The RISKS Digest
Volume 14 Issue 32

Friday, 5th February 1993

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Programmer Licensing
Paul Robinson
**** pointer-> Injured using Computer Pointing Device?
Pete W. Johnson
Suggestions for a hi-tech crime-investigators' seminar ??
Jim Warren
Revised Computer Crime Sentencing Guidelines
Dave Banisar
Info on RISKS (comp.risks)

[TDR] Programmer Licensing

"Tansin A. Darcos & Company" <0005066432@mcimail.com>
Thu, 4 Feb 93 03:45 GMT
Al Underwood asked about the possibility of Government Computer Professional
Certification, otherwise known as Programmer Licensing.  A famous philosopher
referred to it as "Guild Socialism," i.e. that in exchange for their group
providing some needed service, their group must be the only one allowed to
perform it.  Doctors, Lawyers, Electricians, Plumbers and others got their
practices set up so that any involvement in them by persons who are not
licensed by their guild becomes a criminal offense.  That some of these
activities may be hazardous by persons not trained in the particular practice
in question may be the reasoning behind the requirements, but in every case,
the actual practice of licensing is used to protect those in that particular
guild from competition.  Doctors keep out people from foreign countries.
Lawyers use it to keep people from dispensing information about minor matters
such as bankruptcy, or use it as a club to threaten people, and so on.

I remember that New Jersey was planning to do this a couple of years ago. I
made a big stink on any forum I could find in the computer world (I did not
know of many Internet lists at that time, so I could only complain on one or
two) and sent out messages on the BBS networks I could get access to, in order
to warn people about this.

When certification is done at the mandatory level, i.e. you must have a
license to practice the certified occupation or you can be charged with a
criminal act, it gives to private parties the power of the State to decide
what is or is not satisfactory performance.  It can be prostituted in all
sorts of ways depending on the political agenda of the people who are
involved.

1.  License fees could be anything from $10 to $2000 a year depending on
    what the board wants to set the fees at.  If you can't afford the
    fee, that's too bad, you're out of the business.

2.  License boards generally grandfather the law: anyone who claims to be
    working in that particular field at the time the law is in effect is
    granted an automatic license.  Therefore the license rule serves to
    do just one thing: raise money for the licensing board and begin to
    weed out those who either weren't around when the licensing started
    or could not afford the fees.  This can also be used as a hidden
    tax, by, for example, budgeting $100,000 for the license bureau,
    while setting the tax to take in $1.1 or $2.1 million, thus using
    the law to raise an extra 2 mil for revenue hungry state legislatures.

3.  The license boards conceivably can decide what is or isn't valid
    practice in a particular occupation.  A Programmer Licensing Board,
    or "Software Engineers Quality Control Board" or whatever it is
    called, can decide, for example, that the use of the "GOTO" is
    no longer permitted, or the COBOL ALTER, or some other language
    construct, and make use of the proscribed method grounds for
    someone to lose their license.

4.  One state can set standards such that its requirements become
    effective beyond its borders.  It's noted there is a man who is
    a lawyer in California who has to come back into DC to defend
    his license to practice over an issue that allegedly was settled,
    because if the DC Bar revokes his license all the other states will.

5.  If someone writes opinions which are unflattering of a License Board
    or takes an unpopular stance on an issue, the License Control
    Board can, using item 3 above, take someone's license away
    by changing the standard in a way that the person cannot meet it and
    thus loses his license.  For a fictional example of how this could be
    prostituted into requiring almost everyone in a particular
    guild to become an indentured servant of a particular company,
    read the short story "Magic, Inc." by Robert A. Heinlein.
    It's usually in a combined story, "Waldo and Magic, Inc.,"
    where two related short stories are combined.

