On September 12, 2012, the Federal Bureau of Investigation (FBI) took Barrett Brown into custody in Dallas, Texas.
Law-enforcement officers raided his apartment several hours after he posted a video threatening to “destroy” the life of a federal agent and gather information about that agent’s family.
The FBI had previously searched both his apartment and his mother’s apartment in the weeks leading up to his arrest due to his alleged involvement in the dissemination of confidential personal information gleaned from documents posted by an individual affiliated with the hacker collective known as “Anonymous.”
Prosecutors initially charged Brown with making internet threats against a federal agent, threatening to disseminate restricted personal information about a federal agent, and retaliating against a federal law-enforcement officer.
Two months later, prosecutors also charged Brown with an additional fourteen identity-fraud counts, including trafficking in stolen authentication features, access device fraud, and aggravated identity theft.
The government claimed Brown committed federal identity fraud and aggravated identity theft by copying a hyperlink to the infringing documents and sending that hyperlink to a group of individuals in a chat room under his control.
While awaiting trial in Texas, he faced a maximum sentence of 105 years in prison.
It would be difficult to characterize Barrett Brown as a sympathetic figure.
The cause for his initial arrest—a series of videos posted on YouTube in which he threatens an FBI agent for searching his home
—does little to support his case. However, the unique circumstances of his prosecution reveal weaknesses in the federal identity-fraud regime that affect more than just bloggers with questionable journalistic credentials.
Originally enacted to combat the proliferation of fraudulent immigration documents and later amended in response to online trading in stolen credit card information,
the federal identity-fraud statutes employ extraordinarily broad terms. While such open-ended phrasing gives law enforcement and prosecutors powerful tools to pursue identity thieves,
Brown’s prosecution demonstrates that even the relatively innocuous act of copying and pasting a hyperlink may constitute federal identity fraud.
This Note argues that several broad provisions of the federal identity-fraud statutes may facilitate unconstitutional restrictions on protected speech. Part I provides background information on identity fraud in the United States and discusses recent challenges related to hacktivism and dumps of confidential documents. Part II explores how federal identity-fraud statutes may restrict protected speech. Specifically, Part II.A presents an overview of First Amendment doctrine as applied to federal identity fraud. Part II.B examines two perspectives one might take in approaching First Amendment challenges to identity-fraud statutes and argues for heightened scrutiny in certain circumstances. Part II.C also highlights ambiguities in the Supreme Court’s recent First Amendment doctrine concerning dissemination of information unlawfully obtained by third parties. Part III then concludes by proposing three methods to eliminate or avoid unconstitutional restrictions on protected speech.
I. Prosecuting Identity Fraud in the Digital Age
A. Prevalence of Identity Fraud
The evolution of the Internet and digital content over the past two decades has dramatically altered the nature of identity crimes and investigative approaches taken by law enforcement.
While federal identity-fraud statutes originally targeted more traditional identity crimes
—such as producing fake driver’s licenses—subsequent amendments to these statutes clearly cover online and digital fraud as well.
Rapid evolution in both technology and the statutory framework has resulted in serious questions of statutory construction,
and federal law-enforcement priorities.
Some of these challenges are discussed in greater depth throughout the remainder of Part I.
1. Evolution of Identity Crimes. — Though more traditional forms of identity fraud such as dumpster diving and passport forgery remain legitimate security concerns,
digital content and the Internet have fundamentally changed the nature of identity crimes. Over the past two decades, a massive amount of personal-identity information has been transferred to electronic storage mediums—generally those connected to the Internet. E-commerce websites process credit cards when online purchases are made, banks record financial transactions in networked databases, and the government has made it easier to file tax returns with the click of a mouse.
This greater availability of information has resulted in lucrative opportunities for identity thieves.
Online identity fraud takes many forms and is facilitated by constantly evolving techniques. For example, before implementation of sophisticated verification technology, skilled hackers frequently engaged in “carding” schemes, in which fraudulently obtained credit card numbers were sold on internet forums to the highest bidder.
Internet-based identity fraud is rarely perpetrated by a single individual; the personal financial consequences that make identity theft so devastating often result only after personal information is filtered through several layers of the online and offline underworld.
Sophisticated hackers have become the bridge between legitimate possessors of personal information and identity thieves lacking the technical skills necessary to steal valuable identity information. Once personal information is dumped online or sold to downstream fraudsters, that information is misused to make fraudulent purchases or stashed away for other criminal purposes.
2. Law-Enforcement Barriers and Fraud Prevention. — The Internet has also made it much more difficult to investigate and prosecute computer-based identity fraud.
Digital communication provides a degree of anonymity: Tech-savvy users often identify themselves with nothing more than a forum handle. While criminals sometimes fail to conceal their true identities,
the massive resources required by identity-fraud investigations often prevent agencies from pursuing small-scale fraudsters.
Law-enforcement strategies have therefore focused on prevention and mitigation, as opposed to investigating isolated incidents.
These strategies focus on decreasing the availability of sensitive personal information on public-facing websites, increasing citizen awareness of identity fraud, and enforcing stricter requirements regarding data retention and encryption.
B. Identity Fraud Under Sections 1028 and 1028A
The legal framework for identity fraud in the United States is a complicated patchwork of state and federal statutes.
Identity and fraud-related crimes under federal law are exceptionally varied—the government may charge an individual with access device fraud,
financial institution fraud,
and immigration document fraud,
each under different provisions of the United States Code.
