Computer underground Digest Sun Jan 31, 1993 Volume 5 : Issue 09 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Copy Editor: Etaion Shrdlu, Junoir CONTENTS, #5.09 (Jan 31, 1993) File 1--Media hype goes both ways (in re: Forbes article) File 2--Forbes, NPR, and a Response to Jerry Leichter File 3--Revised Computer Crime Sent File 4--Balancing Computer Crime Statutes and Freedom Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. European readers can access the ftp site at: nic.funet.fi pub/doc/cud. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue, 12 Jan 93 12:20:21 EDT From: Jerry Leichter Subject: 1--Media hype goes both ways (in re: Forbes article) In Cu Digest, #4.66, Jim Thomas reviews article from the 21 December 1992 Forbes Magazine, and grants it CuD's 1992 MEDIA HYPE award. I read the article before reading Thomas's comments, and was considering posting a very different summary. Did we read the same words? Let me briefly summarize what I got out of the article, and then go over some of Thomas's points. The article claims that we are seeing a new kind of computer miscreant. Let me call such people "crims", a word I've just invented; according to the article, they identify themselves as hackers (to the extent they identify themselves at all), so the article also calls them hackers (sometimes, "hacker hoods"), thus raising many irrelevant emotional issues. Unlike old-style hackers, who were in it for what they could build; or new-style hackers, who are nominally in it for what they can learn; crims are in it for what they can steal. The article does NOT claim that the same people who've been hackers have now turned to real crime; rather, as I read it it claims that the crims have taken the techniques developed by the hackers and gone on to different things. Just look at the title of the article: "The Playground Bullies are Learning how to Type". The crims are the people who a few years ago might be burglars or jewel thieves; today, they are learning how to go after money and other valuable commodities (like trade or military secrets) in their new, electronic form. Thomas's criticism begins with a long attack on Brigid McMenamin, one of the reporters on the piece. He is upset that she keeps "bugging" people for information. Reporters do that; it's not their most endearing quality, but it's essential to their job, especially when dealing with people who don't particularly want to talk to them. He is upset that she kept asking about "illegal stuff" and "was oblivious to facts or issues that did not bear upon hackers-as-criminals." Given the article she was writing - exactly focusing on the crims - that's exactly what I would have expected her to do. Just because Thomas is interested in the non-criminal side of hacking doesn't mean McMenamin is under any obligation to be. Thomas reports that in his own conversations with McMenamin "Her questions suggested that she did not understand the culture about which she was writing." Again, Thomas presumes that she was writing about the people *Thomas* is interested in. In general, Thomas's criticisms of McMemanim reveal him to be so personally involved with the "hacker culture" that he studies that he's protective of it - and blind to the possibility that the world may be bigger and nastier than he would like. Thomas then summarizes "The Story". He criticizes it for not presenting a "coherent and factual story about the types of computer crime", but rather for making "hackers" the focal point and taking on a narrative structure. Well, I didn't particularly see "hackers" as the focal point, and considering the nature of the material being covered - it's all recent, and the crims are hardly likely to be interested in making themselves available to reporters - a narrative structure is probably inevitable. Perhaps Thomas will write the definitive study of the types of computer crime; I doubt any working reporter will do so for a magazine. Len Rose's story is told with a reasonable slant. None of us know ALL the facts, but at least Rose is pictured as a relatively innocent victim, chosen pretty much at random to bear the weight of actions taken by many people. In fact, that's just what a prosecutor interviewed in this piece of the story says: Because of the nature of the crimes, such as they are, the people caught and punished are often not the ones who actually did much of anything. He doesn't indicate that he LIKES this - just the opposite. He reports on facts about the real world. Thomas then says that the article describes a salami-slicing attack, alleged to have taken place at Citibank. He criticizes the article for lack of evidence. He's right, but after all, this was a criminal enterprise, and the criminals weren't caught. Just what evidence would he expect? He then goes on with a comment that makes no sense at all: Has anybody calculated how many accounts one would have to "skim" a few pennies from before obtaining $200,000? At a dime apiece, that's over 2 million. If I'm figuring correctly, at one minute per account, 60 accounts per minute non-stop for 24 hours a day all year, it would take nearly 4 straight years of on-line computer work for an out-sider. According to the story, it took only 3 months. At 20 cents an account, that's over a million accounts. Why would anyone even imagine that an attack of