March 15, 1993 United States Sentencing Commission One Columbus Circle, NE Suite 2-500, South Lobby Washington, DC 20002-9002 Attention: Public Information Re: Proposed Amendent #59 to the Sentencing Guidelines for United States Courts, which creates a new guideline applicable to violations of the Computer Fraud and Abuse Act of 1988 (18 U.S.C. 1030) Dear Commissioners: The Electronic Frontier Foundation (EFF) writes to state our opposition to the new proposed sentencing guideline applicable to violations of the Computer Fraud and Abuse Act of 1988, 18 U.S.C. 1030 (CFAA). We believe that, while the proposed guideline promotes the Justice Department's interest in punishing those who engage in computer fraud and abuse, the guideline is much too harsh for first time offenders and those who perpetrate offenses under the statute without malice aforethought. In addition, promulgation of a sentencing guideline at the present time is premature, as there have been very few published opinions where judges have issued sentences for violations of the CFAA. Finally, in this developing area of the law, judges should be permitted to craft sentences that are just in relation to the facts of the specific cases before them. The Proposed Guideline Is Too Harsh. The proposed CFAA sentencing guideline, with a base offense level of six and innumerable enhancements, would impose strict felony liability for harms that computer users cause through sheer inadvertence. This guideline would require imprisonment for first time offenders who caused no real harm and meant none. EFF is opposed to computer trespass and theft, and we do not condone any unauthorized tampering with computers - - indeed, EFF's unequivocal belief is that the security of private computer systems and networks is both desirable and necessary to the maintenance of a free society. However, it is entirely contrary to our notions of justice to brand a computer user who did not intend to do harm as a felon. Under the proposed guideline, even a user who painstakingly attempts to avoid causing harm, but who causes harm nonetheless, will almost assuredly be required to serve some time in prison. The proposed guideline, where the sentencing judge is given no discretion for crafting a just sentence based on the facts of the case, is too harsh on less culpable defendants, particularly first time offenders. As the Supreme Court has stated, the notion that a culpable mind is a necessary component of criminal guilt is "as universal and persistent in mature systems of law as belief in freedom of the human will and a consequent ability and duty of the normal individual to choose between good and evil." Morissette v. United States, 342 U.S. 246, 250 (1952). In the words of another court, "[u]sually the stigma of criminal conviction is not visited upon citizens who are not morally to blame because they did not know they were doing wrong." United States v. Marvin, 687 F.2d 1221, 1226 (8th Cir. 1982), cert. denied, 460 U.S. 1081 (1983). There Is Not Yet Enough Caselaw to Warrant a Guideline. The Sentencing Commission itself has recognized the importance of drafting guidelines based on a large number of reported decisions. In the introduction to the Sentencing Commission's Guidelines Manual, the Commission states: The Commission emphasizes that it drafted the initial guidelines with considerable caution. It examined the many hundreds of criminal statutes in the United States Code. It began with those that were the basis for a significant number of prosecutions and sought to place them in a rational order. It developed additional distinctions relevant to the application of these provisions, and it applied sentencing ranges to each resulting category. In doing so, it relied upon pre-guidelines sentencing practice as revealed by its own statistical analyses based on summary reports of some 40,000 convictions, a sample of 10,000 augmented pre-sentence reports, the parole guidelines, and policy judgments. United States Sentencing Commission, Guidelines Manual, Chap. 1, Part A (1991). At the present time, there are only five reported decisions that mention the court's sentencing for violations of the Computer Fraud and Abuse Act. See, United States v. Lewis, 872 F.2d 1030 (6th Cir. 1989); United States v. Morris, 928 F.2d 504 (2d Cir. 1991), cert. denied, 112 S. Ct. 72 (1991); United States v. Carron, 1991 U.S. App. LEXIS 4838 (9th Cir. 1991); United States v. Rice, 1992 U.S. App. LEXIS 9562 (1992); and United States v. DeMonte, 1992 U.S. App. LEXIS 11392 (6th Cir. 1992). New communications technologies, in their earliest infancy, are becoming the subject of precedent-setting litigation. Overly strict sentences imposed for computer-related fraud and abuse may have the effect of chilling these technologies even as they develop. Five decisions are not enough on which to base a guideline to be used in such an important and growing area of the law. The Commission itself has recognized that certain areas of federal criminal law and procedure are so new that policy statements, rather than inflexible guidelines, are preferable. See, e.g., United States Sentencing Commission, Guidelines Manual, Chap. 7, Part A (1990) (stating the Commission's choice to promulgate policy statements, rather than guidelines, for revocation of probation and supervised release "until federal judges, probation officers, practitioners, and others have the opportunity to evaluate and comment. . . ."). A flexible policy statement, rather than a specific sentencing guideline, is a more appropriate way to handle sentencing under the Computer Fraud and Abuse Act until there has been enough litigation on which to base a guideline. Judges Must Be Permitted to Craft Their Own Sentences for Cases Involving Special Circumstances. Individual sentencing decisions are best left to the discretion of the sentencing judge, who presumably is most familiar with the facts unique to each case. To promulgate an inflexible sentencing guideline, which would cover all crimes that could conceivably be prosecuted under the Computer Fraud and Abuse Act, is premature at this time. As discussed above, there have only been five reported decisions where the Computer Fraud and Abuse Act has been applied. In three of these reported CFAA cases, the judges involved used their discretion and fashioned unique sentences for the defendants based on the special facts of the case. See, Morris, 928 F.2d at 506 (where the judge placed Defendant Morris on probation for three years to perform 400 hours of community service, ordered him to pay fines of $10,050, and ordered him to pay for the cost of his supervision at a rate of $91 a month); Carron at 3 (where the judge found that Defendant Carron's criminal history justified a sentence of 12 months incarceration followed by 12 months of supervised release and restitution to the two injured credit card companies); and DeMonte at 4 (where the trial court judge held that Defendant DeMonte's "extraordinary and unusual level of cooperation" warranted a sentence of three years probation with no incarceration). Judges must be permitted to continue fashioning sentences that are just, based on the facts of a specific case. Computer communications are still in their infancy. Legal precedents, particularly the application of a sentencing guideline to violations of the Computer Fraud and Abuse Act, can radically affect the course of the computer technology's future, and with it the fate of an important tool for the exchange of ideas in a democratic society. When the law limits or inhibits the use of new technologies, a grave injustice is being perpetrated. The Electronic Frontier Foundation respectfully asks the Commission to hold off promulgating a sentencing guideline for the Computer Fraud and Abuse Act until there are enough prosecutions on which to base a guideline. Thank you in advance for your thoughtful consideration of our concerns. We would be pleased to provide the Commission with any further information that may be needed. Sincerely yours, Shari Steele Staff Attorney The Electronic Frontier Foundation is a privately funded, tax-exempt, nonprofit organization concerned with the civil liberties, technical and social problems posed by the applications of new computing and telecommunications technology. Its founders include Mitchell Kapor, a leading pioneer in computer software development who founded the Lotus Development Corporation and developed the Lotus 1-2-3 Spreadsheet software. Downloaded From P-80 International Information Systems 304-744-2253