to increase the sentence for a violation of a particular federal statute is not as sweeping as a Presidential order. Nonetheless, we believe that the problems posed by efforts to create new categories of computer-based information for the purpose of criminal sentencing will raise similar concerns as did NSDD-145. It is not in the interest of those who rely on information systems for the purpose of public dissemination to encourage the development of such classifications. (~10b) The proposed guidelines would also treat as an aggravating factor the alteration of public record information. This proposal may go directly against efforts to promote public access to electronic information and to encourage the use of computer networks for the conduct of government activities. For example, computer bulletin boards have been established by agencies, such as the Department of Commerce and Environmental Protection Agency, precisely for the purpose of encouraging public use of on-line services and to facilitate the administration of agency business. Much of the problem may well be with the use of the term "alter" without any further discussion of the nature of the alteration. Computer systems are by nature interactive. Any user of a computer system "alters" the data on the system. System operators may control the status of a particular file by designating it as a "read only" file or a "read-write" file. When a file is "read only," a user may access the file but is technically unable to alter the files contents. However a file that is "read-write" may allow users to both review files and to alter them. Certainly, there are many other factors that relate to computer system security, but this particular example demonstrates that in many instances altering a public file may in fact be the intended outcome of a system operator. Failing to distinguish between permissible and impermissible alterations of a computer file in the sentencing guidelines misses entirely the operation of many computer systems. (~10c) The proposed amendment would also discourage the publication of information in electronic environments. The amendment recommends that the sentence be increased by 4 levels where "the defendant disclosed protected information to any person" and by six levels where "the defendant disclosed protected information to the public by means of a general distribution system." Both of these proposals would punish the act of publication where there is no economic advantage to the defendant nor any specific harm indicated. Such provisions could be used to discourage whistle-blowing in the first instance, and subsequent dissemination of computer messages by system operators in the second. For this reason, we strongly oppose the inclusion of comment 10 which states that a "general distribution system" includes electronic bulletin boards and voice mail systems. This particular comment could clearly have a chilling effect on operators of electronic bulletin boards who may become reluctant to disseminate information where such dissemination could be considered an aggravating factor for the purpose of the federal computer crime law. (~11) Current guidelines It is our view that the current guidelines are a reasonably fair articulation of the specific harms that might warrant additional stringency, at least in the area of computer crime. We believe that it is appropriate to impose additional sanction where there is "more than minimal planning" or "scheme to defraud more than one victim," as currently stated in the Guidelines. One of our concerns with the application of 18 U.S.C. 1030 after the decision in U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) is that the provision does not adequately distinguish between those acts where harm is intended and those where it is not. For this reason, provisions in the sentencing guidelines which help to identify specific harms, and not simply the disclosure of computerized information, may indeed be helpful to prosecutors who are pursuing computer fraud cases and to operators of electronic distribution systems. For similar reasons, we support the current $2F1.1(4) which allows an upward departure where the offense involves the "conscious or reckless risk of serious bodily injury." Again, it is appropriate to impose a greater penalty where there is risk of physical harm (~12) The Commission may wish to consider at some future date a provision which would allow an upward departure for the disclosure of personally identifiable data that is otherwise protected by federal or state statute. We believe that privacy violations remain an important non-economic harm that the Commission could address. For instance, the disclosure of credit reports, medical records, and criminal history records, by means of an unauthorized computer use (or where use exceeds authorization) may be an appropriate basis for the imposition of additional sanctions. We suggest that the Commission also consider whether a downward departure may be appropriate for those defendants who provide technical information about computer security that may diminish the risk of subsequent violations of the computer fraud statute. Such a provision may lead to improvements in computer security and the reduced likelihood of computer-related crime. We recognize that the Commission is currently considering factors that should be considered in the imposition of federal sentencing, and