this nature would be under-taken on an account-at-a-time basis? The only way it makes sense is for the attack to have modified the software. If the criminals had a way to directly siphon money out of an account, they would have made one big killing and disappeared. Citibank has many thousands of accounts with much more than $200,000 in them; it probably has many thousands of accounts for which a $200,000 discrepancy wouldn't be noticed until the end of the quarter. A salami-slice attack only makes sense when the attacker intends to remain undetected, so that the attack continues to operate indefinitely. The romantic picture of the hacker sitting at his terminal, day in and day out, moving a few pennies here and there, may have a lot of appeal, but it's not reality. The crux of the Thomas's critique is: "Contrary to billing, there was no evidence in the story, other than questionable rumor, of `hacker' connection to organized crime." But, again, that isn't the point of the story, which to me seemed to do a fairly reasonable (though imperfect) job of distinguishing between the innocents who "just want to hack" and the new "crims". The article does, however, warn that the crims will have no compunctions about using the hackers, whether by just showing up at hacker conventions to learn the latest tricks - like every group, hackers think they can identify the "true" group members who believe in the group's ideals, when in fact it's always been trivially easy for those who are willing to lie to sneak in - or by hiring hackers, with money, drugs, or whatever. I don't know to what degree the rumors of the spread of the crims are true. It makes SENSE that they would be true, and in certain cases (particularly cellular telephone fraud) we have strong evidence. It's naive to think that the hacker community or the hacker ethic is somehow immune to the influence of criminal minds. There was an explicit warning from some prosecuter quoted in the article. What he said was that people are upset by the crimes, and government is responding harshly, often against the wrong targets. No one would be so stupid as to walk into a bank carrying a toy gun and try to get money from a teller, intending to leave it at the door, "just to test security". Yet hackers seem to believe that they can do the same thing with a bank's computers. If there were no such thing as real bank robbers, the toy gun game would be just fine; in the real world, that's an excellent way to get shot - or sent to prison for many years. As the crims become more active - and even if the current stories are all baseless, they inevitably will, and sooner rather than later - any hackers who don't adjust to the new reality will find themselves in big trouble. Many's the idealist who's been lead by the nose to help the dishonest - and it's usually the idealist who gets stuck with the bills. ------------------------------ Date: Sat, 30 Jan 93 23:01:49 CST From: Jim Thomas Subject: 2--Forbes, NPR, and a Response to Jerry Leichter Jerry Leichter asks of our mutual reading of Forbes' Magazine's "The Hacker Hood" article (see CuD #4.66): "Did we read the same words?" Although his question is presumably rhetorical, and although we normally do not respond to articles (even if critical), Jerry's question and commentary raises too many issues to let pass. The answer to his rhetorical question is: No, we did not read the same words. Not only did we not read the same words in the Forbes piece, I'm not certain that Jerry read the Forbes article with particular care, and it's certain he did not read our response to it (or our oft-repeated position on "computer deviance" over the years) with care. This would be of little consequence except that he makes several false assertions about my own background and he embodies an attitude that perpetuates the kinds of misunderstandings that lead to questionable laws, law enforcement, and misunderstanding among the public. Although Jerry obviously wrote in passion and in good faith, his commentary again raises the issues that we found disturbing in the Forbes piece. We thank him for his post and for the opportunity to again address these issues. Jerry's criticism's of the Forbes' commentary can be divided into three parts: 1) His perception of my naivete; 2) His disagreement with our evaluation and interpretation of the Forbes writers and the substance of the article; and 3) A disagreement over the nature and extend of "hacker crime." 1. JERRY'S CRITICISMS OF THOMAS Jerry's criticisms of me include several of sufficient magnitude that they require a response. First, he claims that I'm apparently blinded to objectivity because of a commitment to hacking: >In general, Thomas's criticisms of McMemanim (sic) reveal him to be >so personally involved with the "hacker culture" that he >studies that he's protective of it - and blind to the >possibility that the world may be bigger and nastier than he >would like. Had he claimed that I'm so involved in civil rights that I sometimes lose objectivity, I might agree with him. However, even a cursory reading of my response indicates that the criticisms of one of the Forbes writers, Brigid McMenamin would reveal that the objections had nothing to do with hackers or rights, but with journalistic ethics and responsibility. Those with whom I spoke who were contacted by