Subject: RISKS DIGEST 14.32
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 5 February 1993  Volume 14 : Issue 32

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Programmer Licensing (Paul Robinson)
**** pointer-> Injured using Computer Pointing Device? (Pete W. Johnson)
Suggestions for a hi-tech crime-investigators' seminar ?? (Jim Warren)
Revised Computer Crime Sentencing Guidelines (Dave Banisar)

  The RISKS Forum is a moderated digest discussing risks; comp.risks is its
  undigested Usenet counterpart.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive
  "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
  The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
  especially .UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
  Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits).  Vol i
  summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
  For information regarding delivery of RISKS by FAX, phone 310-455-9300
  (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues of
  ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 4 Feb 93 03:45 GMT
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
To: Al Underwood
Subject: [TDR] Programmer Licensing

Al Underwood asked about the possibility of Government Computer Professional Certification, otherwise known as Programmer Licensing.

A famous philosopher referred to it as "Guild Socialism," i.e. that in exchange for their group providing some needed service, their group must be the only one allowed to perform it. Doctors, Lawyers, Electricians, Plumbers and others got their practices set up so that any involvement in them by persons who are not licensed by their guild becomes a criminal offense. That some of these activities may be hazardous when performed by persons not trained in the particular practice in question may be the reasoning behind the requirements, but in every case, the actual practice of licensing is used to protect those in that particular guild from competition. Doctors keep out people from foreign countries. Lawyers use it to keep people from dispensing information about minor matters such as bankruptcy, or use it as a club to threaten people, and so on.

I remember that New Jersey was planning to do this a couple of years ago. I made a big stink on any forum I could find in the computer world (I did not know of many Internet lists at that time, so I could only complain on one or two) and sent out messages on the BBS networks I could get access to, in order to warn people about this.

When certification is done at the mandatory level, i.e. you must have a license to practice the certified occupation or you can be charged with a criminal act, it gives to private parties the power of the State to decide what is or is not satisfactory performance. It can be prostituted in all sorts of ways depending on the political agenda of the people who are involved.

1. License fees could be anything from $10 to $2000 a year depending on what the board wants to set the fees at. If you can't afford the fee, that's too bad, you're out of the business.

2. License boards generally grandfather the law: anyone who claims to be working in that particular field at the time the law is in effect is granted an automatic license. Therefore the license rule serves to do just one thing: raise money for the licensing board and begin to weed out those who either weren't around when the licensing started or could not afford the fees. This can also be used as a hidden tax, by, for example, budgeting $100,000 for the license bureau, while setting the tax to take in $1.1 or $2.1 million, thus using the law to raise an extra 2 mil for revenue-hungry state legislatures.

3. The license boards conceivably can decide what is or isn't valid practice in a particular occupation. A Programmer Licensing Board, or "Software Engineers Quality Control Board" or whatever it is called, can decide, for example, that the use of the "GOTO" is no longer permitted, or the COBOL ALTER, or some other language construct, and make use of the proscribed method grounds for someone to lose their license.

4. One state can set standards such that its requirements become effective beyond its borders. It's noted there is a man who is a lawyer in California who has to come back into DC to defend his license to practice over an issue that allegedly was settled, because if the DC Bar revokes his license all the other states will.

5. If someone writes opinions which are unflattering to a License Board or takes an unpopular stance on an issue, the License Control Board can, using item 3 above, take someone's license away by changing the standard in a way that the person cannot meet, so that he loses his license. For a fictional example of how this could be prostituted into requiring almost everyone in a particular guild to become an indentured servant of a particular company, read the short story "Magic, Inc." by Robert A. Heinlein. It's usually in a combined volume, "Waldo, and Magic, Inc.," where two related short stories are combined.

6. A computer program is the creation of the mind of an individual, and as such is "a figment of the imagination" since a computer program has no physical apportation other than as bits on disk, which are no different from any other bits. As such, a computer program is a form of writing. I question whether a law requiring someone to have a license in order to write something would stand challenge in the United States on 1st Amendment grounds of prior restraint. I do not know if someone has ever tried to license reporters in order to show that they know how to write and spell and use English correctly; whether such would withstand court scrutiny is an interesting question. But a law that allowed a reporter to lose his license if a government agency decided he is not qualified would be so offensive to the first amendment that a court wouldn't even consider arguments over the intended "improvement" of the reporters' guild such a law would attain. Requiring reporters to know their subject matter in order to write about it would certainly make them better writers. It also would certainly be unconstitutional.

