Thoughts on Dubin v. United States and the Aggravated Identity Theft Statute
Thoughts on Dubin v. United States and the Aggravated Identity Theft Statute
18 U.S.C. § 1028A, this is your day in court.
ORIN S. KERR | 2.19.2023 4:18 PM
On February 27, the Supreme Court will hear argument in Dubin v. United States, a case on the Aggravated Identity Theft Statute, 18 U.S.C. § 1028A. This statute comes up often in the context of computer crimes, and its interpretation raises some interesting and important questions. So I thought I would blog about the case and offer some impressions.
I'll start with the statutory problem that prompts the Dubin case; then turn to the case itself; and conclude with my own views.
A. The Mess of Statutory Drafting That is 18 U.S.C. § 1028A.
First, some context. Section 1028A was enacted in 2004 at a time when there was a lot of concern about computer crimes and credit card fraud. Aided by "cyberspace," criminals were using the identity information of innocent consumers to get new credit cards in their names that were then used by the criminals fraudulently in ways that caused endless headaches for consumers who were then stuck with the fraudulent purchases on their credit record. This using of an innocent person's identifying information to get a bogus line of credit, sticking them with the consequences, was being known as "identity theft." And it was a big concern.
So what did Congress do? A natural thing would have been to enact a law adding a sentencing enhancement for fraud that caused those personal harms to innocent victims. That is, treat the harm—bad credit scores, the incurring of debts to others, etc.—as a result element that, if caused, triggers greater criminal liability.
But that is not what Congress did. Instead, Congress wrote this statute, titled "Aggravated Identity Theft":
Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Here's the key: Instead of focusing on the causing of the harm, Congress tried to describe the extra-bad act that was generally associated with the extra-bad harm. And what was that extra-bad act? Congress figured, well, someone who was already committing some kind of fraud-based predicate felony (bad) was using identity information without the person's permission (extra-bad). So in addition to the liability they had for the already-existing fraud-based felony, a criminal who uses the identifying information as part of that felony gets an extra two years in jail for using the identifying information.
At this point, you can probably see some problems with how the statute is drafted. There are two big problems, I think, and they are related. First, Congress did a lousy job describing the fraud-based felonies that can act as a predicate offense. Instead of saying the predicate offense had to be a fraud crime, Congress looked to various parts of Title 18 and included large swaths of the code that seemed to have some kind of connection to fraud. When you look at the predicate felonies in subsection (c), there are 11 different areas of Title 18 that are included as predicates. Some of those sections are about fraud. But some aren't. Some were just codified near sections about fraud.
The second problem, and the one more directly relevant to the Dubin case, is that Congress did a terrible job describing the extra-bad act. The extra-bad thing the drafters were thinking about was using identity information in a way that caused the person to whom the information related to suffer harms such as bad credit scores or being stuck with the bill. But Congress instead wrote the extra-bad act in a very abstract way. In the statute, the extra-bad act is described as "knowingly transfer[ing], possess[ing], or us[ing], without lawful authority, a means of identification of another person" . . . "during and in relation to" one of the predicate offenses.
18 U.S.C. § 1028A, this is your day in court.
ORIN S. KERR | 2.19.2023 4:18 PM
On February 27, the Supreme Court will hear argument in Dubin v. United States, a case on the Aggravated Identity Theft Statute, 18 U.S.C. § 1028A. This statute comes up often in the context of computer crimes, and its interpretation raises some interesting and important questions. So I thought I would blog about the case and offer some impressions.
I'll start with the statutory problem that prompts the Dubin case; then turn to the case itself; and conclude with my own views.
A. The Mess of Statutory Drafting That is 18 U.S.C. § 1028A.
First, some context. Section 1028A was enacted in 2004 at a time when there was a lot of concern about computer crimes and credit card fraud. Aided by "cyberspace," criminals were using the identity information of innocent consumers to get new credit cards in their names that were then used by the criminals fraudulently in ways that caused endless headaches for consumers who were then stuck with the fraudulent purchases on their credit record. This using of an innocent person's identifying information to get a bogus line of credit, sticking them with the consequences, was being known as "identity theft." And it was a big concern.
So what did Congress do? A natural thing would have been to enact a law adding a sentencing enhancement for fraud that caused those personal harms to innocent victims. That is, treat the harm—bad credit scores, the incurring of debts to others, etc.—as a result element that, if caused, triggers greater criminal liability.
But that is not what Congress did. Instead, Congress wrote this statute, titled "Aggravated Identity Theft":
Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Here's the key: Instead of focusing on the causing of the harm, Congress tried to describe the extra-bad act that was generally associated with the extra-bad harm. And what was that extra-bad act? Congress figured, well, someone who was already committing some kind of fraud-based predicate felony (bad) was using identity information without the person's permission (extra-bad). So in addition to the liability they had for the already-existing fraud-based felony, a criminal who uses the identifying information as part of that felony gets an extra two years in jail for using the identifying information.
At this point, you can probably see some problems with how the statute is drafted. There are two big problems, I think, and they are related. First, Congress did a lousy job describing the fraud-based felonies that can act as a predicate offense. Instead of saying the predicate offense had to be a fraud crime, Congress looked to various parts of Title 18 and included large swaths of the code that seemed to have some kind of connection to fraud. When you look at the predicate felonies in subsection (c), there are 11 different areas of Title 18 that are included as predicates. Some of those sections are about fraud. But some aren't. Some were just codified near sections about fraud.
The second problem, and the one more directly relevant to the Dubin case, is that Congress did a terrible job describing the extra-bad act. The extra-bad thing the drafters were thinking about was using identity information in a way that caused the person to whom the information related to suffer harms such as bad credit scores or being stuck with the bill. But Congress instead wrote the extra-bad act in a very abstract way. In the statute, the extra-bad act is described as "knowingly transfer[ing], possess[ing], or us[ing], without lawful authority, a means of identification of another person" . . . "during and in relation to" one of the predicate offenses.
