TABLE OF CONTENTS I. INTRODUCTION 314 II. BACKGROUND 317 A. Factors Affecting Sentencing Under the Computer Fraud and Abuse Act 317 1. Maximum Sentences 317 2. Sentencing Guidelines 319 B. Criminological Studies of Crime Seriousness 322 III. STUDY I: BETWEEN-SUBJECTS EXPERIMENTS 327 A. Methodology 327 1. Research Questions 327 2. Design 328 B. Theoretical Model 331 C. Results 331 IV. STUDY II: FACTORIAL VIGNETTE SURVEY EXPERIMENT 338 A. Methodology 339 1. Research Questions 339 2. Design 339 B. Theoretical Model 342 C. Results 342 V. DISCUSSION 345 A. Comparison of Results Between the Two Studies 345 B. Implications for Sentencing Policy 346 C. Limitations and Opportunities for Further Research 351 D. Conclusion 352 APPENDIX A: U.S. SENTENCING GUIDELINES TABLE 353 APPENDIX B: REGRESSION TABLES FOR BETWEEN-SUBJECTS EXPERIMENTS (STUDY I) 354 APPENDIX C: INTER-RESPONDENT HETEROGENEITY 360 I. INTRODUCTION
The U.S. Computer Fraud and Abuse Act (CFAA) (1) is not a popular law. (2) Enacted in 1986 to deal with the nascent computer crimes of that era, it has aged badly. It has been widely criticized as vague, poorly structured, and having an overly broad definition of loss that invites prosecutorial abuse. (3)
These criticisms only increased when Aaron Swartz committed suicide in 2013 after he was threatened with up to 35 years in prison for downloading millions of academic papers from an online database. (4)
One of the problems with sentencing under the CFAA has received little attention: a misalignment between the facts that affect sentencing and the importance of those facts to the seriousness of CFAA crimes. It has been observed, for example, that CFAA sentences escalate rapidly as (easily inflated) losses increase. (5) But this escalation may be rapid not only in an absolute sense, but in disproportion to other attributes of the crime. Other factors, such as the offender's motivation, the context of the crime, its scope, or the type of data affected, may play a larger role in the seriousness of a crime.
The purpose of this piece is to explore that potential misalignment between punishment and perceptions through a series of empirical experiments that measure public opinions about cybercrime. Experimental measurement of public opinion has been used to study crime seriousness since at least the 1960s. (6) Criminal law codifies social norms, which manifest as perceptions that can be empirically measured. (7) More generally, public opinion influences policymaking. (8) Criminal codes "reflect through the state legislature's deliberations and actions some understanding, however dim and remote, of what 'the public' deems appropriate for the crimes in question." (9) Although public perceptions of the criminal justice system are flawed, (10) these perceptions influence how crimes are defined, what punishments they carry, whether those punishments are believed to be fair, and how resources are allocated to enforcement.
We report on the results of two studies with over 2,600 respondents: (1) a series of six between-subjects experiments and (2) a factorial vignette survey experiment. We conducted these two types of studies to take advantage of the benefits of each methodology. The factorial vignette methodology has been used to investigate how different factors of a crime (such as the offender's race, income, and gender) affect perceptions of that crime." The between-subjects methodology, in contrast, allows us to ask more questions about each vignette as well as tailor the specifics of each vignette to increase plausibility.
Our results provide empirical support for arguments that CFAA sentencing is miscategorized in the federal sentencing guidelines. Although an attacker's motivation, the type of data affected, and the amount of loss are all statistically significant factors in perceived seriousness, the weight placed on financial loss in sentencing calculations is not reflected in public attitudes. Another factor in CFAA sentencing--the target of the crime--appears to have no statistically significant effect on perceptions. In contrast, the most important factor in ratings of seriousness--the attacker's motivation--has much less of an effect on sentencing. These results suggest that CFAA sentences are indeed out of alignment with the public's views.
The rest of this piece proceeds as follows. Part 0 provides background information. In Part II.A, we discuss the factors that affect the maximum sentences under the CFAA and the factors that determine the recommended sentences under the federal sentencing guidelines; in Part II.B, we summarize previous work on crime seriousness. Part III presents the methodology, model, and results of our between-subjects experiments. Part IV presents our factorial vignette survey experiment. Part 0 discusses the implications of our results and concludes.