that this process should not be equated with the creation of new criminal acts. Nonetheless, the decisions of the Commission in this area may well influence subsequent legislation, and the ability of computer users to make use of information systems, to access government information, and to disseminate electronic records and files. It is for these reasons that we hope the Sentencing Commission will give careful consideration as to potential impact on the user community of these proposed changes to the federal sentencing guidelines. We appreciate the opportunity to provide these comments to the Commission and would be pleased to answer any questions you might have. Please contact me directly at 202/544-9240. Sincerely yours, Marc Rotenberg, director CPSR Washington office Enclosure ^5 ================================================================ TEXT OF THE COMMENT FROM THE ELECTRONIC FRONTIER FOUNDATION (~13) United States Sentencing Commission One Columbus Circle, NE Suite 2-500, South Lobby Washington, DC 20002-9002 Attention: Public Information Re: Proposed Amendment #59 to the Sentencing Guidelines for United States Courts, which creates a new guideline applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030) Dear Commissioners: (4) The Electronic Frontier Foundation (EFF) writes to state our opposition to the new proposed sentencing guideline applicable to violations of the Computer Fraud and Abuse Act of 1988, 18 U.S.C. 1030 (CFAA). We believe that, while the proposed guideline promotes the Justice Department's interest in punishing those who engage in computer fraud and abuse, the guideline is much too harsh for first time offenders and those who perpetrate offenses under the statute without malice aforethought. In addition, promulgation of a sentencing guideline at the present time is premature, as there have been very few published opinions where judges have issued sentences for violations of the CFAA. Finally, in this developing area of the law, judges should be permitted to craft sentences that are just in relation to the facts of the specific cases before them. (~14) The Proposed Guideline Is Too Harsh. The proposed CFAA sentencing guideline, with a base offense level of six and innumerable enhancements, would impose strict felony liability for harms that computer users cause through sheer inadvertence. This guideline would require imprisonment for first time offenders who caused no real harm and meant none. EFF is opposed to computer trespass and theft, and we do not condone any unauthorized tampering with computers -- indeed, EFF's unequivocal belief is that the security of private computer systems and networks is both desirable and necessary to the maintenance of a free society. However, it is entirely contrary to our notions of justice to brand a computer user who did not intend to do harm as a felon. Under the proposed guideline, even a user who painstakingly attempts to avoid causing harm, but who causes harm nonetheless, will almost assuredly be required to serve some time in prison. The proposed guideline, where the sentencing judge is given no discretion for crafting a just sentence based on the facts of the case, is too harsh on less culpable defendants, particularly first time offenders. As the Supreme Court has stated, the notion that a culpable mind is a necessary component of criminal guilt is "as universal and persistent in mature systems of law as belief in freedom of the human will and a consequent ability and duty of the normal individual to choose between good and evil." Morissette v. United States, 342 U.S. 246, 250 (1952). In the words of another court, "[u]sually the stigma of criminal conviction is not visited upon citizens who are not morally to blame because they did not know they were doing wrong." United States v. Marvin, 687 F.2d 1221, 1226 (8th Cir. 1982), cert. denied, 460 U.S. 1081 (1983). (~15) There Is Not Yet Enough Caselaw to Warrant a Guideline. The Sentencing Commission itself has recognized the importance of drafting guidelines based on a large number of reported decisions. In the introduction to the Sentencing Commission's Guidelines Manual, the Commission states: The Commission emphasizes that it drafted the initial guidelines with considerable caution. It examined the many hundreds of criminal statutes in the United States Code. It began with those that were the basis for a significant number of prosecutions and sought to place them in a rational order. It developed additional distinctions relevant to the application of these provisions, and it applied sentencing ranges to each resulting category. In doing so, it relied upon pre-guidelines sentencing practice as revealed by its own statistical analyses based on summary reports of some 40,000 convictions, a sample of 10,000 augmented pre-sentence reports, the parole guidelines, and policy judgments. United States Sentencing Commission, Guidelines Manual, Chap. 1, Part A (1991). At the present time, there are only five reported decisions that mention the court's sentencing for violations of the Computer Fraud and Abuse Act. See, United States v. Lewis, 872 F.2d 1030 (6th Cir. 1989); United States v. Morris, 928 F.2d 504 (2d Cir. 1991), cert. denied, 112 S. Ct. 72 (1991); United States v. Carron, 1991 U.S. App. LEXIS 4838 (9th Cir. 1991); United States v. Rice, 1992 U.S. App. LEXIS 9562 (1992); and United States v. DeMonte, 