Ms. McMenamin all reached an independent consensus about her methods, "homework," and ability to write a factual story. Jerry counters with no facts that would dispute any of the interpretations, but instead seems to defend what some judged as incompetence. Is it not possible, in Jerry's worldview, to question a reporter's methods, especially when those methods seem troublesome to others who are experienced in dealing with the press? It's also unclear how Jerry interprets anything written by CuD editors as "protective" of "hacker culture." My Forbes commentary was quite clear: The issue isn't whether one supports of opposes "hacker culture." It's simply whether we believe that a medium such as Forbes should be committed to minimal standards of accuracy or whether we are willing to accept broad assertions and innuendo that contribute to the hysteria that feeds bad legislation and questionable law enforcement tactics such as those occuring during the "hacker crackdown." I also assure Jerry that, as a criminologist who has lived in and also studied the nastiest criminal cultures, I recognize that segments of the world are indeed big and nasty. I also recognize that nastiness is not limited to the criminal segment of society. In the scheme of things, even the worst of computer crime is generally not among the worst offenses that one can commit. He seems unaware that the current U.S. prison population hoovers around 900,000, and that it's increasing by almost ten percent a year. Much of this increase is due to "get tough" attitudes on crime in which an increasing number of behaviors are criminalized, sanctions for crimes are increased, and sentences imposed (and time served) grows longer. Jerry fails to understand that the issue isn't simply "hackers," but rather what constitutes an acceptable social response to new social offenses. Jerry also implies that to criticize increased criminalization and to oppose demonization for relatively mild offenses is naively idealistic. Although he fails to provide a rationale for this claim, it presumably stems from a view that sees advocates of civil rights siding with criminals rather than victims. This, of course, is a false argument. There is little, if any, evidence that civil rights advocates side with criminals. Rather, they side with the rule of law that, under our Constitution, guarantees protections to all people. The Forbes article creates an image that, in a time of strong opposition to civil rights, promotes inappropriately strong laws and weaker protections of rights. If adhering to the Enlightenment principles and Constitutional values on which our judicial (and social) system were founded makes me a naive idealist, then I'm guilty as charged. I find this a far more civilized stance than the alternative. 2. JERRY'S CRITICISMS OF MY INTERPRETATION OF THE FORBES PIECE Jerry "didn't particularly see 'hackers' as the focal point of the story." The title and the narrative of the piece seemed quite clear: "The Hacker Hoods?" Nearly every paragraph alluded to vague hacker criminality or to specific people identified as criminal "hackers." No, I do not think we did read the same words. If I had any lingering doubts about Jerry's lack of thoroughness in reading the Forbes piece, they were eliminated when I read his criticism of my commentary on the "salami attack." The Forbes piece adduced as an example of a "hacker crime" an unsupported story about a computer intruder who lopped a penny or two from various accounts. Jerry thinks it odd that one would question the veracity of the story and suggests that, contrary to what I said, a hacker could easily do this in a few seconds with a "big killing." He apparently failed to note that the story indicated this was done by skimming "off a penny or so from each account. Once he ((the hacker)) had $200,000, he quit" (p. 186). Again, it seems we didn't read the same words. The point wasn't whether this could be done, but that the story was provided as "fact" with no corroboration. In fact, neither the banking victim (Citibank) nor a nationally recognized computer crime expert (Donn Parker) had knowledge of the deed. As written in Forbes, the method does raise some skepticism, as Jerry concedes: >The romantic picture of the hacker sitting at his terminal, >day in and day out, moving a few pennies here and there, may >have a lot of appeal, but it's not reality. Here we agree. Had he read the Forbes piece accurately, he would see that this was precisely my point. The picture Jerry disputes is the one drawn in the Forbes piece. It appears that he agrees with me: The Forbes picture is not reality. The issue here isn't that Jerry didn't read either the Forbes piece or the commentary carefully. Rather, it's that his comments show how easily even an otherwise informed reader can uncritically gloss over material that doesn't conform to a preferred view. It's not that I disagree with Jerry (or the Forbes piece). Rather, the issue at stake lies in a fundamental difference over how material is to be presented. In highly volatile topics, sensationalistic portrayals strike me as irresponsible and reinforce attitudes that lead to unacceptable social responses. The Forbes piece and Jerry's uncritical acceptance of it contribute to what in past times were called witch hunts. Jerry seems to find it odd that