Are All Computer Crimes Now Federal Computer Crimes? A Review of Recent Legislative Changes:
One of the remarkable developments in federal computer crime law in the last few years is Congress's elimination of the federal jurisdictional hooks that Congress has traditionally required for crimes to be a matter of federal rather than merely state or local concern. These important changes have gone almost entirely unnoticed, but I was really struck by them in the course of putting together the 2nd edition of my computer crime law casebook. I think readers interested in federalism, as well as readers interested in criminal law generally, might want to know the details.
First, some background. As recently as 2007, federal computer crime prosecutions generally required a showing of an interstate communication involved in the crime, or at least use of a computer used in interstate communications. The exact meaning of the statutory jurisdictional requirements were often somewhat unclear, but the idea was conceptually very important: Not all computer crimes are automatically federal computer crimes. If a computer crime is purely an intrastate matter, it's not a federal question. Some hook to interstate commerce, no matter how small, must be shown.
In the context of the federal child pornography laws, the statutory hook was usually that the images of child pornography were distributed or had at some point been distributed "in interstate or foreign commerce." That means that for the feds to get involved, the images had to have actually crossed state lines. In the context of the federal unauthorized access law, Section 1030, the requirement was that the computer be "used in interstate commerce," and in some cases that the information obtained by the unauthorized access cross state lines. The requirement that the computer be "used in interstate commerce" was never exactly clear -- used how and when? -- but the basic idea was that the computer had to be a networked computer or some computer that could have some connection to data crossing state lines.
Enter Congress, acting, as always, in its infinite wisdom. In the last two years, Congress has essentially eliminated the jurisdictional hurdles in these important computer crime statutes. It has done so by adding language to both the child pornography and unauthorized access laws that expand the scope of the statute to computers and data merely "affecting" interstate commerce, not actually "in" interstate commerce. In 2007, the Effective Child Pornography Prosecution Act of 2007, Pub. L. No. 110-358, replaced the jurisdictional requirement "in interstate or foreign commerce" with the new requirement "using any means or facility of interstate or foreign commerce or in or affecting interstate or foreign commerce." In 2008, Section 207 of the Former Vice President Protection Act, Pub.L. 110-326, expanded the definition of protected computer regulated by the statute to a computer that is "used in or affecting interstate or foreign commerce or communication" (new language in italics), and removed the requirement that information obtained had to be information that crossed state lines.
The switch from prohibiting conduct "in interstate commerce" to regulating conduct "affecting interstate commerce" is easy to overlook, but it turns out to be a critical change. When Congress uses the phrase "affecting interstate commerce," that is generally understood to express Congress's intent to regulate as far as the Commerce Clause will allow. See Russell v. United States, 471 U.S. 858, 849 (1985) (noting that prohibition regulating conduct "affecting interstate or foreign commerce" expresses "an intent by Congress to exercise its full power under the Commerce Clause"); Scarborough v. United States, 431 U.S. 563, 571 (1977) ("Congress is aware of the distinction between legislation limited to activities 'in commerce' and an assertion of its full Commerce Clause power so as to cover all activity substantially affecting interstate commerce."). When Congress uses the jurisdictional hook of "affecting interstate commerce," or its close cousin "affecting interstate or foreign commerce," then the scope of the jurisdictional hook is generally understood to be defined by Commerce Clause jurisprudence.
But here's the rub. Under Gonzales v. Raich, 545 U.S. 1 (2005), it seems awfully difficult to find any computer or any type of data that is actually beyond the scope of the federal commerce power. If you can aggregate the effect of all computers and all data, you're going to identify a rational basis for identifying a substantial effect on interstate commerce. Maybe I'm just too much of a Commerce Clause pessimist -- and if so, please let me know in the comment thread -- but it seems to me that under Raich, if it's a computer, it's going to be a computer that Congress can regulate. See, e.g., United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005).
The end result: In the last two years, Congress has essentially gutted the idea of computer crimes that are beyond the reach of the federal government. If a computer is involved -- any computer -- it's very likely to be a federal issue. The federal government can always decline to prosecute a case, and it can consider the fact that it's just a local crime in the course of making that call. But that's a matter of discretion, not law. For those of us who care about federalism, it's a very sad state of affairs.
An interesting question is, how did this happen without anyone noticing? I'm not entirely sure, but here are two possibilities. First, the press isn't too likely to pick up on a subtle change like this. In a bill, the language is easy to overlook: it will be something like, "insert 'or affecting' after the term 'used in'." You would need to be pretty sharp to see the issue. Second, there are no natural constituents to object to Congress gutting federalism provisions in criminal law. These sorts of changes are generally framed as efforts to help the feds catch the bad guys by getting rid of annoying technicalities. Framed in that way, the legislation is likely to have broad popular support.
