One of the remarkable developments in federal computer crime law in the last few years is Congress’s elimination of the federal jurisdictional hooks that Congress has traditionally required for crimes to be a matter of federal rather than merely state or local concern. These important changes have gone almost entirely unnoticed, but I was really struck by them in the course of putting together the 2nd edition of my computer crime law casebook. I think readers interested in federalism, as well as readers interested in criminal law generally, might want to know the details.
First, some background. As recently as 2007, federal computer crime prosecutions generally required a showing of an interstate communication involved in the crime, or at least use of a computer used in interstate communications. The exact meaning of the statutory jurisdictional requirements were often somewhat unclear, but the idea was conceptually very important: Not all computer crimes are automatically federal computer crimes. If a computer crime is purely an intrastate matter, it’s not a federal question. Some hook to interstate commerce, no matter how small, must be shown.
In the context of the federal child pornography laws, the statutory hook was usually that the images of child pornography were distributed or had at some point been distributed “in interstate or foreign commerce.” That means that for the feds to get involved, the images had to have actually crossed state lines. In the context of the federal unauthorized access law, Section 1030, the requirement was that the computer be “used in interstate commerce,” and in some cases that the information obtained by the unauthorized access cross state lines. The requirement that the computer be “used in interstate commerce” was never exactly clear — used how and when? — but the basic idea was that the computer had to be a networked computer or some computer that could have some connection to data crossing state lines.
Enter Congress, acting, as always, in its infinite wisdom. In the last two years, Congress has essentially eliminated the jurisdictional hurdles in these important computer crime statutes. It has done so by adding language to both the child pornography and unauthorized access laws that expand the scope of the statute to computers and data merely “affecting” interstate commerce, not actually “in” interstate commerce. In 2007, the Effective Child Pornography Prosecution Act of 2007, Pub. L. No. 110-358, replaced the jurisdictional requirement