one would object to claims being made without evidence: >He ((Thomas)) criticizes the article for lack of >evidence. He ((Thomas))'s right, but after all, this >was a criminal enterprise, and the criminals weren't >caught. Just what evidence would he expect? Crimes are detected in two ways. First, the criminal is apprehended in the act. Second, a victim reports the crime. As a criminologist, I've been taught that however one measures crime, it is generally done either by some combination of crimes known to police or by victimization surveys. In an article ostensibly describing crime, I would assume that there would be at least minimal evidence for the hard core crimes attributed to "hackers". It's obvious Jerry and I did not read the same words. Didn't he read Managing Editor Lawrence Minard's introduction? >While working with Bill Flanagan on the multibillion-dollar >telephone toll fraud phenomenon (Forbes, Aug. 3), Brigid >McMenamin was intrigued to find that organized crime was >hiring young computer hackers to do some of their electronic >dirty work. This is a claim. Other claims are made in the article. It's not unreasonable to expect at least minimal evidence for the claims made. The story was not based on facts but on innuendo. The Forbes piece was criticized *not* because it was in opposition to a preferred view of a particular social group, but because it took a stigmatized group and further demonized it by making claims without recourse to specific cases. 3. WHAT'S AT STAKE IN THIS DISCUSSION As I stated explicitly in my original Forbes commentary, the issue is not whether "hackers" are portrayed to one's liking. The point is how one creates images of groups or behaviors that lead to social stigma and criminal sanctions. I judged the Forbes piece to grossly err on the side of falsely dramatizing a label that has been misused, abused, and used to create what many judge as inappropriate or chaotic laws. If the Forbes piece were limited to identifying new types of computer crime without attempting to exaggerate the link between "hackers" and organized crime, and if it had been more factual, it would not have been objectionable. If it had focused on computer delinquents and the problems they cause by identifying explicit instances of security transgressions, telephone abuse, or other identifiable behaviors, it would have been less objectionable. Had it made a clear distinction between the culture of "hackers," whether the old-guard explorer or the newer nuisance and computer criminals who do use a computer to prey (but are not "hackers"), it would have been less objectionable. The Forbes piece did none of this. Instead, it distorted both "hacking" and computer crime. The authors did nothing to clarify a complex problem and did much to obscure it. There is computer crime? Old news. Some hackers commit computer crimes? Old news. What is new in the piece is that it implies a logic in which a) anyone adept at a computer is a hacker; b) Computer criminals (by definition) are adept at computers; c) Computer criminals are hackers. Conclusion: Look out for the hackers! Consider: Substitute the term "computer professionals" or "sys ads" for "hackers." "Sys ad bullies?" "Sys ads learn to type and commit crimes?" Computer criminals, by definition, have computer skills, and to conflate all computer crime with "hacking" makes as much sense as conflating computer criminals with any other label that captures the imagination of a public that can't distinguish between the reality and the simulacrum. In the Forbes piece, the symbol, "hackers," becomes an abstract demon. Forbes employed its resources, which are considerable, to produce a misleading piece that subverts the efforts of those who attempt to balance fair laws and their application to civil liberties. I doubt that Forbes' readers, over one million of them, were able to ascertain the complexities of this delicate balance from the article. The visibility of the Forbes article also put one author, William Flanagan, in the public eye on a National Public Radio "Morning Edition" segment (21 December, '92). Flanagan essentially repeated his points from the article. When asked by reporter Renee Montagne "But are we talking about computer hackers who've become criminals, or is it criminals who've become computer hackers?" Flanagan responded: It's--it's a bit of both actually. You really have three categories. You have the--the sport hackers who used to fool around and show off. They would go into a government or a telephone company computer and pull out a sensitive file and then show it off as a trophy. They really didn't have too much malice in what they were doing other than the anarchic thing that you will find among a lot of late-teenage boys and--and it's mainly boys. But some of them have been co-opted into it by the Mafia, by organized crime. They give them money and drugs and they perform some stunts for them like come up with telephone numbers. Then, there are those who are larcenous to start with and--and who have developed the techniques or have hired others to do it. Then, the third category--and perhaps this is even the most dangerous. It's people who have an awful lot of computer knowledge and are suddenly out of work and are very angry and have the capability of creating all kinds of mayhem or stealing great