Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 1 of 18

1 STEPHANIE M. HINDS (CABN 154284)

Attorney for the United States
2 Acting Under Authority Conferred by 28 U.S.C. § 515
THOMAS A. COLTHURST (CABN 99493)
3 Chief, Criminal Division

4 ANDREW F. DAWSON (CABN 264421)

BENJAMIN KINGSLEY (CABN 314192)
5 Assistant United States Attorneys

6 450 Golden Gate Avenue, Box 36055

San Francisco, California 94102-3495
7 Telephone: (415) 436-314192
FAX: (415) 436-7019
8 andrew.dawson@usdoj.gov

9 Attorneys for United States of America

10 UNITED STATES DISTRICT COURT

11 NORTHERN DISTRICT OF CALIFORNIA

12 SAN FRANCISCO DIVISION

13
UNITED STATES OF AMERICA, ) CASE NO. 20-337 WHO
14 )
Plaintiff, ) UNITED STATES’S SENTENCING
15 ) MEMORANDUM
v. )
16 )
JOSEPH SULLIVAN, )
17 )
Defendant. )
18 )

19

20

21

22

23

24

25

26

27

28

SENTENCING MEMORANDUM
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 2 of 18

1 TABLE OF CONTENTS

2 I. The Evidence ...................................................................................................................................2

3 II. Guidelines Calculation .....................................................................................................................7

4 A. The Court should apply a three-level enhancement because of Defendant’s

“substantial interference with the administration of justice”. ..............................................7
5
B. The Court should apply a two-level enhancement because Defendant’s
6 obstruction was “extensive in scope, planning, or preparation”. .........................................9

7 C. “Zero-Point Offender” variance. ........................................................................................10

8 III. Argument .......................................................................................................................................10

9 A. White collar crimes are difficult to detect, and the prospect of incarceration is
necessary to afford adequate deterrence. ...........................................................................10
10
B. A sentence of 15 months in prison promotes respect for the law. .....................................12
11
C. White-collar defendants are not entitled to special treatment. ...........................................14
12
IV. Conclusion .....................................................................................................................................15
13

14

15

16

17

18
19

20

21

22

23

24

25

26

27

28

SENTENCING MEMORANDUM i
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 3 of 18

1 TABLE OF AUTHORITIES

2 CASES

3 United States v. Amer,

110 F.3d 873 (2d Cir. 1997).................................................................................................................... 8
4
United States v. Kirilyuk,
5
29 F.4th 1128 (9th Cir. 2022) ................................................................................................................. 8
6
United States v. Olson,
7 856 F.3d 1216 (9th Cir. 2017) .............................................................................................................. 14

8 United States v. Prien-Pinto,

917 F.3d 1155 (9th Cir. 2019) ................................................................................................................ 8
9

10
GUIDELINES PROVISIONS
11

12 U.S.S.G. §2J1.2(b)(2) ................................................................................................................................. 7

13 U.S.S.G. §2J1.1(b)(3)(C) ............................................................................................................................ 9

14 U.S.S.G. §2J1.2 ........................................................................................................................................... 7

15

16

17

18
19

20

21

22

23

24

25

26

27

28

SENTENCING MEMORANDUM ii
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 4 of 18

1 Defendant Sullivan was found guilty by a jury of two felonies: obstruction of an official

2 proceeding of the Federal Trade Commission (“FTC”) and misprision of a felony. As a necessary

3 component of its verdict, the jury found that Sullivan “intentionally endeavored corruptly to influence,

4 obstruct, or impede” the FTC’s investigation into Uber Technologies, Inc. (“Uber”). Dkt. No. 219, at

5 17. The evidence at trial demonstrated that Defendant Sullivan prioritized his and his employer’s selfish

6 interests over the clear legal obligations owed to the FTC, and he thereby undermined the FTC’s mission

7 of protecting consumers. As this Court knows from the trial evidence, this case is not about the

8 undisputed merits of bug bounty programs. It is not about difficult decisions made every day by

9 cybersecurity professionals around the world. And it is not about a good-faith error made in the midst of

10 a stressful security incident. Indeed, while the case arose in the context of cybersecurity incident, it is

11 not ultimately about the details or merits of cybersecurity practices. Rather, it is about a powerful

12 person’s intentional exploitation of his position to cover up a deeply embarrassing event—an event that

13 also happened to be a crime—over the span of nearly 12 months. Sullivan, a senior corporate executive

14 with years of experience in both cybersecurity and the criminal justice system, harnessed the resources

15 of a multinational corporation to silence witnesses, generated fraudulent corporate paperwork, ratified

16 false statements to the FTC, and lied to Uber’s new CEO and internal investigators. The government

17 does not dispute any of Defendant’s good deeds or general moral qualities as reflected in the many

18 letters submitted on his behalf. Those same moral qualities only underscore that Defendant knew how
19 wrong his conduct was, and the case stands as shocking proof that even such a revered figure in his

20 community will resort to criminal activity when his reputation is on the line and he thinks no one is

21 watching.