Beyond those activities criminalized by federal statute, individuals may also face criminal penalties under more comprehensive state codes.
The government prosecutes a majority of federal identity-fraud cases under a general identity-fraud statute, 18 U.S.C. § 1028,
and the more recently enacted aggravated identity-theft statute, 18 U.S.C. § 1028A.
Congress has amended this framework on several occasions, responding to changes in technology and public pressure.
Originally enacted as part of the False Identification Crime Control Act of 1982, § 1028 targeted the fraudulent production, transfer, or possession of “identification documents.”
Congress was targeting the production of counterfeit physical documents used to misrepresent one’s identity in response to the proliferation of physical reproduction technology.
Increasingly sophisticated reproduction technology and criminal implementations of that technology have resulted in several amendments to § 1028,
as well as the enactment of minimum sentencing requirements under § 1028A for certain felony offenses.
Identity theft was not explicitly made a federal crime until 1998, when Congress amended § 1028 with the Identity Theft and Assumption Deterrence Act of 1998 (ITADA) in response to increased public pressure and the migration of financial information to digital and online media.
The scope of prohibited conduct distinguishes identity theft from identity fraud; while identity-fraud provisions criminalize a broad range of fraudulent behavior, identity theft targets the victimization of specific individuals.
The ability to conduct sensitive transactions on the Internet enabled criminals to impersonate others for financial gain, resulting in correspondingly personal harm to the victim.
In adding § 1028(a)(7) as an identity-fraud offense, Congress appears to have been responding to this growing threat to individual citizens.
During debate in the House of Representatives, comments focused on the ease with which a malicious individual could obtain and abuse another’s personal information, as well as on the financial hardship that victims faced due to gaps in federal law.
Representatives also focused on the Internet’s impact on the availability of personal information; because the Internet makes information more accessible, identity crimes were becoming more widespread.
Yet, despite Congress’s concern for struggling individuals, critics remained skeptical that amendments to § 1028 would alleviate the financial burdens of identity theft due to a lack of funding for federal investigations.
Furthermore, despite explicitly criminalizing “identity theft,” Congress initially failed to provide enhanced penalties corresponding to the severity of these crimes.
Congress also recognized in the early 2000s that concerns regarding identity authentication had expanded beyond the realm of physical documents and digital “means of identification.”
The SAFE ID Act of 2003 expanded the language of § 1028 to prohibit fraudulent production, transfer, or possession of “authentication features” such as holograms and watermarks.
Though this prohibition clearly covers authentication features such as a driver’s license hologram or birth-certificate watermark, the definition of “authentication features” is also broad enough to cover any string of numbers or letters used for authentication purposes.
Despite the breadth of the SAFE ID Act’s amendments, there appears to have been little congressional debate regarding the amendment.
C. Hacktivism and Identity Crimes
The practice of dumping massive numbers of confidential and personal documents on the Internet has resulted in recent challenges for identity-fraud investigators and prosecutors. For example, an online hacktivist group,
referring to itself as “LulzSec,” made waves in the data-security and law-enforcement communities by breaching private systems and dumping confidential personal information on the Internet in late 2011.
Unlike criminal syndicates or lone-wolf hackers who breach systems for profit, LulzSec appears to have facilitated massive data breaches for entertainment value and the embarrassment of its targets.
However, even in circumstances where LulzSec members did not themselves exploit personal information, they often posted this information online and made it available on public file-sharing websites.
LulzSec’s campaign of infiltration and information dumping has become characteristic of a new pattern in online mischief and identity fraud. Small groups of hackers with exceptional technical expertise lead many modern cyberattacks; these individuals exploit systems to damage, deface, or steal information.
But skilled hackers are often surrounded by a larger group of followers who exploit information released or who only passively participate in targeted attacks.
High-profile cyberattacks also draw digital onlookers and supporters without technical skills; this group may include security bloggers, political activists, institutional journalists, and ordinary citizens.
Existing laws, including federal identity- and computer-fraud statutes, often fail to account for this diversity of motives and varying degrees of involvement in fraudulent activities, resulting in potentially equal exposure to liability for each of the above groups.
1. Prosecuting Hacktivists Under the Computer Fraud and Abuse Act. — Infiltrating private computer systems without authorization may result in criminal liability under several statutes, but the framework for pursuing nontechnical participants, supporters, and observers is unclear. Prosecutors may invoke several federal statutes to pursue individuals for cyberattack involvement, even when individuals play no role in technical operations. The Computer Fraud and Abuse Act (CFAA),
for example, was used to pursue both the skilled hackers behind LulzSec and the group’s unofficial spokesperson.
The statutory language of the CFAA is rather broad and may be used to prosecute accessing a computer without authorization,
damaging or threatening to damage a computer,
using a computer to commit fraud,
or trafficking in passwords and “similar information.”
The CFAA has also become a potent prosecutorial tool because it explicitly criminalizes conspiracy to commit any of the charges it enumerates.
Critics allege the CFAA defines computer crimes too broadly and fails to adapt to modern communications.
For example, prosecutors have invoked the CFAA against individuals for violating a website’s Terms of Service (TOS)
and using an employer’s network for activity contrary to the employer’s interests.
Many of these concerns focus on the CFAA’s potential infringement on speech protected under the First Amendment.
While the death of Aaron Swartz—an open-access activist who took his own life after being aggressively prosecuted for CFAA violations—recently galvanized calls for CFAA reform, Congress has yet to commit to a major overhaul of the law.
