The controversial punishment of Barrett Brown: A deep dive
I've read a lot of criticism recently about the sentencing of Barrett Brown. The online commentary mostly portrays Brown's sentence as a disturbing example of prosecutorial abuse, in which the Obama Administration's war on journalists and war on hackers came together to shred First Amendment freedoms. I wondered, is that true? What really happened in the case, and was Brown's sentence troublesome or not?
I spent some time looking into this over the last few days. Trying to break down the sentencing issues in the Brown case is actually pretty hard, as a lot of the key documents have not yet been released. The guilty plea and sentencing memos are under seal, and the transcript of the sentencing hearing has not yet been made public. [UPDATE: The plea is not under seal; it's here, via Free Barrett Brown.] So any conclusion right now has to be tentative, as we don't yet know all the facts.
With that said, here are three tentative conclusions. First, the sentencing judge may have made some mistakes in calculating Brown's sentence. Second, if the judge did make those mistakes, they may have led the judge to sentence Brown to an improperly long sentence - but then, oddly, they may alternatively have led the judge to sentence Brown to an improperly light sentence. Third, if there were errors, they were pretty technical errors. They were errors in interpreting an esoteric provision of the Federal Sentencing Guidelines, not anything relating to a "war on hackers" or a "war on journalists."
In that sense, the Barrett Brown case is pretty different from the case of Andrew Auernheimer, aka weev (and my former client). From indictment to appeal, the weev prosecution involved a long list of plainly troubling prosecution theories that had broad implications for civil liberties online. The Brown case raised some interesting legal issues at the beginning. I'll touch on some of them here, but others I'll have to leave out just to keep this post from turning into a book. But at this late stage, at sentencing, the legal issues in the Brown case aren't as grand as a lot of people seem to think.
With that enticing introduction, let's dive in.
I'll begin with some context. Barrett Brown pled guilty to three crimes. First, he helped some hackers evade detection by acting as an intermediary for them. That made him an accessory after the fact in violation of 18 U.S.C. 3, which punishes one who, "knowing that an offense against the United States has been committed, receives, relieves, comforts or assists the offender in order to hinder or prevent his apprehension, trial or punishment[.]" Second, when a search warrant was executed at his mom's house as part of the hacking investigation, he tried to hide his computer from the agents in violation of 18 U.S.C. 1501. (His mom helped, too; she was charged and received probation.) Third, after the search, he posted a Youtube video threatening the agent investigating him.
Despite the controversy surrounding the Brown case, it seems to be common ground that Brown did in fact commit these three crimes. He admitted as much at the sentencing hearing, and there weren't any stretches of the law involved in the three counts to which Brown pled guilty. [UPDATE: More stipulated facts are here.] There are harsh criticisms of a different count from an earlier indictment that was later dismissed, which I'll get to later. And there are a lot of objections that Brown wasn't really the biggest criminal in the world. He helped the hackers, many have pointed out, but he isn't a hacker himself. But at least as a legal matter, the factual basis of the three guilty pleas seems pretty uncontroversial.
In this post, I'll focus mostly on the controversy over the sentence Brown received following his guilty plea. By way of background, federal judges calculate sentences in federal criminal cases using a complicated framework set out in the Federal Sentencing Guidelines. The Guidelines work by calculating an offense level for every crime that tries to gauge the seriousness of the offense. It starts with a base offense level that applies to all such crimes, then considers "specific offense characteristics" that add or subtract points baed on the specific circumstances of that case. Judges then take the resulting offense level, calculate the defendant's criminal history, and then go to this chart to figure out what the sentencing range should be. The resulting range isn't legally binding on the judge, but it's the usual ballpark range for the sentence.
In the sentencing in Brown's case, the defense attorneys started off with a significant victory. Although Brown pled guilty to three crimes, his defense attorneys persuaded the judge to punish him as if he had only pled guilty to one of the three crimes. The Federal Sentencing Guidelines have some pretty arcane and complicated rules for how to calculate sentences when a person commits several offenses, and in this case the judge decided to calculate the sentence based on the most serious offense, helping the hackers as an accessory after the fact. The other offenses played a minor role that we'll get to later on, but the bulk of the sentencing was based on being an accessory after the fact to the hackers.