6.  A computer program is the creation of the mind of an individual,
    and as such is "a figment of the imagination" since a computer
    program has no physical apportation other than as bits on disk,
    which are no different from any other bits.  As such, a computer
    program is a form of writing.  I question whether a law requiring
    someone to have a license in order to write something would stand
    challenge in the United States on 1st Amendment grounds of prior
    restraint.  I do not know if someone has ever tried to license
    reporters in order to show that they know how to write and spell
    and use English correctly; whether such would withstand court
    scrutiny is an interesting question.  But a law that allowed a
    reporter to lose his license if a government agency decided he
    is not qualified would be so offensive to the first amendment
    that a court wouldn't even consider arguments over the intended
    "improvement" of the reporters guild such a law would attain.
    Requiring reporters to know their subject matter in order to
    write about it would certainly make them better writers.  It
    also would certainly be unconstitutional.

7.  There is generally a shortage of talented computer people.  A
    law requiring licensing of programmers (or 'software engineers'
    or whatever it is) would not fix the problem and would only
    exacerbate it and might make things worse: since everyone currently
    working can be grandfathered, some places might have to hire
    incompetents because the supply of quality people has dried up.

8.  Some companies have gone to training their own people in order
    to make up for a famine of supply.  If the laws require that
    you can only enter the field after a four year degree from an
    accredited university, there goes the space for opening level
    people and the chance for a company to 'grow their own.'

9.  Cutting people's appendixes for free is still 'practicing
    medicine'.  Fighting a traffic ticket (where traffic offenses are
    still crimes) is still 'practicing law'.  Doing these things for
    someone else, even if for free, is still performing a licensed
    occupation which is a crime.  What does this do to the shareware
    world of people who write programs on spec for others to try and
    use and pay for if they like them?

10. A few years ago the Food and Drug Administration busted into a
    warehouse and seized thousands of gallons of contraband orange
    juice.  Because it was unfit for human consumption?  Because it
    was contaminated?  Because there was a danger to the public?
    Because the agency didn't like the label on it and wanted that
    particular processor - Procter and Gamble - to comply with a
    standard that it was not requiring of 300 other orange juice
    processors.  When P&G said that if the EPA would evenly enforce
    the law on everyone they would go along, the EPA decided to
    seize the packages.  What this has to do with the licensing
    of software people is slightly related to #9.  If someone is
    writing software for a company and doesn't have a license, can
    the software be seized?  If the person has a license where the
    program is made but not in other states?  (You can't practice
    medicine or law or engineering in states not licensed.)  If
    the program is transported from a state not requiring a license
    to create software to one where one is, can the product be
    seized for noncompliance?  The product was produced by an
    unlicensed person in a state where licensing is required.  In
    some states if you order a stock not registered in that state
    and then decide to change your mind and not buy it, the broker
    cannot force you to pay for it because of mandatory registration
    of stock issues.  Could not the same thing be done for
    computer programs or the creators of same?

These and perhaps other points come up in the licensing of software
professionals; the dangers to the people who make this stuff, and perhaps
dangers to the public.

I have heard that the reason it was killed was because (1) the software
industry didn't want it; (2) Bell Labs, in New Jersey, was upset when the
estimated license fees for all of the people who worked there would cost the
company more than $1,000,000.

Apparently some legislator in New Jersey proposed this law without
asking anyone, either in the industry or among its customers, if anyone
even wanted it.

Paul Robinson — TDARCOS@MCIMAIL.COM

    [Also, see RISKS-13.13 and 15, CACM Inside RISKS Feb 91]


**** pointer-> Injured using Computer Pointing Device?: READ THIS ****

Pete W. Johnson <petej@garnet.berkeley.edu>
2 Feb 1993 04:03:04 GMT
This is a pointer to a basenote and discussion pertaining to computer pointing
device injuries (mouse, trackballs, puck, stylus, etc.) in
sci.med.occupational.  For convenience I have included a copy of the basenote
below.  To follow net etiquette, please direct all responses to the basenote
below in sci.med.occupational notesgroup ONLY.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                      (Copy of Basenote)

This note (which is being posted monthly) is for anyone that has been
injured using a computer pointing device (mouse, trackball, puck, tablet,
etc.).  I have been assisting computer operators who have been injured using
pointing devices for the past 4 years.  I am now presently doing research
at the University of California's (San Francisco and Berkeley's) Ergonomics
Lab on the design of computer pointing devices with the goal of reducing
injuries associated with their use.  In order to do this, I need to collect
information on pointing device design characteristics (button design, button
force, device size, device shape, etc.) that are important in minimizing
and/or reducing the physical stresses operators are subjected to.  Some of
this information will be collected through my laboratory research, but a
major and important source of information has to come from operators like
yourself.  I need to collect all the information I can from computer
operators that have been injured as a result of pointing device use.