2. Liability for Sharing Confidential Information. — Unlike members of LulzSec, Barrett Brown does not appear to have violated the CFAA. Though he publicly acknowledges his Anonymous connections, Brown is not seen as one of the more technically skilled individuals associated with the collective.
This apparent removal from daily operations of Anonymous did not, however, shield him from criminal charges stemming from the Stratfor Global Intelligence leak in December 2012.
Instead of being charged with computer fraud under the CFAA, Brown was indicted for identity fraud, access device fraud, and aggravated identity theft for accessing and sharing a hyperlink to confidential Stratfor documents posted online.
Though legitimate disagreements exist regarding the extent of Brown’s involvement with Anonymous and the media’s characterization of his case,
the basic facts of the Stratfor hack are relatively settled. In December 2011, hacker Jeremy Hammond infiltrated internal Stratfor systems and stole several hundred gigabytes of data including corporate emails, unencrypted credit card numbers, encrypted passwords, and confidential customer lists.
Hammond then transferred data to a server in New York and released information via publicly accessible hyperlinks.
He was arrested soon thereafter and charged with violations of the CFAA, conspiracy to commit access device fraud, and aggravated identity theft.
Following the Stratfor breach, Brown copied a hyperlink initially posted in an Anonymous IRC channel
and pasted that hyperlink in an IRC channel under his own control, allegedly out of interest in the journalistic value of the documents.
The hyperlink provided access to Stratfor documents released by Hammond, some of which contained credit card numbers of Stratfor customers.
Based on Brown’s sharing of the hyperlink, the government claimed:
[He] knowingly traffic[ked] in more than five authentication features knowing that such features were stolen, in that [he] transferred the hyperlink . . . from the Internet Relay Chat (IRC) called “#Anonops” to an IRC channel under Brown’s control called “#ProjectPM,” . . . and by transferring and posting the hyperlink, [he] caused the data to be made available to other persons online.
Regardless of the outcome in Barrett Brown’s own case,
commentators and civil rights organizations have referred to the government’s interpretation of §§ 1028 and 1028A as troubling for news organizations and journalists that do not fall within traditional definitions.
This is due primarily to Brown’s arguably journalistic activities. For example, before his legal troubles, Brown was portrayed as an unofficial “spokesperson” for Anonymous.
He has also written about his experiences with the collective and frequently discussed their activities with the media.
Further complicating matters, Brown had recently emphasized the latter role, distancing himself from Anonymous and portraying himself as an “investigative journalist” instead of “spokesperson” for the collective.
These factors resulted in a perfect-storm scenario that blurred the boundary between journalism and identity fraud in an increasingly online world.
Part II argues that the Brown case has drawn attention to shortcomings and ambiguity in the federal identity-fraud statutes that enable potentially unconstitutional restrictions on protected speech. While application of the statute in Brown’s case may not result in such restrictions, the broad definitions of § 1028(d) and the lack of an intent requirement in § 1028 enable unconstitutional restrictions in a significant number of cases.
Part III then proposes potential solutions for these shortcomings without infringing on the government’s aggressive prosecution of malicious identity thieves.
II. Identity Fraud and Restrictions on Protected Speech
Commentary surrounding Barrett Brown’s case and mainstream treatment of it has focused on the changing nature of online journalism and potential ramifications for the newsgathering activities of journalists.
While it is therefore tempting to argue for a journalist’s “right to hyperlink” by relying on the Press Clause of the First Amendment, the Supreme Court has refused to define who qualifies for special privileges as a member of “the press.”
Due to this lack of precedent, extending special privileges to an online journalist or blogger would require an expansive interpretation of the Press Clause that blurs distinctions between members of the public and “the press.”
Part II of this Note instead argues that prosecution for federal identity fraud in connection with sharing a hyperlink to documents containing confidential information may result in unconstitutional restrictions on protected speech under the First Amendment. Part II.A provides a general overview of identity fraud within a First Amendment framework and argues that independent online commentators are particularly vulnerable to identity-fraud prosecution, despite valuable contributions to public discourse. Part II.B discusses two approaches to analyzing potential infringements on protected speech imposed by identity-fraud prosecution. Part II.C then concludes by discussing special problems with dissemination of confidential information unlawfully obtained by third parties.
A. Identity Fraud and the First Amendment
The First Amendment protects both “freedom of speech”
and freedom “of the press.”
While this language seems to provide distinct privileges for ordinary citizens and for the institutional press, this interpretation is not universally recognized as the original intent of the Founders
and has not been explicitly adopted by the Supreme Court.
Perhaps for no reason beyond the sheer difficulty of determining who is a member of “the press,” the Court has largely avoided recognizing unique privileges based on the Press Clause of the First Amendment.
Legislatures have proven less hesitant to draw distinctions, though such actions have been mostly to the detriment of the independent commentators at issue here.
Several scholars have also attempted to more accurately define the institutional press for purposes of the First Amendment in response to the proliferation of digital content and new media.
This lack of clarity in the Court’s First Amendment doctrine presents a practical dilemma: Though many independent commentators exposed to liability for publishing or sharing personal information online would self-identify as journalists or members of “the press,” they are unlikely afforded more expansive privileges than those granted to all citizens.
Without clearly defined protections under the Court’s free-press doctrine, there is a danger that independent commentators may become unique targets for government abuse. Unlike the institutional press, independent commentators are often incapable of exercising substantial influence over a corrupt government or one that stifles dissent.
