💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CUD › cud0527.txt captured on 2022-06-12 at 10:51:02.
-=-=-=-=-=-=-
Computer underground Digest Wed Apr 14 1993 Volume 5 : Issue 27
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cooyp Editor: Etaoin Shrdlu, Senior
CONTENTS, #5.27 (Apr 14 1993)
File 1--EFF and CPSR testimony against 18 USC 1030 Sent. Revisions
File 2--CPSR Comments on 1030 Guidelines
File 3--EFF Response to Proposed Sentencing Guidelines
File 4--LEGISLATIVE DATA ONLINE -- AB1624 needs support
File 5--AB1624 MANDATES ONLINE PUBLIC ACCESS TO LEGISLATIVE RECORDS
File 6--Some comments on AB1624 re online legislative access
File 7--AB1624 UPDATE#1--Making Leg. Data available Online
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The
editors may be contacted by voice (815-753-6430), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG
WHQ) 203-832-8441 NUP:Conspiracy
CuD is also available via Fidonet File Request from 1:11/70; unlisted
nodes and points welcome.
EUROPE: from the ComNet in Luxembourg BBS (++352) 466893;
ANONYMOUS FTP SITES:
UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud
uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud
halcyon.com( 202.135.191.2) in /pub/mirror/cud
AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
EUROPE: nic.funet.fi in pub/doc/cud. (Finland)
ftp.warwick.ac.uk in pub/cud (United Kingdom)
Back issues also may be obtained through mailservers at:
mailserv@batpad.lgb.ca.us or server@blackwlf.mese.com
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Some authors do copyright their material, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: Wed, Apr 12 93 122:12:21 CST
From: Moderators <tk0jut2@mvs.cso.niu.edu>
Subject: File 1--EFF and CPSR testimony against 18 USC 1030 Sent. Revisions
On March 22, '93, the U.S. Sentencing Commission held public hearings
for input on revision in federal sentencing guidelines. CuD 5.09
reprinted the proposed revisions, and Jack King (gjk@well.sf.ca.us)
wrote the following:
The U.S. Dept. of Justice has asked the U.S. Sentencing
Commission to promulgate a new federal sentencing guideline,
Sec. 2F2.1, specifically addressing the Computer Fraud and
Abuse Act of 1988 (18 USC 1030), with a base offense level
of 6 and enhancements of 4 to 6 levels for violations of
specific provisions of the statute.
The new guideline practically guarantees some period of
confinement, even for first offenders who plead guilty.
For example, the guideline would provide that if the
defendant obtained "protected" information (defined as
"private information, non-public government information, or
proprietary commercial information), the offense level would
be increased by two; if the defendant disclosed protected
information to any person, the offense level would be
increased by four levels, and if the defendant distributed
the information by means of "a general distribution
system," the offense level would go up six levels.
The proposed commentary explains that a "general
distribution system" includes "electronic bulletin board
and voice mail systems, newsletters and other publications,
and any other form of group dissemination, by any means."
So, in effect, a person who obtains information from the
computer of another, and gives that information to another
gets a base offense level of 10; if he used a 'zine or BBS
to disseminate it, he would get a base offense level of 12.
The federal guidelines prescribe 6-12 months in jail for a
first offender with an offense level of 10, and 10-16 months
for same with an offense level of 12. Pleading guilty can
get the base offense level down by two levels; probation
would then be an option for the first offender with an
offense level of 10 (reduced to 8). But remember: there is
no more federal parole. The time a defendant gets is the
time s/he serves (minus a couple days a month "good time").
If, however, the offense caused an economic loss, the
offense level would be increased according to the general
fraud table (Sec. 2F1.1). The proposed commentary explains
that computer offenses often cause intangible harms, such as
individual privacy rights or by impairing computer
operations, property values not readily translatable to the
general fraud table. The proposed commentary also suggests
that if the defendant has a prior conviction for "similar
misconduct that is not adequately reflected in the criminal
history score, an upward departure may be warranted." An
upward departure may also be warranted, DOJ suggests, if
"the defendant's conduct has affected or was likely to
affect public service or confidence" in "public
interests" such as common carriers, utilities, and
institutions. Based on the way U.S. Attorneys and their
computer experts have guesstimated economic "losses" in a
few prior cases, a convicted tamperer can get whacked with a
couple of years in the slammer, a whopping fine, full
"restitution" and one to two years of supervised release
(which is like going to a parole officer). (Actually, it
*is* going to a parole officer, because although there is no
more federal parole, they didn't get rid of all those parole
officers. They have them supervise convicts' return to
society.)
