Thoughts on Dubin v. United States and the Aggravated Identity Theft Statute

Arguments will be heard in the Supreme Court on February 27 Dubin v. United States, a case on the Aggravated Identity Theft Statute, 18 USC § 1028A. This law often comes up in the context of computer crime, and its interpretation raises some interesting and important questions. So I thought I’d blog about the case and offer some impressions.

I will begin with the statutory issue that begs the request drowned The case then turns on the case itself; And end with my own opinion.

A. The statutory drafting mess that is 18 USC § 1028A.

First, some context. Section 1028A was enacted in 2004 at a time when there was much concern about computer crime and credit card fraud. With “cyberspace”, criminals were using the identity information of innocent consumers to obtain new credit cards in their name which were then fraudulently used by criminals in a way that caused endless headaches for consumers who were then stuck with fraudulent purchases on their credit. Record using an innocent person’s identifying information to obtain a fake line of credit, leaving them stuck with the consequences, was known as “identity theft.” And it was a big concern.

So what did Congress do? A natural thing was to enact a law that added a penalty enhancement for fraud that caused personal harm to innocent victims. That is, treat the harm—bad credit score, amount owed to others, etc.—as a result of factors that, if they occur, trigger greater criminal liability.

But Congress did not. Instead, Congress wrote this law, entitled “Aggravated Identity Theft”:

Whoever, during and in connection with any criminal violation enumerated in subsection (c), knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person, shall be punished, in addition to the penalty provided for such offense. Up to a term of imprisonment of 2 years.

Here’s the point: Instead of focusing on the cause of the harm, Congress tried to describe the extra-bad act that would normally be associated with the extra-bad harm. And what was that extra bad job? Congress thought, well, that someone who is already committing some kind of fraud-based predicate offense (bad) is using identity information without the person’s permission (extra-bad). So in addition to their liability for an already existing fraud-based offense, an offender who uses identifying information as part of that offense faces an additional two years in prison for using identifying information.

At this point, you can probably see some problems with how the law is drafted. There are two big problems, I think, and they are related. First, Congress has done a terrible job by defining fraud-based offenses that can serve as predicate offenses. Instead of saying the predicate offense must be a fraud offense, Congress looked at various parts of Title 18 and included large sections of the code that seemed to have some sort of connection to fraud. When you look at the predicate felonies in subsection (c), there are Title 18 has 11 different fields That is included as predicates. Some of these clauses deal with fraud. But nothing happens. Some were just codified nearby Section on Fraud.

The second problem, and a more directly relevant one drowned In the case, Congress did a terrible job defining extra-bad acts. The extra-bad thing the drafters were thinking about is using identity information in a way that causes harm to the person to whom the information relates, such as a bad credit score or being stuck with bills. But Congress instead wrote the extra-bad act very abstractly. In the statute, the extra-bad act is described as a “knowing transfer”.[ing]entitled to[ing]or us[ing]Without lawful authority, a means of identifying another person” … “at the time and in connection with” is a predicate offense.

yes So during and in connection with one of these possible-but-not-necessarily fraud-related predicate offenses, a person must something What about “means of identifying another person” without that person’s permission? I mean, it could mean almost anything.

And the stakes are high. Many crimes under Title 18 are technically felonies, but are fairly low-level offenses, which can lead to probation or at least prison terms. But if § 1028A applies, it carries a two-year sentence. So you can have a probation offense that results in a two-year prison sentence if § 1028A is triggered, dwarfing the felony penalty with the § 1028A penalty.

All this raises a natural question about how to formulate the law. Do you interpret § 1028A broadly, meaning as far as the statutory language can theoretically go, even if it leads to odd results? Or are you narrowly interpreting the statute in light of the problem Congress was trying to solve? That’s heart trouble drowned case

b. D drowned case

court case, Dubin v. United States, quite simple. David Dubin helped submit a false bill to Medicaid regarding a psychological test for a particular patient. The test was given, but the bill gave a false date for it to qualify for payment. That false bill included the patient’s name and Medicaid ID number. No one disputes here that the government charged Dubin with fraud for improper billing. The controversial part is that the government added an additional count of identity theft because the bill included the patient’s name and Medicaid ID number, which is a “means of identification” of the patient.

From the discussion above, you can roughly guess what the briefs argue

Wait, said Dubin, how can I get another two years in jail because the bill includes the patient’s name and Medicaid ID number? This has nothing to do with identity theft, which is a headline crime after all. The patient is not the victim here. The fact that patient names and ID numbers were used is incidental to the fraud scheme. You need to narrow the statute down to focus on the actual acts of identity theft.

But no you don’t, says the government. Just look at the text of the statute. Dubin “used” a means of identifying patients “in connection with” health care fraud, a predicate offense. The text controls, and the text is satisfied. So Dubin is guilty.

