The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
Computer crime law is mostly a federal law field. Because computer crimes cross state and national boundaries, the federal government ends up doing most of the investigations and prosecutions. The relevant law is mostly federal, often relying on statutes such as the Computer Fraud and Abuse Act, the Wiretap Act, the Stored Communications Act and the Pen Register statute.
But consider this twist: Although the law is heavily federal in practice, most states have enacted state versions of these statutes. Some of the state statutes largely track the federal laws. But some state statutes go beyond their federal law cousins by restricting a wider range of conduct. For example, some state computer misuse laws punish more conduct than the federal computer misuse law, such as by criminalizing "knowing access" instead of unauthorized access. Some state surveillance laws impose greater restrictions than the federal Wiretap Act, such as by requiring all-party consent rather than one-party consent to record a conversation.
These greater restrictions imposed by state laws don't cause particular problems in criminal investigations. The federal government can ignore state laws under the Supremacy Clause. The state laws may impose greater investigative burdens on state police, but that is the choice of voters in that state as to whether that's a bug or a feature. And even if it's a bug, it's a limited one, as it often has the effect of pushing more investigations up to the federal level where the state laws don't apply.
The state laws can cause major headaches for a lot of Internet businesses, though. If you run a business online, reaching into every state, your product needs to comply with federal and every state law. If you want to make sure that your product complies with all relevant laws, the prospect of a single state law imposing greater restrictions creates a major problem. Many of those state laws have a civil cause of action, meaning that you can be sued under a state cause of action from any state that has an outlier law.
Here's a thought: Internet businesses should challenge the scope of state laws that go beyond their parent federal statute under the so-called dormant commerce clause. Under the balancing test of Pike v. Bruce Church, Inc., 397 U.S. 137 (1970), a facially neutral state law is unconstitutional when "the burden imposed" on interstate commerce "is clearly excessive in relation to the putative local benefits" of the law.
I think the dormant commerce clause provides a powerful tool to challenge state computer crime laws that go beyond their federal cousins, at least in some contexts. Here's a quick sketch of why.
First, the local benefits of such state laws are often modest, if not close to zero. Because the federal laws exist and have essentially no federalism limitations (see here and here), the state laws laws add only marginal protection beyond the federal law standard.
Even that marginal protection can be of questionable benefit, as sometimes Internet technology makes the state laws rather absurd in their application. Consider state statutes requiring all-party consent to recording communications. In a telephone era, that is a plausible rule: It requires everyone on the call to consent to recording. In an Internet era, however, the technology often stores a copy of the communication automatically. Why should the law require explicit consent to record something that is necessarily recorded anyway? As the underlying technological facts over which the laws apply have changed, the local benefits of the laws have diminished.
On the flip side, the burdens on interstate commerce of such laws are often great. The laws effectively require every Internet business to comply with the most restrictive state law. Think of a state law that prohibits violating Terms of Service, which the more recent federal cases have said does not violate the CFAA. If you're using the Internet, or you have a business that visits different websites, you need to watch out for those state laws. You might be clear under the CFAA but violate the state CFAA analogue somewhere else, which could lead to criminal liability, civil liability or both. And because the reach of the state laws may be governed by server locations, which you won't necessarily be able to know ahead of time, you would have to follow the law of the most restrictive state even if you have no intention of doing business there or being regulated by the laws of that state.
Exactly how far such challenges should go is a hard question. I'm very skeptical that the federal laws should occupy the field with no room for the states. There's clearly some role for states, such as by imposing greater standards of cause on state investigators if voters want it. So I tend to disagree with the Second Circuit's prediction in 2003 that "the internet will soon be seen as falling within the class of subjects that are protected from State regulation because they imperatively demand a single uniform rule." At the same time, I think there are significant instances in which state computer crime laws fail the Pike balancing test in application.
I should also flag that there's already a somewhat significant body of caselaw on dormant commerce clause challenges to state Internet crime laws. See pages 697 to 710 of my "Computer Crime Law" case book for the details. I haven't seen any challenges to state computer crime laws on the grounds I propose, however.
Maybe someday I'll write a short law review article fleshing out these ideas. But for now, I thought I would flag the argument here with the hopes that enterprising lawyers might read it and may start to make the arguments in court. And feedback is very welcome in the comment threads or elsewhere.