Therefore, while such individuals may fulfill an important role in public discourse comparable even to institutional journalists,
they seem exposed to substantial liability without protections rooted elsewhere in the law.
Instead of analyzing implications of the Press Clause, this Note argues that expansive free speech doctrine may justifiably protect independent commentators from identity-fraud charges under §§ 1028 and 1028A.
Though independent commentators are vulnerable to liability for identity fraud in ways that institutional journalists are not,
existing free speech doctrine may protect public discourse on the Internet without creating an overly broad exception arbitrarily shielding ordinary citizens from liability.
The threshold question in a free speech analysis is whether the relevant statute regulates “speech.”
Courts have generally distinguished between two categories of restrictions on speech: (1) content-based and (2) content-neutral.
Content-based restrictions are those that limit communications based entirely on the message or subject matter of the communication.
The Supreme Court has held that content-based restrictions are “presumptively invalid” and courts review them under a rigorous strict scrutiny standard.
Content-neutral restrictions, by comparison, limit speech without regard for the message or subject matter and are evaluated under the more deferential standard of intermediate scrutiny.
The Court has also recognized that some statutes not regulating speech may have “incidental” effects on speech.
Where an impact on speech is merely incidental, it is generally presumed that a First Amendment issue is not raised.
But if that impact is “highly disproportionate” or “significantly limits the opportunities for free expression,” the restriction may still be challenged.
The federal identity-fraud statutes are laws of general applicability
that prohibit misuse of certain types of confidential personal information. Sections 1028 and 1028A therefore seem to impose only content-neutral restrictions on speech,
if not entirely incidental restrictions.
While there is a plausible argument that §§ 1028 to 1028A do not impose even incidental restrictions on speech, this seems like an oversimplification of the prohibited conduct and the nature of confidential personal information itself. Part II.B attempts to define those circumstances in which identity-fraud statutes impose restrictions on protected speech.
B. Protecting Speech in the Identity-Fraud Context
First Amendment challenges to the federal identity-fraud statutes may be viable in several scenarios, though sharing information via hyperlink poses particularly unique challenges. These challenges stem from two observations. First, the Internet has evolved into a uniquely valuable medium of communication with hyperlinking as a fundamental component.
Second, the complex dynamics of hacktivist campaigns and confidential-document dumps have resulted in many nonmalicious individuals accessing or sharing confidential information via hyperlink.
Part II.B responds to these concerns by addressing the identity-fraud statutes generally and then devoting particular attention to the context of hyperlinking.
Part II.B.1 analyzes potential First Amendment challenges by focusing on the actual information regulated—the “means of identification” and “authentication features”—while Part II.B.2 conducts the same analysis focusing on the hyperlink itself as potentially protected speech.
1. Identity-Fraud Statutes as Restrictions on Protected Speech. — Sections 1028 and 1028A prohibit the unlawful transfer, production, possession, or use of “means of identification”
and “authentication features.”
Analyzing potential First Amendment challenges by focusing on the confidential personal information accessed or shared results in two relevant First Amendment questions: whether “means of identification,” “authentication features,” or the underlying documents in which those two categories of features exist can ever constitute speech, and, if so, whether §§ 1028 and 1028A regulate speech or nonspeech elements.
If courts scrutinize the actual hyperlink in this analysis, the First Amendment challenge becomes more complicated and likely turns on the role of the hyperlink in a particular factual scenario.
“Means of identification”—such as credit card numbers and email addresses—undoubtedly serve functional or nonspeech roles.
The function of a “means of identification” or identification document is somewhat self-explanatory: Entities use them to identify a specific individual and grant access, manage finances, or otherwise link that individual with their online and offline lives.
Though it is true that a name or number
may be communicative, names and numbers without more do not always communicate a message.
Furthermore, it seems even less likely that an “authentication feature”
would communicate a message protected by the First Amendment, since the sole function of such a feature is to verify the authenticity of another document, string of characters, or document-making implement.
It is a fundamental principle of First Amendment doctrine that the right to free speech is not absolute and that certain categories of speech may be justifiably prohibited or regulated by the government,
such as obscenity,
and incitement of illegal activity.
Some categories of speech, however, such as political
or religious speech,
represent the strongest examples of protected speech under the First Amendment. In certain limited contexts, there is a plausible argument that these names or numbers are essential to a message communicated by documents in which “means of identification” or “authentication features” exist.
Therefore, where personally identifiable information constitutes merely one component of a larger message—as will often be the case with massive dumps of confidential information carried out for political purposes—courts must determine whether the value of the speech outweighs the potential damage of disseminating personal information in a specific context.
Imagine a writer at the New York Times stumbles across an extensive list, anonymously posted to WikiLeaks, of individuals subject to federal background investigations and personal information, such as home addresses, phone numbers, and online usernames.
Some entries appear legitimate, but the writer also notices thousands are bogus. Believing the list of investigated individuals provides evidence of unsecure practices and government waste, the writer shares a hyperlink to these documents with her editorial team at the Times, along with a message expressing interest in writing a related story. While most would recognize this conduct as a legitimate exercise of protected speech, the writer appears to have transferred thousands of “means of identification,” committing identity fraud and exposing several individuals to criminal liability in the process.
2. Hyperlinking Prohibitions as Restrictions on Protected Speech. — Hyperlinking as a means of sharing access to confidential personal information warrants special attention due to hyperlinking’s importance as a medium of digital communication.
Hyperlinks generally consist of both expressive and non-expressive elements.