FACTORS AFFECTING SENTENCING UNDER THE COMPUTER FRAUD AND ABUSE ACT
As with all non-capital federal crimes, sentencing under the CFAA is determined by statutory provisions and federal sentencing guidelines. The statute sets maximum sentences based on the nature of the crime. (12) The sentencing guidelines determine the recommended sentencing range based on aspects of both the crime and relevant conduct. (13) The rest of this section discusses how various factors of a CFAA crime affect maximum and recommended sentences.
The CFAA criminalizes six types of conduct as "computer crime." (14) In general terms, these are (1) obtaining information, (15) (2) accessing government computers, (16) (3) committing computer fraud, (17) (4) causing damage with or to a computer, (18) (5) trafficking in passwords, (19) and (6) extorting money by threatening to obtain information or damage a computer. (20) Table 1 summarizes the CFAA sections and the maximum sentences for each. As the table shows, the base maximum sentence for most CFAA crimes is one year except for computer fraud and extortion, which have maximum sentences of five years for a first offense, (21) and accessing national security information, with a maximum sentence of ten years for a first offense. (22)
Two provisions can increase the maximum sentence. The first applies to CFAA crimes of accessing information, accessing government computers, or trafficking in passwords. The maximum sentence for any of these offenses increases to five years if (i) "the offense was committed for purposes of commercial advantage or private financial gain," (ii) the offense was committed "in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State," or (iii) "the value of the information obtained exceeds $5000." (23)
The other provision is a two-dimensional scale that increases maximum sentences for computer damage based on the amount of damage and the level of intent. Recklessly causing damage carries a maximum sentence of five years if the conduct led to at least $5,000 in loss, impaired medical treatment, caused physical injury, posed a threat to public health or safety, damaged any computer used by the U.S. government "in furtherance of the administration of justice, national defense, or national security," or damaged ten or more computers. (24) If the offender intentionally caused any of the forms of damage listed above, the maximum sentence increases to ten years. (25) And if the offender intentionally caused serious bodily injury or death, the maximum sentence increases to twenty years or life, respectively. (26)
If the data obtained in a cybercrime includes "a means of identification of another person," the crime can be charged under the identity theft statutes. (27) A conviction for identity theft carries a maximum sentence of five years. (28) Most computer-connected identity theft crimes will also subject the offender to prosecution under the aggravated identity theft statute, which adds two years imprisonment to a felony conviction under the CFAA. (29)
Maximum sentences under the statute thus depend on the facts of a crime. The maximum sentence can increase based on scope, motive, consequences, context, and the type of information accessed. Scope refers to the number of victims. A CFAA crime that damages ten or more computers has a five-year maximum sentence based on scope. (30) Motive is reflected in an increased maximum sentence of five years for obtaining information for purposes of commercial advantage or financial gain. (31) The consequences of a CFAA crime can increase sentences through the $5000 loss threshold in certain subsections (32) and through maximum sentences that grow longer as damage increases to include physical injury, serious bodily injury, or death. (33) By context, we mean the type of organization or computer victimized. The increase in maximum sentence by five or ten years for damaging government computers is an example. (34) And the type of information matters too: accessing identifying information such as social security numbers can increase the maximum sentence to five years or add two years to the imposed sentence. (35) If an offender accessed classified national security information, the maximum sentence for a first offense increases to ten years. (36)
Although the statute sets maximum sentences, sentence lengths within those maximums are largely determined by the federal sentencing guidelines. Promulgated by the United States Sentencing Commission pursuant to the Sentencing Reform Act of 1984, (37) the guidelines are intended to "provide certainty and fairness in meeting the purposes of sentencing, avoiding unwarranted sentencing disparities among defendants with similar records who have been found guilty of similar criminal conduct while maintaining sufficient flexibility to permit individualized sentences when warranted[.]" (38)
The sentencing range recommended under the guidelines is a function of the crime's offense level and the...