7. There is generally a shortage of talented computer people. A law requiring licensing of programmers (or 'software engineers' or whatever it is) would not fix the problem and would only exacerbate it, and might make things worse: since everyone currently working can be grandfathered, some places might have to hire incompetents because the supply of quality people has dried up.

8. Some companies have gone to training their own people in order to make up for a famine of supply. If the laws require that you can only enter the field after a four-year degree from an accredited university, there goes the space for opening-level people and the chance for a company to 'grow their own.'

9. Cutting people's appendixes for free is still 'practicing medicine'. Fighting a traffic ticket (where traffic offenses are still crimes) is still 'practicing law'. Doing these things for someone else, even if for free, is still performing a licensed occupation, which is a crime. What does this do to the shareware world of people who write programs on spec for others to try and use and pay for if they like them?

10. A few years ago the Food and Drug Administration busted into a warehouse and seized thousands of gallons of contraband orange juice. Because it was unfit for human consumption? Because it was contaminated? Because there was a danger to the public? Because the agency didn't like the label on it and wanted that particular processor - Procter and Gamble - to comply with a standard that it was not requiring of 300 other orange juice processors. When P&G said that if the EPA would evenly enforce the law on everyone they would go along, the EPA decided to seize the packages. What this has to do with the licensing of software people is slightly related to #9. If someone is writing software for a company and doesn't have a license, can the software be seized? If the person has a license where the program is made but not in other states? (You can't practice medicine or law or engineering in states where you are not licensed.) If the program is transported from a state not requiring a license to create software to one where one is, can the product be seized for noncompliance? The product was produced by an unlicensed person in a state where licensing is required. In some states if you order a stock not registered in that state and then decide to change your mind and not buy it, the broker cannot force you to pay for it because of mandatory registration of stock issues. Could not the same thing be done for computer programs or the creators of same?

These and perhaps other points come up in the licensing of software professionals; the dangers to the people who make this stuff, and perhaps dangers to the public.
I have heard that the reason it was killed was because (1) the software industry didn't want it; (2) Bell Labs, in New Jersey, was upset when the estimated license fees for all of the people who worked there would cost the company more than $1,000,000. Apparently some legislator in New Jersey proposed this law without asking anyone, either in the industry or among its customers, whether anyone even wanted it.

Paul Robinson -- TDARCOS@MCIMAIL.COM

   [Also, see RISKS-13.13 and 15, CACM Inside RISKS Feb 91]

------------------------------

Date: 2 Feb 1993 04:03:04 GMT
From: petej@garnet.berkeley.edu (Pete W. Johnson)
Subject: **** pointer-> Injured using Computer Pointing Device?: READ THIS ****

This is a pointer to a basenote and discussion pertaining to computer pointing device injuries (mouse, trackballs, puck, stylus, etc.) in sci.med.occupational. For convenience I have included a copy of the basenote below. To follow net etiquette, please direct all responses to the basenote below in sci.med.occupational notesgroup ONLY.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(Copy of Basenote)

This note (which is being posted monthly) is for anyone that has been injured using a computer pointing device (mouse, trackball, puck, tablet, etc.). I have been assisting computer operators who have been injured using pointing devices for the past 4 years. I am now presently doing research at the University of California's (San Francisco and Berkeley's) Ergonomics Lab on the design of computer pointing devices with the goal of reducing injuries associated with their use. In order to do this, I need to collect information on pointing device design characteristics (button design, button force, device size, device shape, etc.) that are important in minimizing and/or reducing the physical stresses operators are subjected to.
Some of this information will be collected through my laboratory research, but a major and important source of information has to come from operators like yourself. I need to collect all the information I can from computer operators that have been injured as a result of pointing device use. In order to do this, I need your help. If you have been injured using a pointing device, I would appreciate it if you would send me a note with information pertaining to your injury. I would like the information e-mailed directly to me (petej@garnet.berkeley.edu). The format I would like the information sent to me is as follows, fill in as much as you can:

