Open PDF in Browser: Connor Hagan,* Unconstitutional Cyberpunks: The Dubious Conspiracy Backdoor to Federal Cybercrime Venue
Computer‑based crimes are relatively new in our nation’s history. The Constitution’s criminal venue protections are not. Modern cybercrime statutes, for the way they interact with conspiracy law and the modern internet architecture, subvert the original purpose of these protections.
The Framers drafted these criminal venue protections in response to England’s colonial practice of transporting defendants to different colonies, or even back to England, to face trial in jurisdictions more favorable to the Crown. Rejecting this system, Article III of the Constitution requires that criminal trials be held in the state where the crime was committed.
The Sixth Amendment, for its part, then guaranteed that the defendant shall enjoy a jury composed of individuals from the state and district where the crime occurred. The way venue is laid in cybercrime prosecutions today does violence to these fundamental principles.
The chief cybercrime statute, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, was enacted in 1984 to provide clear legal boundaries for computer‑based conduct. The CFAA gives adequate notice to the public as to the nature of the proscribed conduct and provides prosecutors with the necessary legal framework to fight computer crime. It is silent, however, as to where that fight may take place. As a result, venue hinges on interpreting the CFAA’s statutory text and applying common law judicial tests. As such, the nature of the statute’s operative language is critical to venue—the action verbs often dictate the location of the crime and thus where prosecution is appropriate.
Two additional legal concepts further frustrate the already‑difficult venue analysis. The first disruptor is the heretofore rejected idea of manufactured venue. The second disruptor is conspiracy law—criminal liability for parties agreeing to break the law. Congress has specially provided that conspiracy is a continuing offense and therefore may be prosecuted in any district in which such offense was begun, continued, or completed.
Applying this legal framework to cybercrimes presents serious dangers for defendants due to the internet’s network architecture—the complex, decentralized, and interconnected character of modern internet hardware makes predicting a given piece of data’s path futile. Using two Colorado‑based hypotheticals, this Note will illustrate how the foregoing principles mix to form a dangerous alchemy for cybercrime defendants. These hypotheticals then serve as the basis for recommending three reforms.
Ultimately, this Note argues that advancements in technology and the increasing sophistication of cybercrime do not justify a departure from constitutional venue protections. Modern technology makes catching and prosecuting cybercriminals more difficult, yes. But this reality does not allow law enforcement or, by association, the courts to ignore defendants’ rights merely because they may inconvenience the government during prosecution.
Introduction
Imagine you live in Florida but were forced to face trial in New Jersey.[1] Without knowing more about the factual nature of the crime, this may appear unobjectionable. It may feel overtly unfair, however, when you learn that prosecution in New Jersey was premised largely on two attenuated events. First, that a coconspirator directed you “to travel to New Jersey to speak with a sales associate in connection with the purchase of a vehicle.”[2] And second, that the funds related to the scheme were “processed through the Fedwire Funds Service . . . ‘in a way that caused an electronic communication to travel through a Federal Reserve facility in New Jersey.’”[3] Stated plainly, venue was appropriate in New Jersey simply because the wire transfer system randomly routed the funds through the state.
These two minor elements, under the current venue scheme, would give the government all the leverage it needed to haul you to New Jersey for trial and deny your request to transfer venue to your home state of Florida.[4] Query whether such a system honors the criminal venue protections originally described in our Constitution: that we have a right to be tried where the crime occurred.[5]
Modern computer technology makes our lives easier. But sometimes, these same technologies make criminal defendants’ lives unconstitutionally harder. One modern jurist noted that “[a]s we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.”[6]
The Constitution’s venue limitations established requirements for where trials should take place and where juries should be drawn.[7] Today, however, cybercrime defendants suffer unconstitutional venue determinations merely because of the complex interplay between modern computer crime statutes, conspiracy law, and law enforcement tactics. The nature of the cybercrime statutes’ operative language is critical to venue—the action verbs often dictate the location of the crime and thus where prosecution is appropriate.
Understanding why the Framers believed these provisions to be so important begins with an examination of the system under which they rebelled. Accepting the primacy of their concerns, the current process of laying federal venue for cybercrimes derogates the Constitution’s promised safeguards. Instead, both Congress and the courts should insist on certain reforms to honor the Founders’ original intent.[8] These include a statutory preference for trial venues, an explicit prohibition of manufactured venue, and the implementation of a foreseeability requirement for cybercrime conspiracy charges.[9]
Starting with a historical reflection on colonial‑era trial practices, Part I articulates the constitutional first principles that illustrate the importance of criminal venue limits. Then, Part II transitions into a survey of commonly charged cybercrime statutes and how they shape modern venue determinations. Next, in Part III, this Note highlights a common (yet heretofore unsuccessful) defense to conspiracy and how existing conspiracy law opens an unconstitutional backdoor to criminal liability in the cybercrime context.