To calculate Brown's sentence, the judge started with the guideline for being an accessory after the fact, Section 2X3.1. You can read that here. At first it seems pretty simple. You calculate the offense level for an accessory after the fact, it explains, by starting "6 levels lower than the offense level for the underlying offense." In other words, this guideline is derivative. To figure out how serious it is to be an accessory after the fact for a hacking offense, you have to first figure out how serious the underlying hack was and then deduct six levels.
The derivative nature of sentencing under 2X3.1 seems simple at first. But it quickly raises a difficult question. When you calculate the seriousness of the underlying crime, do you measure that based on what actually happened, completely independently of the accessory's role or knowledge? Or do you measure that based on what the defendant knew? Or what the accessory actually did? The guideline has an "Application Note" that provides guidance on this:
1. For purposes of this guideline, "underlying offense" means the offense as to which the defendant is convicted of being an accessory[.] Apply the base offense level plus any applicable specific offense characteristics that were known, or reasonably should have been known, by the defendant; see Application Note 10 of the Commentary to §1B1.3 (Relevant Conduct).
Application Note 10 of 1B1.3 largely repeats that language, saying:
In the case of . . . accessory after the fact, the conduct for which the defendant is accountable includes all conduct relevant to determining the offense level for the underlying offense that was known, or reasonably should have been known, by the defendant.
So to figure out the sentence for Brown, we need to start with the base offense level for hacking and then add "any applicable specific offense characteristics [of the underlying computer intrusion offense] that were known, or reasonably should have been known, by the defendant." The key issue is what Brown knew or should have known, not what Brown himself actually did as part of the crime.
The judge started this calculation with the Economic Crimes guideline, 2B1.1, which applies to hacking crimes and has a base offense level of 6. 2B1.1 has all sorts of special offense characteristics that judges are supposed to look to to determine if a particular economic crime is more serious or less serious than another. The judge recently published a memo showing his guidelines calculations, so I'll use them as a guide to understand what the judge did step by step.
First, and most importantly, the judge started by adding 14 levels (ouch!) for the amount of loss caused by the hack - more than $400,000 but less than $1,000,000. This particular enhancement was at least partly determined by the plea agreement. According to press accounts, the defense agreed in the plea that this was the loss caused by the intrusion. It's by far the largest enhancement that determined the sentence Brown received. If you were to take out the 14 level enhancement for loss, Brown would probably have faced 10 months for the accessory conviction instead of 63 months. He would have only received a slightly lower sentence overall, because his most serious count of conviction would have switched to the threat conviction instead, which was still pretty serious. But it could have made a significant difference.
Which brings me to my first concern with the sentence. Under 2X3.1, the judge should have applied this enhancement only to the extent Brown knew or reasonably should have know that this was the loss range for the crime. The relevant issue is what Brown knew or should have known about the loss at the time he was serving as an accessory after the fact. See United States v. Poulsen, 655 F.3d 492, 506 (6th Cir. 2011). The plea included an agreement about the loss caused by the crime, press reports say. Under the Guidelines, that would be the greater of the intended loss or the actual loss of the crime as a whole, whether reasonably foreseeable or not.
But I don't think that's the relevant question for Brown's sentence. As I read 2X3.1, Brown can only be held liable for the part of the loss that he knew or should have known about. Just from the published materials, it's not clear if the judge actually made that separate finding about what loss Brown knew or should have know of, or if he just looked (improperly) at the loss of the intrusion as a whole.
So that's a big question to watch for when more documents are released, such as the transcript of the sentencing hearing: Did the judge automatically apply the the entire loss caused by the crime, as would normally be the case, or did the judge only tag Brown with the loss amount that he knew or should have known would result? The former would be an error, and the latter correct. If the error occurred, it might have made a significant difference to Brown's sentence. He may have received a much longer sentence than he deserved, depending on what he actually knew or should have known.