deals of money. Of course there are hackers who commit crimes, just as there are systems administrators who commit crimes. But, in putting together the beginnings of a data base on computer crime in recent years, I have yet to come across a pointer to a Mafia-related "hacker" case. The thinking reflected in Flanagan's commentary resembles that of someone who's read one too many National Inquirer articles or seen one too many Geraldo shows. It distorts the problem, distorts possible solutions, and offers no new information. When we distort the nature of the problem, we obstruct a solution. Flanagan repeats the error of equating Robert T. Morris, of "the Internet work" fame with "hackers." The reporter notes that he was given probation, and asks, "What about now?" Flanagan: He would be in jail and I guarantee you, his father's connections wouldn't have helped him in this day and age. Montagne: His father was... Flanagan: Was a high government official I think with the FTC. Throughout most of the '80s when these kids were caught, they would be given a rap on the knuckles and there was a widespread belief that all they had to do was to tell law enforcement or tell the telephone company how they did something and to give up that information or maybe give up the names of some of their friends, and they'd be let go. But that's not the case any more. Now, it's a seemingly minor error to assume that Morris's father's connections helped him, a claim for which there's no evidence. It's also relatively minor that a detail such as linking Morris' father to the FTC was wrong (the senior Morris was a computer security expert who was the chief scientist at the NSA's National Computer Security Center). It's also a minor quibble that Flanagan thinks that three years probation, a $10,000 fine, 400 of community service and almost $150,000 in legal fees is a light punishment. But, in the aggregate, these errors indicate that Flanagan, speaking as an "expert" on the issues of hacking and computer crime, doesn't know his subject. His pronouncements have a high profile: If it's in Forbes *and* on NPR, it *must* be true. Yet, his factual errors and the style of crafting them into narrative demonic images cast fatal doubt on his credibility. One way to counter this kind of hyperbole and disinformation is to provide an antidote by challenging the veracity of the facts and the images. This, as Jerry's response indicates, bothers some people. As I argued, I hope clearly, in the original Forbes commentary, the concern isn't with "hackers," but with law and justice. For over a decade, we have witnessed the curtailment of civil and other rights that were thought to be well-established. We have seen the criminalization of a variety of new behaviors and the imposition of harsher sentences on old ones. We have seen the abuses of a few law enforcement officials and others in pursuing their targets. We have seen creative use of seizure and forfeiture laws to take property and disrupt lives. We have seen a public, frustrated by crime, succumb to the hyperbole and rhetoric of politicians and media sensationalism. To oppose the Forbes piece and those who defend it is not to take issue with personalities or a given medium. Rather, it is a modest, perhaps chimerical attempt to joust with those repressive windmills that substitute emotionalism and ignorance in solving problems for the harder task of coming to grips with thier complexity and nuances. So, no, Jerry, we did not read the same words, nor do we see the world in the same way. Which is fine. We learn through the dialogic competition of ideas. And, yes, I do recognize that the world is a far more nasty place than suits my liking. However, I also recognize that not all of the nastiness is caused by criminals. To modify a line from Stephenson's Snow Crash, condensing fact from the vapor of nuance is fine, but replacing facts with vaporous nuances isn't. ------------------------------ Date: Sat, 30 Jan 1993 15:12:11 EST From: Dave Banisar Subject: 3--Revised Computer Crime Sent Revised Computer Crime Sentencing Guidelines >From Jack King (gjk@well.sf.ca.us) The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a base offense level of 6 and enhancements of 4 to 6 levels for violations of specific provisions of the statute. The new guideline practically guarantees some period of confinement, even for first offenders who plead guilty. For example, the guideline would provide that if the defendant obtained ``protected'' information (defined as ``private information, non-public government information, or proprietary commercial information), the offense level would be increased by two; if the defendant disclosed protected information to any person, the offense level would be increased by four levels, and if the defendant distributed the information by means of ``a general distribution system,'' the offense level would go up six levels. The proposed commentary explains that a ``general distribution system'' includes ``electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means.'' So, in effect, a person who obtains information from the computer of another, and gives that information to another gets a base offense level of 10; if he used a 'zine or BBS to disseminate it, he would get a base offense level of 12. The federal guidelines prescribe 6-12 months