Using two Colorado‑based hypotheticals, Part IV seeks to demonstrate how, in concert, cybercrime statutes and conspiracy law can be weaponized by law enforcement to haul criminal defendants into distant venues viewed as more favorable to the prosecution. These references to the law from the District of Colorado and the Tenth Circuit serve two purposes: (1) They help ground legal precedent in a single location to simplify some of the predictive analysis, and (2) by establishing the legal foundation in the Colorado context, they provide a more realistic and understandable quality to the Colorado hypotheticals provided in this Part.
Finally, Part V concludes by offering actionable recommendations for reform—one aimed at the statutory text and two that urge jurists to adopt prudential constraints to limit defendants’ venue exposure. Adopting these recommendations will ensure defendants face trial in districts where they will have access to the necessary resources to present an effective defense. The Framers’ traditional reverence for criminal venue protections can be restored only by recentering the venue calculus on defendants in this manner.
The Constitutional Importance of Criminal Venue Protections
Federal cybercrime defendants face headwinds that the Constitution’s authors would find abhorrent.[10] To show why, Section I.A begins with an exploration of the original principles that inspired the Framers to embed protections for criminal defendants in the Constitution. Then, Section I.B illustrates how these ideals shape the legal tradition in the United States. This portion is primarily descriptive in nature, articulating the law’s current state. And because the hypothetical situations described in Part IV are based in Colorado, much of the caselaw cited draws from Tenth Circuit precedent. Finally, this Part closes by analyzing, in Section I.C, how the legal precedent establishes certain obligations for both federal prosecutors and defendants. Only by tracing our system’s criminal venue protections to the very beginning may we understand the modern cybercrime defendant’s unconstitutional hardship.[11]
Original Principles
The original understandings of criminal venue from the U.S. Constitution should inform the approach of how to view new developments like cybercrime. Under an originalist framing, a conclusion is effective for its ability to reflect the original principles underlying a given constitutional provision. But originalism and original understandings of constitutional provisions do not necessarily provide a better way to get constitutional answers.[12] More accurately understood, originalism is a standard against which to apply new facts rather than a step‑by‑step procedure to reach a legal conclusion.[13] “The goal of originalist history isn’t to learn ‘what James Madison thought about video games,’ as Justice Alito famously put it, but ‘to determine what principle Madison and his contemporaries adopted, and then to figure out whether and how that principle applies to the current case.’”[14]
A noted challenge associated with this strategy is the difficulty in finding historical evidence of such attitudes and principles.[15] The task is made more difficult for the issues regarding reaching some sort of consensus on that evidence.[16] Thankfully, at least with respect to the constitutional provisions at issue in this Note, the evidence of the authors’ intent is quite clear from the constitutional text and the historical context in which they were drafted. As such, originalism here serves as a prime standard to adjudge whether modern cybercrime practices live up to the principles intended by the Framers.
It is easy to appreciate why the drafters considered criminal venue protections so important once we understand the colonial system against which they rebelled. Before our nation’s founding, while still under British rule, it was common English practice to transport defendants to another colony or to England for trial.[17] This judicial norm was likely an outgrowth of England’s centralized common law system that required parties to travel to Westminster to litigate their matter.[18]
As one might imagine, the colonists “vehemently protested that this practice prevented defendants from presenting an adequate defense and allowed the English government to obtain juries sympathetic to its position.”[19] Beyond the inconvenience and burden associated with long‑distance travel, the accused colonists suffered real prejudice at trial since the relevant witnesses and evidence were in the colonies.[20] Additionally, trying these defendants far from home deprived the local community the ability to redress the harm.[21] As a firm disavowal of the Crown’s system, the new American tradition would embody a commitment to decentralized and accessible courts.[22] So pressing and prevalent was this concern that the Declaration of Independence specifically “denounced George III ‘for transporting us beyond Seas to be tried for pretended offences.’”[23]
Today, venue in federal criminal cases is subject to a “complex interplay of constitutional provisions, statutes, and rules.”[24] In the constitutional context, the “Framers thought it so important that a person be tried where the crime was committed” that they cemented their ideas in two places.[25] Article III of the Constitution states that “[t]he Trial of all Crimes . . . shall be held in the State where the said Crimes shall have been committed.”[26] This language clearly prevents transporting a defendant to a distant venue that had no connection with the criminal act—directly addressing the prior British system. The Sixth Amendment then guarantees that “[i]n all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed.”[27] This latter right, known as “vicinage,” relates to the place from which the jurors are drawn.[28] The Framers’ standards are intentionally stringent because these provisions were specifically aimed at the history of an arbitrary British government trying Americans in England though they committed their crimes in the colonies.[29]
Fixing these historical principles in modern legal practice, the Federal Rules of Criminal Procedure now provide that “[u]nless a statute or these rules permit otherwise, the government must prosecute an offense in a district where the offense was committed.”[30] When a defendant faces multiple charges, the government must establish proper venue for each count.[31]
A fundamental feature of this new American legal system was that it acknowledged the importance of trying crimes within the community where the crime occurred and the citizens’ right to localized justice.[32] The Constitution deliberately honors the democratic component of our legal system: the public’s right to participate in the administration of criminal justice.[33] Specifically, drawing jurors from the vicinity respects both the community’s interest in law enforcement and the defendant’s right to a fair trial.[34]