[IMPORTANT UPDATE, 1/30 at 12:30pm: The plea agreement is available here, and it has the following specific language:"The government recommends that the appropriate guideline range for a loss related to Brown's violation of 18 U.S.C. 3 is more than $400,000 but less than $1,000,000 based on Strategic Forecasting Inc's estimated loss relating to the remediation of its computer system." Just reading that language, it seems to be about what Brown knew or should have known about, rather than the loss of the intrusion of the whole. It talks about the "loss related to Brown's violation," not the loss as a whole. In that case, it seems likely that the judge did not make the mistake I am discussing above.]
Let's move on, as we have lots of other enhancements to consider. After the 14-level enhancement for loss, the judge added 2 levels because the offense - that is, the hacking crime - "involved sophisticated means." An Application Note explains:
For purposes of subsection (b)(10)(C), 'sophisticated means' means especially complex or especially intricate offense conduct pertaining to the execution or concealment of an offense. For example, in a telemarketing scheme, locating the main office of the scheme in one jurisdiction but locating soliciting operations in another jurisdiction ordinarily indicates sophisticated means. Conduct such as hiding as-sets or transactions, or both, through the use of fictitious entities, corporate shells, or offshore financial accounts also ordinarily indicates sophisticated means.
I understand the purpose behind this enhancement to grounded primarily in deterrence. If a criminal uses sophisticated means of committing or concealing the offense, the thinking runs, the offense is going to be harder to investigate and the bad guys harder to catch. The extra punishment is supposed to provide added deterrence in response. Or at least that's the idea. In any event, it's very common for this enhancement to apply in computer hacking cases under the CFAA. No surprise it was given here, and it seems clear that Brown knew of that aspect of the offense. So now we're at offense level 22.
Next, the judge added 2 levels because the intrusion involved the unauthorized dissemination of personal information. That part seems pretty clear, so we're up to 24.
The last two specific offense characteristics under 2B1.1 are the most confusing to me. I think the judge may have made an error in these last two calculations, although it's not clear which way the error cuts - it may have actually helped Brown rather than hurt him.
Here are the details. The judge's memo explains that he added four levels because Brown "is accountable for more than 50 but less than 250 victims," and that he added two levels because "the offense involved trafficking of unauthorized access devices and authentication features." Where did the judge get that? Well, first let's focus on the Guidelines language. The first of these two enhancements, for multiple victims, applies this language:
If the offense . . . involved 10 or more victims, increase by 2 levels; involved 50 or more victims, increase by 4 levels; or involved 250 or more victims, increase by 6 levels.
The second enhancement, for trafficking, applies this language:
If the offense involved (A) the possession or use of any (i) device-making equipment, or (ii) authentication feature; (B) the production or trafficking of any (i) unauthorized access device or counterfeit access device, or (ii) authentication feature; or (C)(i) the unauthorized transfer or use of any means of identification unlawfully to produce or obtain any other means of identification, or (ii) the possession of 5 or more means of identification that unlawfully were produced from, or obtained by the use of, another means of identification, increase by 2 levels
That brings me to the puzzling part. Just based on that language in the judge's memo, it's not clear if the judge imposed these enhancements based on what Brown did or what Brown knew or should have known others did. As I read the guidance in 2X3.1, the relevant legal question is what Brown knew or should have known about what others did. What he actually did was irrelevant. His culpable act was being an accessory after the fact, and his punishment depends on the crime he helped - minus six levels - not how much he helped it.
