As most readers are aware, the English newspaper “News of the World” has recently been shut down over reports that the paper’s reporters regularly hacked into the voicemail boxes of celebrities and political figures to gather news for stories. The hacking has had huge ripple effects, ranging from its impact on UK politics to Rupert Murdoch. I wanted to blog about one angle to the story I haven’t seen covered elsewhere: Did these intrusions violate U.S. federal criminal law? Put another way, could the federal government prosecute individuals for the hacking in the U.K.?
We don’t know all the details yet, but I think it’s possible. I’ve blogged a lot about the Computer Fraud and Abuse Act, 18 U.S.C. 1030, which prohibits unauthorized access to protected computers. I’ve regularly pointed out that this statute is extraordinarily broad, and its breadth is relevant here. Some of the analysis is easy: Hacking in to another person’s voicemail box is clearly an unauthorized access, and the computers that host voicemail files are clearly “computers.” See, e.g., United States v. Kramer (8th Cir. 2010). But more interestingly, the fact that the hacking was probably all done outside the U.S. probably doesn’t matter, even if all the computers that were hacked are outside the U.S. The Computer Fraud and Abuse Act extends to computers outside the United States in most circumstances. Here’s the key statutory language:
the term “protected computer” means a computer . . . which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
18 U.S.C. 1030(e)(2)(B) (emphasis added). Notably, the statutory phrase “affects interstate or foreign commerce” is a term of art: In U.S. law, it means as far as the interstate or foreign commerce clauses will allow. See Russell v. United States, 471 U.S. 858, 849 (1985). As a result, a computer is a “protected computer” covered by the CFAA if the interstate or foreign commerce clauses permit them to be regulated under the Constitution, even if it is located outside the United States.
That brings us to the scope of the Foreign Commerce Clause, which under Article I, Section 8, Cl. 3 provides that Congress can “regulate Commerce with foreign Nations.” The scope of the foreign commerce clause is not often litigated, and its precise meaning remains somewhat unclear. See generally Anthony Colangelo, The Foreign Commerce Clause, 96 Va. L. Rev. 949 (2010). But, in general, the scope of the foreign commerce clause has been interpreted as more or less analogous to the scope of the interstate commerce clause. Communications networks such as the telephone network and the Internet are channels of interstate commerce that have long been subject to federal regulation under the Commerce Clause. See, e.g., United States v. Ho, 311 F.3d 589, 597 (5th Cir. 2002). As a result, such networks outside the United States are likely subject to regulation under the Foreign Commerce Clause, as well.
One significant uncertainty is how much if any nexus to the United States is required under the Foreign Commerce Clause to constitute a channel of foreign commerce: Does that mean a channel of commerce with the United States, or just among foreign nations? And in the case of an international network like the phone network or the Internet, is the relevant question whether the communications involved the United States at that time or whether the channels themselves interacted with United States networks more generally? These issues don’t come up often because prosecutions of foreign conduct are rare. And in the case of the “News of the World” hacks, we don’t know what role any U.S. networks or computers played. But depending on how the foreign commerce clause arguments are resolved, there’s a chance that the intrusions may be chargeable under United States criminal law in addition to under the law of the UK.