22 Every day in boardrooms across the country, corporate executives are faced with legal

23 obligations that conflict with their self-interest. This is particularly so during government investigations:

24 the investigated would prefer that damaging information not be uncovered. In most cases, neither the

25 government nor the public has any visibility into decisions made behind the boardroom door. There is

26 even less visibility when, as here, the decision-makers include attorneys whose communications are

27 typically shielded from view. Unavoidably, we are left to trust that the people in those rooms will do the

28 right thing, even when nobody is watching and even when it makes them look bad. Defendant Sullivan,

SENTENCING MEMORANDUM 1
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 5 of 18

1 by all outward appearances, appeared to be well equipped to validate that trust. He failed. Instead of

2 doing what he knew was the right thing, he engaged in a rigorous effort to ensure that the victims, the

3 FTC, law enforcement, and the public never learned that he and his cybersecurity team had made

4 mistakes that allowed two hackers to steal personal information associated with more than 50 million

5 victims. Part of this Court’s task is to ensure that every other well-connected corporate executive in a

6 similar position, in the cybersecurity world and elsewhere, knows that the sanction for such a failure will

7 be significant and meaningful. Given how rarely such decisions even come to light, the only adequate

8 sanction is prison time. The government therefore recommends that the Court sentence Defendant to 15

9 months in prison.

10 I. The Evidence

11 After presiding over trial in this matter, the Court is no doubt quite familiar with the facts of the

12 case. The government revisits certain facts here because they are critical to the Court’s task at

13 sentencing, and because those facts remain obscured from the public at large as a result of Defendant’s

14 own years-long misinformation campaign about what actually happened at Uber from November 2016

15 to October 2017. Many of the letters submitted on Defendant Sullivan’s behalf evince that same

16 widespread misunderstanding of the facts and of the evidentiary basis for the jury’s verdicts—a

17 misunderstanding that clearly originates with Defendant’s own self-serving narrative that he first relied

18 on when he was interviewed by internal investigators in August 2017. While the Court should—indeed
19 must—take into account Defendant Sullivan’s personal history and circumstances, the Court should not

20 base its sentence on the false claim that Defendant Sullivan is being unfairly punished for a run-of-the-

21 mill cybersecurity incident in which his good-faith actions are being unfairly second guessed. That

22 claim is patently inconsistent with the evidence and with the jury’s verdict, and it dangerously

23 undermines the public-private partnerships that are necessary to enhance this country’s cybersecurity.

24 Defendant Sullivan was hired by Uber in April 2015 to take control of its security apparatus in

25 the wake of a 2014 data breach at the company (the “2014 Data Breach”). Within days of joining the

26 company, Sullivan received a copy of the Federal Trade Commission’s Civil Investigative Demand

27 (“CID”). See Exhibit 275. That CID related in large part to the 2014 Data Breach, but it reflected that

28 the scope of the FTC’s investigation extended to Uber’s entire cybersecurity program for protecting

SENTENCING MEMORANDUM 2
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 6 of 18

1 consumer data. Id. Over subsequent months, Uber began issuing written responses to the FTC and

2 producing documents. In a response dated September 25, 2015, Uber informed the FTC that Defendant

3 Sullivan and John Flynn, who was Defendant’s direct report, “supervised the preparation of Uber’s

4 response to this CID.” Exhibit 292. In March 2016, Sullivan and Flynn travelled to Washington, D.C.

5 to give a presentation to the FTC regarding Uber’s cybersecurity program. Tr. at 338-39 (Rossen). Ben

6 Rossen, who led the FTC investigation at that time, testified that the presentation communicated “the

7 changes that had been implemented at Uber since Mr. Sullivan took over as CSO.” Id. at 344:9-10.

8 During the presentation, Sullivan addressed a number of more minor security issues that had occurred

9 since the 2014 Data Breach. Id. at 346-49. On November 4, 2016, Defendant Sullivan sat for sworn

10 testimony in an FTC investigational hearing. That testimony included in-depth analysis of Uber’s data

11 security practices as they related to the FTC’s investigation—both those in place at the time of 2014

12 Data Breach and at the time of his testimony—such as encryption of personal data related to drivers and

13 customers and how Uber stored its access keys for the company’s Amazon Web Services (“AWS”) data

14 repositories. See Exhibit 340.

