On February 27, the Supreme Court will hear argument in Dubin v. United States, a case on the Aggravated Identity Theft Statute, 18 U.S.C. § 1028A. This statute comes up often in the context of computer crimes, and its interpretation raises some interesting and important questions. So I thought I would blog about the case and offer some impressions.
I’ll start with the statutory problem that prompts the Dubin case; then turn to the case itself; and conclude with my own views.
A. The Mess of Statutory Drafting That is 18 U.S.C. § 1028A.
First, some context. Section 1028A was enacted in 2004 at a time when there was a lot of concern about computer crimes and credit card fraud. Aided by “cyberspace,” criminals were using the identity information of innocent consumers to get new credit cards in their names that were then used by the criminals fraudulently in ways that caused endless headaches for consumers who were then stuck with the fraudulent purchases on their credit record. This using of an innocent person’s identifying information to get a bogus line of credit, sticking them with the consequences, was being known as “identity theft.” And it was a big concern.
So what did Congress do? A natural thing would have been to enact a law adding a sentencing enhancement for fraud that caused those personal harms to innocent victims. That is, treat the harm—bad credit scores, the incurring of debts to others, etc.—as a result element that, if caused, triggers greater criminal liability.
But that is not what Congress did. Instead, Congress wrote this statute, titled “Aggravated Identity Theft”:
Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Here’s the key: Instead of focusing on the causing of the harm, Congress tried to describe the extra-bad act that was generally associated with the extra-bad harm. And what was that extra-bad act? Congress figured, well, someone who was already committing some kind of fraud-based predicate felony (bad) was using identity information without the person’s permission (extra-bad). So in addition to the liability they had for the already-existing fraud-based felony, a criminal who uses the identifying information as part of that felony gets an extra two years in jail for using the identifying information.
At this point, you can probably see some problems with how the statute is drafted. There are two big problems, I think, and they are related. First, Congress did a lousy job describing the fraud-based felonies that can act as a predicate offense. Instead of saying the predicate offense had to be a fraud crime, Congress looked to various parts of Title 18 and included large swaths of the code that seemed to have some kind of connection to fraud. When you look at the predicate felonies in subsection (c), there are 11 different areas of Title 18 that are included as predicates. Some of those sections are about fraud. But some aren’t. Some were just codified near sections about fraud.
The second problem, and the one more directly relevant to the Dubin case, is that Congress did a terrible job describing the extra-bad act. The extra-bad thing the drafters were thinking about was using identity information in a way that caused the person to whom the information related to suffer harms such as bad credit scores or being stuck with the bill. But Congress instead wrote the extra-bad act in a very abstract way. In the statute, the extra-bad act is described as “knowingly transfer[ing], possess[ing], or us[ing], without lawful authority, a means of identification of another person” . . . “during and in relation to” one of the predicate offenses.
Yikes. So during and in relation to one of these possibly-but-not-necessarily fraud-related predicate offenses, a person has to do something about a “means of identification of another person” without that person’s permission? I mean, that could mean almost anything.
And the stakes are high. A lot of crimes are technically felonies under Title 18 but are pretty low-level felonies, the kind of thing likely to lead to probation or at most a short prison term. But if § 1028A applies, it tacks on a two-year prison sentence. So you could have a probation offense that becomes a two-years-in-jail offense if § 1028A is triggered, with the § 1028A punishment dwarfing the predicate felony punishment.
All of this prompts a natural question about how to construe the statute. Do you construe § 1028A broadly, to mean as far as the statutory language might in theory go, even if it ends up causing odd results? Or do you construe the statute narrowly in light of the problem Congress was trying to solve? That is the problem at the heart of the Dubin case.
B. The Dubin Case
The case before the Court, Dubin v. United States, is pretty simple. David Dubin helped submit a false bill to Medicaid concerning a psychological exam for a particular patient. The exam was given, but the bill gave a false date for it in a way that qualified it for payment. That false bill included the patient’s name and Medicaid ID number on it. The government charged Dubin with fraud for the improper bill, a charge no one disputes here. The disputed part is that the government added an additional count of aggravated identity theft because the bill included the patient’s name and Medicaid ID number, which are “means of identification” of the patient.
From the discussion above, you can pretty much predict what the briefs argue.
Wait, Dubin says, how can I get another two years in jail just because the bill included the patient’s name and Medicaid ID number? This has nothing to do with identity theft, which after all is the title of the crime. The patient isn’t a victim here. The fact that the patient’s name and ID number was used is incidental to the fraud scheme. You have to construe the statute more narrowly to focus on actual acts of identity theft.
But no you don’t, says the government. Just look at the text of the statute. Dubin “used” a means of identification of the patient “in relation to” committing health care fraud, a predicate felony. The text governs, and the text is satisfied. So Dubin is guilty.
