Revised Computer Crime Sentencing Guidelines  
From Jack King (gjk@well.sf.ca.us)  

The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically
addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a
base offense level of 6 and enhancements of 4 to 6 levels for violations of
specific provisions of the statute.  The new guideline practically
guarantees some period of confinement, even for first offenders who plead
guilty.

For example, the guideline would provide that if the defendant obtained
``protected'' information (defined as ``private information, non-public
government information, or proprietary commercial information), the offense
level would be increased by two; if the defendant disclosed protected
information to any person, the offense level would be increased by four
levels, and if the defendant distributed the information by means of ``a
general distribution system,'' the offense level would go up six levels.

The proposed commentary explains that a ``general distribution system''
includes ``electronic bulletin board and voice mail systems, newsletters
and other publications, and any other form of group dissemination, by any
means.''
  
So, in effect, a person who obtains information from the computer of
another, and gives that information to another gets a base offense level of
10; if he used a 'zine or BBS to disseminate it, he would get a base
offense level of 12. The federal guidelines prescribe 6-12 months in jail
for a first offender with an offense level of 10, and 10-16 months for same
with an offense level of 12.  Pleading guilty can get the base offense
level down by two levels; probation would then be an option for the first
offender with an offense level of 10 (reduced to 8).  But remember: there
is no more federal parole.  The time a defendant gets is the time s/he
serves (minus a couple days a month "good time").

If, however, the offense caused an economic loss, the offense level would
be increased according to the general fraud table (Sec. 2F1.1).  The
proposed commentary explains that computer offenses often cause intangible
harms, such as individual privacy rights or by impairing computer
operations, property values not readily translatable to the general fraud
table. The proposed commentary also suggests that if the defendant has a
prior conviction for ``similar misconduct that is not adequately reflected
in the criminal history score, an upward departure may be warranted.'' An
upward departure may also be warranted, DOJ suggests, if ``the defendant's
conduct has affected or was likely to affect public service or confidence''
in ``public interests'' such as common carriers, utilities, and
institutions.  Based on the way U.S. Attorneys and their computer experts
have guesstimated economic "losses" in a few prior cases, a convicted
tamperer can get whacked with a couple of years in the slammer, a whopping
fine, full "restitution" and one to two years of supervised release (which
is like going to a parole officer). (Actually, it *is* going to a parole
officer, because although there is no more federal parole, they didn't get
rid of all those parole officers. They have them supervise convicts' return
to society.)

This, and other proposed sentencing guidelines, can be found at 57 Fed Reg
62832-62857 (Dec. 31, 1992).

The U.S. Sentencing Commission wants to hear from YOU.  Write: U.S.
Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington
DC 20002-8002, Attention: Public Information.  Comments must be received by
March 15, 1993.

                                   * * *  

Actual text of relevant amendments:

                     UNITED STATES SENTENCING COMMISSION  
                 AGENCY: United States Sentencing Commission.
                               57  FR  62832 

                              December 31, 1992 

    Sentencing Guidelines for United States Courts 

 ACTION: Notice of proposed amendments to sentencing guidelines, policy 
statements, and commentary. Request for public comment.
Notice of hearing.

SUMMARY: The Commission is considering promulgating certain amendments 
to the sentencing guidelines, policy statements, and commentary. The 
proposed amendments and a synopsis of issues to be addressed are set 
forth below. The Commission may report amendments to the Congress on or 
before May 1, 1993. Comment is sought on all proposals, alternative 
proposals, and any other aspect of the sentencing guidelines, policy 
statements, and commentary.

DATES: The Commission has scheduled a public hearing on these proposed 
amendments for March 22, 1993, at 9:30 a.m. at the Ceremonial Courtroom, 
United States Courthouse, 3d and Constitution Avenue, NW., Washington, 
DC 20001.

   Anyone wishing to testify at this public hearing should notify 
Michael Courlander, Public Information Specialist, at (202) 273-4590 by 
March 1, 1993.

   Public comment, as well as written testimony for the hearing, should 
be received by the Commission no later than March 15, 1993, in order to 
be considered by the Commission in the promulgation of amendments due to 
the Congress by May 1, 1993.

ADDRESSES: Public comment should be sent to: United States Sentencing 
Commission, One Columbus Circle, NE., suite 2-500, South Lobby, 
Washington, DC 20002-8002, Attention: Public Information.

FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public Information 
Specialist, Telephone: (202) 273-4590.

 
* * * 

       59. Synopsis of Amendment: This amendment creates a new guideline 
applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 
U.S.C. 1030). Violations of this statute are currently subject to the 
fraud guidelines at S. 2F1.1, which rely heavily on the dollar amount of 
loss caused to the victim. Computer offenses, however, commonly protect 
against harms that cannot be adequately quantified by examining dollar 
losses. Illegal access to consumer credit reports, for example, which 
may have little monetary value, nevertheless can represent a serious 
intrusion into privacy interests. Illegal intrusions in the computers 
which control telephone systems may disrupt normal telephone service and 
present hazards to emergency systems, neither of which are readily 
quantifiable. This amendment proposes a new Section 2F2.1, which 
provides sentencing guidelines particularly designed for this unique and 
rapidly developing area of the law.

   Proposed Amendment: Part F is amended by inserting the following 
section, numbered S.  2F2.1, and captioned "Computer Fraud and Abuse," 
immediately following Section 2F1.2:   


"S.  2F2.1. Computer Fraud and Abuse     

   (a) Base Offense Level: 6  

   (b) Specific Offense Characteristics   

   (1) Reliability of data. If the defendant altered information, 
increase by 2 levels; if the defendant altered protected information, or 
public records filed or maintained under law or regulation, increase by 
6 levels.