In order to do this, I need your help.  If you have been injured using a
pointing device, I would appreciate it if you would send me a note with
information pertaining to your injury.  I would like the information
e-mailed directly to me (petej@garnet.berkeley.edu).  The format I would
like the information sent to me is as follows, fill in as much as you
can:

 1) NAME: (optional)
 2) COMPANY: (optional)
 3) PHONE #: (optional)
 4) NUMBER OF HOURS SPENT IN FRONT OF THE COMPUTER PER DAY:
 5) PERCENTAGE OF TIME SPENT USING A POINTING DEVICE:
 6) MANUFACTURER OF COMPUTER AND MODEL NUMBER:
 7) POINTING DEVICE USED AT TIME OF INJURY: (Please be specific)
      a) MANUFACTURER
      b) MODEL OR PART NUMBER
      c) DESCRIPTION OF DEVICE
 8) PRIMARY SOFTWARE APPLICATION USED AT THE TIME OF YOUR INJURY
 9) TYPE OF INJURY
10) WHAT YOU THINK CAUSED YOUR INJURY
11) IF INJURY IS RESOLVED OR YOUR CONDITIONS HAVE IMPROVED, WHAT CHANGES
    WERE MADE (This is probably the most beneficial information)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My intent is to enter this information into a database in order to
gather information and look for trends.  Each month I will share
relevant information by posting a monthly summary in
sci.med.occupational similar to what has been done with keyboard
information.  If you are presently experiencing problems, feel free to
call me (510/231-9405) and I will share with you what I know.  I am also
open for suggestions, please post responses to this basenote or e-mail
me if you have any further suggestions or input.

If your company has internal bulletin boards, please post this note or
provide a pointer telling your co-workers about this basenote in the
sci.med.occupational newsgroup.  I will also be posting a pointer to
this basenote in comp.risks, comp.human-factors, and sci.med as well.

Finally, if you have any opinions or inputs on a particular pointing
device or pointing device design in general, send me a note or call me.
Our lab is assisting some of the major pointing device manufacturers
with the design of their pointing devices. If you have some inputs for a
particular company, I will be happy to direct them to the appropriate
person.

Thanks for your help.

Peter W. Johnson
                          (End of Basenote)


Suggestions for a hi-tech crime-investigators' seminar ??

Jim Warren <jwarren@autodesk.com>
Thu, 4 Feb 93 14:01:53 PST
  I have been invited to give (or organize) a 4-hour seminar presenting civil
liberties perspectives and concerns to a group of 40-60 high-tech criminal
investigators on the first day of the HTCIA Northern California 3-day workshop
in April (High Tech Criminal Investigators Association).  They are expecting
attendees from Nor Cal and from beyond.  My understanding is that most of
the members are sworn peace officers who are specializing in investigating
high-tech crime; a minority are corporate and agency computer security
officers.  Most will attend the seminar (only one seminar per time-period).

  I see it as an *outstanding* opportunity to
(a) open [more] communication channels between in-the-trenches law enforcement
officials and civlibbies,
(b) learn more of their concerns and problems,
(c) enhance the chances of additional similar and expanded exchanges at future
law-enforcement meetings through *nonconfrontational*, well-informed, candid
discourse, and
(d) better inform law enforcement folks of the complexities, styles and
trade-offs in "cyberspace," and their ramifications for law enforcement's legitimate
and significant concerns.
  [And — heh! — it will give "them" a chance to harangue "us" civlib types;
equitable role-reversal for those cops who have entered the lion's den by
attending any of the Computers, Freedom & Privacy conferences of the last
several years.]

  I have invited an attorney who is specializing in these issues to join me in
organizing and presenting this seminar, and am in hopes that her organization
will support her participation.  She has been closely monitoring related
legislation in Washington, DC, and has also been directly involved in a major
computer-search case currently being litigated in Texas.