Local juries are therefore vital because they “represent the common knowledge and values of the community, . . . legitimate the processes and outcomes of the criminal trial, and . . . permit the trial to heal the social rupture caused by the crime.”[35] The Framers appreciated that local jurors would not only serve as community representatives but also that vicinage juries are “more likely to reach accurate verdicts and . . . safeguard . . . innocent defendant[s] against wrongful prosecution.”[36]
Unlike the venue requirements in Article III, which are more affirmatively focused on protecting defendants, the vicinage clause was not crafted to guarantee defendants the most favorable jury available.[37] Instead, the Sixth Amendment addresses “the fear that in the absence of the vicinage right, the government might select the community that would be most prone to convict the defendant.”[38] Consequently, the vicinage clause was meant to ensure accurate verdicts and embody a “neutral‑venue rule that prevents the government from forum shopping for a community that will be more predisposed to convict than the natural vicinage.”[39]
As the foregoing discussion explains, the Constitution’s Article III venue protections seek to provide defendants with an affirmative right against being transported to distant locations to face criminal prosecution. The vicinage clause, for its part, ensures that the community remains engaged in the administration of justice and that the system is designed to reach accurate verdicts. These are principled and noble goals worth protecting notwithstanding technological developments that make the location of criminal acts more opaque and difficult to define.
Legal Tradition and Precedent
Over the years, the Supreme Court has consistently reaffirmed the importance of criminal venue protections within our federal system.[40] Laying venue is not merely a matter of mechanical procedure but rather “raise[s] deep issues of public policy in the light of which legislation must be construed.”[41] Going all the way back to the early twentieth century, the Court understood that requiring “a citizen to undertake a long journey across the continent to face his accusers . . . involves a serious hardship, to which he ought not to be subjected if the case can be tried in a court of his own jurisdiction.”[42] Any effort intended to broaden the scope of available venues was not for the government’s convenience—rather, it was in line with “relieving the accused, where possible, of the inconvenience incident to prosecution in a district far removed from his residence.”[43]
Even where Congress provided that “the locality of a crime” extended over the whole region where “force propelled by an offender operates,” the Supreme Court stressed the need for caution.[44] Indeed, this expansive reach “not only opens the door to needless hardship to an accused by prosecution remote from home” but “also leads to the appearance of abuses, if not to abuses, in the selection of what may be deemed a tribunal favorable to the prosecution.”[45] In so writing, the Court appreciated that venue considerations implicate “the fair administration of criminal justice and public confidence in it, on which it ultimately rests.”[46] With this underlying policy in mind, the Court counseled that constitutional safeguards preclude drawing defendants far from home when neither Congress nor expediency has required it.[47] Later Courts agreed, finding that, due to “unfairness and hardship involved when an accused is prosecuted in a remote place,” the statute or law “in question should be given that construction which will respect such considerations.”[48]
Honoring a defendant’s right not to be drawn to trial in distant districts does not mean the defendant’s place of residence is dispositive in every criminal proceeding.[49] Rather, the Sixth Amendment only favors trial at a defendant’s residence when it can reasonably be said that the offense was committed there.[50] As such, a “resident of Texas who goes off to Oregon and murders a federal officer there has no constitutional right to be tried in Texas.”[51] Under this interpretation, the Constitution provides jurists with a policy backdrop against which to make venue decisions: Where venue is appropriate in multiple districts, the court should favor the district least impactful to the defendant, and to do otherwise would arguably derogate the Framers’ intent. Reanimating the original purposes and historical context of Article III venue protections would result in courts favoring criminal proceedings close to the defendant’s home district, if not in the home district itself.
Not every jurist agrees on the level of protection the Constitution provides (or to whom), leading to tension around interpreting the Sixth Amendment considering the relevant statutory language.[52] Travis v. United States dealt with a union officer convicted of filing false affidavits as required by the National Labor Relations Act.[53] The venue issue arose because the defendant’s false documents were “made and executed in Colorado . . . [yet] filed in Washington, D.C.”[54] The district court denied the defendant’s motion to dismiss arguing venue was improper in Colorado, and the appellate court affirmed that venue was appropriate in both Colorado and Washington, D.C.[55] Since the offense began in Colorado and was completed in D.C., venue was properly laid in Colorado pursuant to 18 U.S.C. § 3237(a), which allows for multidistrict crimes to be “prosecuted in any district in which such offense was begun . . . or completed.”[56] The Supreme Court reversed the decision, relying heavily on the criminal statute’s phrasing.[57] And because the statute’s language there indicated that an offense only occurred if the defendant completed a filing in D.C., “[t]he locus of the offense ha[d] been carefully specified.”[58] As a result, the Court held that venue was only valid in D.C. and thus improperly laid in Colorado.[59]
The dissent would have held otherwise out of respect for the Sixth Amendment.[60] Under this view, the “Government was entitled to proceed either in Colorado, where this affidavit was made, or in the District of Columbia, where the affidavit was filed,” at least in part because “[t]he witnesses and relevant circumstances surrounding the contested issues . . . more probably will be found in” Colorado.[61] This case demonstrates the ambient friction that exists between constitutional principles, the statutory text, and the practical realities of trying federal crimes—a legal alchemy made more potent with the addition of geographically dispersed computer infrastructure.
