In the wake of social justice activist Aaron Swartz's tragic death, EFF and Internet users around the country are in the middle of a week-of-action, asking Congress to reform the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. The CFAA has many problems and users can contact their representative to demand reform. In this two-part series, we'll explore the specific problems with federal sentencing under the CFAA. Part 1 explains why maximums matter.
Much of the recent discussion about the problems with the CFAA's tough penalty scheme has revolved around its draconian maximum punishments. While maximums play an important role in criminal sentencing, the actual sentence a defendant will receive depends mostly on the sentencing range recommended in the United States Sentencing Guidelines ("USSG"). The Guidelines are written and updated by the United States Sentencing Commission ("USSC"), an independent agency of the judicial branch created by Congress in 1984, to help judges determine where in the spectrum from no jail time to the maximum a sentence should fall. Once binding on sentencing courts, in 2005 the Supreme Court ruled that were only a recommendation the court was free to disregard. Nonetheless, the vast majority of federal criminal sentences fall within the Guideline range recommended by the USSC. And when it comes to looking at how the Guidelines treat CFAA cases, it's clear why the law needs to be reformed.
How the Guidelines Work
The Guideline range only hinges on two things: the characteristics of the crime committed and the defendant’s criminal history. It plots these two factors on a table. On the Y-Axis is a scale of 1 to 43 that measures the "offense level" or the seriousness of a crime; 1 is the least serious crime; 43 is the most serious crime. On the X-Axis is a scale of I to VI that measure's a defendant's criminal history; I is the least serious criminal history including first offenders; VI is the highest.
At sentencing, the court must first calculate the offense level for the specific statute of conviction. Then, it can apply enhancements for aggravating behavior like choosing an "official victim." Once the court calculates the offense level it then determines the defendant's criminal history. Then, once these two factors have been calculated, the court matches the two numbers on the table, leading to the recommended sentencing range for a particular crime. As any of these two axes increase, so does the length of the sentence. The court can impose a sentence within the range—which can be presumed reasonable on appeal -- or disregard the range and impose whatever sentence it wants up to the maximum.
While the Supreme Court has noted the Guideline ranges created by the USSC are supposed to be based on "empirical data and national experience," oftentimes they are born out of Congressional directive to the Commission to increase sentencing ranges after Congress increases maximum punishments. That's exactly what Congress did in 2008 (PDF) after it increased the CFAA's maximum penalties and told the USSC it wanted the Guideline ranges for CFAA crimes to be "increased in comparison to those currently provided by such guidelines and policy statements."
The Guideline section that applies to the CFAA is § 2B1.1 which also covers other fraud and theft crimes. The "base offense level," or starting point of the Guideline calculation, depends on the maximum punishment. But unless a defendant is convicted of causing damage to a protected computer that "recklessly causes serious bodily injury" or a repeat violation of some CFAA crimes, the base offense level for CFAA crimes is 6.
At first blush, a CFAA defendant is clearly at the lower end of the sentencing spectrum. For sentences ranges falling in "Zone A," the Guidelines authorize a court to impose probation without any imprisonment. However, the offense levels steadily increase as the Guidelines' myriad number of adjustments and enhancement start to apply.
"Loss," The Infinite Enhancement
After determining the base offense level, § 2B1.1(b) tells the court to calculate the amount of financial loss caused by the crime. "Loss" means the greater of either "actual loss"—the reasonably foreseeable financial harm caused by the crime—or the "intended loss"—the financial harm the defendant intended to cause if not for some obstacle getting in the way. In a fraud or theft case, that generally is the value of the thing taken. But the Guidelines define "loss" much broader for CFAA convictions:
In the case of an offense under 18 U.S.C. § 1030, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.
Not only does this exclusive CFAA definition and the corresponding sentencing increase lead to excessive sentences compared to other forms of fraud; it also gives prosecutors wide discretion to ratchet potential sentences for defendants who insist on exercising their constitutional right to go to trial.
For example Andrew "Weev" Auernheimer was sentenced to 41 months in prison for exposing a security hole on AT&T's servers that publicly revealed iPad users' email addresses. The court ruled that the "loss" to AT&T in his case was $73,000. But that wasn't the "value" of the email addresses that were taken or the cost of fixing the computers or servers; rather that was how much it cost AT&T to mail a letter to its customers notifying them of the email breach. As Professor Orin Kerr has noted, that loss amount is unreasonable because it had nothing to do with fixing the computers and wasn't a reasonable response to the problem by AT&T since AT&T also sent an email notice of the breach, which had been effective. Yet, that $73,000 loss amount resulted in an 8 level increase to the offense level for Auernheimer. For his co-defendant Daniel Spitler, who pleaded guilty and testified against Auernheimer, prosecutors agreed to a loss amount of $30,000, subjecting him to only a 6 level increase.