15 Ten days after his testimony, Sullivan learned that Uber had been breached again (the “2016

16 Data Breach”), due to some of the same deficient security practices that had led to the 2014 Data

17 Breach, resulting in a loss of customer and driver data that dwarfed what was taken during the 2014

18 Data Breach. Contemporaneous business records establish that Defendant almost immediately
19 recognized that this second breach revealed that Uber’s prior representations to the FTC about

20 encryption practices and the scope of Uber employees’ access to such data —including those Defendant

21 had made under oath—had been false. See Exhibit 29 (Preacher Tracker) at 11 (“Joe: This may also

22 play very badly based on previous assertions.”); id. at 18 (“Joe was just deposed on this specific topic

23 and what the best or minimum practices that any company should follow in this area.”); see also Tr.

24 (Garbutt) 797:18-22 (testifying that “previous assertions” refers to prior assertions made to the FTC

25 about data controls and access at Uber—assertions proven incorrect or incomplete by the 2016 Data

26 Breach). Defendant then set about ensuring that the FTC never learned the truth, either about the 2016

27 Data Breach itself or the security vulnerabilities that had allowed it to happen. John Flynn testified that

28 early in the 2016 incident response efforts and in the context of a conversation about the FTC’s

SENTENCING MEMORANDUM 3
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 7 of 18

1 investigation and Defendant’s prior sworn testimony, Defendant directed him unequivocally that “this

2 can’t get out.” Id. (Flynn) 604:2-22.

3 Subsequent events demonstrate Defendant’s calculated efforts to conceal the incident, which

4 included both lies to his team and the creation of false and misleading corporate documents. The

5 Preacher Tracker, 1 for example, records Defendant’s attempt to ensure that nobody on his team breathed

6 a word about the breach outside the security group: “Joe Comments: 1. Information is extremely

7 sensitive and we need to keep this tightly controlled. Discussion with other Engineers must be tightly

8 controlled. Joe is communicating directly to the A-Team.” Exhibit 29 at 14. Defendant’s claim that he

9 was “communicating directly to the A-Team” was a lie designed to create the impression that all

10 relevant corporate stakeholders, to include the company’s General Counsel, had been informed about the

11 breach. The false claim had its desired effect: another of Defendant’s direct reports, Craig Clark,

12 testified that he understood Defendant to be claiming that, at a minimum, the General Counsel (Salle

13 Yoo) and the Chief Technology Officer (Thuan Pham) were in contact with Defendant. That was not

14 true. See Tr. (Yoo) 1608:9–14; id. (Pham) 1822:3–16.

15 Clark further testified that after the team had learned that 600,000 driver’s license numbers had

16 been stolen in the 2016 Data Breach, Defendant directed him to come up with a way to conceal the

17 breach by falsely portraying it as a standard interaction with security researchers within Uber’s bug

18 bounty program. Tr. (Clark) 1320:2-6; 1320:19–24. At this time, the terms of Uber’s “bug bounty”
19 program clearly excluded the precise technique employed by the hackers. Exhibit 16 at 4 (excluding

20 from program “use of AWS access key to dump user info”). Following Defendant’s direction, Clark

21 nonetheless communicated a potential theory to Defendant, which involved pretending that the extortive

22 hackers were instead somehow, “nunc pro tunc,” agents of the company. Id. (Clark) 1322:3–14.

23 Defendant then reported back to Clark that the “A-Team” had decided to treat the incident as a bug

24 bounty. This, of course, was a lie, since the broader A-Team, distinct from just the company’s CEO,

25 had not even been informed of the 2016 Data Breach.

26 Defendant’s decision to treat the 2016 Data Breach and accompanying $100,000 extortion

27
1
28 The Court will recall the Preacher Tracker, which was a Google document used by Defendant’s
team to record, in real time, the response effort to the 2016 Data Breach. See Exhibit 29.
SENTENCING MEMORANDUM 4
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 8 of 18

1 payment as a bug bounty report was, in reality, a convenient mechanism to draw attention away from the

2 incident, to make it appear to be a matter of little importance, and to find a convenient way to pay the

3 hackers’ extortion demand and buy their silence. For example, had Defendant truly believed it fit within

4 the bug bounty program, there would have been no reason to direct Craig Clark to introduce

5 demonstrably false language in the draft Non-Disclosure Agreement (“NDA”) with the hackers. Exhibit

6 144 (“You promise that you did not take or store any data during or through your research . . . .”

7 (emphasis added)); Tr. (Clark) 1345:9–10 (Q: Whose idea was that language?; A: That was Joe’s

8 idea.”). That lie had no purpose other than to minimize the significance of the 2016 Data Breach and to

9 make it appear to fit within the bug bounty program. Defendant knew that this language was in the

10 NDA and knew it was a lie. His knowledge was amply demonstrated both by his extensive line edits to

11 the document (Exhibits 100 through 115) and his later blatantly false statements to Randall Lee and

12 other outside counsel for Uber, where he falsely claimed he did not “remember the details” of why a

13 separate NDA was drafted and that he “wasn’t involved” in drafting the NDA. Exhibit 1111 at 8; see

14 also Tr. (Lee) at 2182:21–2183:14 (“My recollection is that he essentially said he didn’t have any role in

15 it.”).