in jail for a first offender with an offense level of 10, and 10-16 months for same with an offense level of 12. Pleading guilty can get the base offense level down by two levels; probation would then be an option for the first offender with an offense level of 10 (reduced to 8). But remember: there is no more federal parole. The time a defendant gets is the time s/he serves (minus a couple days a month "good time"). If, however, the offense caused an economic loss, the offense level would be increased according to the general fraud table (Sec. 2F1.1). The proposed commentary explains that computer offenses often cause intangible harms, such as individual privacy rights or by impairing computer operations, property values not readily translatable to the general fraud table. The proposed commentary also suggests that if the defendant has a prior conviction for ``similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted.'' An upward departure may also be warranted, DOJ suggests, if ``the defendant's conduct has affected or was likely to affect public service or confidence'' in ``public interests'' such as common carriers, utilities, and institutions. Based on the way U.S. Attorneys and their computer experts have guesstimated economic "losses" in a few prior cases, a convicted tamperer can get whacked with a couple of years in the slammer, a whopping fine, full "restitution" and one to two years of supervised release (which is like going to a parole officer). (Actually, it *is* going to a parole officer, because although there is no more federal parole, they didn't get rid of all those parole officers. They have them supervise convicts' return to society.) This, and other proposed sentencing guidelines, can be found at 57 Fed Reg 62832-62857 (Dec. 31, 1992). The U.S. Sentencing Commission wants to hear from YOU. Write: U.S. Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington DC 20002-8002, Attention: Public Information. Comments must be received by March 15, 1993. * * * Actual text of relevant amendments: UNITED STATES SENTENCING COMMISSION AGENCY: United States Sentencing Commission. 57 FR 62832 December 31, 1992 Sentencing Guidelines for United States Courts ACTION: Notice of proposed amendments to sentencing guidelines, policy statements, and commentary. Request for public comment. Notice of hearing. SUMMARY: The Commission is considering promulgating certain amendments to the sentencing guidelines, policy statements, and commentary. The proposed amendments and a synopsis of issues to be addressed are set forth below. The Commission may report amendments to the Congress on or before May 1, 1993. Comment is sought on all proposals, alternative proposals, and any other aspect of the sentencing guidelines, policy statements, and commentary. DATES: The Commission has scheduled a public hearing on these proposed amendments for March 22, 1993, at 9:30 a.m. at the Ceremonial Courtroom, United States Courthouse, 3d and Constitution Avenue, NW., Washington, DC 20001. Anyone wishing to testify at this public hearing should notify Michael Courlander, Public Information Specialist, at (202) 273-4590 by March 1, 1993. Public comment, as well as written testimony for the hearing, should be received by the Commission no later than March 15, 1993, in order to be considered by the Commission in the promulgation of amendments due to the Congress by May 1, 1993. ADDRESSES: Public comment should be sent to: United States Sentencing Commission, One Columbus Circle, NE., suite 2-500, South Lobby, Washington, DC 20002-8002, Attention: Public Information. FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public Information Specialist, Telephone: (202) 273-4590. * * * 59. Synopsis of Amendment: This amendment creates a new guideline applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030). Violations of this statute are currently subject to the fraud guidelines at S. 2F1.1, which rely heavily on the dollar amount of loss caused to the victim. Computer offenses, however, commonly protect against harms that cannot be adequately quantified by examining dollar losses. Illegal access to consumer credit reports, for example, which may have little monetary value, nevertheless can represent a serious intrusion into privacy interests. Illegal intrusions in the computers which control telephone systems may disrupt normal telephone service and present hazards to emergency systems, neither of which are readily quantifiable. This amendment proposes a new Section 2F2.1, which provides sentencing guidelines particularly designed for this unique and rapidly developing area of the law. Proposed Amendment: Part F is amended by inserting the following section, numbered S. 2F2.1, and captioned "Computer Fraud and Abuse," immediately following Section 2F1.2: "S. 2F2.1. Computer Fraud and Abuse (a) Base Offense Level: 6 (b) Specific Offense Characteristics (1) Reliability of data. If the defendant altered information, increase by 2 levels; if the defendant altered protected information, or public records filed or maintained under law or regulation, increase by 6 levels. (2) Confidentiality of data. If the defendant obtained protected information, increase by 2 levels; if the defendant disclosed protected information to any person, increase by 4 levels; if the defendant disclosed protected