   (2) Confidentiality of data. If the defendant obtained protected 
information, increase by 2 levels; if the defendant disclosed protected 
information to any person, increase by 4 levels; if the defendant 
disclosed protected information to the public by means of a general 
distribution system, increase by 6 levels.

   Provided that the cumulative adjustments from (1) and (2), shall not 
exceed 8.

   (3) If the offense caused or was likely to cause  

   (A) interference with the administration of justice (civil or 
criminal) or harm to any person's health or safety, or  

   (B) interference with any facility (public or private) or 
communications network that serves the public health or safety, increase 
by 6 levels.

   (4) If the offense caused economic loss, increase the offense level 
according to the tables in S.  2F1.1 (Fraud and Deceit). In using those 
tables, include the following:  

   (A) Costs of system recovery, and  

   (B) Consequential losses from trafficking in passwords.

   (5) If an offense was committed for the purpose of malicious 
destruction or damage, increase by 4 levels.

   (c) Cross References  

   (1) If the offense is also covered by another offense guideline 
section, apply that offense guideline section if the resulting level is 
greater. Other guidelines that may cover the same conduct include, for 
example: for 18 U.S.C. 1030(a)(1), S.  2M3.2 (Gathering National Defense 
Information); for 18 U.S.C. 1030(a)(3), S.  2B1.1 (Larceny, 
Embezzlement, and Other Forms of Theft), S.  2B1.2 (Receiving, 
Transporting, Transferring, Transmitting, or Possessing Stolen  
Property), and S.  2H3.1 (Interception of Communications or 
Eavesdropping); for 18 U.S.C. 1030(a)(4), S.  2F1.1 (Fraud and Deceit), 
and S.  2B1.1 (Larceny, Embezzlement, and Other Forms of Theft); for 18 
U.S.C. S.  1030(a)(5), S.  2H2.1 (Obstructing an Election or 
Registration), S.  2J1.2 (Obstruction of Justice), and S.  2B3.2 
(Extortion); and for 18 U.S.C. S.  1030(a)(6), S.  2F1.1 (Fraud and 
Deceit) and S.  2B1.1 (Larceny, Embezzlement, and Other Forms of Theft).

 Commentary  

   Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)  

   Application Notes:  

   1. This guideline is necessary because computer offenses often harm 
intangible values, such as privacy rights or the unimpaired operation of 
networks, more than the kinds of property values which the general fraud 
table measures. See S.  2F1.1, Note 10. If the defendant was previously 
convicted of similar misconduct that is not adequately reflected in the 
criminal history score, an upward departure may be warranted.

   2. The harms expressed in paragraph (b)(1) pertain to the reliability 
and integrity of data; those in (b)(2) concern the confidentiality and 
privacy of data. Although some crimes will cause both harms, it is 
possible to cause either one alone. Clearly a defendant can obtain or 
distribute protected information without altering it. And by launching a 
virus, a defendant may alter or destroy data without ever obtaining it. 
For this reason, the harms are listed separately and are meant to be 
cumulative.

   3. The terms "information," "records," and "data" are 
interchangeable.

   4. The term "protected information" means private information, non-
public government information, or proprietary commercial information.

   5. The term "private information" means confidential information 
(including medical, financial, educational, employment, legal, and tax 
information) maintained under law, regulation, or other duty (whether 
held by public agencies or privately) regarding the history or status of 
any person, business, corporation, or other organization.

   6. The term "non-public government information" means unclassified 
information which was maintained by any government agency, contractor or 
agent; which had not been released to the public; and which was related 
to military operations or readiness, foreign relations or intelligence, 
or law enforcement investigations or operations.

   7. The term "proprietary commercial information" means non-public 
business information, including information which is sensitive, 
confidential, restricted, trade secret, or otherwise not meant for 
public distribution. If the proprietary information has an ascertainable 
value, apply paragraph (b) (4) to the economic loss rather than (b) (1) 
and (2), if the resulting offense level is greater.

   8. Public records protected under paragraph (b) (1) must be filed or 
maintained under a law or regulation of the federal government, a state 
or territory, or any of their political subdivisions.

   9. The term "altered" covers all changes to data, whether the 
defendant added, deleted, amended, or destroyed any or all of it.

   10. A "general distribution system" includes electronic bulletin 
board and voice mail systems, newsletters and other publications, and 
any other form of group dissemination, by any means.

   11. The term "malicious destruction or damage" includes injury to 
business and personal reputations.

   12. Costs of system recovery: Include the costs accrued by the victim 
in identifying and tracking the defendant, ascertaining the damage, and 
restoring the system or data to its original condition.
In computing these costs, include material and personnel costs, as well 
as losses incurred from interruptions of service. If several people 
obtained unauthorized access to any system during the same period, each 
defendant is responsible for the full amount of recovery or repair loss, 
minus any costs which are clearly attributable only to acts of other 
individuals.

   13. Consequential losses from trafficking in passwords: A defendant 
who trafficked in passwords by using or maintaining a general 
distribution system is responsible for all economic losses that resulted 
from the use of the password after the date of his or her first general 
distribution, minus any specific amounts which are clearly attributable 
only to acts of other individuals. The term "passwords" includes any 
form of personalized access identification, such as user codes or names.

   14. If the defendant's acts harmed public interests not adequately 
reflected in these guidelines, an upward departure may be warranted. 
Examples include interference with common carriers, utilities, and 
institutions (such as educational, governmental, or financial 
institutions), whenever the defendant's conduct has affected or was 
likely to affect public service or confidence".

 * * *