16 Defendant’s understanding that the data breach could not legitimately be treated as a bug bounty

17 disclosure was further demonstrated when he rewrote language for an email to Dara Khosrowshahi, who

18 was appointed as Uber’s new CEO in August 2017, in which Defendant deleted information establishing
19 that the 2016 Data Breach had, in fact, been a massive data breach. Exhibit 212 (Consolidated Preacher

20 Report Google document version with Sullivan edits); Exhibit 218 (later version with more Sullivan

21 edits). Among other lies about the circumstances of the 2016 Data Breach response, Sullivan’s email to

22 Khosrowshahi falsely suggested that the hackers responsible for the 2016 Data Breach had never

23 actually taken any data, let alone personally identifiable data (“PII”), and that they had been identified

24 before they were paid. Exhibit 623. Of course, the evidence showed that the hackers had in fact stolen

25 vast quantities of PII and were paid $100,000 when they were still anonymous, on the condition that

26 they not tell anyone else what they had done. In other words, having instructed his team to keep silent

27 about the breach, Defendant then paid hush money to the hackers to ensure that they never disclosed

28 what they had done. See Exhibit 144 (“You promise that you have not and will not disclose anything

SENTENCING MEMORANDUM 5
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 9 of 18

1 about the vulnerabilities or your dialogue with us to anyone for any purpose without our written

2 permission.”). Such an agreement was unprecedented within Uber’s bug bounty program, and Rob

3 Fletcher testified that he could not recall such an agreement in any other bug bounty program in which

4 he had participated. Tr. (Fletcher) 973:19–23. Defendant’s insistence on such an agreement further

5 supports the jury’s finding that he was acting to conceal and cover up the breach.

6 Evidence of Defendant’s intent to obstruct the FTC investigation continued even into the spring

7 and summer of 2017. Most damningly, Defendant received via email a summary of the FTC’s initial

8 draft of settlement documentation, in which it was apparent that the FTC was relying on false claims

9 previously provided by Uber—claims proven to be false by the 2016 Data Breach itself. See Exhibit

10 703. There can be no dispute that Defendant read the email, as he drafted and sent a lengthy response.

11 Id. But, in this response, Defendant omitted any reference to the fact that Uber had falsely told the FTC

12 that it had ceased storing unencrypted personal information on AWS after March 2015, and that the FTC

13 was relying on this false representation in negotiating a settlement. Defendant, of course, knew that the

14 truth was far worse: unencrypted personal information remained on AWS until at least November 2016,

15 when two hackers stole a huge quantity of that data.

16 Finally, evidence of Defendant’s intent was extensively demonstrated by his many lies during his

17 interviews with Randall Lee and other outside counsel for Uber, who were conducting an internal

18 investigation. These lies—which the letters submitted by Defendant demonstrate have been adopted by
19 many in the cybersecurity industry, despite the sworn testimony at trial and verdict in this matter—were

20 motivated by a guilty conscience and Sullivan’s awareness that he had corruptly obstructed the FTC

21 proceeding. For example, during those interviews, Sullivan told false and shifting stories about the legal

22 justification for not disclosing the data breach to the FTC. See, e.g., Exhibit 1051 at 9 (during an August

23 2017 interview, Sullivan said he did not disclose the breach “Because we were able to ensure that no

24 data was out in the wild”); Exhibit 1055 at 7 (September 2017 interview, said decision not to disclose

25 was “Same call we made 100 times”); Exhibit 1111 at 2 (October 2017 interview, said he did not recall

26 discussing the “issue of disclosure” and that he hadn’t “reviewed” Craig Clark’s “work” on the “legal

27 issues, analysis that needed to be done” on disclosure). He lied about where he was during the incident

28 response. Exhibit 1055 at 3 (“Not physically part of the team”), id. at 7 (“That week I wasn’t at 555,

SENTENCING MEMORANDUM 6
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 10 of 18

1 was in prep, in east coast.”). He refused to answer as to “what PII was at stake” and falsely said he

2 “wasn’t involved” in the analysis of whether the incident was a reportable data breach. Exhibit 1111 at

3 6; see also Exhibit 29 at 13, 15–16, 17, 20–21 (evidencing that Defendant repeatedly asked about and

4 was told what data and PII was stolen). In response to a question about whether he remembered

5 “discussions with any other a-team member about this incident,” he falsely said that they “Went big very

6 fast.” Exhibit 1111 at 3. Compare with Exhibit 29 at 9–10 (Preacher Tracker statement that: “Our

7 common story has to be: -This investigation does not exist.”). And, as noted above, he lied about his

8 role in both the inception of the NDA and its drafting. Exhibit 1111 at 8.