information to the public by means of a general distribution system, increase by 6 levels. Provided that the cumulative adjustments from (1) and (2), shall not exceed 8. (3) If the offense caused or was likely to cause (A) interference with the administration of justice (civil or criminal) or harm to any person's health or safety, or (B) interference with any facility (public or private) or communications network that serves the public health or safety, increase by 6 levels. (4) If the offense caused economic loss, increase the offense level according to the tables in S. 2F1.1 (Fraud and Deceit). In using those tables, include the following: (A) Costs of system recovery, and (B) Consequential losses from trafficking in passwords. (5) If an offense was committed for the purpose of malicious destruction or damage, increase by 4 levels. (c) Cross References (1) If the offense is also covered by another offense guideline section, apply that offense guideline section if the resulting level is greater. Other guidelines that may cover the same conduct include, for example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering National Defense Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2 (Receiving, Transporting, Transferring, Transmitting, or Possessing Stolen Property), and S. 2H3.1 (Interception of Communications or Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft); for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an Election or Registration), S. 2J1.2 (Obstruction of Justice), and S. 2B3.2 (Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1 (Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft). Commentary Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6) Application Notes: 1. This guideline is necessary because computer offenses often harm intangible values, such as privacy rights or the unimpaired operation of networks, more than the kinds of property values which the general fraud table measures. See S. 2F1.1, Note 10. If the defendant was previously convicted of similar misconduct that is not adequately reflected in the criminal history score, an upward departure may be warranted. 2. The harms expressed in paragraph (b)(1) pertain to the reliability and integrity of data; those in (b)(2) concern the confidentiality and privacy of data. Although some crimes will cause both harms, it is possible to cause either one alone. Clearly a defendant can obtain or distribute protected information without altering it. And by launching a virus, a defendant may alter or destroy data without ever obtaining it. For this reason, the harms are listed separately and are meant to be cumulative. 3. The terms "information," "records," and "data" are interchangeable. 4. The term "protected information" means private information, non-public government information, or proprietary commercial information. 5. The term "private information" means confidential information (including medical, financial, educational, employment, legal, and tax information) maintained under law, regulation, or other duty (whether held by public agencies or privately) regarding the history or status of any person, business, corporation, or other organization. 6. The term "non-public government information" means unclassified information which was maintained by any government agency, contractor or agent; which had not been released to the public; and which was related to military operations or readiness, foreign relations or intelligence, or law enforcement investigations or operations. 7. The term "proprietary commercial information" means non-public business information, including information which is sensitive, confidential, restricted, trade secret, or otherwise not meant for public distribution. If the proprietary information has an ascertainable value, apply paragraph (b) (4) to the economic loss rather than (b) (1) and (2), if the resulting offense level is greater. 8. Public records protected under paragraph (b) (1) must be filed or maintained under a law or regulation of the federal government, a state or territory, or any of their political subdivisions. 9. The term "altered" covers all changes to data, whether the defendant added, deleted, amended, or destroyed any or all of it. 10. A "general distribution system" includes electronic bulletin board and voice mail systems, newsletters and other publications, and any other form of group dissemination, by any means. 11. The term "malicious destruction or damage" includes injury to business and personal reputations. 12. Costs of system recovery: Include the costs accrued by the victim in identifying and tracking the defendant, ascertaining the damage, and restoring the system or data to its original condition. In computing these costs, include material and personnel costs, as well as losses incurred from interruptions of service. If several people obtained unauthorized access to any system during the same period, each defendant is responsible for the full amount of recovery or repair loss, minus any costs which are clearly attributable only to acts of other individuals. 13. Consequential losses from trafficking in passwords: A defendant who trafficked in passwords by using or maintaining a general distribution system is responsible for all economic losses that resulted from the use of the password after the date of his or her first general distribution, minus any specific amounts which are clearly attributable only to acts of other individuals. The term "passwords" includes any form of personalized access identification, such as user codes or names. 