276 lines
13 KiB
Plaintext
276 lines
13 KiB
Plaintext
Revised Computer Crime Sentencing Guidelines
|
|
From Jack King (gjk@well.sf.ca.us)
|
|
|
|
The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
|
|
promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically
|
|
addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a
|
|
base offense level of 6 and enhancements of 4 to 6 levels for violations of
|
|
specific provisions of the statute. The new guideline practically
|
|
guarantees some period of confinement, even for first offenders who plead
|
|
guilty.
|
|
|
|
For example, the guideline would provide that if the defendant obtained
|
|
``protected'' information (defined as ``private information, non-public
|
|
government information, or proprietary commercial information), the offense
|
|
level would be increased by two; if the defendant disclosed protected
|
|
information to any person, the offense level would be increased by four
|
|
levels, and if the defendant distributed the information by means of ``a
|
|
general distribution system,'' the offense level would go up six levels.
|
|
|
|
The proposed commentary explains that a ``general distribution system''
|
|
includes ``electronic bulletin board and voice mail systems, newsletters
|
|
and other publications, and any other form of group dissemination, by any
|
|
means.''
|
|
|
|
So, in effect, a person who obtains information from the computer of
|
|
another, and gives that information to another gets a base offense level of
|
|
10; if he used a 'zine or BBS to disseminate it, he would get a base
|
|
offense level of 12. The federal guidelines prescribe 6-12 months in jail
|
|
for a first offender with an offense level of 10, and 10-16 months for same
|
|
with an offense level of 12. Pleading guilty can get the base offense
|
|
level down by two levels; probation would then be an option for the first
|
|
offender with an offense level of 10 (reduced to 8). But remember: there
|
|
is no more federal parole. The time a defendant gets is the time s/he
|
|
serves (minus a couple days a month "good time").
|
|
|
|
If, however, the offense caused an economic loss, the offense level would
|
|
be increased according to the general fraud table (Sec. 2F1.1). The
|
|
proposed commentary explains that computer offenses often cause intangible
|
|
harms, such as individual privacy rights or by impairing computer
|
|
operations, property values not readily translatable to the general fraud
|
|
table. The proposed commentary also suggests that if the defendant has a
|
|
prior conviction for ``similar misconduct that is not adequately reflected
|
|
in the criminal history score, an upward departure may be warranted.'' An
|
|
upward departure may also be warranted, DOJ suggests, if ``the defendant's
|
|
conduct has affected or was likely to affect public service or confidence''
|
|
in ``public interests'' such as common carriers, utilities, and
|
|
institutions. Based on the way U.S. Attorneys and their computer experts
|
|
have guesstimated economic "losses" in a few prior cases, a convicted
|
|
tamperer can get whacked with a couple of years in the slammer, a whopping
|
|
fine, full "restitution" and one to two years of supervised release (which
|
|
is like going to a parole officer). (Actually, it *is* going to a parole
|
|
officer, because although there is no more federal parole, they didn't get
|
|
rid of all those parole officers. They have them supervise convicts' return
|
|
to society.)
|
|
|
|
This, and other proposed sentencing guidelines, can be found at 57 Fed Reg
|
|
62832-62857 (Dec. 31, 1992).
|
|
|
|
The U.S. Sentencing Commission wants to hear from YOU. Write: U.S.
|
|
Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington
|
|
DC 20002-8002, Attention: Public Information. Comments must be received by
|
|
March 15, 1993.
|
|
|
|
* * *
|
|
|
|
Actual text of relevant amendments:
|
|
|
|
UNITED STATES SENTENCING COMMISSION
|
|
AGENCY: United States Sentencing Commission.
|
|
57 FR 62832
|
|
|
|
December 31, 1992
|
|
|
|
Sentencing Guidelines for United States Courts
|
|
|
|
ACTION: Notice of proposed amendments to sentencing guidelines, policy
|
|
statements, and commentary. Request for public comment.
|
|
Notice of hearing.
|
|
|
|
SUMMARY: The Commission is considering promulgating certain amendments
|
|
to the sentencing guidelines, policy statements, and commentary. The
|
|
proposed amendments and a synopsis of issues to be addressed are set
|
|
forth below. The Commission may report amendments to the Congress on or
|
|
before May 1, 1993. Comment is sought on all proposals, alternative
|
|
proposals, and any other aspect of the sentencing guidelines, policy
|
|
statements, and commentary.
