Date:         Sat, 30 Jan 1993 15:12:11 EST
From:         Dave Banisar <[email protected]>
Subject: 3--Revised Computer Crime Sent

            Revised Computer Crime Sentencing Guidelines

From Jack King ([email protected])

The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
promulgate a new federal sentencing guideline, Sec. 2F2.1,
specifically addressing the Computer Fraud and Abuse Act of 1988 (18
USC 1030), with a base offense level of 6 and enhancements of 4 to 6
levels for violations of specific provisions of the statute.

The new guideline practically guarantees some period of confinement,
even for first offenders who plead guilty.

For example, the guideline would provide that if the defendant
obtained ``protected'' information (defined as ``private information,
non-public government information, or proprietary commercial
information''), the offense level would be increased by two; if the
defendant disclosed protected information to any person, the offense
level would be increased by four levels, and if the defendant
distributed the information by means of ``a general distribution
system,'' the offense level would go up six levels.

The proposed commentary explains that a ``general distribution
system'' includes ``electronic bulletin board and voice mail systems,
newsletters and other publications, and any other form of group
dissemination, by any means.''

So, in effect, a person who obtains information from the computer of
another, and gives that information to another gets a base offense
level of 10; if he used a 'zine or BBS to disseminate it, he would get
a base offense level of 12. The federal guidelines prescribe 6-12
months in jail for a first offender with an offense level of 10, and
10-16 months for same with an offense level of 12.  Pleading guilty
can get the base offense level down by two levels; probation would
then be an option for the first offender with an offense level of 10
(reduced to 8).  But remember:  there is no more federal parole.  The
time a defendant gets is the time s/he serves (minus a couple days a
month "good time").

If, however, the offense caused an economic loss, the offense level
would be increased according to the general fraud table (Sec. 2F1.1).
The proposed commentary explains that computer offenses often cause
intangible harms, such as invading individual privacy rights or
impairing computer operations, that are not readily translatable into
the property values of the general fraud table. The proposed
commentary also suggests that if the
defendant has a prior conviction for ``similar misconduct that is not
adequately reflected in the criminal history score, an upward
departure may be warranted.'' An upward departure may also be
warranted, DOJ suggests, if ``the defendant's conduct has affected or
was likely to affect public service or confidence'' in ``public
interests'' such as common carriers, utilities, and institutions.
Based on the way U.S. Attorneys and their computer experts have
guesstimated economic "losses" in a few prior cases, a convicted
tamperer can get whacked with a couple of years in the slammer, a
whopping fine, full "restitution" and one to two years of supervised
release (which is like going to a parole officer). (Actually, it *is*
going to a parole officer, because although there is no more federal
parole, they didn't get rid of all those parole officers. They have
them supervise convicts' return to society.)

This, and other proposed sentencing guidelines, can be found at 57 Fed
Reg 62832-62857 (Dec. 31, 1992).

The U.S. Sentencing Commission wants to hear from YOU.  Write:  U.S.
Sentencing Commission, One Columbus Circle, N.E., Suite 2-500,
Washington DC 20002-8002, Attention: Public Information.  Comments
must be received by March 15, 1993.

                                 * * *

Actual text of relevant amendments:

                   UNITED STATES SENTENCING COMMISSION
                 AGENCY: United States Sentencing Commission.
                              57  FR  62832

                              December 31, 1992

  Sentencing Guidelines for United States Courts

ACTION: Notice of proposed amendments to sentencing guidelines,
policy statements, and commentary. Request for public comment.
Notice of hearing.

SUMMARY: The Commission is considering promulgating certain
amendments to the sentencing guidelines, policy statements, and
commentary. The proposed amendments and a synopsis of issues to be
addressed are set forth below. The Commission may report amendments
to the Congress on or before May 1, 1993. Comment is sought on all
proposals, alternative proposals, and any other aspect of the
sentencing guidelines, policy statements, and commentary.

DATES: The Commission has scheduled a public hearing on these
proposed amendments for March 22, 1993, at 9:30 a.m. at the
Ceremonial Courtroom, United States Courthouse, 3d and Constitution
Avenue, NW., Washington, DC 20001.

  Anyone wishing to testify at this public hearing should notify
Michael Courlander, Public Information Specialist, at (202) 273-4590
by March 1, 1993.

  Public comment, as well as written testimony for the hearing,
should be received by the Commission no later than March 15, 1993,
in order to be considered by the Commission in the promulgation of
amendments due to the Congress by May 1, 1993.

ADDRESSES: Public comment should be sent to: United States
Sentencing Commission, One Columbus Circle, NE., suite 2-500, South
Lobby, Washington, DC 20002-8002, Attention: Public Information.

FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public
Information Specialist, Telephone: (202) 273-4590.

* * *

  59. Synopsis of Amendment: This amendment creates a new guideline
applicable to violations of the Computer Fraud and Abuse Act of 1988
(18 U.S.C. 1030). Violations of this statute are currently subject
to the fraud guidelines at S. 2F1.1, which rely heavily on the
dollar amount of loss caused to the victim. Computer offenses,
however, commonly protect against harms that cannot be adequately
quantified by examining dollar losses. Illegal access to consumer
credit reports, for example, which may have little monetary value,
nevertheless can represent a serious intrusion into privacy
interests. Illegal intrusions in the computers which control
telephone systems may disrupt normal telephone service and present
hazards to emergency systems, neither of which are readily
quantifiable. This amendment proposes a new Section 2F2.1, which
provides sentencing guidelines particularly designed for this unique
and rapidly developing area of the law.