Query/request:
  I have a number of ideas for topics and perspectives to present/cover, and
have several documents I plan to provide as handouts. But, I am very-much
interested in receiving suggestions and/or papers/handouts that might be
appropriate for presentation/distribution at a regional meeting of high tech
criminal investigators [long on meat; short on emotion and opinion, please].
  Please forward comments, suggestions and copies (ideally e-copies for
reformatting and printing in a combined handout, including a note permitting
reproduction for this purpose).  [Confidentiality of sources and suggestors
will be protected, upon request.]

--jim                               [forward or post elsewhere, as desired]
Jim Warren, 345 Swett Rd., Woodside CA 94062; 415-851-7075
jwarren@well.sf.ca.us  -or-  jwarren@autodesk.com
[for identification purposes only: founder and Chair, 1991 First Conference on
Computers, Freedom & Privacy; a recipient, 1992 Electronic Frontier Foundation
Pioneer Awards; "futures" columnist, MicroTimes; member, Autodesk Bd.of Dirs.]


Revised Computer Crime Sentencing Guidelines

Dave Banisar <banisar@washofc.cpsr.org>
Sat, 30 Jan 1993 15:12:11 EST
From Jack King (gjk@well.sf.ca.us)

The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
promulgate a new federal sentencing guideline, Sec. 2F2.1, specifically
addressing the Computer Fraud and Abuse Act of 1988 (18 USC 1030), with a base
offense level of 6 and enhancements of 4 to 6 levels for violations of
specific provisions of the statute.  The new guideline practically guarantees
some period of confinement, even for first offenders who plead guilty.

For example, the guideline would provide that if the defendant obtained
``protected'' information (defined as ``private information, non-public
government information, or proprietary commercial information''), the offense
level would be increased by two; if the defendant disclosed protected
information to any person, the offense level would be increased by four
levels, and if the defendant distributed the information by means of ``a
general distribution system,'' the offense level would go up six levels.

The proposed commentary explains that a ``general distribution system''
includes ``electronic bulletin board and voice mail systems, newsletters and
other publications, and any other form of group dissemination, by any means.''

So, in effect, a person who obtains information from the computer of another,
and gives that information to another gets a base offense level of 10; if he
used a 'zine or BBS to disseminate it, he would get a base offense level of
12. The federal guidelines prescribe 6-12 months in jail for a first offender
with an offense level of 10, and 10-16 months for same with an offense level
of 12.  Pleading guilty can get the base offense level down by two levels;
probation would then be an option for the first offender with an offense level
of 10 (reduced to 8).  But remember: there is no more federal parole.  The
time a defendant gets is the time s/he serves (minus a couple days a month
"good time").

If, however, the offense caused an economic loss, the offense level would be
increased according to the general fraud table (Sec. 2F1.1). The proposed
commentary explains that computer offenses often cause intangible harms, such
as individual privacy rights or by impairing computer operations, property
values not readily translatable to the general fraud table. The proposed
commentary also suggests that if the defendant has a prior conviction for
``similar misconduct that is not adequately reflected in the criminal history
score, an upward departure may be warranted.'' An upward departure may also be
warranted, DOJ suggests, if ``the defendant's conduct has affected or was
likely to affect public service or confidence'' in ``public interests'' such
as common carriers, utilities, and institutions.  Based on the way U.S.
Attorneys and their computer experts have guesstimated economic "losses" in a
few prior cases, a convicted tamperer can get whacked with a couple of years
in the slammer, a whopping fine, full "restitution" and one to two years of
supervised release (which is like going to a parole officer). (Actually, it
*is* going to a parole officer, because although there is no more federal
parole, they didn't get rid of all those parole officers. They have them
supervise convicts' return to society.)

This, and other proposed sentencing guidelines, can be found at 57 Fed Reg
62832-62857 (Dec. 31, 1992).