|
|
|
|
DATES: The Commission has scheduled a public hearing on these proposed
|
|
amendments for March 22, 1993, at 9:30 a.m. at the Ceremonial Courtroom,
|
|
United States Courthouse, 3d and Constitution Avenue, NW., Washington,
|
|
DC 20001.
|
|
|
|
Anyone wishing to testify at this public hearing should notify
|
|
Michael Courlander, Public Information Specialist, at (202) 273-4590 by
|
|
March 1, 1993.
|
|
|
|
Public comment, as well as written testimony for the hearing, should
|
|
be received by the Commission no later than March 15, 1993, in order to
|
|
be considered by the Commission in the promulgation of amendments due to
|
|
the Congress by May 1, 1993.
|
|
|
|
ADDRESSES: Public comment should be sent to: United States Sentencing
|
|
Commission, One Columbus Circle, NE., suite 2-500, South Lobby,
|
|
Washington, DC 20002-8002, Attention: Public Information.
|
|
|
|
FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public Information
|
|
Specialist, Telephone: (202) 273-4590.
|
|
|
|
|
|
* * *
|
|
|
|
59. Synopsis of Amendment: This amendment creates a new guideline
|
|
applicable to violations of the Computer Fraud and Abuse Act of 1988 (18
|
|
U.S.C. 1030). Violations of this statute are currently subject to the
|
|
fraud guidelines at S. 2F1.1, which rely heavily on the dollar amount of
|
|
loss caused to the victim. Computer offenses, however, commonly protect
|
|
against harms that cannot be adequately quantified by examining dollar
|
|
losses. Illegal access to consumer credit reports, for example, which
|
|
may have little monetary value, nevertheless can represent a serious
|
|
intrusion into privacy interests. Illegal intrusions in the computers
|
|
which control telephone systems may disrupt normal telephone service and
|
|
present hazards to emergency systems, neither of which are readily
|
|
quantifiable. This amendment proposes a new Section 2F2.1, which
|
|
provides sentencing guidelines particularly designed for this unique and
|
|
rapidly developing area of the law.
|
|
|
|
Proposed Amendment: Part F is amended by inserting the following
|
|
section, numbered S. 2F2.1, and captioned "Computer Fraud and Abuse,"
|
|
immediately following Section 2F1.2:
|
|
|
|
|
|
"S. 2F2.1. Computer Fraud and Abuse
|
|
|
|
(a) Base Offense Level: 6
|
|
|
|
(b) Specific Offense Characteristics
|
|
|
|
(1) Reliability of data. If the defendant altered information,
|
|
increase by 2 levels; if the defendant altered protected information, or
|
|
public records filed or maintained under law or regulation, increase by
|
|
6 levels.
|
|
|
|
(2) Confidentiality of data. If the defendant obtained protected
|
|
information, increase by 2 levels; if the defendant disclosed protected
|
|
information to any person, increase by 4 levels; if the defendant
|
|
disclosed protected information to the public by means of a general
|
|
distribution system, increase by 6 levels.
|
|
|
|
Provided that the cumulative adjustments from (1) and (2), shall not
|
|
exceed 8.
|
|
|
|
(3) If the offense caused or was likely to cause
|
|
|
|
(A) interference with the administration of justice (civil or
|
|
criminal) or harm to any person's health or safety, or
|
|
|
|
(B) interference with any facility (public or private) or
|
|
communications network that serves the public health or safety, increase
|
|
by 6 levels.
|
|
|
|
(4) If the offense caused economic loss, increase the offense level
|
|
according to the tables in S. 2F1.1 (Fraud and Deceit). In using those
|
|
tables, include the following:
|
|
|
|
(A) Costs of system recovery, and
|
|
|
|
(B) Consequential losses from trafficking in passwords.
|
|
|
|
(5) If an offense was committed for the purpose of malicious
|
|
destruction or damage, increase by 4 levels.
|
|
|
|
(c) Cross References
|
|
|
|
(1) If the offense is also covered by another offense guideline
|
|
section, apply that offense guideline section if the resulting level is
|
|
greater. Other guidelines that may cover the same conduct include, for
|
|
example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering National Defense
|
|
Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1 (Larceny,
|
|
Embezzlement, and Other Forms of Theft), S. 2B1.2 (Receiving,
|
|
Transporting, Transferring, Transmitting, or Possessing Stolen
|
|
Property), and S. 2H3.1 (Interception of Communications or
|
|
Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and Deceit),
|
|
and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft); for 18
|
|
U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an Election or
|
|
Registration), S. 2J1.2 (Obstruction of Justice), and S. 2B3.2
|
|
(Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1 (Fraud and
|
|
Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft).