Both the EFF and CPSR submitted objections to the proposed revisions.
Their objections follow in the next two files.
------------------------------
Date: Wed, 24 Mar 1993 23:26:20 EST
From: Dave Banisar <banisar@WASHOFC.CPSR.ORG>
Subject: File 2--CPSR Comments on 1030 Guidelines
CPSR COMMENTS ON PROPOSED CHANGES TO
COMPUTER CRIME SENTENCING GUIDELINES
March 15, 1993
Chairman William W. Wilkins, Jr.
US Sentencing Commission
One Columbus Circle, NE
Suite 2-500
South Lobby
Washington, DC 20002-8002
Dear Mr. Chairman:
We are writing to you regarding the proposed amendments to sentencing
guidelines, policy statements, and commentary announced in the Federal
Register, December 31, 1992 (57 FR 63832). We are specifically
interested in addressing item 59, regarding the Computer Fraud and
Abuse Act of 1988 (18 U.S.C. 1030).
CPSR is national membership organization of professionals in the
computing field. We have a particular interest in information
technology, including the protection of civil liberties and privacy.
We have sponsored a number of public conferences to explore the issues
involving computers, freedom, and privacy.
We have also testified before the House of Representatives and the
Senate regarding the federal computer crime law. It is our position
that the government must be careful not to extend broad criminal
sanctions to areas where technology is rapidly evolving and terms are
not well defined. We believe that such efforts, if not carefully
considered, may ultimately jeopardize the use of new information
technology to promote education, innovation, commerce, and public
life.
We also remain concerned that criminal sanctions involving the use of
information technologies may unnecessarily threaten important personal
freedoms, such as speech, assembly, and privacy. It is the experience
of the computing profession that misguided criminal investigation and
the failure of law enforcement to fully understand the use of computer
technology will have a detrimental impact on the entire community of
computer users.
For example, you may wish to review the recent decision of Steve
Jackson Games v. Secret Service, involving a challenge to the
government's conduct of a particular computer crime investigation.
The court found that the Secret Service's conduct "resulted in the
seizure of property, products, business records, business documents,
and electronic communications equipment of a corporation and four
individuals that the statutes were intended to protect." The court,
clearly concerned about the government's conduct, recommended "better
education, investigation, and strict compliance with the statutes as
written."
Clearly, the decisions made by the Sentencing Commission regarding
those factors that may increase or decrease a criminal sentence will
have an important impact on how computer crime is understood and how
the government conducts investigations. We therefore appreciate the
opportunity to express our views on the propose changes to the
guidelines for 18 U.S.C. 1030.
For the reasons stated below, it our belief that the proposed
guidelines regarding the Computer Fraud and Abuse Act now under
consideration by the Sentencing Commission place emphasis upon the
wrong factors, and may discourage the use of computer technology for
such purposes as publication, communication, and access to government
information. For these reasons, CPSR hopes that the current proposal
will not be adopted.
The Proposed Guidelines Will have a Chilling Effect on
Constitutionally Protected Activities
The proposed amendment would treat as an aggravating factor the
alteration, obtaining, or disclosure of "Protected information." This
term is defined in the proposed guidelines as "private information,
non-public government information, or proprietary commercial
information." The term is nowhere mentioned in the statute passed
Congress.
We oppose this addition. It has been the experience of the computer
profession that efforts to create new categories of information
restriction invariably have a chilling impact on the open exchange of
computerized data.
For example, National Security Decision Directive 145, which gave the
government authority to peruse computer databases for so-called
"sensitive but unclassified information," was widely opposed by the
computing community, as well as many organizations including the
Information Industry Association and the American Library Association.
The reason was that the new designation allowed the government to
extend classification authority and to restrict the free flow of
information and ideas.
Clearly, this proposal to increase the sentence for a violation of a
particular federal statute is not as sweeping as a Presidential order.
Nonetheless, we believe that the problems posed by efforts to create
new categories of computer-based information for the purpose of
criminal sentencing will raise similar concerns as did NSDD-145. It
is not in the interest of those who rely on information systems for
the purpose of public dissemination to encourage the development of
such classifications.