1992 U.S. App. LEXIS 11392 (6th Cir. 1992). New communications technologies, in their earliest infancy, are becoming the subject of precedent-setting litigation. Overly strict sentences imposed for computer-related fraud and abuse may have the effect of chilling these technologies even as they develop. Five decisions are not enough on which to base a guideline to be used in such an important and growing area of the law. The Commission itself has recognized that certain areas of federal criminal law and procedure are so new that policy statements, rather than inflexible guidelines, are preferable. See, e.g., United States Sentencing Commission, Guidelines Manual, Chap. 7, Part A (1990) (stating the Commission's choice to promulgate policy statements, rather than guidelines, for revocation of probation and supervised release "until federal judges, probation officers, practitioners, and others have the opportunity to evaluate and comment. . . ."). A flexible policy statement, rather than a specific sentencing guideline, is a more appropriate way to handle sentencing under the Computer Fraud and Abuse Act until there has been enough litigation on which to base a guideline. (~16) Judges Must Be Permitted to Craft Their Own Sentences for Cases Involving Special Circumstances. Individual sentencing decisions are best left to the discretion of the sentencing judge, who presumably is most familiar with the facts unique to each case. To promulgate an inflexible sentencing guideline, which would cover all crimes that could conceivably be prosecuted under the Computer Fraud and Abuse Act, is premature at this time. As discussed above, there have only been five reported decisions where the Computer Fraud and Abuse Act has been applied. In three of these reported CFAA cases, the judges involved used their discretion and fashioned unique sentences for the defendants based on the special facts of the case. See, Morris, 928 F.2d at 506 (where the judge placed Defendant Morris on probation for three years to perform 400 hours of community service, ordered him to pay fines of $10,050, and ordered him to pay for the cost of his supervision at a rate of $91 a month); Carron at 3 (where the judge found that Defendant Carron's criminal history justified a sentence of 12 months incarceration followed by 12 months of supervised release and restitution to the two injured credit card companies); and DeMonte at 4 (where the trial court judge held that Defendant DeMonte's "extraordinary and unusual level of cooperation" warranted a sentence of three years probation with no incarceration). Judges must be permitted to continue fashioning sentences that are just, based on the facts of a specific case. (~17) Computer communications are still in their infancy. Legal precedents, particularly the application of a sentencing guideline to violations of the Computer Fraud and Abuse Act, can radically affect the course of the computer technology's future, and with it the fate of an important tool for the exchange of ideas in a democratic society. When the law limits or inhibits the use of new technologies, a grave injustice is being perpetrated. The Electronic Frontier Foundation respectfully asks the Commission to hold off promulgating a sentencing guideline for the Computer Fraud and Abuse Act until there are enough prosecutions on which to base a guideline. Thank you in advance for your thoughtful consideration of our concerns. We would be pleased to provide the Commission with any further information that may be needed. Sincerely yours, Shari Steele Staff Attorney The Electronic Frontier Foundation is a privately funded, tax-exempt, nonprofit organization concerned with the civil liberties, technical and social problems posed by the applications of new computing and telecommunications technology. Its founders include Mitchell Kapor, a leading pioneer in computer software development who founded the Lotus Development Corporation and developed the Lotus 1-2-3 Spreadsheet software. ^6 ============================================== TEXT OF THE COMMENT OF THE SOCIETY FOR ELECTRONIC ACCESS (~18) Before the UNITED STATES SENTENCING COMMISSION One Columbus Circle, N.E., Suite 2-500 Washington DC 20002-8002 Attention: Public Information In the Matter of Proposed Amendment of the Sentencing Guidelines for the United States, Section 2F2.1, Applicable to Violations of the Computer Fraud and Abuse Act TO: The Commission COMMENTS OF THE SOCIETY FOR ELECTRONIC ACCESS The Society for Electronic Access ("SEA") submits these comments in the above-captioned proceeding, which concerns the proposed amendments to the United States Sentencing Guidelines ("U.S.S.G.") concerning Computer Fraud and Abuse [57 Fed. Reg. 62832 (1992) (to be codified at U.S.S.G sec. 2F2.1) (proposed Dec. 31, 1992)]. We strongly urge you not to adopt these amendments because the penalties specified therein are unduly harsh, overly broad, and vague. (~19) These amendments violate due process by providing harsher penalties for activities more properly related to computing than to crime. For example, proposed U.S.S.G. sec. 2F2.1.b.1 states: "If the defendant altered information, increase by 2 levels" where alteration is defined in Commentary #9 as including: "...all changes to data, whether the defendant added, deleted, amended or destroyed any or all of it." It is almost impossible to use a computer without performing one