|
|
|
|
Commentary
|
|
|
|
Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)
|
|
|
|
Application Notes:
|
|
|
|
1. This guideline is necessary because computer offenses often harm
|
|
intangible values, such as privacy rights or the unimpaired operation of
|
|
networks, more than the kinds of property values which the general fraud
|
|
table measures. See S. 2F1.1, Note 10. If the defendant was previously
|
|
convicted of similar misconduct that is not adequately reflected in the
|
|
criminal history score, an upward departure may be warranted.
|
|
|
|
2. The harms expressed in paragraph (b)(1) pertain to the reliability
|
|
and integrity of data; those in (b)(2) concern the confidentiality and
|
|
privacy of data. Although some crimes will cause both harms, it is
|
|
possible to cause either one alone. Clearly a defendant can obtain or
|
|
distribute protected information without altering it. And by launching a
|
|
virus, a defendant may alter or destroy data without ever obtaining it.
|
|
For this reason, the harms are listed separately and are meant to be
|
|
cumulative.
|
|
|
|
3. The terms "information," "records," and "data" are
|
|
interchangeable.
|
|
|
|
4. The term "protected information" means private information, non-
|
|
public government information, or proprietary commercial information.
|
|
|
|
5. The term "private information" means confidential information
|
|
(including medical, financial, educational, employment, legal, and tax
|
|
information) maintained under law, regulation, or other duty (whether
|
|
held by public agencies or privately) regarding the history or status of
|
|
any person, business, corporation, or other organization.
|
|
|
|
6. The term "non-public government information" means unclassified
|
|
information which was maintained by any government agency, contractor or
|
|
agent; which had not been released to the public; and which was related
|
|
to military operations or readiness, foreign relations or intelligence,
|
|
or law enforcement investigations or operations.
|
|
|
|
7. The term "proprietary commercial information" means non-public
|
|
business information, including information which is sensitive,
|
|
confidential, restricted, trade secret, or otherwise not meant for
|
|
public distribution. If the proprietary information has an ascertainable
|
|
value, apply paragraph (b) (4) to the economic loss rather than (b) (1)
|
|
and (2), if the resulting offense level is greater.
|
|
|
|
8. Public records protected under paragraph (b) (1) must be filed or
|
|
maintained under a law or regulation of the federal government, a state
|
|
or territory, or any of their political subdivisions.
|
|
|
|
9. The term "altered" covers all changes to data, whether the
|
|
defendant added, deleted, amended, or destroyed any or all of it.
|
|
|
|
10. A "general distribution system" includes electronic bulletin
|
|
board and voice mail systems, newsletters and other publications, and
|
|
any other form of group dissemination, by any means.
|
|
|
|
11. The term "malicious destruction or damage" includes injury to
|
|
business and personal reputations.
|
|
|
|
12. Costs of system recovery: Include the costs accrued by the victim
|
|
in identifying and tracking the defendant, ascertaining the damage, and
|
|
restoring the system or data to its original condition.
|
|
In computing these costs, include material and personnel costs, as well
|
|
as losses incurred from interruptions of service. If several people
|
|
obtained unauthorized access to any system during the same period, each
|
|
defendant is responsible for the full amount of recovery or repair loss,
|
|
minus any costs which are clearly attributable only to acts of other
|
|
individuals.
|
|
|
|
13. Consequential losses from trafficking in passwords: A defendant
|
|
who trafficked in passwords by using or maintaining a general
|
|
distribution system is responsible for all economic losses that resulted
|
|
from the use of the password after the date of his or her first general
|
|
distribution, minus any specific amounts which are clearly attributable
|
|
only to acts of other individuals. The term "passwords" includes any
|
|
form of personalized access identification, such as user codes or names.
|
|
|
|
14. If the defendant's acts harmed public interests not adequately
|
|
reflected in these guidelines, an upward departure may be warranted.
|
|
Examples include interference with common carriers, utilities, and
|
|
institutions (such as educational, governmental, or financial
|
|
institutions), whenever the defendant's conduct has affected or was
|
|
likely to affect public service or confidence".
|
|
|
|
* * *
|