Finally, I'm more than a little annoyed with myself for not seeing this earlier, while the legislation was pending, and when there was at least a chance (albeit extremely remote) that blogospheric objections could make a difference. I didn't really sit down to look at these changes until I was putting together the jurisdictional chapter of the 2nd edition of my casebook in the past few weeks. When I looked closely at the new legislation, I was very surprised by the textually subtle but (to my mind) far-reaching changes. I'll try to watch these issues more closely in the future, but that's easier said than done.
First, some background. As recently as 2007, federal computer crime prosecutions generally required a showing of an interstate communication involved in the crime, or at least use of a computer used in interstate communications. The exact meaning of the statutory jurisdictional requirements were often somewhat unclear, but the idea was conceptually very important: Not all computer crimes are automatically federal computer crimes. If a computer crime is purely an intrastate matter, it's not a federal question. Some hook to interstate commerce, no matter how small, must be shown.
In the context of the federal child pornography laws, the statutory hook was usually that the images of child pornography were distributed or had at some point been distributed "in interstate or foreign commerce." That means that for the feds to get involved, the images had to have actually crossed state lines. In the context of the federal unauthorized access law, Section 1030, the requirement was that the computer be "used in interstate commerce," and in some cases that the information obtained by the unauthorized access cross state lines. The requirement that the computer be "used in interstate commerce" was never exactly clear -- used how and when? -- but the basic idea was that the computer had to be a networked computer or some computer that could have some connection to data crossing state lines.
Enter Congress, acting, as always, in its infinite wisdom. In the last two years, Congress has essentially eliminated the jurisdictional hurdles in these important computer crime statutes. It has done so by adding language to both the child pornography and unauthorized access laws that expand the scope of the statute to computers and data merely "affecting" interstate commerce, not actually "in" interstate commerce. In 2007, the Effective Child Pornography Prosecution Act of 2007, Pub. L. No. 110-358, replaced the jurisdictional requirement "in interstate or foreign commerce" with the new requirement "using any means or facility of interstate or foreign commerce or in or affecting interstate or foreign commerce." In 2008, Section 207 of the Former Vice President Protection Act, Pub.L. 110-326, expanded the definition of protected computer regulated by the statute to a computer that is "used in or affecting interstate or foreign commerce or communication" (new language in italics), and removed the requirement that information obtained had to be information that crossed state lines.
The switch from prohibiting conduct "in interstate commerce" to regulating conduct "affecting interstate commerce" is easy to overlook, but it turns out to be a critical change. When Congress uses the phrase "affecting interstate commerce," that is generally understood to express Congress's intent to regulate as far as the Commerce Clause will allow. See Russell v. United States, 471 U.S. 858, 849 (1985) (noting that prohibition regulating conduct "affecting interstate or foreign commerce" expresses "an intent by Congress to exercise its full power under the Commerce Clause"); Scarborough v. United States, 431 U.S. 563, 571 (1977) ("Congress is aware of the distinction between legislation limited to activities 'in commerce' and an assertion of its full Commerce Clause power so as to cover all activity substantially affecting interstate commerce."). When Congress uses the jurisdictional hook of "affecting interstate commerce," or its close cousin "affecting interstate or foreign commerce," then the scope of the jurisdictional hook is generally understood to be defined by Commerce Clause jurisprudence.
But here's the rub. Under Gonzales v. Raich, 545 U.S. 1 (2005), it seems awfully difficult to find any computer or any type of data that is actually beyond the scope of the federal commerce power. If you can aggregate the effect of all computers and all data, you're going to identify a rational basis for identifying a substantial effect on interstate commerce. Maybe I'm just too much of a Commerce Clause pessimist -- and if so, please let me know in the comment thread -- but it seems to me that under Raich, if it's a computer, it's going to be a computer that Congress can regulate. See, e.g., United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005).
The end result: In the last two years, Congress has essentially gutted the idea of computer crimes that are beyond the reach of the federal government. If a computer is involved -- any computer -- it's very likely to be a federal issue. The federal government can always decline to prosecute a case, and it can consider the fact that it's just a local crime in the course of making that call. But that's a matter of discretion, not law. For those of us who care about federalism, it's a very sad state of affairs.
An interesting question is, how did this happen without anyone noticing? I'm not entirely sure, but here are two possibilities. First, the press isn't too likely to pick up on a subtle change like this. In a bill, the language is easy to overlook: it will be something like, "insert 'or affecting' after the term 'used in'." You would need to be pretty sharp to see the issue. Second, there are no natural constituents to object to Congress gutting federalism provisions in criminal law. These sorts of changes are generally framed as efforts to help the feds catch the bad guys by getting rid of annoying technicalities. Framed in that way, the legislation is likely to have broad popular support.
Finally, I'm more than a little annoyed with myself for not seeing this earlier, while the legislation was pending, and when there was at least a chance (albeit extremely remote) that blogospheric objections could make a difference. I didn't really sit down to look at these changes until I was putting together the jurisdictional chapter of the 2nd edition of my casebook in the past few weeks. When I looked closely at the new legislation, I was very surprised by the textually subtle but (to my mind) far-reaching changes. I'll try to watch these issues more closely in the future, but that's easier said than done.