9 Ultimately, the breach was disclosed to the FTC and to the public in November 2017 by Uber’s

10 new leadership. The FTC’s lead investigator, Ben Rossen, testified that when Uber’s counsel belatedly

11 informed him of the new breach in November 2017, it was “probably the single most frustrating

12 experience that I had at my time at the Federal Trade Commission.” Tr. (Rossen) at 445:3-5.

13 II. Guidelines Calculation

14 As noted in the Presentence Report, the applicable guideline is U.S.S.G. § 2J1.2, which provides

15 a base offense level of 14. As explained further below, the government believes two enhancements

16 apply: (1) a three-level increase pursuant to § 2J1.2(b)(2) because the offense resulted in substantial

17 interference with the administration of justice, and (2) a two-level increase pursuant to § 2J1.2(b)(3)(C)

18 because the offense was extensive in scope, planning, or preparation. 2 The government also does not
19 oppose a two-level downward variance to account for an anticipated amendment to the Guidelines that,

20 if it were in effect today, would result in a two-level downward adjustment to the overall offense level.

21 A. The Court should apply a three-level enhancement because of Defendant’s

“substantial interference with the administration of justice”.
22

23 The government agrees with Probation’s application of a three-level enhancement under Section

24 2J1.2(b)(2), which applies upon a showing that “the offense resulted in substantial interference with the

25 administration of justice.” The application notes to Section 2J1.2 provide that this category “includes a

26 premature or improper termination of a felony investigation; an indictment, verdict, or any judicial

27
2
28 While the probation officer initially agreed that this enhancement should apply, the final PSR
removed it from the calculation. See PSR Addendum, ¶ 1.
SENTENCING MEMORANDUM 7
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 11 of 18

1 determination based upon perjury, false testimony, or other false evidence; or the unnecessary

2 expenditure of substantial governmental or court resources” (emphasis added). The Application Notes

3 do not provide a limiting definition of the term, but rather an illustrative list. And in any event, courts

4 “ascribe somewhat less legal weight to the Application Notes than to the Guidelines proper: if the

5 Guideline and Application Note are inconsistent, the Guideline prevails.” United States v. Kirilyuk, 29

6 F.4th 1128, 1136 (9th Cir. 2022) (quoting United States v. Prien-Pinto, 917 F.3d 1155, 1157 (9th Cir.

7 2019)).

8 The evidence recounted above establishes that Defendant’s conduct resulted in substantial

9 interference with the administration of justice in at least two ways—one, targeting the FTC and its

10 agency proceedings, and two, targeting the FBI. First, by not reporting the entirety of the 2016 Data

11 Breach to the FTC, Sullivan prevented the FTC from learning that the event had happened at all. As a

12 result, his obstruction caused the improper and premature termination of the FTC’s investigation and a

13 settlement with the FTC based on false evidence. In the context of § 1505, which targets obstruction of

14 administrative agencies generally, these are directly analogous to the judicial circumstances described in

15 the Application Notes—“the premature or improper termination of a felony investigation” or a “judicial

16 determination based upon . . . false evidence.”

17 Second, Defendant not only hid a data breach, he covered up a crime—and his conviction for

18 misprision of a felony reflects the seriousness of that conduct. The 2016 Data Breach was a serious
19 crime, and one for which both Brandon Glover and Vasile Mereacre (“the Hackers”) were subsequently

20 prosecuted. Rather than comply with the law, Defendant Sullivan sought to cover up that crime by

21 paying the Hackers $100,000 in exchange for their silence. Defendant realized that the FBI and federal

22 law enforcement authorities would be acutely interested in such a hack, and documentary evidence

23 reflects Defendant’s goal that evidence of the hack be withheld from the FBI. See Exhibit 195 at 1

24 (reflecting the goal that the hacked data not be “caught up in that [FBI] seizure”). By purchasing the

25 hackers’ silence, Defendant Sullivan “prevented proper legal proceedings from occurring by taking

26 matters completely outside the purview of the administration of justice.” United States v. Amer, 110

27 F.3d 873 (2d Cir. 1997).

28 //

SENTENCING MEMORANDUM 8
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 12 of 18

1 B. The Court should apply a two-level enhancement because Defendant’s obstruction

was “extensive in scope, planning, or preparation”.
2

3 Section 2J1.1 separately includes a possible two-level enhancement for three categories of

4 offenses. The enhancement applies if the offense:

5 (A) involved the destruction, alteration, or fabrication of a substantial

number of records, documents, or tangible objects; (B) involved the
6 selection of any essential or especially probative record, document, or
tangible object, to destroy or alter; or (C) was otherwise extensive in
7 scope, planning, or preparation . . . .

8 U.S.S.G. §2J1.1(b)(3). The text of the enhancement is structured with the first two categories, under (A)

9 and (B), having specific definitions, with category (C) playing the role of a residual clause, applying to

10 offenses that are “otherwise extensive in scope, planning, or preparation.” Id.