Years of judicial accretion has led to the modern venue standard, best described by the Supreme Court in United States v. Rodriguez‑Moreno: To properly establish venue, courts must determine where the crime occurred, the locus delicti of the offense charged.[62] To do this, courts first identify the conduct constituting the offense and then discern where the defendant committed those criminal acts.[63] When conducting this inquiry, courts differentiate between essential conduct elements and circumstance elements by looking to the relevant statutory language, including (though not exclusively) action verbs.[64] This is a critical step since only essential conduct elements can serve as the basis for venue.[65] These essential conduct elements can be understood simply as the behaviors or actions necessary to violate the law.
In the cybercrime context, for those provisions that contain interstate commerce hooks, venue is appropriate in any district where the computer communications originated, terminated, or passed through—“pass through” meaning simply that the computer communications ran through out‑of‑state servers on the way to its final destination.[66] For provisions that lack explicit interstate commerce language, namely 18 U.S.C. § 1030(a)(2), (a)(4)–(5), venue is narrowed to districts where the specific criminal acts occurred.[67]
Serving as a powerful tool for the government, multidistrict crimes “may be . . . prosecuted in any district in which such offense was begun, continued, or completed.”[68] The same holds true for continuing offenses such as conspiracy and those crimes that affect interstate commerce.[69] In these cases, venue is appropriate in any district where a coconspirator acted in furtherance of the conspiracy or “from, through, or into which such commerce . . . move[d].”[70] Appreciating the dispersed nature of modern computer networks,[71] it becomes clear how these statutes expose defendants to numerous and distant trial venues. One simple message sent over the internet may implicate multiple federal districts around the country, all of which would be fair game for prosecution.[72]
Venue Determinations at Trial—Roles and Obligations
To fully appreciate the risks cybercrime defendants face, one must understand the mechanisms by which courts determine the appropriate venue for trial. This Section sketches a picture of the relevant legal standards and methods for laying venue. By doing so, this Note illustrates how originalist understandings of defendants’ constitutional venue protections can inform and guide judicial determinations to re‑center those provisions’ purposes.
Venue is a question of fact for the jury, but whether the prosecution “presented sufficient evidence to support a jury’s finding on venue is a question of law.”[73] The government need only establish venue by a preponderance of the evidence rather than beyond a reasonable doubt.[74] This lower evidentiary standard makes sense because the Sixth Amendment was not intended as “an absolute right of the defendant.”[75] Rather, the Constitution’s authors sought to strike a difficult balance: Although the Sixth Amendment “right to venue was intended to protect a defendant against inconvenience and prejudice” the Framers “also intended to protect the government’s interest in trying a person accused of crime in an impartial environment.”[76] But today, the federal cybercrime ecosystem inappropriately prioritizes government convenience over the defendants’ constitutional rights—undermining the entire constitutional project. Not to mention that relocating prosecutions may also disserve the affected communities contemplated by the Sixth Amendment’s vicinage clause.
Just because defendants face exposure to distant federal venues does not mean they are totally without recourse. The Federal Rules of Criminal Procedure allow for defendants to, upon their motion, request that the proceedings against them be transferred to a different district.[77] Rule 21 contemplates two different scenarios: (1) requesting a transfer due to a risk of prejudice and (2) requesting a transfer for convenience.[78] In the case of prejudice, “the court must transfer the proceeding against that defendant to another district if the court is satisfied that so great a prejudice against the defendant exists in the transferring district that the defendant cannot obtain a fair and impartial trial there.”[79] Upon a request to transfer for convenience, “the court may transfer the proceeding . . . against that defendant to another district for the convenience of the parties, any victim, and the witnesses, and in the interest of justice.”[80]
The difference in language between the two subdivisions means courts enjoy far more discretion in electing to grant a motion to transfer for the defendant’s convenience. Importantly, the timing of this request is quite liberal; a defendant’s “motion to transfer may be made at or before arraignment or at any other time the court or these rules prescribe.”[81] Because Rule 21 is premised on the “important constitutional right to be tried by a jury of your vicinage,” change of venue is contingent “upon the defendant’s request therefor.”[82] This means defendants are protected from forcible changes of venue.[83]
Nevertheless, defendants do run the risk of unintentionally waiving their constitutional venue protections.[84] Though waiver of a constitutional right typically must be made intentionally and knowingly, courts apply “a more relaxed standard for finding a waiver of venue rights,” and defendants may even “waive venue rights by . . . inaction.”[85] It follows then that even “[t]he absence of an objection to venue, or a motion specifically raising the defect, has been held to constitute a waiver.”[86] Appellate relief is precluded when such a waiver occurs.[87] However, “failure to instruct [the jury] on venue, when requested, is reversible error unless it is beyond a reasonable doubt that the jury’s guilty verdict on the charged offense necessarily incorporates a finding of proper venue.”[88]
Absent a request for a specific jury instruction, courts review the defendant’s venue “contention under a plain error standard.”[89] To succeed under this deferential standard, the defendant “must show: (1) an error, (2) that is plain, which means clear or obvious under current law, and (3) that affects substantial rights.”[90] Upon meeting these criteria, the court “may exercise discretion to correct the error if (4) it seriously affects the fairness, integrity, or public reputation of judicial proceedings.”[91] Due to the broad discretion enjoyed by trial judges, the fairness of a given venue determination is largely dictated by the court and the factfinder.
