Federal criminal law has two overlapping misdemeanor criminal offenses that prohibit hacking into an e-mail account. The first, 18 U.S.C. 2701, specifically prohibits hacking into an e-mail account stored on an ISP’s server. The second, 18 U.S.C. 1030(a)(2), generally prohibits hacking into any computer, which will always be implicated when a person hacks into an e-mail account. The present overlap is largely a historical accident. When the two sections were enacted, both in 1986, Section 1030′s scope was very narrow. There was little overlap. But Section 1030 has been expanded over time so that it now covers every computer. As a result, 2701 in its current form is redundant: It doesn’t do any work that 1030 doesn’t already do. However, that overlap matters because violations of 2701 and 1030(a)(2) are normally misdemeanors, but Section 1030 contains an enhancement: The crime becomes a felony if it is conducted in furtherance of another crime. The present overlap between 1030 and 2701 raises the prospect that prosecutors might try to use the felony enhancement to engage in a kind of double-counting. Here’s the question: Can DOJ charge hacking into an e-mail account as a felony by claiming that it is a 1030 violation in furtherance of a 2701 violation?
Long-time readers may remember that DOJ actually tried this theory in one widely-noted case: It was the government’s original theory in the prosecution of the hack into Sarah Palin’s e-mail account. But DOJ reindicted the case on another theory, and whether double-counting is permitted was never resolved. In a post on that case in 2008, I expressed the view that this sort of double-counting was not permitted:
It makes no sense to allow a felony enhancement for a crime committed in furtherance of the crime itself; presumably the enhancement is only for intrusions committed in furtherance of some other crime. Otherwise the felony enhancement is meaningless, as every misdemeanor becomes a felony. . . . [I]f the government is trying to make this a felony on the theory that the intrusion was designed to further the crime of the intrusion, that strikes me as an extremely weak argument.
In the last two years or so, I’ve been following another case that was working its way through the Fourth Circuit that raised the same issue. Today the Fourth Circuit handed down its decision, United States v. Cioni, and held that the double-counting was not permitted and that hacking into an e-mail account remains a misdemeanor. Here’s the Court’s analysis, in an opinion by Judge Niemeyer:
Cioni argues, however, that the conduct of accessing [Victim 1]’s e-mail account and viewing her e-mail there was used to charge both the underlying violation of § 1030(a)(2)(C) as well as the elevating violation of § 2701, so that the same conduct supported both crimes. This overlap that Cioni identifies is essentially a “merger problem,” “tantamount to double jeopardy,” United States v. Santos, 553 U.S. 507, 527 (2008) (Stevens, J., concurring), where the facts or transactions alleged to support one offense are also the same used to support another. See also United States v. Halstead, ___ F.3d ___, No. 09-7442, 2011 WL 769053 (4th Cir. March 7, 2011). . . .
Looking simply at the allegations of Count 2, it does appear that the government charged Cioni with unauthorized access or attempted access to information in [Victim 1]’s e-mail account and sought to elevate that charge to a felony by alleg- ing that the access to [Victim 1]’s e-mail also constituted a violation of § 2701. Moreover, the facts that the government offered into evidence in support of Count 2 confirm this reading. . . . We thus conclude that a merger problem did arise, implicating double jeopardy principles, and that therefore the felony conviction on Count 2 must be vacated, and, as requested by Cioni, the count remanded for entry of a simple misdemeanor conviction, under § 1030(a)(2)(C).
. . . . Count 4, which claims two crimes, one in furtherance of the other, is actually based on Cioni’s single unsuccessful attempt to access [Victim 2]’s AOL electronic e-mail account. Moreover, this is all that the government proved at trial. If the government had proven that Cioni accessed [Victim 2]’s e-mail inbox and then used the information from that inbox to access another person’s electronic communications, no merger problem would have arisen. But the government charged and attempted to prove two crimes using the same conduct of attempting, but failing, to access only [Victim 2]’s e-mail account. This creates a merger problem, implicating double jeopardy principles.
That’s the correct result, in my view. The Fourth Circuit does not mention the significant statutory argument in favor of this reading: The “in furtherance” language in Section 1030 was expressly taken from the same language in the Wiretap Act, and the Wiretap Act caselaw makes the merger limitation explicit. But whatever the rationale for the merger limitation, I think the result is correct. Congress intended hacking into an e-mail account to be a misdemeanor, not a felony, and it’s unpersuasive to bootstrap the misdemeanor into a felony simply because there is accidental overlap between Section 1030 and Section 2701. I’m glad the Fourth Circuit reached the right result in this case. Of course, it may be that hacking into an e-mail account should be a felony, not a misdemeanor: I think there’s a lot to that idea. But that’s a question for Congress, not the courts.
Full disclosure: Years ago I had some role in obtaining amicus support for the defense in the case, and looked at a draft of that brief, all consistently with my position in my 2008 post and my position here.