 1) NAME: (optional)
 2) COMPANY: (optional)
 3) PHONE #: (optional)
 4) NUMBER OF HOURS SPENT IN FRONT OF THE COMPUTER PER DAY:
 5) PERCENTAGE OF TIME SPENT USING A POINTING DEVICE:
 6) MANUFACTURER OF COMPUTER AND MODEL NUMBER:
 7) POINTING DEVICE USED AT TIME OF INJURY: (Please be specific)
    a) MANUFACTURER
    b) MODEL OR PART NUMBER
    c) DESCRIPTION OF DEVICE
 8) PRIMARY SOFTWARE APPLICATION USED AT THE TIME OF YOUR INJURY
 9) TYPE OF INJURY
10) WHAT YOU THINK CAUSED YOUR INJURY
11) IF INJURY IS RESOLVED OR YOUR CONDITIONS HAVE IMPROVED, WHAT CHANGES WERE MADE (This is probably the most beneficial information)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My intent is to enter this information into a database in order to gather information and look for trends. Each month I will share relevant information by posting a monthly summary in sci.med.occupational similar to what has been done with keyboard information. If you are presently experiencing problems, feel free to call me (510/231-9405) and I will share with you what I know. I am also open for suggestions, please post responses to this basenote or e-mail me if you have any further suggestions or input.
If your company has internal bulletin boards, please post this note or provide a pointer telling your co-workers about this basenote in the sci.med.occupational newsgroup. I will also be posting a pointer to this basenote in comp.risks, comp.human-factors, and sci.med as well.

Finally, if you have any opinions or inputs on a particular pointing device or pointing device design in general, send me a note or call me. Our lab is assisting some of the major pointing device manufacturers with the design of their pointing devices. If you have some inputs for a particular company, I will be happy to direct them to the appropriate person.

Thanks for your help.

Peter W. Johnson

(End of Basenote)

------------------------------

Date: Thu, 4 Feb 93 14:01:53 PST
From: jwarren@autodesk.com (Jim Warren)
Subject: Suggestions for a hi-tech crime-investigators' seminar ??

I have been invited to give (or organize) a 4-hour seminar presenting civil liberties perspectives and concerns to a group of 40-60 high-tech criminal investigators on the first day of the HTCIA Northern California 3-day workshop in April (High Tech Criminal Investigators Association). They are expecting attendees from Nor Cal and from beyond. My understanding is that most of the members are sworn peace officers who are specializing in investigating high-tech crime; a minority are corporate and agency computer security officers. Most will attend the seminar (only one seminar per time-period).
I see it as an *outstanding* opportunity to (a) open [more] communication channels between in-the-trenches law enforcement officials and civlibbies, (b) learn more of their concerns and problems, (c) enhance the chances of additional similar and expanded exchanges at future law-enforcement meetings through *nonconfrontational*, well-informed, candid discourse, and (d) better inform law enforcement folks of the complexities, styles and trade-offs in "cyberspace," and their ramifications for law enforcement's legitimate and significant concerns.

[And -- heh! -- it will give "them" a chance to harangue "us" civlib types; equitable role-reversal for those cops who have entered the lion's den by attending any of the Computers, Freedom & Privacy conferences of the last several years.]

I have invited an attorney who is specializing in these issues to join me in organizing and presenting this seminar, and am in hopes that her organization will support her participation. She has been closely monitoring related legislation in Washington, DC, and has also been directly involved in a major computer-search case currently being litigated in Texas.

Query/request: I have a number of ideas for topics and perspectives to present/cover, and have several documents I plan to provide as handouts. But, I am very-much interested in receiving suggestions and/or papers/handouts that might be appropriate for presentation/distribution at a regional meeting of high tech criminal investigators [long on meat; short on emotion and opinion, please].

Please forward comments, suggestions and copies (ideally e-copies for reformatting and printing in a combined handout, including a note permitting reproduction for this purpose). [Confidentiality of sources and suggestors will be protected, upon request.]
--jim [forward or post elsewhere, as desired]

Jim Warren, 345 Swett Rd., Woodside CA 94062; 415-851-7075
jwarren@well.sf.ca.us -or- jwarren@autodesk.com
[for identification purposes only: founder and Chair, 1991 First Conference on Computers, Freedom & Privacy; a recipient, 1992 Electronic Frontier Foundation Pioneer Awards; "futures" columnist, MicroTimes; member, Autodesk Bd. of Dirs.]

------------------------------

Date: Sat, 30 Jan 1993 15:12:11 EST
From: Dave Banisar
Subject: Revised Computer Crime Sentencing Guidelines

From Jack King (gjk@well.sf.ca.us)

The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a base offense level of 6 and enhancements of 4 to 6 levels for violations of specific provisions of the statute. The new guideline practically guarantees some period of confinement, even for first offenders who plead guilty.