As such, it is ever more important to emphasize the historical principles underlying the law and urge jurists to reassert the ideals upon which the Constitution was founded, namely defendants’ venue rights. Though modern video conferencing technology and air travel may make remote trials more feasible than at the time the Constitution was drafted, criminal defendants should retain their right to a local prosecution if venue in their home district would be appropriate. The precepts outlined in Article III and the Sixth Amendment do not have an efficiency carve out. Nothing in the text indicates that courts need only honor the venue and vicinage protections unless the crime can just as easily be prosecuted elsewhere. The text is clear and the principles absolute: Crimes should be prosecuted where they occur to protect defendants from being drawn to distant tribunals. The latter part of this idea—the Constitution’s purpose in offering such protection—should be the animating principle for courts adjudicating venue in the cybercrime context. This context is defined by the Computer Fraud and Abuse Act.
The Computer Fraud and Abuse Act and Its Impact on Venue Analysis
After discussing the origins and importance of criminal venue protections in Part I, this Part now embarks on a survey of today’s cybercrime statute so that this Note’s hypotheticals more effectively illustrate the pressing need for reform. This Part steps through key cybercrime subsections one by one to demonstrate how even minor changes in the statutory language can have substantial impacts on defendants’ venue considerations.
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, was enacted in 1984 “to provide a clear statement of proscribed activity concerning computers.”[92] The CFAA has been amended over the years to strengthen the document and “clos[e] gaps in the law to protect better the confidentiality, integrity, and security of computer data and networks.”[93] This legislation’s ultimate goal was to address computer crime in a single statute “rather than identifying and amending every potentially applicable statute affected by advances in computer technology.”[94]
Though the CFAA “provides law enforcement with the necessary legal framework to fight computer crime,” it is silent as to where that fight may take place.[95] Appropriateness of venue hinges instead on interpreting the statutory text and applying judicial tests established under common law. Statutory language includes action verbs, which influence essential conduct elements (and their location), which in turn determine criminal venue. Deliberate statutory drafting, as noted below in Section II.B, can result in a scheme more protective of defendants’ criminal venue protections. The following discussion highlights five subsections of the CFAA to analyze the relevant action verbs and essential conduct elements[96] and to describe the threshold considerations for discerning where venue is appropriate.
The analysis after each section relates specifically to Colorado. “Placing” this legal analysis in a single district was done for two reasons: to tee up the hypotheticals in Part IV which take place in Colorado and to more clearly provide a snapshot of the relevant venue rules and predictive assessments of likely outcomes.
18 U.S.C. § 1030(a)(2) is the subsection that deals directly with unauthorized access to obtain information. Because this provision is not defined in terms of its effects, venue is limited to the districts where the defendant accessed the protected computer and obtained the information.[97] Section 1030(a)(2) criminalizes anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” any of the following:
(1) information contained in a financial record of a financial institution, or of a card issuer . . . , or contained in a file of a consumer reporting agency on a consumer . . . ;
(2) information from any department or agency of the United States; or
(3) information from any protected computer.[98]
The statute’s language “reveals two essential conduct elements: accessing without authorization and obtaining information.”[99] Understanding this to be the nature of the proscribed conduct, venue is only appropriate in the districts where these essential conduct elements occurred.[100] Such essential conduct elements can be understood simply as the behaviors or actions necessary to violate the law.[101]
Venue is improper in a district in which the defendant performed no essential conduct element.[102] In United States v. Auernheimer, the defendant was found guilty in New Jersey for violating CFAA section 1030(a)(2).[103] The defendant and his coconspirator hacked into AT&T’s servers by exploiting a vulnerability in the company’s iPad login functionality.[104] The pair wrote a computer program to sweep up customer email addresses, ultimately collecting 114,000 unique emails over the course of a few days.[105]
At all relevant times during the course of their conduct, the defendant and his coconspirator were in California and Arkansas, and “[t]he servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia.”[106] The only connection to New Jersey was that 4,500 of the emails collected by the defendant belonged to residents of that state.[107] The district court recognized that the defendant was never “in New Jersey while allegedly committing the crime, and that the servers accessed were not in New Jersey,” but nevertheless found venue appropriate there because of the effect felt by the residents.[108]
The Third Circuit reversed the lower court’s venue determination and vacated the conviction.[109] On review, the court reasoned that “New Jersey was not the site of either essential conduct element”: Evidence at trial indicated that “[n]o protected computer was accessed and no data was obtained in New Jersey.”[110] Because the defendant failed to perform “any ‘essential conduct element’ of the underlying CFAA violation or any overt act in furtherance of the conspiracy in New Jersey, venue was improper.”[111] Section 1030(a)(2) “punishes only the actions that the defendant takes to access and obtain” the information and “does not speak in terms of the effects on those whose information is obtained,” thus making venue in this case appropriate only in districts where the defendants or servers were located.[112]
With the Auernheimer decision in mind, the government faces a critical threshold consideration when seeking to prosecute a violation of section 1030(a)(2): Where was the “protected computer” located when the unauthorized access occurred?[113] What counts most is determining the specific location of the computers and servers accessed by the defendant to obtain the victims’ information.