The U.S. Sentencing Commission wants to hear from YOU.  Write: U.S.
Sentencing Commission, One Columbus Circle, N.E., Suite 2-500, Washington DC
20002-8002, Attention: Public Information.  Comments must be received by March
15, 1993.
                                  * * *

Actual text of relevant amendments:

                    UNITED STATES SENTENCING COMMISSION
                  AGENCY: United States Sentencing Commission.
                               57  FR  62832

                               December 31, 1992

   Sentencing Guidelines for United States Courts

ACTION: Notice of proposed amendments to sentencing guidelines,
policy statements, and commentary. Request for public comment.
Notice of hearing.

SUMMARY: The Commission is considering promulgating certain
amendments to the sentencing guidelines, policy statements, and
commentary. The proposed amendments and a synopsis of issues to be
addressed are set forth below. The Commission may report amendments
to the Congress on or before May 1, 1993. Comment is sought on all
proposals, alternative proposals, and any other aspect of the
sentencing guidelines, policy statements, and commentary.

DATES: The Commission has scheduled a public hearing on these
proposed amendments for March 22, 1993, at 9:30 a.m. at the
Ceremonial Courtroom, United States Courthouse, 3d and Constitution
Avenue, NW., Washington, DC 20001.

   Anyone wishing to testify at this public hearing should notify
Michael Courlander, Public Information Specialist, at (202) 273-4590
by March 1, 1993.

   Public comment, as well as written testimony for the hearing,
should be received by the Commission no later than March 15, 1993,
in order to be considered by the Commission in the promulgation of
amendments due to the Congress by May 1, 1993.

ADDRESSES: Public comment should be sent to: United States
Sentencing Commission, One Columbus Circle, NE., suite 2-500, South
Lobby, Washington, DC 20002-8002, Attention: Public Information.

FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public
Information Specialist, Telephone: (202) 273-4590.

* * *

   59. Synopsis of Amendment: This amendment creates a new guideline
applicable to violations of the Computer Fraud and Abuse Act of 1988 (18
U.S.C. 1030). Violations of this statute are currently subject to the fraud
guidelines at S. 2F1.1, which rely heavily on the dollar amount of loss caused
to the victim. Computer offenses, however, commonly protect against harms that
cannot be adequately quantified by examining dollar losses. Illegal access to
consumer credit reports, for example, which may have little monetary value,
nevertheless can represent a serious intrusion into privacy interests. Illegal
intrusions in the computers which control telephone systems may disrupt normal
telephone service and present hazards to emergency systems, neither of which
are readily quantifiable. This amendment proposes a new Section 2F2.1, which
provides sentencing guidelines particularly designed for this unique and
rapidly developing area of the law.

   Proposed Amendment: Part F is amended by inserting the following section,
numbered S. 2F2.1, and captioned "Computer Fraud and Abuse," immediately
following Section 2F1.2:

"S. 2F2.1. Computer Fraud and Abuse

   (a) Base Offense Level: 6

   (b) Specific Offense Characteristics

   (1) Reliability of data. If the defendant altered information, increase by
2 levels; if the defendant altered protected information, or public records
filed or maintained under law or regulation, increase by 6 levels.

   (2) Confidentiality of data. If the defendant obtained protected
information, increase by 2 levels; if the defendant disclosed protected
information to any person, increase by 4 levels; if the defendant disclosed
protected information to the public by means of a general distribution system,
increase by 6 levels.

   Provided that the cumulative adjustments from (1) and (2), shall
not exceed 8.

   (3) If the offense caused or was likely to cause

   (A) interference with the administration of justice (civil or criminal) or
harm to any person's health or safety, or

   (B) interference with any facility (public or private) or communications
network that serves the public health or safety, increase by 6 levels.

   (4) If the offense caused economic loss, increase the offense level
according to the tables in S. 2F1.1 (Fraud and Deceit). In using those
tables, include the following:

   (A) Costs of system recovery, and

   (B) Consequential losses from trafficking in passwords.

   (5) If an offense was committed for the purpose of malicious destruction or
damage, increase by 4 levels.