11 Defendant’s offense was extensive in scope, and the Court should apply the two-level

12 enhancement. As noted in detail in the evidentiary summary above, Defendant harnessed the resources

13 of a major, international corporation in order to accomplish his goals. From deploying surveillance

14 teams in both the United States and Canada, to six-figure hush money payments, to falsified corporate

15 documentation, to calculated lies told to corporate executives and internal investigators, the crime at

16 issue here was undoubtedly extensive in scope.

17 Analysis of Subsection C in context with the rest of the enhancement buttresses this conclusion.

18 As noted above, Subsection C is drafted as a residual clause, applying to offenses that are “otherwise”
19 extensive in scope, planning, or preparation, which impliedly refers to the previous subsections.

20 Subsection B, for example, applies to the alteration or destruction of “any essential or especially

21 probative record, document, or tangible object.” Section B therefore would apply to an offense

22 involving the destruction of a single document, so long as that document was “essential or especially

23 probative.” While Defendant’s conduct here did not focus on a single essential document or record, it

24 did focus on suppression of “especially probative” evidence that would have been critical to the FTC’s

25 investigation: the existence of the 2016 Data Breach. As noted above, the FTC’s investigation was

26 triggered by the 2014 Data Breach and expanded to encompass a review of Uber’s entire cybersecurity

27 apparatus, with a particular focus on AWS and encryption of personal information. In that context,

28 news of a new and larger data breach, which also highlighted AWS access and unencrypted personal

SENTENCING MEMORANDUM 9
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 13 of 18

1 information, this time on a massive scale, was clearly “especially probative” to the FTC’s investigation.

2 Had Defendant and Uber disclosed the 2016 Data Breach promptly, it obviously would have been a

3 hugely significant revelation and it would have changed the course of the investigation—as it ultimately

4 did when the 2016 Data Breach was ultimately disclosed in 2017. If alteration of a single “especially

5 probative” document is sufficient to trigger the enhancement, a twelve-month campaign to suppress

6 evidence of an “especially probative” data breach is sufficient as well. The Court should therefore apply

7 a two-level enhancement because Defendant’s offense was “extensive in scope, planning, or

8 preparation.”

9 C. “Zero-Point Offender” variance.

10 The Sentencing Commission has proposed an amendment to the Guidelines, applicable to certain

11 defendants with zero criminal history points, which would call for a two-level decreased in the offense

12 level (specifically, Section 4C1.1). Probation has assessed that Defendant meets the criteria for the

13 proposed amendment, but notes that the amendment is not set to take effect until November 2023. PSR

14 ¶ 105.

15 While the amendment has not yet taken effect, the government does not oppose a two-level

16 downward variance to account for the anticipated amendment.

17 As a result, the government recommend an adjusted offense level of 14 + 3 + 2 -2, which results

18 in an Adjusted Offense Level of 17, which yields a Guidelines range of 24 to 30 months.

19 III. Argument

20 Congress has provided that a sentencing court must look beyond simply the individual standing

21 before the Court at sentencing. Section 3553(a) requires the Court to consider the effect its sentence will

22 have on others, both in terms of deterring others from similar crimes and in terms of promoting respect

23 for the law. These considerations, applied to the facts of this case and the context in which it arises, call

24 for a prison sentence.

25 A. White collar crimes are difficult to detect, and the prospect of incarceration is
necessary to afford adequate deterrence.
26

27 Defendant Sullivan is not the first former Uber executive to stand before a court of the Northern

28 District of California for sentencing. On August 4, 2020, approximately two months after the indictment

SENTENCING MEMORANDUM 10
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 14 of 18

1 was returned in this case, Anthony Levandowski stood for sentencing before Judge Alsup, having

2 pleaded guilty to one count of trade secret theft. As here, dozens of letters had been submitted on

3 Levandowski’s behalf, noting all the good qualities of his character. Levandowski’s able counsel

4 highlighted all the good deeds he had done through his life, including assistance offered to the

5 government. Counsel went on to list all the collateral consequences that had already been visited upon

6 Levandowski prior to sentencing, arguing that his fall from grace—including having been fired by

7 Uber—was more than adequate to deter future crimes, and that prison time would be gratuitous and

8 more than necessary. Defense counsel in this matter will no doubt offer up the same arguments here.

9 In that case, Judge Alsup acknowledged the mitigating import of those arguments, but he

10 emphatically rejected the argument that prison time was unnecessary:

11 The question is -- the key question here is deterrence and whether someone in the future,
who is in Mr. Levandowski’s position, with billions -- not just millions -- billions of
12 dollars in some new technology are in play, and that person in the future, that engineer in
the future, who, let’s say, is brilliant, has the opportunity to go start their own company
13 and they're thinking to themselves: “Do I steal these trade secrets so it’ll give me a heads-
up? Maybe I won’t get caught” -- so they're factoring in the risk of detection – “and if I
14 do get caught, well, they’ll just give me probation like they gave Mr. Levandowski.”