For example, if these systems reside outside the District of Colorado, venue will be inappropriate in the Centennial State unless the defendant themselves is in Colorado.[114] Though this provision first appears to be protective of defendants (at least in the venue context), Congress made clear that the threshold to “obtain[] information” is absurdly low and does not even require “asportation of the data in question.”[115] Per the CFAA’s Senate report, “[b]ecause the premise of this subsection is privacy protection, the Committee wishes to make clear that ‘obtaining information’ in this context includes mere observation of the data.”[116] This low bar means that unauthorized access to data (without more) is sufficient for criminal liability—the typical scenario being hackers.[117]
Even worse for defendants, although prosecution of the substantive CFAA violation may be inappropriate, conspiracy charges open a backdoor to criminal liability.[118] If the defendant formed a conspiratorial agreement or performed any overt act in furtherance of the conspiracy within the district, then venue there is valid on the conspiracy charge.[119] In the cybercrime context, conspiracy charges widen the net for venue because they are continuing offenses and may be prosecuted in “any district in which such offense was begun, continued, or completed.”[120]
Because conspiracies formed or furthered through electronic communications often continue through intermediary servers or nodes located in numerous states, courts recognize “pass through” venue as appropriate when those touchpoints reside in the relevant district.[121] So far, only the Second Circuit has instituted a foreseeability requirement to establish venue for conspiracy (requiring that “it is foreseeable that such an act would occur in the district”), and many circuits explicitly reject such a standard.[122] In justifying its rejection, one court explained that it refused to find a mens rea requirement in a venue provision that clearly lacked one.[123]
Effectively, these foreseeability requirements mean that defendants are protected from prosecution in a given district unless it was reasonably foreseeable that their conspiratorial conduct would “touch” the district in question.[124] Incorporating such a foreseeability requirement in the cybercrime context would go a long way in reasserting the primacy of a cybercrime defendant’s constitutional right to avoid being dragged to distant lands to face prosecution.[125]
Though the Tenth Circuit has not addressed this issue head‑on,[126] let alone in a cybercrime context, conspiratorial agreements or acts in furtherance of a conspiracy that continue through servers or routers located in Colorado are most likely an appropriate basis for venue. This means that criminal venue will be valid in those states and districts where conspiratorial communications or overt acts flowed over servers residing there. This remains true whether the use of servers in those locations was reasonably foreseeable or not. By mere operation of the internet, defendants therefore risk facing trial in an innumerable number of districts.
Section 1030(a)(4): The Knowingly and with Intent to Defraud Provision
18 U.S.C. § 1030(a)(4) aims to punish whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”[127] Section 1030(a)(4) is structured like the unauthorized access provision but adds on a layer of fraudulent intent.