The proposed guidelines would also treat as an aggravating factor the
alteration of public record information. This proposal may go
directly against efforts to promote public access to electronic
information and to encourage the use of computer networks for the
conduct of government activities. For example, computer bulletin
boards have been established by agencies, such as the Department of
Commerce and Environmental Protection Agency, precisely for the
purpose of encouraging public use of on-line services and to
facilitate the administration of agency business.
Much of the problem may well be with the use of the term "alter"
without any further discussion of the nature of the alteration.
Computer systems are by nature interactive. Any user of a computer
system "alters" the data on the system. System operators may control
the status of a particular file by designating it as a "read only"
file or a "read-write" file. When a file is "read only," a user may
access the file but is technically unable to alter the files contents.
However a file that is "read-write" may allow users to both review
files and to alter them.
Certainly, there are many other factors that relate to computer system
security, but this particular example demonstrates that in many
instances altering a public file may in fact be the intended outcome
of a system operator. Failing to distinguish between permissible and
impermissible alterations of a computer file in the sentencing
guidelines misses entirely the operation of many computer systems.
The proposed amendment would also discourage the publication of
information in electronic environments. The amendment recommends that
the sentence be increased by 4 levels where "the defendant disclosed
protected information to any person" and by six levels where "the
defendant disclosed protected information to the public by means of a
general distribution system."
Both of these proposals would punish the act of publication where
there is no economic advantage to the defendant nor any specific harm
indicated. Such provisions could be used to discourage
whistle-blowing in the first instance, and subsequent dissemination of
computer messages by system operators in the second.
For this reason, we strongly oppose the inclusion of comment 10 which
states that a "general distribution system" includes electronic
bulletin boards and voice mail systems. This particular comment could
clearly have a chilling effect on operators of electronic bulletin
boards who may become reluctant to disseminate information where such
dissemination could be considered an aggravating factor for the
purpose of the federal computer crime law.
Current guidelines
It is our view that the current guidelines are a reasonably fair
articulation of the specific harms that might warrant additional
stringency, at least in the area of computer crime. We believe that
it is appropriate to impose additional sanction where there is "more
than minimal planning" or "scheme to defraud more than one victim," as
currently stated in the Guidelines. One of our concerns with the
application of 18 U.S.C. 1030 after the decision in U.S. v. Morris,
928 F.2d 504 (2d Cir. 1991) is that the provision does not adequately
distinguish between those acts where harm is intended and those where
it is not. For this reason, provisions in the sentencing guidelines
which help to identify specific harms, and not simply the disclosure
of computerized information, may indeed be helpful to prosecutors who
are pursuing computer fraud cases and to operators of electronic
distribution systems.
For similar reasons, we support the current $2F1.1(4) which allows an
upward departure where the offense involves the "conscious or reckless
risk of serious bodily injury." Again, it is appropriate to impose a
greater penalty where there is risk of physical harm
The Commission may wish to consider at some future date a provision
which would allow an upward departure for the disclosure of personally
identifiable data that is otherwise protected by federal or state
statute. We believe that privacy violations remain an important
non-economic harm that the Commission could address. For instance, the
disclosure of credit reports, medical records, and criminal history
records, by means of an unauthorized computer use (or where use
exceeds authorization) may be an appropriate basis for the imposition
of additional sanctions.
We suggest that the Commission also consider whether a downward
departure may be appropriate for those defendants who provide
technical information about computer security that may diminish the
risk of subsequent violations of the computer fraud statute. Such a
provision may lead to improvements in computer security and the
reduced likelihood of computer-related crime.
We recognize that the Commission is currently considering factors that
should be considered in the imposition of federal sentencing, and that
this process should not be equated with the creation of new criminal
acts. Nonetheless, the decisions of the Commission in this area may
well influence subsequent legislation, and the ability of computer
users to make use of information systems, to access government
information, and to disseminate electronic records and files. It is
for these reasons that we hope the Sentencing Commission will give
careful consideration as to potential impact on the user community of
these proposed changes to the federal sentencing guidelines.
We appreciate the opportunity to provide these comments to the
Commission and would be pleased to answer any questions you might
have. Please contact me directly at 202/544-9240.