15 Case No. 3:19-cr-00377 WHA, Docket No. 102, at p. 43.

16 As Judge Alsup observed, deterrence in the white-collar context must account for the fact that

17 sophisticated defendants know that their crimes must be uncovered before they can face any

18 consequences. The concern applies with even more force in this case, where the crime at issue is
19 precisely the effort to avoid detection, and where the participants know that their communications are

20 shielded by legal privileges and are unlikely to ever see the light of day. Judge Alsup hit upon the only

21 available answer: “Prison time is the answer to that.” Id. at 44.

22 Defendant Sullivan, like Anthony Levandowski before him, has a spotless history. He is

23 respected in his community. He is an innovator in his field. He is loyal to his friends and has supported

24 those less fortunate. But, when given the opportunity to choose between himself and adherence to the

25 law, he chose himself. Worse than that, Defendant Sullivan prioritized his and Uber’s interests over

26 those of the tens of millions of Uber users and riders who trusted their personal information to the

27 company. He prioritized his and Uber’s interests over the structural need for honesty and transparency

28 in federal investigations. He undermined the ability of the FTC to fulfill its essential mission of

SENTENCING MEMORANDUM 11
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 15 of 18

1 protecting American consumers. Corporate leaders are called upon to do the right thing even when it is

2 embarrassing, even when it is bad for the company’s bottom line. Nobody, neither corporations nor the

3 executives who lead them, is above the law.

4 And Defendant Sullivan almost got away with it. If not for the fortuitous arrival of new

5 leadership at Uber, there is every reason to believe the tens of millions of victims of the 2016 Data

6 Breach never would have learned about it. This case is a cautionary tale of how many unwitting

7 corporate employees can be enlisted into a coverup without even appreciating what is going on. Since

8 knowledge of the FTC investigation and Uber’s cybersecurity program was siloed within the company, a

9 small number of people appreciated the significance of the 2016 Data Breach and what they were doing

10 in response to that breach. Only Defendant Sullivan could see everything. That too is not uncommon in

11 corporate America, particularly in large corporations, where visibility is broadest at the top, and those

12 who report up do not necessarily see the full significance of their actions. Defendant Sullivan, like any

13 corporate executive in his shoes in similar circumstances, would have every reason to think he could get

14 away with it. Indeed, he almost did.

15 While the collateral consequences outlined by defense counsel are real, to the corporate

16 executive acting in the moment, they are highly speculative. Companies like Uber and others in Silicon

17 Valley have flourished based on an industry-wide willingness to take risk. But prison is a risk too far.

18 As Judge Alsup observed, prison time is a deterrent like none other, and a sentence of custodial time in
19 this case will communicate to others in the industry that the willful interference with government

20 investigations, even when they are uncomfortable or costly, is not amenable to a cost-benefit analysis

21 because the sanction—incarceration—is unacceptable. The government therefore recommends that the

22 Court sentence Defendant to a prison term of 15 months.

23 B. A sentence of 15 months in prison promotes respect for the law.

24 Separate and apart from the goal of deterrence, a prison sentence in this case will promote

25 respect for the law. There is a justifiable narrative in this country that corporate executives get away

26 with criminal activity—and that when they are caught, because of their resources, they rarely face actual

27 prison. As discussed above, given the extraordinarily difficult nature of detecting and prosecuting

28 criminal activity by senior corporate executives, who like Defendant Sullivan in this very case, commit

SENTENCING MEMORANDUM 12
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 16 of 18

1 their crimes under the cover of attorney-client privilege and have the power to cover it up, there is some

2 truth in this. Probationary or token prison sentences for corporate executives in general undermine

3 respect for the law and the criminal justice system at large, and disregard the core principle that all

4 defendants are equal before the law regardless of their position and power.

5 Beyond this general concern, though, there is a very specific need in this case for a prison

6 sentence that sufficiently sanctions Defendant for his conduct. One of the themes that becomes evident

7 in reviewing the letters submitted on Defendant Sullivan’s behalf is that many in the cybersecurity

8 industry are not aware of the egregious conduct Defendant Sullivan has been proved guilty off—the

9 witness tampering, the fraudulent corporate paperwork, the many lies. Letter after letter submitted to

10 this Court suggests that this prosecution reflects simple second-guessing of a difficult decision, that

11 Defendant Sullivan is nothing more than a scapegoat, and that neither the government nor the jury really

12 understands cybersecurity. See Defendant’s Sentencing Submission to Probation, Appendix 1, Ex. G, at

13 9, 10, 18-19, and 29; Ex. H at 003, Ex. I at 1, 3, 6-7, 11-12, 15, 17. As the Court is aware after presiding

14 over the trial in this matter, none of this is true. Additionally, as the Court may be aware, this false

15 narrative has the real potential to drive a wedge between the cybersecurity community and law

16 enforcement at precisely a time when our country is facing an unprecedented array of cyber threats that

17 require those two communities to work hand-in-glove.