There is also a narrow debate in the briefs as to how the “without lawful authority” element applies to the facts. Dubin said it was not satisfied because the patient was authorized to bill Medicaid using his identifying information. Therefore the use of identifying information was permitted. The Government replies that the concept of authority must be interpreted more narrowly. The patient authorized submission of the bill to Medicaid, but was circumvented by submitting a fraudulent bill.

Amicus briefs in support of Dubin were filed by NACDL, the National Association of Federal Defenders and Professor Joel Johnson.

C. My thoughts on the case

I think Dubin has a better argument on the whole issue, whether the Court wants to rule more narrowly or more broadly.

On the broader issue, I’m a fan of narrowly interpreting ambiguous criminal statutes, so it’s easy for me to side with Dubin there. But I think Dubin also has a good textual argument, under the interpretive principle that “Congress does not change the basic details of a regulatory scheme in vague terms or ancillary provisions—it is not, one might say, hiding elephants in mouseholes.” Whitman v. American Trucking Assns., Inc.531 US 457, 468 (2001).

Under the government’s reading, § 1028A is an elephant. It essentially overrules Congress’s carefully considered judgment on penalties in dozens of statutes. Congress wrote detailed provisions for statutory penalties and enhancements for crimes in Title 18 Given the large number of crimes that § 1028A predicates, and the additional two-year sentence for violations of § 1028A, the government’s interpretation means that cautionary sentences throughout Title 18 would be compounded by § 1028A. I think courts should be cautious about construing the law to have such massive multi-section effect, especially because of the strange results it would produce.

Dubin’s answer briefly addresses this argument, but let me give an example that shows just how broad the government’s 1028A elephant move is. I already mentioned the federal computer hacking law, 18 USC § 1030, also known as the Computer Fraud and Abuse Act. Although most CFAA crimes have nothing to do with fraud, any criminal violation of § 1030 is a predicate offense for § 1028A. This is because one of the eleven sections includes “any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028(a)(7).” 18 USC § 1028A(c)(4). That chapter refers to chapter 47 of title 18, extending from § 1001 to § 1040. It’s a lot of crime! And that means that any criminal violation of the CFAA is a criminal predicate for aggravated identity theft, whether related to fraud or not, simply because the CFAA was placed within Chapter 47.

The government’s interpretation of § 1028A would lead to bizarre results for CFAA penalties. Congress was very specific in drafting the penalties for CFAA violations. It carefully describes what is a felony and a misdemeanor, and what the statutory maximum penalty should be for the various crimes, see 18 USC § 1030(c). It has thought carefully about whether there should be a mandatory minimum for violating the CFAA; It added a 6-month mandate for some CFAAAs in the 1990s and removed them in 2021 after minimal failures were proven. And it tasked the Sentencing Commission with reviewing guideline offenses for Section 1030 offenses. see Homeland Security Act of 2002, Pub. L. 107–296 § 225(b), (c).

What if the government’s interpretation of § 1028A is correct? really The issue for CFAA penalties is whether the hacking involved someone else’s password. If you hack into someone’s account by exploiting a security flaw, that’s just a standard CFAA offense and you’ll likely get probation unless there’s a large dollar loss. But if you hack someone’s account using their password without permission, now you’re in deep trouble: That password is a “means of identification” under § 1028A, so now your hacking is Aggravated Identity Theft and you’ll go to jail for two years because a Password was used. (This is not a hypothetical; see United States v. Barrington648 F.3d 1178 (11th Cir. 2011), where this rationale was used, and has been upheld, at least on plain error review.)

Under the government’s view, all the careful statutory work that Congress did in the CFAA sentence would be largely beside the point. And this would lead to an odd result, where the use of a person’s password would become the most important question in determining punishment for hacking. It’s all very strange, and far removed from something like identity theft. Replicate that process for all other predicate felony offenses covered under § 1028A(c), and the vague language of § 1028A does not appear to effectively replace all those other statutory sentencing categories.

It is possible that the court will resolve instead drowned On narrow grounds, such as the “without lawful authority” element. I think Dubin has a better argument there too. As I see it, this is similar to the issue that the courts have grappled with recently Van Buren v. United States, 593 US ___ (2021), what “beyond authorized access” and “without authorization” mean under the federal computer hacking statute. Like Van Buren, Dubin had permission to use relevant information, but then used it to do something he wasn’t supposed to do. The parties (i.e. represented by the same lawyers from neighborsas it turns out) are arguing the same ground as from neighbors, It seems to me. Q: Does the authorization include information that you can use but then repurpose it for? I think the following answer from neighbors “No” should, as I elaborate here (see pp. 181–85), match the traditional treatment of the lack of sanction element in other criminal laws.

As always, stay tuned.