Posted by Orin Kerr:
Are All Computer Crimes Now *Federal* Computer Crimes? A Review of Recent
Legislative Changes:
http://volokh.com/archives/archive_2009_05_31-2009_06_06.shtml#1244004465
One of the remarkable developments in federal computer crime law in
the last few years is Congress's elimination of the federal
jurisdictional hooks that Congress has traditionally required for
crimes to be a matter of federal rather than merely state or local
concern. These important changes have gone almost entirely unnoticed,
but I was really struck by them in the course of putting together the
2nd edition of [1]my computer crime law casebook. I think readers
interested in federalism, as well as readers interested in criminal
law generally, might want to know the details.
First, some background. As recently as 2007, federal computer crime
prosecutions generally required a showing of an interstate
communication involved in the crime, or at least use of a computer
used in interstate communications. The exact meaning of the statutory
jurisdictional requirements were often somewhat unclear, but the idea
was conceptually very important: Not all computer crimes are
automatically federal computer crimes. If a computer crime is purely
an intrastate matter, it's not a federal question. Some hook to
interstate commerce, no matter how small, must be shown.
In the context of the federal child pornography laws, the statutory
hook was usually that the images of child pornography were distributed
or had at some point been distributed "in interstate or foreign
commerce." That means that for the feds to get involved, the images
had to have actually crossed state lines. In the context of the
federal unauthorized access law, Section 1030, the requirement was
that the computer be "used in interstate commerce," and in some cases
that the information obtained by the unauthorized access cross state
lines. The requirement that the computer be "used in interstate
commerce" was never exactly clear -- used how and when? -- but the
basic idea was that the computer had to be a networked computer or
some computer that could have some connection to data crossing state
lines.
Enter Congress, acting, as always, in its infinite wisdom. In the
last two years, Congress has essentially eliminated the jurisdictional
hurdles in these important computer crime statutes. It has done so by
adding language to both the child pornography and unauthorized access
laws that expand the scope of the statute to computers and data merely
"affecting" interstate commerce, not actually "in" interstate
commerce. In 2007, [2]the Effective Child Pornography Prosecution Act
of 2007, Pub. L. No. 110-358, replaced the jurisdictional requirement
�in interstate or foreign commerce� with the new requirement �using
any means or facility of interstate or foreign commerce or in or
affecting interstate or foreign commerce.� In 2008, Section 207 of
the[3] Former Vice President Protection Act, Pub.L. 110-326, expanded
the definition of protected computer regulated by the statute to a
computer that is "used in or affecting interstate or foreign commerce
or communication" (new language in italics), and removed the
requirement that information obtained had to be information that
crossed state lines.
The switch from prohibiting conduct "in interstate commerce" to
regulating conduct "affecting interstate commerce" is easy to
overlook, but it turns out to be a critical change. When Congress uses
the phrase �affecting interstate commerce,� that is generally
understood to express Congress�s intent to regulate as far as the
Commerce Clause will allow. See Russell v. United States, 471 U.S.
858, 849 (1985) (noting that prohibition regulating conduct �affecting
interstate or foreign commerce� expresses �an intent by Congress to
exercise its full power under the Commerce Clause�); Scarborough v.
United States, 431 U.S. 563, 571 (1977) (�Congress is aware of the
distinction between legislation limited to activities �in commerce�
and an assertion of its full Commerce Clause power so as to cover all
activity substantially affecting interstate commerce.�). When Congress
uses the jurisdictional hook of �affecting interstate commerce,� or
its close cousin �affecting interstate or foreign commerce,� then the
scope of the jurisdictional hook is generally understood to be defined
by Commerce Clause jurisprudence.
But here's the rub. Under [4]Gonzales v. Raich, 545 U.S. 1 (2005),
it seems awfully difficult to find any computer or any type of data
that is actually beyond the scope of the federal commerce power. If
you can aggregate the effect of all computers and all data, you're
going to identify a rational basis for identifying a substantial
effect on interstate commerce. Maybe I'm just too much of a Commerce
Clause pessimist -- and if so, please let me know in the comment
thread -- but it seems to me that under Raich, if it's a computer,
it's going to be a computer that Congress can regulate. See, e.g.,
[5]United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005).
The end result: In the last two years, Congress has essentially
gutted the idea of computer crimes that are beyond the reach of the
federal government. If a computer is involved -- any computer -- it's
very likely to be a federal issue. The federal government can always
decline to prosecute a case, and it can consider the fact that it's
just a local crime in the course of making that call. But that's a
matter of discretion, not law. For those of us who care about
federalism, it's a very sad state of affairs.
An interesting question is, how did this happen without anyone
noticing? I'm not entirely sure, but here are two possibilities.
First, the press isn't too likely to pick up on a subtle change like
this. In a bill, the language is easy to overlook: it will be
something like, "insert 'or affecting' after the term 'used in'." You
would need to be pretty sharp to see the issue. Second, there are no
natural constituents to object to Congress gutting federalism
provisions in criminal law. These sorts of changes are generally
framed as efforts to help the feds catch the bad guys by getting rid
of annoying technicalities. Framed in that way, the legislation is
likely to have broad popular support.
Finally, I'm more than a little annoyed with myself for not seeing
this earlier, while the legislation was pending, and when there was at
least a chance (albeit extremely remote) that blogospheric objections
could make a difference. I didn't really sit down to look at these
changes until I was putting together the jurisdictional chapter of the
2nd edition of my casebook in the past few weeks. When I looked
closely at the new legislation, I was very surprised by the textually
subtle but (to my mind) far-reaching changes. I'll try to watch these
issues more closely in the future, but that's easier said than done.
References
1. http://www.amazon.com/Kerrs-Computer-Crime-Law-American/dp/0314144005
2. http://www.govtrack.us/congress/billtext.xpd?bill=h110-4120
3. http://www.govtrack.us/congress/billtext.xpd?bill=h110-5938
4. http://www.law.cornell.edu/supct/html/03-1454.ZS.html
5. http://openjurist.org/425/f3d/1266/united-states-v-jeronimo-bautista
_______________________________________________
Volokh mailing list
[email protected]
http://lists.powerblogs.com/cgi-bin/mailman/listinfo/volokh