Generally, venue for charges under section 1030(a)(4) is therefore restricted to those districts where the protected computer was accessed and where the thing of value was obtained.[128] Again, because this provision is not defined in terms of its effects, and does not contain language implicating interstate commerce, venue is appropriate only where those essential conduct elements occurred.[129]
This sort of deliberate drafting is required to ensure we do not allow technological advancements to extinguish defendants’ constitutional protections. As illustrated by the following case, however, the government often argues that even a section 1030(a)(4) offense, when multidistrict in nature, may be prosecuted anywhere an intermediary “pass through” server is located.[130]
The court in United States v. Klyushin highlighted how a defendant’s use of an intermediary server may provide a valid basis for venue even if the server functioned merely as a pass through.[131] As a result, the Klyushin court ultimately held that venue was appropriate in a district where access and obtainment did not directly occur.[132] Klyushin involved a group of Russian nationals who conspired to hack into computer systems used by American filing agents and use the information to make stock market trades.[133]
The defendant and his coconspirators gained unauthorized access to the agents’ network in Illinois via a server in Boston, Massachusetts.[134] Without knowing that they were using a Boston‑based server, the hackers then downloaded confidential earnings reports “back to . . . [the] server in Boston,” and eventually transmitted them back to Russia.[135] Importantly, the Internet Protocol (IP)[136] addresses traced to Stackpath, a virtual private network (VPN)[137] service provider.[138] Stackpath hosted those IPs on a server physically located in a Boston data center that acted as the “on‑ramp to the Internet” for the Russian defendants.[139]
The district court reasoned that venue was appropriate in Massachusetts because a jury could reasonably find that the defendants’ use of the IP addresses in Boston was essential conduct.[140] The defendant “hit send on a computer in Russia,” but “caused the crimes to be implemented in part in Massachusetts.”[141] Noting a lack of cases on point, the court cited holdings from other contexts to support the proposition that “courts addressing criminal convictions have found proper venue involving ‘pass through’ intermediaries.”[142]
In support of its venue argument, the Government distinguished Auernheimer.[143] The Auernheimer court never reached the “pass through” issue because “the conspirators did not use an IP address on a server within New Jersey to access or obtain information remotely.”[144] In Klyushin, however, Boston IP addresses “were used in accessing confidential information . . . and transmitting the information to Russia”; thus the “essential conduct element . . . happened in Boston.”[145]
The defendant argued that venue was improper in Massachusetts because the use of Boston IP addresses was purely coincidental and that it was not reasonably foreseeable that their access was facilitated by a Boston‑based server.[146] The defendant claimed that “the Boston . . . IP addresses used in the hacking scheme were assigned at random by the VPN service provider” and were only operational for a short period of time.[147] Consequently, the defendant argued, “the evidence show[ed] that Boston was a mere ‘pass through’ to Russia which Klyushin could not reasonably have foreseen.”[148] The court sided with the Government, however, and rejected the foreseeability argument, refusing to adopt the Second Circuit’s test.[149]
In dicta, the court went on to say that “even if there were a foreseeability requirement,” a jury could find that whoever “commits a crime employing a VPN service provider that uses random IP addresses nationwide in order to preserve anonymity could . . . reasonably foresee that venue would exist in a district where the assigned server was located.”[150] This analysis makes sense only if the prosecution can prove the defendant had actual knowledge of the VPN service’s functionality and use of randomly assigned servers. Otherwise, such dicta risks expanding criminal venue based on a threadbare presumption that every internet user knows how the technology works.
At no point did the court stop to consider whether this was a constitutional outcome, or whether the laws should be construed to better protect the defendants under the existing venue scheme.[151] Even so, the government maintains its position that “[t]he case for ‘pass through’ venue may be stronger where the transmission of the communications themselves constitutes the criminal offense,” like for conspiracy or acts under 18 U.S.C. § 1030(a)(7), and when “the path of transmission is certain (e.g., when an employee’s email is sent through a company mail server in a particular state).”[152] Though technically accurate, this is not how a just criminal system should operate.
For prosecutors and investigators, the factual inquiry for section 1030(a)(4) violations is essentially identical to that of section 1030(a)(2). The government must first show the specific location of the computers and servers accessed by the defendant to obtain the victims’ information were in the district.[153] Then, as applicable, the government may expand the venue net by identifying any “pass through” nodes that may reside in the state.[154] Under the Klyushin court’s construction, these minor touchpoints offer a valid basis for venue. Since the location of essential conduct elements controls the venue analysis, venue is appropriate in the District of Colorado when the system accessed or information obtained resides in Colorado.[155] Additionally, under the Klyushin standard, venue is also appropriate when any intermediary server that had the relevant data pass over it resides in Colorado.[156] The astonishing breadth of potential criminal venues implicated by the “pass through” rule directly contradicts the purpose of defendants’ constitutional venue protections: ensuring they face trial at home, when appropriate.
Section 1030(a)(5): The Generic Hacking Provision
18 U.S.C. § 1030(a)(5) marks a departure from the previous analysis because it is the first provision “defined in terms of its effects—the damage caused.”[157] Section 1030(a)(5)(A) punishes anyone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”[158] Sections 1030(a)(5)(B) and (C) apply to anyone who “intentionally accesses a protected computer without authorization, and as a result of such conduct,” either “recklessly causes damage” or “causes damage and loss.”[159]
The statute defines loss as “(1) ‘any reasonable cost to any victim, including the cost of responding to an offense’; and (2) ‘any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.’”[160] Since the threshold to show loss is so low—even including paying an employee overtime to respond to the issue—it amounts to nothing more than a nominal requirement. Damage, in turn, is described as “any impairment to the integrity or availability of data, a program, a system, or information.”[161] Merely causing the victim’s computer to run slowly will most likely satisfy this definition, once again lowering the bar for the government to prove criminal conduct.[162] Again, the fact that showing damage is so easy means there is essentially no protection for defendants—the statutory language creates a quasi‑strict liability regime.