  Proposed Amendment: Part F is amended by inserting the following
section, numbered S.  2F2.1, and captioned "Computer Fraud and
Abuse," immediately following Section 2F1.2:


"S.  2F2.1. Computer Fraud and Abuse

  (a) Base Offense Level: 6

  (b) Specific Offense Characteristics

  (1) Reliability of data. If the defendant altered information,
increase by 2 levels; if the defendant altered protected
information, or public records filed or maintained under law or
regulation, increase by 6 levels.

  (2) Confidentiality of data. If the defendant obtained protected
information, increase by 2 levels; if the defendant disclosed
protected information to any person, increase by 4 levels; if the
defendant disclosed protected information to the public by means of
a general distribution system, increase by 6 levels.

  Provided that the cumulative adjustments from (1) and (2), shall
not exceed 8.

  (3) If the offense caused or was likely to cause

  (A) interference with the administration of justice (civil or
criminal) or harm to any person's health or safety, or

  (B) interference with any facility (public or private) or
communications network that serves the public health or safety,
increase by 6 levels.

  (4) If the offense caused economic loss, increase the offense
level according to the tables in S.  2F1.1 (Fraud and Deceit). In
using those tables, include the following:

  (A) Costs of system recovery, and

  (B) Consequential losses from trafficking in passwords.

  (5) If an offense was committed for the purpose of malicious
destruction or damage, increase by 4 levels.

  (c) Cross References

  (1) If the offense is also covered by another offense guideline
section, apply that offense guideline section if the resulting level
is greater. Other guidelines that may cover the same conduct
include, for example: for 18 U.S.C. 1030(a)(1), S.  2M3.2 (Gathering
National Defense Information); for 18 U.S.C. 1030(a)(3), S.  2B1.1
(Larceny, Embezzlement, and Other Forms of Theft), S.  2B1.2
(Receiving, Transporting, Transferring, Transmitting, or Possessing
Stolen Property), and S.  2H3.1 (Interception of Communications or
Eavesdropping); for 18 U.S.C. 1030(a)(4), S.  2F1.1 (Fraud and
Deceit), and S.  2B1.1 (Larceny, Embezzlement, and Other Forms of
Theft); for 18 U.S.C. S.  1030(a)(5), S.  2H2.1 (Obstructing an
Election or Registration), S.  2J1.2 (Obstruction of Justice), and
S.  2B3.2 (Extortion); and for 18 U.S.C. S.  1030(a)(6), S.  2F1.1
(Fraud and Deceit) and S.  2B1.1 (Larceny, Embezzlement, and Other
Forms of Theft).


Commentary

  Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)

  Application Notes:

  1. This guideline is necessary because computer offenses often
harm intangible values, such as privacy rights or the unimpaired
operation of networks, more than the kinds of property values which
the general fraud table measures. See S.  2F1.1, Note 10. If the
defendant was previously convicted of similar misconduct that is not
adequately reflected in the criminal history score, an upward
departure may be warranted.

  2. The harms expressed in paragraph (b)(1) pertain to the
reliability and integrity of data; those in (b)(2) concern the
confidentiality and privacy of data. Although some crimes will cause
both harms, it is possible to cause either one alone. Clearly a
defendant can obtain or distribute protected information without
altering it. And by launching a virus, a defendant may alter or
destroy data without ever obtaining it. For this reason, the harms
are listed separately and are meant to be cumulative.

  3. The terms "information," "records," and "data" are
interchangeable.

  4. The term "protected information" means private information,
non-public government information, or proprietary commercial
information.

  5. The term "private information" means confidential information
(including medical, financial, educational, employment, legal, and
tax information) maintained under law, regulation, or other duty
(whether held by public agencies or privately) regarding the history
or status of any person, business, corporation, or other
organization.

  6. The term "non-public government information" means
unclassified information which was maintained by any government
agency, contractor or agent; which had not been released to the
public; and which was related to military operations or readiness,
foreign relations or intelligence, or law enforcement investigations
or operations.

  7. The term "proprietary commercial information" means non-public
business information, including information which is sensitive,
confidential, restricted, trade secret, or otherwise not meant for
public distribution. If the proprietary information has an
ascertainable value, apply paragraph (b) (4) to the economic loss
rather than (b) (1) and (2), if the resulting offense level is
greater.

  8. Public records protected under paragraph (b) (1) must be filed
or maintained under a law or regulation of the federal government, a
state or territory, or any of their political subdivisions.

  9. The term "altered" covers all changes to data, whether the
defendant added, deleted, amended, or destroyed any or all of it.

  10. A "general distribution system" includes electronic bulletin
board and voice mail systems, newsletters and other publications,
and any other form of group dissemination, by any means.

  11. The term "malicious destruction or damage" includes injury to
business and personal reputations.

  12. Costs of system recovery: Include the costs accrued by the
victim in identifying and tracking the defendant, ascertaining the
damage, and restoring the system or data to its original condition.
In computing these costs, include material and personnel costs, as
well as losses incurred from interruptions of service. If several
people obtained unauthorized access to any system during the same
period, each defendant is responsible for the full amount of
recovery or repair loss, minus any costs which are clearly
attributable only to acts of other individuals.

  13. Consequential losses from trafficking in passwords: A
defendant who trafficked in passwords by using or maintaining a
general distribution system is responsible for all economic losses
that resulted from the use of the password after the date of his or
her first general distribution, minus any specific amounts which are
clearly attributable only to acts of other individuals. The term
"passwords" includes any form of personalized access identification,
such as user codes or names.

  14. If the defendant's acts harmed public interests not
adequately reflected in these guidelines, an upward departure may be
warranted. Examples include interference with common carriers,
utilities, and institutions (such as educational, governmental, or
financial institutions), whenever the defendant's conduct has
affected or was likely to affect public service or confidence".
