How the Sentencing Guidelines Work Against Defendants in CFAA Cases

In the wake of social justice activist Aaron Swartz's tragic death, EFF and Internet users around the country are in the middle of a week-of-action, asking Congress to reform the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. The CFAA has many problems and users can contact their representative to demand reform. In this two-part series, we'll explore the specific problems with federal sentencing under the CFAA. Part 1 explains why maximums matter.

Much of the recent discussion about the problems with the CFAA's tough penalty scheme has revolved around its draconian maximum punishments. While maximums play an important role in criminal sentencing, the actual sentence a defendant will receive depends mostly on the sentencing range recommended in the United States Sentencing Guidelines ("USSG"). The Guidelines are written and updated by the United States Sentencing Commission ("USSC"), an independent agency of the judicial branch created by Congress in 1984, to help judges determine where in the spectrum from no jail time to the maximum a sentence should fall. Once binding on sentencing courts, in 2005 the Supreme Court ruled that were only a recommendation the court was free to disregard. Nonetheless, the vast majority of federal criminal sentences fall within the Guideline range recommended by the USSC. And when it comes to looking at how the Guidelines treat CFAA cases, it's clearwhy the law needs to be reformed.

How the Guidelines Work

The Guideline range only hinges on two things: the characteristics of the crime committed and the defendant’s criminal history. It plots these two factors on a table. On the Y-Axis is a scale of 1 to 43 that measures the "offense level" or the seriousness of a crime; 1 is the least serious crime; 43 is the most serious crime. On the X-Axis is a scale of I to VI that measure's a defendant's criminal history; I is the least serious criminal history including first offenders; VI is the highest.

At sentencing, the court must first calculate the offense level for the specific statute of conviction. Then, it can apply enhancements for aggravating behavior like choosing an "official victim." Once the court calculates the offense level it then determines the defendant's criminal history. Then, once these two factors have been calculated, the court matches the two numbers on the table, leading to the recommended sentencing range for a particular crime. As any of these two axes increase, so does the length of the sentence. The court can impose a sentence within the range—which can be presumed reasonable on appeal -- or disregard the range and impose whatever sentence it wants up to the maximum.

While the Supreme Court has noted the Guideline ranges created by the USSC are supposed to be based on "empirical data and national experience," oftentimes they are born out of Congressional directive to the Commission to increase sentencing ranges after Congress increases maximum punishments. That's exactly what Congress did in 2008 (PDF) after it increased the CFAA's maximum penalties and told the USSC it wanted the Guideline ranges for CFAA crimes to be "increased in comparison to those currently provided by such guidelines and policy statements."

The Guideline section that applies to the CFAA is § 2B1.1 which also covers other fraud and theft crimes. The "base offense level," or starting point of the Guideline calculation, depends on the maximum punishment. But unless a defendant is convicted of causing damage to a protected computer