Sincerely yours,
Marc Rotenberg, director
CPSR Washington office
Enclosure
------------------------------
Date: Mon, Mar 22 92 22:50:29 PST
From: Cliff Figallo <fig@well.sf.ca.us>
Subject: File 3--EFF Response to Proposed Sentencing Guidelines
March 15, 1993
United States Sentencing Commission
One Columbus Circle, NE
Suite 2-500, South Lobby
Washington, DC 20002-9002
Attention: Public Information
Re: Proposed Amendment #59 to the Sentencing Guidelines for
United States Courts, which creates a new guideline applicable
to violations of the Computer Fraud and Abuse Act of 1988 (18
U.S.C. 1030)
Dear Commissioners:
The Electronic Frontier Foundation (EFF) writes to state our
opposition to the new proposed sentencing guideline applicable to
violations of the Computer Fraud and Abuse Act of 1988, 18 U.S.C.
1030 (CFAA). We believe that, while the proposed guideline promotes
the Justice Department's interest in punishing those who engage in
computer fraud and abuse, the guideline is much too harsh for first
time offenders and those who perpetrate offenses under the statute
without malice aforethought. In addition, promulgation of a
sentencing guideline at the present time is premature, as there have
been very few published opinions where judges have issued sentences
for violations of the CFAA. Finally, in this developing area of the
law, judges should be permitted to craft sentences that are just in
relation to the facts of the specific cases before them.
The Proposed Guideline Is Too Harsh.
The proposed CFAA sentencing guideline, with a base offense level of
six and innumerable enhancements, would impose strict felony
liability for harms that computer users cause through sheer
inadvertence. This guideline would require imprisonment for first
time offenders who caused no real harm and meant none. EFF is
opposed to computer trespass and theft, and we do not condone any
unauthorized tampering with computers -- indeed, EFF's unequivocal
belief is that the security of private computer systems and networks
is both desirable and necessary to the maintenance of a free society.
However, it is entirely contrary to our notions of justice to brand a
computer user who did not intend to do harm as a felon. Under the
proposed guideline, even a user who painstakingly attempts to avoid
causing harm, but who causes harm nonetheless, will almost assuredly
be required to serve some time in prison.
The proposed guideline, where the sentencing judge is given no
discretion for crafting a just sentence based on the facts of the
case, is too harsh on less culpable defendants, particularly first
time offenders. As the Supreme Court has stated, the notion that a
culpable mind is a necessary component of criminal guilt is "as
universal and persistent in mature systems of law as belief in
freedom of the human will and a consequent ability and duty of the
normal individual to choose between good and evil." Morissette v.
United States, 342 U.S. 246, 250 (1952). In the words of another
court, "[u]sually the stigma of criminal conviction is not visited
upon citizens who are not morally to blame because they did not know
they were doing wrong." United States v. Marvin, 687 F.2d 1221, 1226
(8th Cir. 1982), cert. denied, 460 U.S. 1081 (1983).
There Is Not Yet Enough Caselaw to Warrant a Guideline.
The Sentencing Commission itself has recognized the importance of
drafting guidelines based on a large number of reported decisions.
In the introduction to the Sentencing Commission's Guidelines Manual,
the Commission states:
The Commission emphasizes that it drafted the initial guidelines with
considerable caution. It examined the many hundreds of criminal
statutes in the United States Code. It began with those that were
the basis for a significant number of prosecutions and sought to
place them in a rational order. It developed additional distinctions
relevant to the application of these provisions, and it applied
sentencing ranges to each resulting category. In doing so, it relied
upon pre-guidelines sentencing practice as revealed by its own
statistical analyses based on summary reports of some 40,000
convictions, a sample of 10,000 augmented pre-sentence reports, the
parole guidelines, and policy judgments.
United States Sentencing Commission, Guidelines Manual, Chap. 1, Part
A (1991).
At the present time, there are only five reported decisions that
mention the court's sentencing for violations of the Computer Fraud
and Abuse Act. See, United States v. Lewis, 872 F.2d 1030 (6th Cir.
1989); United States v. Morris, 928 F.2d 504 (2d Cir. 1991), cert.
denied, 112 S. Ct. 72 (1991); United States v. Carron, 1991 U.S. App.
LEXIS 4838 (9th Cir. 1991); United States v. Rice, 1992 U.S. App.
LEXIS 9562 (1992); and United States v. DeMonte, 1992 U.S. App.
LEXIS 11392 (6th Cir. 1992). New communications technologies, in
their earliest infancy, are becoming the subject of precedent-setting
litigation. Overly strict sentences imposed for computer-related
fraud and abuse may have the effect of chilling these technologies
even as they develop. Five decisions are not enough on which to base
a guideline to be used in such an important and growing area of the
law.