Though used to connect different locations on the Internet and pages on a single website, hyperlinks may also serve as a sign of authority or affiliation.
Links may be used by the general public to facilitate access to obscure information, draw mainstream attention to a particular issue, or even to make political statements by manipulating connections between webpages.
While the expressive elements of hyperlinks may be directly regulated in contexts such as trademark infringement under the Lanham Act,
prohibitions on conduct related to identity fraud only incidentally restrict the expressive elements of hyperlinking.
Turning to hyperlinks within the scope of §§ 1028 and 1028A, the question becomes whether sharing a hyperlink to documents containing confidential personal information can constitute protected speech.
The Supreme Court has noted “[i]t is possible to find some kernel of expression in almost every activity a person undertakes,” but that such a minimal degree of expression is insufficient to grant First Amendment protection to the conduct at issue.
However, whether hyperlinking to unlawfully obtained “means of identification” or “authentication features”
actually constitutes protected speech for purposes of the First Amendment represents a narrow question on which there is limited case law directly on point.
Several related developments in the area of intellectual property may prove informative for the identity-fraud context because they provide detailed legal and technical analysis of hyperlinks. In Pearson Education, Inc. v. Ishayev, a federal district court determined that emailing a hyperlink to copyrighted works did not constitute “distribut[ing] copies”
in violation of an owner’s exclusive rights.
Drawing on precedent in the Southern District of New York and Ninth Circuit,
the court explained that sharing a hyperlink does not constitute copyright infringement because a hyperlink is “the digital equivalent of giving the recipient driving directions to another website on the Internet.”
In other words, the hyperlink itself does not contain substantive content; it merely contains HTML instructions directing the recipient to the content’s location on the Internet.
Several circuit courts have also reviewed hyperlinking in the context of “commercial use” of trademarks under the Lanham Act.
While these cases have dealt with varied factual scenarios, courts consider the totality of the circumstances to determine whether hyperlinking to trademarked materials constitutes commercial use.
As part of this analysis, courts look to the underlying purpose of the Lanham Act—protecting the ability of consumers to distinguish between competitors—to determine whether or not hyperlinking constitutes “commercial use.”
Courts have also considered whether imposition of liability would unnecessarily infringe on an individual’s First Amendment rights, though the factual circumstances in those cases greatly differ.
This judicial approach recognizes hyperlinks are multifunctional objects that must be analyzed in both their online context and the context of the statutory prohibition.
Despite an understanding of hyperlinks as “HTML instructions” that do not necessarily violate a copyright owner’s exclusive right to distribute
or result in commercial use problems under the Lanham Act, several cases brought under the anticircumvention provision of the Digital Millennium Copyright Act (DMCA)
have resulted in liability for the mere posting of hyperlinks. In Universal City Studios v. Reimerdes, a federal district court determined that posting hyperlinks to decryption software on a website constituted “offering, providing, or otherwise trafficking in” prohibited software.
According to the trial court, making the hyperlinks publicly available on a website was “the functional equivalent of transferring the [decryption software] code to the user themselves.”
Beyond the statutory issues, the trial court was asked to address several constitutional challenges—including an argument that the anticircumvention provision of the DMCA violates the First Amendment—but ultimately determined that the DMCA survived all constitutional challenges.
Applying the requirements pertaining to content-neutral regulations as laid out in O’Brien,
the trial court determined that the anticircumvention provision of the DMCA did not constitute unlawful infringement of protected speech because it protected a substantial government interest without unnecessarily infringing on free expression.
While Universal I was affirmed on appeal, the Second Circuit explicitly reaffirmed the First Amendment holding below without adopting the trial court’s more rigorous analysis.
According to the circuit court, since computer code contains both speech and nonspeech elements, the level of scrutiny applied should depend on the elements targeted by a particular regulation; since the anticircumvention provision of the DMCA did not target the expressive elements of decryption software, it was treated as a content-neutral regulation subject to intermediate scrutiny.
Drawing on these three lines of doctrine, it is unclear which is most analogous to identity fraud under § 1028(a)(2). The statutory language provides that it is unlawful for any person to “knowingly transfer an . . . authentication feature.”
It is true that a hyperlink to unlawfully obtained authentication features appears to do no more than the set of “HTML instructions” in copyright infringement cases like Pearson Education or Perfect 10, but it is unclear whether “means of identification” and “authentication features” are more analogous to copyrighted works or the harm caused by disseminating the location of those works.
More interesting is the question of whether the framework applied in Corley would also be applicable in the identity-fraud context. It is unlikely that credit card numbers or any other “means of identification” or “authentication features” could constitute computer code similar to the decryption software at issue in Corley. It is certainly possible, however, that “authentication features” or “means of identification” may sometimes contain both expressive and functional elements.
If courts adopt an interpretive approach similar to Corley, they must first determine whether the expressive or non-expressive elements of the features are being restricted and then subject the restriction to the appropriate standard of review.
As discussed in Parts II.B.1 and II.B.2, however, it is unclear whether courts should look toward the information regulated—“means of identification” and “authentication features”—or the hyperlink used to share the location of that information.
Where a hyperlink to nothing more than a list of credit card numbers is shared,
it would be difficult to argue that protected speech is restricted by an identity-fraud prosecution.
But where many fewer credit card numbers are included in a dump of several million documents demonstrating alleged government wrongdoing,
as alleged in the Brown case,
the argument becomes more viable. Defendants in such circumstances may argue either that they either did not know the information was available at the hyperlinked location
or that the information was itself necessary to the message the documents conveyed.