In the case of Aaron Swartz, the ability of prosecutors to determine loss resulted in an enormous sentencing exposure swing. Since Swartz didn't "hack" into anything and didn't harm any computers, the sole issue that would determine his possible sentence would be the value of the articles he took from JSTOR. When prosecutors offered Swartz a plea deal that would result in a few months in jail, they were likely calculating the loss to be more than $10,000 but less than $30,000, resulting in only a 4 level increase from in the Guidelines. But according to Swartz's lawyer Elliot Peters, prosecutors also threatened Swartz with a much greater sentence if he went to trial, claiming the amount of loss was $2 million. That would result in a 16 level increase in his Guideline range. Others have speculated that if taken to its logical extreme -- taking 4.8 million articles that cost $19 apiece to download -- the loss could be $91 million, leading to a 24 level increase, bringing his Guideline sentence closer to the maximum punishments bandied about in DOJ's press release.
These wild swings create uncertainty and pressures on defendants to plead guilty. And while that's true in any criminal case, it's amplified with the CFAA since the loss definition is broader than even other federal fraud crimes.
Double (and Triple) Counting Computer Skills
Unfortunately, there's more. Section 2B1.1(b)(10) also calls for a two level increase for using "sophisticated means" to commit the crime. For Auernheimer, that was Spitler's act of running the script that simply modified a number in a public URL. It could easily be the same thing for Swartz, who also allegedly ran a script in order to bulk download the files from JSTOR, despite the fact he actually had permission to access the files, just not with a bulk downloader.
Meanwhile, there's another enhancement that covers the same exact conduct which could also apply. Under § 3B1.3 a defendant who uses a "special skill" to commit a crime faces another two level enhancement, notwithstanding § 2B1.1(b)(10)'s "sophisticated means" increase. A "special skill" is a "a skill not possessed by members of the general public and usually requiring substantial education, training or licensing." The examples given by the USSG are a pilot, lawyer or doctor. DOJ claimed Auernheimer—who again did no "hacking" or script writing—had "special" computer skills that justified the increase. So he received an additional 4 level increase.
Its easy to imagine the same enhancement applying to Swartz too for not only running the script, but also for masking his IP address—a legitimate practice designed to protect anonymity—in order to avoid getting kicked off of MIT's network or JSTOR's servers and leave no trace of who he was or where he was coming from.
The Guidelines allow the same conduct to result in multiple level increases, ultimately resulting in a higher sentence.
Adding It All Together
Auernheimer also received another two level increase under § 2B1.1(b)(11) for transferring a "means of identification," specifically the email addresses. So here's how the Guidelines ultimately worked out for Weev and Swartz on the CFAA counts. Both are in criminal history category I:
|Base Offense Level||6||6|
|Loss||+8 ($73,000)||+16 ($2 million)|
|"Means of Identification||+2||0|
|Adjusted Offense Level||20||26|
|Guideline Range||33-41 months||63-78 months|
Weev and Swartz are in "Zone D" of the table, meaning the Guidelines disqualified them from probation and required a prison sentence. Weev received a sentence at the high end of the Guideline range, 41 months, with some noting his past Internet behavior motivated the higher sentence. And in truth, § 1B1.4 of the Guidelines tell the Court it "may consider, without limitation, any information concerning the background, character and conduct of the defendant" when deciding on the appropriate sentence.
Prosecutors took full advantage of this provision, informing the court of Auernheimer's past behavior, and the court took the bait, holding Weev accountable for actions irrelevant to the criminal sentence and imposing a sentence that was not only at the high end of the Guideline range, but more than other defendants convicted of arguably worse behavior.
It's easy to imagine prosecutors doing the same with Swartz, using his prior bulk download of documents from PACER and his "Guerilla Open Access Manifesto" as a reason to justify the tough prosecution and sentence.
Ultimately, the Guidelines are just as much of a problem in CFAA cases as the broad language of the statute and the maximum punishments. We're working hard to reform the CFAA, advocating for the law’s penalties to be proportionate to the wrongdoing they're meant to punish. That means Congress needs to not only change the CFAA's penalty scheme but also must call on the USSC to reexamine how the Guidelines treat the CFAA too. So please join EFF in calling on Congress to fix the CFAA by sending an email to your elected representatives now.