or more of these functions. Merely logging on to another computer fits this definition of alteration because this changes the information kept in its system logs, even if the user never requested that a specific file or record be accessed. Furthermore, the effect of these data alterations may not be directly related to severity of a crime: if a voyeur looks at protected files and leaves a note telling that he or she was there, that is very different from a vandal's deletion of a credit file. Yet, under these amendments both situations are treated as activities of equal seriousness. It is absurd to think that the alteration itself, absent other factors, requires an increase in the severity of the minimum sentence, or that all alterations affect criminality equally. (~20) These amendments violate due process by including overly broad standards for determining the severity of a crime. For example, proposed U.S.S.G. sec. 2F2.1.b.5 states: "If an offense was committed for the purpose of malicious destruction or damage, increase by 4 levels." where malicious destruction or damage, as defined in Commentary #11: ". . . includes injury to business and personal reputations." The effect of so broad a category of activity being contained in a single sentencing adjustment would be to group the trivial with the heinous, and punish them equally. Breaking into a person's computer account and publicly posting information which disrupts his or her ability to conduct business is very different matter from copying and publicly posting materials from that person's account that simply make the person look foolish, yet the amendment groups these actions together as offenses of equal seriousness. Furthermore, this language allows for the punishment of speech without requiring a determination that the speech does not enjoy the protection of the First Amendment. The Supreme Court has always erected extremely stringent standards for the kinds of speech that can be found unprotected by the First Amendment, and these amendments to the Sentencing Guidelines err by allowing speech to be punished if it is found to damage someone's "personal reputation" under less stringent standards of proof, which would be introduced at the sentencing, rather than at the trial itself. (~21) These amendments violate due process by mandating overly harsh punishments. To use an example derived from the recent past (see Salinger v. Random House, 811 F.2d 90 (2d Cir.), cert. denied, 484 U.S. 890 (1987)), if a defendant (willfully and for the purposes of commercial advantage or private financial gain) wrote something for publication which included sections of J.D. Salinger's private correspondence, the defendant could be convicted of criminal copyright infringement, and fined. See 17 U.S.C. sec. 506 and 18 U.S.C. sec. 2319. It stretches the imagination, however, to suggest that if the defendant had either obtained or distributed these materials electronically, no matter how limited the scope of the distribution, this copyright infringement would be transformed into a crime so severe that the defendant would, as a first time offender, face a sentence of fifteen to twenty-one (15-21) months in prison. Proposed U.S.S.G. sec. 2F2.1.b.2 states: "...if the defendant disclosed protected information to the public by means of a general distribution system, increase by six levels." where the definition of "general distribution system" as defined in Commentary #10 includes: "...electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means." These amendments suggest that crimes for which the trial judge has heretofore had the latitude to impose probationary sentences or fines or both must now receive minimum sentences harsher than those mandated by the Federal Sentencing Guidelines for assault where the use of a dangerous weapon was threatened [U.S.S.G. sec. 2A2.3.a.1], sexual abuse of a ward [U.S.S.G. sec. 2A3.3.9.a] or trespassing on government property with a firearm [U.S.S.G. sec. 2B2.3.B.1 - .2]. Of all the potential violations of due process contained in these amendments, this potential for mandating unduly harsh sentences is the most shocking and the most clear. (~22) In President Clinton's statement, "Technology for America's Economic Growth: A New Direction to Build Economic Strength" he says "Government telecommunication and information policy has not kept pace with new developments in telecommunications and computer technology. As a result, government regulations have tended to inhibit competition and delay deployment of new technology." These amendments are part of that problem. By simultaneously rendering the Guidelines both harsher and more vague, these amendments would create a chilling effect on perfectly legal uses of computers by private citizens, by creating an environment in which the potential criminality of an action would be impossible to ascertain in advance. Therefore, the SEA strongly urges you not to adopt the amendments to United States Sentencing Guidelines proposed at 57 Fed. Reg. 62832. Respectfully submitted, Society for Electronic Access c/o Steven E. Barber 595 West End Avenue, Apt. 9D New York, New York 10024 (212) 787-8421 Simona Nass, President Alexis Rosen, Vice-President Daniel Lieberman, Treasurer Steven E. Barber, Secretary Board of Directors: Stacy Horn, Chair Joseph King John McMullen Simona Nass E. Lance Rose Alexis Rosen Paul Wallich Date: March 15, 1993