3. Standard of Review for Hyperlinking Restrictions. — When reviewing content-neutral restrictions on speech, courts generally apply one of three standards of scrutiny; the court’s choice depends on the degree to which valued speech is restricted and the significance of the government interest involved.
The standard of “intermediate scrutiny” is ordinarily invoked when reviewing content-neutral restrictions; it requires that courts ask only whether a content-neutral restriction is “narrowly tailored to serve a significant governmental interest.”
However, Geoffrey Stone has argued that courts may apply the heightened standard of strict scrutiny (or a more rigorous form of intermediate scrutiny) to a content-neutral restriction on speech in certain circumstances. This would require the government to demonstrate a “compelling interest” instead of a merely “substantial interest.”
Some scholars have argued hyperlinking prohibitions are one such scenario necessitating heightened scrutiny—even in the context of content-neutral restrictions—due to the unique value hyperlinks provide to online communication. Expanding on Stone’s three-step formulation of content-neutral review, Anjali Dalal argues that the content-neutral doctrine is essentially an “effects-based doctrine” in which courts evaluate the “net effect on valued speech.”
Since hyperlinking is essential to uniquely valuable online communication, restrictions on hyperlinking where First Amendment rights are implicated should be subject to a heightened standard of review.
In making this argument, Dalal relies heavily on the seminal case New York Times Co. v. Sullivan
and highlights the Internet as a medium of communication rivaling the importance of newspapers in the 1960s.
This analytical approach is discussed further in Part III.B.
C. Disseminating Information Unlawfully Obtained
Part I.C of this Note highlighted increasingly complex and anonymous interactions between individuals who (1) infiltrate private computer systems and release confidential information, (2) exploit confidential personal information released on the Internet, and (3) access or share dumped confidential information for nonmalicious purposes. Parts II.A and II.B explored several concerns regarding unconstitutional restrictions on protected speech resulting from prosecution for identity fraud. Part II.C argues that recent developments in the Supreme Court’s First Amendment doctrine highlight the disconcerting impact of imposing criminal liability on those who access and share confidential information unlawfully obtained by third parties.
1. Private Information Unlawfully Obtained. — In Bartnicki v. Vopper,
the Court addressed a factual scenario similar to that in United States v. Brown,
though the medium of communication was different: A local radio personality received information from a third party who had obtained that information unlawfully.
The radio personality then disseminated the information to the public by means of his radio program.
Though Bartnicki recognized that unlawfully intercepting a private phone conversation implicates significant individual privacy rights,
it determined the radio personality could not be held liable because he had not himself unlawfully obtained the information. Under these circumstances, disclosure of information in the public interest outweighed individual privacy rights.
While Bartnicki establishes that unlawful interception of information by a third party does not automatically limit the First Amendment right to publish, it does little to define the boundaries of “public concern.”
Examining the line of cases that Bartnicki builds upon, the concept of “public concern” may clearly be stretched further than anticipated; it has been used to justify publication of classified documents concerning the Vietnam War,
names of juvenile defendants in criminal proceedings,
names of alleged rape victims,
and confidential inquiries before a state agency.
While one may argue that personally identifiable information such as credit card numbers should be excluded from this well-established exception for matters of “public concern,” at least one court has held that even social security numbers may be posted on the Internet by private citizens when those numbers are lawfully obtained from public records previously available on government websites and displayed in their original form.
According to the Fourth Circuit in Ostergren v. Cuccinelli, the government’s decision to make information publicly available itself implies the information is a matter of public concern.
2. Knowledge of Unlawfulness. — Two important questions remain open following Bartnicki and are particularly relevant in the context of information anonymously posted on the Internet. The first is whether Bartnicki applies to circumstances in which an individual knows the information received was unlawfully obtained.
Though the radio personality in Bartnicki broadcast an unlawfully obtained conversation on his show, it is unclear whether he knew the conversation was illegally intercepted.
Without judicial clarification in the identity-fraud context, the government would need to prove no more than knowledge the information belonged to another person and was contained in documents transmitted.
This question seems at least slightly more complicated when dealing with aggravated identity theft because the Court has held that an individual must knowingly transfer a means of identification that they also know belongs to another person.
In other words, even if an individual knows the information received and shared contains “means of identification,” that individual must also know the “means of identification” belong to another person to be convicted under § 1028A.
The second important question for purposes of this Note is whether Bartnicki also extends to ordinary citizens, as opposed to media personalities and institutional journalists. Though Ostergren held that social security numbers may be published by an independent commentator when lawfully obtained from public records, the Fourth Circuit did not address whether publication would be allowed if the numbers had been unlawfully obtained by a third party.
Recent cases such as United States v. Brown
and United States v. Auernheimer
further call into question the applicability of Bartnicki to independent commentators and ordinary citizens. While related decisions such as United States v. Stevens recognize that speech derivative to third-party illegality may sometimes be protected under the First Amendment,
these decisions address more traditional forms of speech and are therefore only partly analogous.
Many scholars assert the Internet and increased accessibility of information can serve important democratic functions unfulfillable via the institutional press.
These arguments tend to support equal treatment of any individual publishing in the public interest and furthering democratic discourse.
But the Court’s reluctance to broadly define and grant special privileges to “the press,” combined with a failure to explicitly relieve ordinary citizens from liability for third-party illegality, has distanced independent commentators from the holdings of cases like Bartnicki and New York Times Co. v. Sullivan.