Based on the press coverage and the judge's memo, however, it's possible or even likely that the judge missed this. For the multiple victims enhancement, the judge writes about what Brown "is accountable for," which sounds like he's asking how many victims were impacted by what Brown did. Further, a statement by one of Brown's defense lawyers, Marlo Cadeddu, suggests that the trafficking enhancement was for what Brown actually did:
[T]he government argued that Barrett trafficked in stolen credit cards when he reposted a link to stolen data that was already in the public domain. We argued that the posting of a link could not constitute trafficking - that Barrett didn't share the actual data but only posted a link to a public internet location where it could be accessed. Moreover, the link was posted in the #Anonops IRC channel and then Barrett immediately reposted the link to the #Projectpm channel and did not have time to open the link himself to see what data could be accessed using the link. The court overruled our objection and added two points to the offense level for trafficking.
The Intercept published a similar report.
A lot of the press coverage of the Brown case has been based on the possibility that Brown was punished for sharing a link - specifically, he may have received a two-level enhancement for trafficking as a result of it. There has been a lot of outrage over the idea that a person can punished for just sharing a link. Brown was originally charged with trafficking for copying and pasting the link, although the charges were later dropped. A lot of people have interpreted the judge's two-level enhancement for trafficking as essentially resurrecting the trafficking charge, again raising concerns that the government overreached by treating cutting and pasting a link as illegal "trafficking."
If I understand the Guidelines correctly, however, it's completely irrelevant whether Brown's own conduct amounted to trafficking. The legally relevant issue is whether the underlying hack that Brown helped included trafficking that Brown knew or should have known about. If the judge added these enhancements based on Brown's own acts, I think that was an error. The key issue isn't what Brown did, but what Brown knew or should have known about what others did.
Now, with that said, it's not clear which way that possible error cuts in the context of the multiple victims and trafficking enhancements. It's entirely possible that this potential error led the sentencing judge to impose a lower sentence than he should have. In particular, the enhancement for multiple victims is a 6-level enhancement for over 250 victims. If the underlying hack involved more than 250 victims, and Brown knew or should have known about it, the judge should have applied a 6-level enhancement for that rather than the 4-level enhancement that the judge applied for the part of the crime that Brown was "accountable for." And if Brown knew or should have known that the underlying crime involved trafficking, he should have received that enhancement anyway - just for a different reason than he did. (To be clear, I'm not saying that he should have. Forgive me, but I haven't bothered to learn the details of the underlying crime to say. But that's the right question, I think.)
After that calculation, the rest of the guidelines calculation is pretty straightforward. Go down six levels for being an accessory after the fact rather than a principal. Go up two levels for obstruction, based on the interference with the warrant process and the threat to the officer. (That's correct, I think; those counts weren't formally included in the calculation, but the facts can be considered and seem to apply.) Down three levels for pleading guilty. So we end up at offense level 23. Brown's prior criminal record makes him category II, elevating his sentencing range from 46-57 months to 51-63 months. And then the judge sentenced Brown to the top end of the Guidelines, 63 months.
The three readers who have followed me this far are probably wondering, what comes next? Can Brown appeal his sentence? [SEE IMPORTANT UPDATE BELOW] Yes, he can, although whether he gets anywhere may depend on whether his lawyers objected to the possible errors I have described above. If a lawyer doesn't object to a particular enhancement at the sentencing proceeding, appellate courts say that the issue wasn't "preserved" and they then review the enhancement only for plain error. Basically, it has to be a really egregious violation if the lawyers below didn't flag the problem for the sentencing judge.
So that brings me to my answer as to what may happen next, which may be the ultimate in contingent and annoyingly-lawyerly responses: If the judge made the errors I described, and if his lawyers objected to these possible errors before the sentencing judge, Brown may get an appellate court to say he was wrongly sentenced - but the appellate review may or may not help him, because while some the errors may have cut against him others may have actually favored him.
IMPORTANT UPDATE: The plea agreement, which I had not seen at the time of this post, contains a waiver of rights to appeal the sentence outside certain specific circumstances. See paragraph 14 of the agreement. Because of that waiver of rights, the answer to what will happen next in the case is actually really simple: Nothing will happen, as Brown waived his rights to appeal these issues when he agreed to plead guilty. So the case is over, and there won't be further review of the sentence in this case.