The Commission itself has recognized that certain areas of federal
criminal law and procedure are so new that policy statements, rather
than inflexible guidelines, are preferable. See, e.g., United States
Sentencing Commission, Guidelines Manual, Chap. 7, Part A (1990)
(stating the Commission's choice to promulgate policy statements,
rather than guidelines, for revocation of probation and supervised
release "until federal judges, probation officers, practitioners, and
others have the opportunity to evaluate and comment. . . ."). A
flexible policy statement, rather than a specific sentencing
guideline, is a more appropriate way to handle sentencing under the
Computer Fraud and Abuse Act until there has been enough litigation
on which to base a guideline.
Judges Must Be Permitted to Craft Their Own Sentences for Cases
Involving Special Circumstances.
Individual sentencing decisions are best left to the discretion of the
sentencing judge, who presumably is most familiar with the facts
unique to each case. To promulgate an inflexible sentencing
guideline, which would cover all crimes that could conceivably be
prosecuted under the Computer Fraud and Abuse Act, is premature at
this time.
As discussed above, there have only been five reported decisions
where the Computer Fraud and Abuse Act has been applied. In three of
these reported CFAA cases, the judges involved used their discretion
and fashioned unique sentences for the defendants based on the
special facts of the case. See, Morris, 928 F.2d at 506 (where the
judge placed Defendant Morris on probation for three years to perform
400 hours of community service, ordered him to pay fines of $10,050,
and ordered him to pay for the cost of his supervision at a rate of
$91 a month); Carron at 3 (where the judge found that Defendant
Carron's criminal history justified a sentence of 12 months
incarceration followed by 12 months of supervised release and
restitution to the two injured credit card companies); and DeMonte at
4 (where the trial court judge held that Defendant DeMonte's
"extraordinary and unusual level of cooperation" warranted a sentence
of three years probation with no incarceration). Judges must be
permitted to continue fashioning sentences that are just, based on
the facts of a specific case.
Computer communications are still in their infancy. Legal
precedents, particularly the application of a sentencing guideline to
violations of the Computer Fraud and Abuse Act, can radically affect
the course of the computer technology's future, and with it the fate
of an important tool for the exchange of ideas in a democratic
society. When the law limits or inhibits the use of new
technologies, a grave injustice is being perpetrated. The Electronic
Frontier Foundation respectfully asks the Commission to hold off
promulgating a sentencing guideline for the Computer Fraud and Abuse
Act until there are enough prosecutions on which to base a guideline.
Thank you in advance for your thoughtful consideration of our
concerns. We would be pleased to provide the Commission with any
further information that may be needed.
Sincerely yours,
Shari Steele
Staff Attorney
The Electronic Frontier Foundation is a privately funded, tax-exempt,
nonprofit organization concerned with the civil liberties, technical
and social problems posed by the applications of new computing and
telecommunications technology. Its founders include Mitchell Kapor,
a leading pioneer in computer software development who founded
the Lotus Development Corporation and developed the Lotus 1-2-3
Spreadsheet software.
------------------------------
Date: Mon, 12 Apr 1993 09:21:42 -0700
From: Jim Warren <jwarren@WELL.SF.CA.US>
Subject: File 4--LEGISLATIVE DATA ONLINE -- AB1624 needs support
A bill has been introduced to require almost all legislative
information to be made "available to the public by means of access
through a computer modem" --including full text of all bills,
amendments, bill analyses, bill history, bill status, veto messages,
daily files of each house of the legislature, each house and committee
schedule, etc.
For the first time, citizens, reporters, community and interest
groups, unions, corporations, city and county staff, attorneys, etc.,
could have *timely* and *economical* access to legislation-in-progress
that impacts them.
Like Hawaii's FYI system, AB1624 offers leadership for those states
[and Congress] not yet providing timely, *economical*, online citizen
access to their legislatures. This California bill was introduced
March 4th by State Assembly Member Debra Bowen (D-Torrance/Marina del
Rey area).
The legislative information is already online internally, and is sold
to a few high-priced information-distributors for $300,000-$500,000
per year. So far, -- like books in a millionaire's private library --
only well-funded lobbyists and special interests can afford the high
per-byte and per-minute fees of those few private data-distributors
(LegiTech, StateNet, etc.) that functionally monopolize online access
to these electronic public records.
The FIRST COMMITTEE ACTION will be Monday, 4/19 [new], by the Assembly
Rules Committee (Chair: John Burton, D-San Francisco). As few as
20-30 letters and faxes -- BY FRIDAY, APRIL 16th -- would show