The threat of criminal liability for federal identity fraud therefore hangs particularly heavy over independent commentators, chilling public discourse and potentially infringing on constitutionally protected speech.
3. Beyond Barrett Brown: The Sony Pictures and Celebrity-Photo Hacks. — Two recent incidents serve to highlight challenges posed by massive dumps of confidential information and the potential for enforcement against individuals responsible for disseminating those documents: the 2014 celebrity-photo hack and the 2014 Sony Pictures Entertainment (SPE) hack. Though these cases deal with different victims, motives, and information, each resulted in the unauthorized disclosure and dissemination of massive amounts of confidential information.
The 2014 celebrity-photograph hack has been called the largest online disclosure of celebrities’ personal information in history and was widely discussed as an egregious violation of privacy.
On August 30, 2014, an anonymous hacker posted nude photographs of several major celebrities on the website 4chan.
Links to the images and the images themselves were subsequently distributed on social media and reported by major news outlets,
raising the strong implication that stolen images or hyperlinks to those images were either viewed by or disseminated by both bloggers and institutional journalists.
Though celebrities have threatened ISPs with legal action based on the DMCA,
copyright claims based on the DMCA would likely be ineffective against news outlets and individuals. Victims must therefore find another means of civil or criminal redress against those disseminating the photographs; given at least some statements regarding intent to “prosecute,”
the federal identity-fraud statutes may provide the only mechanism to impose criminal liability.
The SPE hack in November 2014 also resulted in a massive disclosure of confidential information obtained by a group of hackers, but it involved the dissemination of a greater variety of information.
The hackers stole and released thousands of social security numbers, credit card numbers, and passports—documents that undoubtedly fall within the definitions of §§ 1028 and 1028A—but many media reports focused on information obtained from SPE emails.
Due to widespread coverage of information contained in the confidential dump, SPE retained noted litigator David Boies and demanded media outlets delete any “stolen information” reported on.
This incident and related litigation threats should therefore clearly illustrate the danger of the government’s argument in United States v. Brown: If hyperlinking to the massive dump of confidential documents from SPE constitutes identity fraud, even if the hyperlinks are shared only internally among the news team at the New York Times or Washington Post, dozens of journalists and bloggers will be exposed to serious criminal liability under federal law.
III. Reconciling Identity-Fraud Prosecution with the First Amendment
As discussed throughout Part II, there are several ways to frame First Amendment challenges in the context of identity fraud. One approach is to view the sharing of confidential documents through the lens of the intellectual property cases discussed in Part II.B.2.
This approach requires determining whether sharing specific information constitutes “traffic[king]” in the actual “means of identification”
or “authentication features”
and, if so, whether prosecution constitutes an unconstitutional restriction on protected speech.
Prohibitions on sharing confidential personal information may also be troubling where such information was unlawfully obtained by a third party but subsequently accessed or shared as a matter of public concern by another.
Finally, on a more theoretical level, sharing information via hyperlink may be viewed as a uniquely expressive mode of communication warranting special protection akin to that afforded print publication in New York Times v. Sullivan.
Regardless of how these statutory issues are framed, unconstitutional restrictions on protected speech may be avoided in several ways. Part III.A argues the First Amendment doctrines of overbreadth and vagueness may warrant invalidation of §§ 1028 and 1028A, though overbreadth is generally seen as “strong medicine” and rarely invoked. Part III.B argues the most effective way to avoid First Amendment challenges to §§ 1028 and 1028A is narrowly redefining the terms of § 1028(d) and heightening the mens rea requirement for provisions vulnerable to abuse. Part III.C then concludes by arguing First Amendment challenges to the federal identity-fraud regime should be reviewed using strict scrutiny when prohibitions on hyperlinking occur.
A. Vagueness and Overbreadth
As discussed in Part I.B, the statutory definitions of “means of identification”
and “authentication features”
are extraordinarily broad—practically any name, string of numbers, or feature of an identification document may be regulated.
First Amendment challenges to §§ 1028 and 1028A may therefore rely on the breadth of these terms in arguing laws are overbroad
and unconstitutionally vague.
The “overbreadth” and “void-for-vagueness” doctrines are closely related and rooted in the average citizen’s ability to recognize the precise conduct prohibited by criminal statutes.
The fundamental premise of overbreadth doctrine is that narrowly defined statutory terms are required to avoid sweeping restrictions on protected speech.
Overbroad restrictions chill otherwise protected speech by individuals attempting to avoid liability.
Many of Barrett Brown’s supporters focused on variations of this argument, claiming aggressive prosecution will result in a chilling effect on journalists and ordinary citizens.
There is some merit to this argument, as demonstrated by the government’s recent assertion that even email addresses may constitute “means of identification” giving rise to prosecution when misused.
But since invocation of the overbreadth doctrine is generally viewed as “strong medicine,” it is unclear whether potential restrictions on protected speech outweigh the inconvenience and disruption of facially invalidating a criminal statute.
For such an argument to be seriously considered, those subject to prosecution must demonstrate unconstitutional restrictions on individuals with more straightforward cases. While Brown’s case may not lend itself to reevaluating decades of statutory interpretation, indictment of an individual for genuinely journalistic activity might.
The closely related “void for vagueness” doctrine requires that criminal statutes be defined with sufficient clarity to inform ordinary citizens of the conduct prohibited.