For example, the guideline would provide that if the defendant obtained ``protected'' information (defined as ``private information, non-public government information, or proprietary commercial information''), the offense level would be increased by two; if the defendant disclosed protected information to any person, the offense level would be increased by four levels, and if the defendant distributed the information by means of ``a general distribution system,'' the offense level would go up six levels. The proposed commentary explains that a ``general distribution system'' includes ``electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means.''

So, in effect, a person who obtains information from the computer of another, and gives that information to another gets a base offense level of 10; if he used a 'zine or BBS to disseminate it, he would get a base offense level of 12.
The federal guidelines prescribe 6-12 months in jail for a first offender with an offense level of 10, and 10-16 months for same with an offense level of 12. Pleading guilty can get the base offense level down by two levels; probation would then be an option for the first offender with an offense level of 10 (reduced to 8). But remember: there is no more federal parole. The time a defendant gets is the time s/he serves (minus a couple days a month "good time").

If, however, the offense caused an economic loss, the offense level would be increased according to the general fraud table (Sec. 2F1.1). The proposed commentary explains that computer offenses often cause intangible harms, such as harm to individual privacy rights or impairment of computer operations, which are not property values readily translatable to the general fraud table.

The proposed commentary also suggests that if the defendant has a prior conviction for ``similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted.'' An upward departure may also be warranted, DOJ suggests, if ``the defendant's conduct has affected or was likely to affect public service or confidence'' in ``public interests'' such as common carriers, utilities, and institutions.

Based on the way U.S. Attorneys and their computer experts have guesstimated economic "losses" in a few prior cases, a convicted tamperer can get whacked with a couple of years in the slammer, a whopping fine, full "restitution" and one to two years of supervised release (which is like going to a parole officer). (Actually, it *is* going to a parole officer, because although there is no more federal parole, they didn't get rid of all those parole officers. They have them supervise convicts' return to society.)

This, and other proposed sentencing guidelines, can be found at 57 Fed Reg 62832-62857 (Dec. 31, 1992). The U.S. Sentencing Commission wants to hear from YOU. Write: U.S. Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington DC 20002-8002, Attention: Public Information. Comments must be received by March 15, 1993.

* * *

Actual text of relevant amendments:

UNITED STATES SENTENCING COMMISSION

AGENCY: United States Sentencing Commission.

57 FR 62832
December 31, 1992

Sentencing Guidelines for United States Courts

ACTION: Notice of proposed amendments to sentencing guidelines, policy statements, and commentary. Request for public comment. Notice of hearing.

SUMMARY: The Commission is considering promulgating certain amendments to the sentencing guidelines, policy statements, and commentary. The proposed amendments and a synopsis of issues to be addressed are set forth below. The Commission may report amendments to the Congress on or before May 1, 1993. Comment is sought on all proposals, alternative proposals, and any other aspect of the sentencing guidelines, policy statements, and commentary.

DATES: The Commission has scheduled a public hearing on these proposed amendments for March 22, 1993, at 9:30 a.m. at the Ceremonial Courtroom, United States Courthouse, 3d and Constitution Avenue, NW., Washington, DC 20001. Anyone wishing to testify at this public hearing should notify Michael Courlander, Public Information Specialist, at (202) 273-4590 by March 1, 1993. Public comment, as well as written testimony for the hearing, should be received by the Commission no later than March 15, 1993, in order to be considered by the Commission in the promulgation of amendments due to the Congress by May 1, 1993.

ADDRESSES: Public comment should be sent to: United States Sentencing Commission, One Columbus Circle, NE., suite 2-500, South Lobby, Washington, DC 20002-8002, Attention: Public Information.

FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public Information Specialist, Telephone: (202) 273-4590.

* * *

59. Synopsis of Amendment: This amendment creates a new guideline applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030). Violations of this statute are currently subject to the fraud guidelines at S. 2F1.1, which rely heavily on the dollar amount of loss caused to the victim. Computer offenses, however, commonly protect against harms that cannot be adequately quantified by examining dollar losses. Illegal access to consumer credit reports, for example, which may have little monetary value, nevertheless can represent a serious intrusion into privacy interests. Illegal intrusions in the computers which control telephone systems may disrupt normal telephone service and present hazards to emergency systems, neither of which are readily quantifiable. This amendment proposes a new Section 2F2.1, which provides sentencing guidelines particularly designed for this unique and rapidly developing area of the law.

Proposed Amendment: Part F is amended by inserting the following section, numbered S. 2F2.1, and captioned "Computer Fraud and Abuse," immediately following Section 2F1.2:

"S. 2F2.1. Computer Fraud and Abuse

(a) Base Offense Level: 6

(b) Specific Offense Characteristics

(1) Reliability of data. If the defendant altered information, increase by 2 levels; if the defendant altered protected information, or public records filed or maintained under law or regulation, increase by 6 levels.