18 Defendant Sullivan is solely responsible for seeding this false narrative nearly six years ago,

19 when he began lying to Uber executives and investigators about the events surrounding the 2016 Data

20 Breach and his role in those events. His defense at trial was premised on the same argument—that other

21 people made difficult decisions under tremendous pressure and that he simply trusted they were

22 following appropriate protocols under Uber’s cybersecurity policies. The jury rejected that defense, but

23 the false narrative remains visible in the letters submitted to the Court, buoyed by the esteem in which

24 many in the cybersecurity hold Defendant Sullivan. The letter writers are no doubt sincere in their

25 admiration for Defendant Sullivan, but Defendant has exploited that esteem, first by lying about his

26 conduct, and now by permitting others to rely on those lies in their submissions to this Court.

27 A sentence of probation in this case would tacitly affirm those lies. It would, like Sullivan’s

28 unsuccessful defense at trial, suggest to the public that Defendant Sullivan simply made an innocent

SENTENCING MEMORANDUM 13
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 17 of 18

1 mistake. That any wrongful conduct was minimal or inadvertent. That everything Defendant Sullivan

2 has been saying since August 2017 was true. And that obstruction of a federal investigation designed to

3 protect the broader public ultimately does not matter. A sentence of probation would also ratify the lie

4 that this case represents some drastic change in standards applicable to the cybersecurity industry and

5 the government’s desire to partner with the private sector, including victims, in countering cyber threats.

6 That is simply not the case. The case arises in the context of cybersecurity, but it is not about

7 cybersecurity. It is about old-fashioned obstruction of justice, which has always been illegal, no matter

8 what industry one works in. It is about hiding a felony from law enforcement, which has been a crime

9 since the common law and which was codified into federal law in 1790 by the First Congress. See

10 United States v. Olson, 856 F.3d 1216, 1221–22 (9th Cir. 2017). Just as the subject of a narcotics

11 investigation cannot tamper with witnesses or evidence, neither can a chief security officer of a massive

12 technology company under an FTC investigation. There should be nothing surprising in this. The scope

13 of this case is thus far broader than Defendant would have it be, and the lines he crossed much clearer

14 and more vivid than his supporters have been led to believe. A meaningful prison sentence is necessary

15 to refocus the public—and the cybersecurity industry—on the truth and promote respect for the rule of

16 law.

17 C. White-collar defendants are not entitled to special treatment.

18 Defendant Sullivan has submitted more than 100 letters penned by his friends and colleagues.

19 Obviously, the Court should take into account all the laudatory things said about Defendant Sullivan in

20 his other pursuits, which the government does not doubt are true and which are unrelated to his criminal

21 conduct in this case. But the government notes that white-collar defendants in general, and successful

22 corporate executives in particular, will almost always have deep networks of supporters to call upon in

23 difficult times. One does not become an executive at a company like Uber without having such a

24 network. Indeed, Anthony Levandowski made a very similar presentation to Judge Alsup prior to his

25 sentencing.

26 These letters only underscore Defendant’s extraordinarily privileged position among the many

27 individuals the Department of Justice prosecutes—and the many defendants this Court sentences. They

28 mainly demonstrate that Defendant is a wealthy, powerful man, with a strong network of family and

SENTENCING MEMORANDUM 14
20-337 WHO
 Case 3:20-cr-00337-WHO Document 254 Filed 04/27/23 Page 18 of 18

1 friends that has benefited him throughout his life. To place considerable weight on such submissions

2 systematically privileges successful defendants over unsuccessful ones, wealthy defendants over

3 impoverished ones, and defendants who had the means to make better choices over those with few other

4 options. An undocumented drug dealer sentenced in federal court is unlikely to have had the

5 opportunity to whitewash his criminal record by volunteering to help war-torn Ukrainians, nor the

6 network or resources to make an extensive showing of other good deeds in his life, even if that

7 individual is just as critical to his or her family and community. There cannot be two different systems

8 of justice, one for the privileged and another for the rest. Any such perception would do grievous

9 damage to public respect for the law, and it would be inconsistent with the values towards which our

10 system of justice strives.

11 IV. Conclusion

12 For the foregoing reasons, the United States recommends that Defendant Sullivan be sentenced

13 to 15 months in prison.

14

15 DATED: April 27, 2023 Respectfully submitted,

16
STEPHANIE M. HINDS
17 Attorney for the United States
Acting Under Authority Conferred by 28
18
U.S.C. § 515
19

20 _______/s/_________________
ANDREW F. DAWSON
21 BENJAMIN KINGSLEY
Assistant United States Attorneys
22

23

24

25

26

27

28

SENTENCING MEMORANDUM 15
20-337 WHO