When coupled with the broad definitions of § 1028(d),
a plausible argument exists that the statute fails to inform ordinary citizens of precisely what conduct is prohibited, thereby encouraging arbitrary enforcement and necessitating facial invalidation.
Indeed, concerns regarding the breadth and vagueness of the federal identity-fraud statutes have been raised since the original enactment of § 1028 in 1982.
While §§ 1028 and 1028A may be justifiably invoked where an individual transfers a hyperlink to documents containing credit card numbers, the statutory language appears to prohibit transfer of many other types of information as well—including email addresses, online usernames, or any unique numeric identifier.
B. Amending the Statutory Framework
Identity fraud has evolved alongside technologies facilitating it, necessitating statutory amendments at watershed moments such as the dawn of the Internet.
Recent developments like social media and hacktivism may represent yet another watershed moment requiring congressional intervention.
As discussed in Part I.C of this Note, hacktivism and the increased availability of information have altered the flow of information online and resulted in complex interactions between different actors—sometimes exposing relatively passive participants to the same liability as malicious hackers.
Two potential amendments to §§ 1028 and 1028A may reduce this potential for abuse and prevent unconstitutional restrictions on protected speech: narrower definitions in § 1028(d) and a heightened intent requirement for certain provisions of § 1028(a).
As discussed in Part III.A, the most pressing concern with the federal identity-fraud regime is the sheer breadth of its statutory definitions.
Amending § 1028(d) by narrowing these definitions would make prosecution for sharing documents such as customer lists and email addresses less likely, alleviating some concerns regarding restrictions on newsgathering as well.
An alternative approach to overbroad statutory definitions may come in the form of a federal media shield law, such as the one debated by Congress at the time this Note was drafted.
Incorporating a safe harbor provision for individuals whose newsgathering activities incidentally violate federal identity-fraud statutes may protect institutional journalists while avoiding harmful restraints on law enforcement. As a counterpoint, such a broad exception for “newsgathering activities” would raise similar concerns as the overbroad terms of §§ 1028 and 1028A.
Regardless, federal shield law proposals have explicitly left entities like WikiLeaks and noninstitutional commentators unprotected.
Requiring intent under certain provisions of §§ 1028(a) and 1028A may help avoid arbitrary enforcement and conviction.
Section 1028(a)(2), for example, prohibits “knowingly transfer[ring] an identification document, authentication feature, or a false identification document knowing that such document or feature was stolen or produced without lawful authority.”
Heightening the mens rea standard in this section by requiring intent that information be used for malicious purposes may refocus identity-fraud prosecutions on the law’s original targets: identity thieves and individuals trafficking in identity features for entirely fraudulent or malicious purposes.
Requiring intent would raise several subsidiary questions, not least of all being “intent to do what?” The difficulty here is drafting a provision encompassing malicious use of identity information while avoiding the catch-all phrases that result in further overbreadth and vagueness.
These difficult questions also support arguments that an intent requirement enables malicious identity thieves to avoid prosecution and is therefore undesirable.
C. Strict Scrutiny for Hyperlinking Restrictions
Though not necessarily an independent solution,
Dalal’s framework for analyzing hyperlinks within the First Amendment context provides an interesting lens through which courts may analyze prosecution for identity fraud connected to sharing a hyperlink.
As briefly mentioned in Part II.B.2, Dalal argues that the standard of “actual malice” adopted in New York Times Co. v. Sullivan
should be extended to the hyperlinking context.
According to Dalal, the Internet has evolved in such a way that it now serves the same democracy-protecting function print media served at the time Sullivan was decided.
Therefore, regulation of hyperlinking as a vital communicative component of the Internet should be subject to strict scrutiny review.
Strict scrutiny would require statutory prohibitions on hyperlinking to be “narrowly tailored to further compelling governmental interests.”
The governmental interest behind identity-fraud statutes is undoubtedly compelling.
Narrowly tailoring statutes to further this interest, however, poses more difficult questions beyond the scope of this Note.
More interesting than the outcome in any particular factual scenario,
application of strict scrutiny to hyperlinking as a communicative medium addresses the core First Amendment concerns stemming from prosecution for hyperlinking to confidential information. While identity-fraud statutes serve compelling governmental interests, criminal prohibitions on hyperlinking that are not narrowly tailored to that interest threaten to restrict a communicative medium with unique democratizing and information-sharing value.
Courts often respond to rapid technological change by trying to fit “old crimes into new bottles.”
This understandable and cautious approach towards technology and law, however, seems to justify heightened review of matters fundamentally important to digital communication.
Where outdated criminal statutes are applied to new technologies and social trends, strict scrutiny protects First Amendment rights until legal implications are clearly understood. Applying this general principle to identity fraud, strict scrutiny review protects ordinary citizens and the right to access or share publicly available information, while allowing Congress to narrowly tailor provisions addressing malicious identity fraud.
Identity fraud is facilitated by rapid growth in technology and social trends, thereby necessitating periodic statutory revisions. Increased data mobility and the challenges of widespread hacktivism have resulted in significant new barriers to identity-fraud prosecution under the current framework. In addressing cases with potential implications for First Amendment rights, however, courts must carefully balance the need for aggressive prosecution of identity theft with the accompanying chilling effects on democratic discourse. The Internet now serves a uniquely valuable role in ensuring the free flow of information of public concern; without either judicial constraints on identity-fraud prosecution or statutory revisions to its outdated legal framework, arbitrary prosecution will remain a threat to independent commentators and ordinary citizens seeking to contribute to public discourse.