14. If the defendant's acts harmed public interests not adequately reflected in these guidelines, an upward departure may be warranted. Examples include interference with common carriers, utilities, and institutions (such as educational, governmental, or financial institutions), whenever the defendant's conduct has affected or was likely to affect public service or confidence". ------------------------------ Date: 22 Dec 92 15:31:52 EST From: Ken Citarella <70700.3504@COMPUSERVE.COM> Subject: 4--Balancing Computer Crime Statutes and Freedom An Illustration of How Computer Crime Statutes Try To Balance Competing Interests of Security and Freedom -- and Come Up With Interesting Answers copyright 1992, Kenneth C. Citarella (CompuServe; 70700,3504) Computers deserve protection. If we did not all agree on that state legislatures and the Congress would not have passed computer crime statutes. Exactly how much protection to afford them, however, is the crux of the problem. Sometimes resolving that gets confused with a desire to avoid criminalizing inquisitive and youthful computer intruders. The New York State computer crime statutes illustrate this confusion. The basic computer crime in New York is Unauthorized Use of a Computer, a misdemeanor. A person commits this crime when he uses, or causes to be used, a computer without authorization, and the computer is programmed to prevent unauthorized use. Thus, the unauthorized use of any computer in New York which does not have user-id/password security or some equivalent is arguably lawful under this statute. Moreover, under the definition of "uses a computer without authorization", the unauthorized user must be notified orally, in writing, or by the computer itself that unauthorized users are not welcome. There are, therefore, two threshold protections that a system owner must install to have his computer come under the protection of the New York unauthorized use statute. First, there must be protective programming; second, there must a warning to the prospective intruder. These obligations do not seem excessive regarding misuse by an employee or other user with limited access to the computer in question. It is difficult to include with everyone's employment materials a written warning regarding unauthorized use of the computer, and it is certainly common enough to issue user-ids and passwords. Consider, however, the remote unauthorized user. If a business has a computer with an unlisted modem number, has issued user-ids and passwords to its authorized users, has dial back modems, and has encrypted log-in procedures, its computer may still not be protected by the unauthorized use statute. Should an intruder locate the modem number by random demon dialling, guess at a password and encryption code, and enter the system to install and operate a pirate bulletin board, it may not be a criminal act. As long as the intruder does not access government records, medical records, or corporate secrets, alter any file or program, or download anything from the system, there may not be a crime. As long as the system did not display a warning that unauthorized users were not welcome, the crime of unauthorized use cannot occur. Thus, the legislature has elevated the display of a few words almost certain to deter no one to far greater legal importance than actual technical protective steps, all in the name of not criminalizing our inquisitive youths. Yet, if technical security procedures cannot convince them not to intrude upon a system, what importance can be attached to the displayed warning? Aren't unlisted phones, passwords, and other standard security procedures sufficient warning in and of themselves? Or, is form really more important than substance? It is curious to note that the legislature seized upon notice as the prerequisite for computer crime law protection. It is a crime to enter and drive away with a car without permission, even if the car door is open, the key in the ignition, and the engine running. It is a crime to enter a premises without permission, even if the door is open, the lights on, and dinner on the table. In either scenario, notice is implicit in the intruder's knowledge that he does not belong there. The prosecutor must prove the absence of permission at trial, just as he rightly should in a computer crime case. But under current legislation, egregious computer intrusions must go unprosecuted if, despite extensive technical protection, three little words -- "Authorized Users Only" -- do not appear to warn an intruder not to enter where he already knows he does not belong. If computers are ever to become as integrated into our lives as cars and homes should they not be afforded the same protection under the criminal law? ((The author is a Deputy Bureau Chief of the Frauds Bureau in the District Attorney's Office, Westchester County, New York. The opinions expressed herein are purely personal and do not necessarily reflect the opinions or policies of the District Attorney's Office.)) ------------------------------ End of Computer Underground Digest #5.09 ************************************