   (c) Cross References

   (1) If the offense is also covered by another offense guideline section,
apply that offense guideline section if the resulting level is greater. Other
guidelines that may cover the same conduct include, for example: for 18 U.S.C.
1030(a)(1), S. 2M3.2 (Gathering National Defense Information); for 18 U.S.C.
1030(a)(3), S. 2B1.1 (Larceny, Embezzlement, and Other Forms of Theft), S.
2B1.2 (Receiving, Transporting, Transferring, Transmitting, or Possessing
Stolen Property), and S. 2H3.1 (Interception of Communications or
Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and Deceit), and S.
2B1.1 (Larceny, Embezzlement, and Other Forms of Theft); for 18 U.S.C. S.
1030(a)(5), S. 2H2.1 (Obstructing an Election or Registration), S. 2J1.2
(Obstruction of Justice), and S. 2B3.2 (Extortion); and for 18 U.S.C. S.
1030(a)(6), S. 2F1.1 (Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement,
and Other Forms of Theft).


Commentary

   Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)

   Application Notes:

   1. This guideline is necessary because computer offenses often harm
intangible values, such as privacy rights or the unimpaired operation of
networks, more than the kinds of property values which the general fraud table
measures. See S. 2F1.1, Note 10. If the defendant was previously convicted of
similar misconduct that is not adequately reflected in the criminal history
score, an upward departure may be warranted.

   2. The harms expressed in paragraph (b)(1) pertain to the reliability and
integrity of data; those in (b)(2) concern the confidentiality and privacy of
data. Although some crimes will cause both harms, it is possible to cause
either one alone. Clearly a defendant can obtain or distribute protected
information without altering it. And by launching a virus, a defendant may
alter or destroy data without ever obtaining it. For this reason, the harms
are listed separately and are meant to be cumulative.

   3. The terms "information," "records," and "data" are interchangeable.

   4. The term "protected information" means private information, non-public
government information, or proprietary commercial information.

   5. The term "private information" means confidential information (including
medical, financial, educational, employment, legal, and tax information)
maintained under law, regulation, or other duty (whether held by public
agencies or privately) regarding the history or status of any person,
business, corporation, or other organization.

   6. The term "non-public government information" means unclassified
information which was maintained by any government agency, contractor or
agent; which had not been released to the public; and which was related to
military operations or readiness, foreign relations or intelligence, or law
enforcement investigations or operations.

   7. The term "proprietary commercial information" means non-public business
information, including information which is sensitive, confidential,
restricted, trade secret, or otherwise not meant for public distribution. If
the proprietary information has an ascertainable value, apply paragraph (b)
(4) to the economic loss rather than (b) (1) and (2), if the resulting offense
level is greater.

   8. Public records protected under paragraph (b) (1) must be filed or
maintained under a law or regulation of the federal government, a state or
territory, or any of their political subdivisions.

   9. The term "altered" covers all changes to data, whether the defendant
added, deleted, amended, or destroyed any or all of it.

   10. A "general distribution system" includes electronic bulletin board and
voice mail systems, newsletters and other publications, and any other form of
group dissemination, by any means.

   11. The term "malicious destruction or damage" includes injury to business
and personal reputations.

   12. Costs of system recovery: Include the costs accrued by the victim in
identifying and tracking the defendant, ascertaining the damage, and restoring
the system or data to its original condition.  In computing these costs,
include material and personnel costs, as well as losses incurred from
interruptions of service. If several people obtained unauthorized access to
any system during the same period, each defendant is responsible for the full
amount of recovery or repair loss, minus any costs which are clearly
attributable only to acts of other individuals.

   13. Consequential losses from trafficking in passwords: A defendant who
trafficked in passwords by using or maintaining a general distribution system
is responsible for all economic losses that resulted from the use of the
password after the date of his or her first general distribution, minus any
specific amounts which are clearly attributable only to acts of other
individuals. The term "passwords" includes any form of personalized access
identification, such as user codes or names.

   14. If the defendant's acts harmed public interests not adequately
reflected in these guidelines, an upward departure may be warranted. Examples
include interference with common carriers, utilities, and institutions (such
as educational, governmental, or financial institutions), whenever the
defendant's conduct has affected or was likely to affect public service or
confidence".