(2) Confidentiality of data. If the defendant obtained protected information, increase by 2 levels; if the defendant disclosed protected information to any person, increase by 4 levels; if the defendant disclosed protected information to the public by means of a general distribution system, increase by 6 levels.

Provided that the cumulative adjustments from (1) and (2) shall not exceed 8.
(3) If the offense caused or was likely to cause (A) interference with the administration of justice (civil or criminal) or harm to any person's health or safety, or (B) interference with any facility (public or private) or communications network that serves the public health or safety, increase by 6 levels.

(4) If the offense caused economic loss, increase the offense level according to the tables in S. 2F1.1 (Fraud and Deceit). In using those tables, include the following: (A) Costs of system recovery, and (B) Consequential losses from trafficking in passwords.

(5) If an offense was committed for the purpose of malicious destruction or damage, increase by 4 levels.

(c) Cross References

(1) If the offense is also covered by another offense guideline section, apply that offense guideline section if the resulting level is greater. Other guidelines that may cover the same conduct include, for example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering National Defense Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2 (Receiving, Transporting, Transferring, Transmitting, or Possessing Stolen Property), and S. 2H3.1 (Interception of Communications or Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft); for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an Election or Registration), S. 2J1.2 (Obstruction of Justice), and S. 2B3.2 (Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1 (Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft).

Commentary

Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)

Application Notes:

1. This guideline is necessary because computer offenses often harm intangible values, such as privacy rights or the unimpaired operation of networks, more than the kinds of property values which the general fraud table measures. See S. 2F1.1, Note 10.
If the defendant was previously convicted of similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted.

2. The harms expressed in paragraph (b)(1) pertain to the reliability and integrity of data; those in (b)(2) concern the confidentiality and privacy of data. Although some crimes will cause both harms, it is possible to cause either one alone. Clearly a defendant can obtain or distribute protected information without altering it. And by launching a virus, a defendant may alter or destroy data without ever obtaining it. For this reason, the harms are listed separately and are meant to be cumulative.

3. The terms "information," "records," and "data" are interchangeable.

4. The term "protected information" means private information, non-public government information, or proprietary commercial information.

5. The term "private information" means confidential information (including medical, financial, educational, employment, legal, and tax information) maintained under law, regulation, or other duty (whether held by public agencies or privately) regarding the history or status of any person, business, corporation, or other organization.

6. The term "non-public government information" means unclassified information which was maintained by any government agency, contractor or agent; which had not been released to the public; and which was related to military operations or readiness, foreign relations or intelligence, or law enforcement investigations or operations.

7. The term "proprietary commercial information" means non-public business information, including information which is sensitive, confidential, restricted, trade secret, or otherwise not meant for public distribution. If the proprietary information has an ascertainable value, apply paragraph (b)(4) to the economic loss rather than (b)(1) and (2), if the resulting offense level is greater.

8. Public records protected under paragraph (b)(1) must be filed or maintained under a law or regulation of the federal government, a state or territory, or any of their political subdivisions.

9. The term "altered" covers all changes to data, whether the defendant added, deleted, amended, or destroyed any or all of it.

10. A "general distribution system" includes electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means.

11. The term "malicious destruction or damage" includes injury to business and personal reputations.

12. Costs of system recovery: Include the costs accrued by the victim in identifying and tracking the defendant, ascertaining the damage, and restoring the system or data to its original condition. In computing these costs, include material and personnel costs, as well as losses incurred from interruptions of service. If several people obtained unauthorized access to any system during the same period, each defendant is responsible for the full amount of recovery or repair loss, minus any costs which are clearly attributable only to acts of other individuals.

13. Consequential losses from trafficking in passwords: A defendant who trafficked in passwords by using or maintaining a general distribution system is responsible for all economic losses that resulted from the use of the password after the date of his or her first general distribution, minus any specific amounts which are clearly attributable only to acts of other individuals. The term "passwords" includes any form of personalized access identification, such as user codes or names.

14. If the defendant's acts harmed public interests not adequately reflected in these guidelines, an upward departure may be warranted. Examples include interference with common carriers, utilities, and institutions (such as educational, governmental, or financial institutions), whenever the defendant's conduct has affected or was likely to affect public service or confidence".

------------------------------

End of RISKS-FORUM Digest 14.32
************************