There’s also a narrower debate in the briefs about how the “without lawful authority” element applies to the facts. Dubin says that wasn’t satisfied because the patient authorized using his identifying information to submit bills to Medicaid. So use of the identifying information was authorized. The government replies that the notion of authority has to be interpreted more narrowly. The patient authorized submitting bills to Medicaid, but that was exceeded by submitting a fraudulent bill.
Amicus briefs in support of Dubin were filed by NACDL, the National Association of Federal Defenders, and Professor Joel Johnson.
C. My Thoughts on the Case
I think Dubin has the better argument on the whole, whether the Court wants to rule more narrowly or more broadly.
On the broad issue, I’m a fan of construing vague criminal statutes narrowly, so it’s easy for me to be on Dubin’s side there. But I think Dubin also has a good textual argument, under the interpretive principle that “Congress does not alter the fundamental details of a regulatory scheme in vague terms or ancillary provisions—it does not, one might say, hide elephants in mouseholes.” Whitman v. American Trucking Assns., Inc., 531 U.S. 457, 468 (2001).
Under the government’s reading, § 1028A is an elephant. It essentially overrides Congress’s carefully considered judgments about punishment for dozens of statutes. Congress has written out detailed provisions for the statutory punishments and enhancements of offenses in Title 18. Given the large number of crimes that are predicate offenses for § 1028A, and that the extra two years of punishment for violating 1028A is such a heavy hammer, the government’s interpretation would mean that the careful judgments throughout Title 18 would be subsumed by § 1028A. I think the Court should be cautious about construing the statute to have that kind of massive multi-section effect, especially given the weird results it would cause.
Dubin’s reply brief addresses this argument, but let me give an example that shows how broadly the government’s 1028A elephant steps. The federal computer hacking statute, known as the Computer Fraud and Abuse Act (CFAA), is found at 18 U.S.C. § 1030. Although most CFAA crimes have nothing to do with fraud, any felony violation of § 1030 is a predicate offense for § 1028A. This is because one of the eleven categories includes “any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028(a)(7).” 18 U.S.C. § 1028A(c)(4). That chapter refers to Title 18’s Chapter 47, spanning § 1001 to § 1040. That’s a lot of crimes! And it means that any felony violation of the CFAA is a felony predicate for aggravated identity theft, whether it has to do with fraud or not, just because the CFAA was placed within Chapter 47.
The government’s interpretation of § 1028A would lead to bizarre results for CFAA sentencing. Congress has been really specific in drafting the punishments for CFAA violations. It has carefully described what is a felony and a misdemeanor, and what the statutory maximum punishment should be for various felonies, see 18 U.S.C. § 1030(c). It has thought carefully about whether there should be mandatory minimums for CFAA violations; it added 6-month mandatories for some CFAAA in the 90s, and then removed them in 2001 after the minimums proved a failure. And it has tasked the Sentencing Commission with rethinking Guidelines offenses for Section 1030 offenses. See Homeland Security Act of 2002, Pub. L. 107-296 § 225(b), (c).
If the government’s interpretation of § 1028A is correct, however, what really matters for CFAA punishment is whether the hacking involved someone else’s password. If you hack into someone’s account by exploiting a security flaw, that’s just a standard CFAA offense and you’ll probably get probation unless a lot of dollar loss occurred. But if you hacked into someone’s account by using their password without permission, now you’re in deep trouble: That password is a “means of identification” under § 1028A, so now your hacking is Aggravated Identity Theft and you’ll go to prison for two years because a password was used. (This isn’t a hypothetical; see United States v. Barrington, 648 F.3d 1178 (11th Cir. 2011), in which this reasoning was used, and at least on plain error review, upheld.)
Under the government’s view, all the careful statutory work Congress has put into CFAA sentences would be largely beside the point. And it would lead to a bizarre result, in which using a person’s password would become the most important question in determining punishments for hacking. It’s all very odd, and very far removed from anything resembling identity theft. Replicate that process for all the other predicate felony offenses covered under § 1028A(c), and it seems unlikely that the vague language of § 1028A should effectively supplant all those other statutory punishment sections.
It’s possible that the Court would instead resolve Dubin on narrower grounds, such as the “without lawful authority” element. I think Dubin has the better argument there, too. As I see it, this is similar to the issue the Court grappled with recently in Van Buren v. United States, 593 U.S. ___ (2021), on what “exceeds authorized access” and “without authorization” mean under the federal computer hacking statute. Like Van Buren, Dubin had authorization to use the relevant information, but then used it to do something he wasn’t supposed to do. The parties (represented by the same lawyers as in Van Buren, as it turns out) are arguing over similar ground as in Van Buren, it seems to me. The question: Does authorization include having information you’re allowed to use but then putting it to other uses? I think the answer following Van Buren should be “yes,” which, as I have detailed here (see pages 181-84), matches the traditional treatment of lack of authorization elements in other criminal statutes.
As always, stay tuned.
[UPDATE: I have fiddled a bit with this after posting to correct typos, etc.]