Because Congress defined the essential conduct element in terms of damage rather than mere access or obtainment, “venue could be proper wherever that [damage] occurred.”[163] This assessment aligns with the Department of Justice manual, which states that section 1030(a)(5) charges “may be brought where the effects are felt because th[e] charges are defined in terms of ‘loss,’ even if the bulk of network crimes may not be prosecuted in a district simply because the effects of the crime are felt there.”[164] For prosecutions under section 1030(a)(5) then, venue is appropriate in the district where the effects of the crime are felt, though the data at issue may reside on servers physically located elsewhere.[165]
In a Second Circuit case, the defendant was fired from her job as the Florida‑based human resources manager for a virtual accounting firm headquartered in New York City.[166] A major feature of the firm’s business was “the creation and maintenance of a database of accountants who can be hired by its clients.”[167] After the defendant’s firing, most of her log‑in credentials were revoked with the exception of one key database, which a supervisor neglected to remove.[168] The weekend after the defendant was fired, the firm’s employees were unable to access the database at all.[169] Eventually able to log in, the firm discovered that “nearly all the information on it had been deleted, including other employees’ accounts, 17,000 job applications, documents, resumes, [and] job postings.”[170] An activity log indicated that an account associated with the defendant had deleted the data over the course of the weekend.[171] On account of these deletions, the defendant was charged with violating subsections 1030(a)(5)(A) and 1030(a)(5)(B), and promptly found guilty on both counts.[172]
On appeal, the defendant argued that venue was improper in the Southern District of New York because “there was no evidence that data [she] . . . deleted physically ‘resided’ in the district.”[173] “If the data did not reside in” the district, her argument went, then “she could not have damaged” a protected computer there.[174] Though true that the database in question “resided on servers . . . in Virginia and California,” the Second Circuit held that venue was proper in the Southern District of New York.[175] The victim’s testimony indicated that “she was unable to access data stored in the . . . database from her computer in New York,” and the statutory text makes clear that “preventing a computer from accessing data that it regularly accesses constitutes ‘damage.’”[176]
Since the offense is defined in terms of its effects, the court reasoned that “[v]enue is thus appropriate in any place where . . . [the defendant] transmitted the program, obtained access, or caused damage to [the] . . . protected computer.”[177] Evidence of “one damaged computer was enough.”[178] That the deletion may have also “damaged the . . . servers located in Virginia and California makes no difference,” as “venue ‘may lie in more than one place.’”[179] This case demonstrates how statutory drafting influences courts’ venue analyses: Because the proscribed conduct is articulated in terms of its effects, courts avoid the need to trace the communications or data paths that caused those effects. Such statutes make the venue analysis more straightforward and arguably better honor the Constitution’s purpose of localized justice.
That said, however, under section 1030(a)(5)’s “effects‑based” venue analysis, prosecutors are presented with an opportunity to shape the trial landscape. Since it is the government who characterizes the victim’s harm, the prosecutors can frame the nature and location of the damage. The statutory text sets a low bar for what may constitute damage.[180] Though the common law is still developing in this area, there are at least two recent cases that suggest the mere deletion of data and slowing of computers both suffice.[181]
With that in mind, the primary inquiry becomes where the victim, or victim’s system, was located when that damage was felt. Even if the defendant acts wholly out‑of‑state, because the statute is defined in terms of its effects (damage), venue remains appropriate wherever a victim feels damaging effects.
Section 1030(a)(6): The Trafficking in Passwords Provision
Unlike the three preceding CFAA provisions, 18 U.S.C. § 1030(a)(6) is the first subsection to explicitly implicate interstate commerce as a substantive element of the offense.[182] Section 1030(a)(6) penalizes whoever “knowingly and with intent to defraud traffics . . . in any password or similar information through which a computer may be accessed without authorization” if the conduct affects interstate commerce or a government computer.[183]
Since any federal charge brought under section 1030(a)(6)(A) carries the presumption of affecting interstate commerce, the offense is “continuing” under 18 U.S.C. § 3237(a) and may be prosecuted in any district where the offense was “begun, continued, or completed.”[184] Under this provision, traffics, as defined in 18 U.S.C. § 1029, means to “transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of.”[185]
This definition clearly encompasses the sale or trade of illicit passwords yet is broad enough to implicate the mere sending of passwords or information to another. Basically, once the illicit password is no longer at rest on the defendant’s system, they may be liable for trafficking as defined in section 1029.
Though not explicitly defined in the CFAA, the drafters intended “password” to be construed broadly.[186] Consequently, passwords are not limited to those words or phrases that enable one to access a computer. Rather, “[t]he Committee recognize[d] that a ‘password’ may actually be comprised of a set of instructions or directions for gaining access to a computer.”[187] The best examples of cases dealing with this provision of the CFAA come from the civil realm. Though less relevant to the criminal venue arguments at issue in this Note, these cases are nevertheless helpful in understanding the types of scenarios that may lead to criminal charges under section 1030(a)(6).
One such case involved a defendant who, along with his coconspirators, engaged in: the unlawful use of T‑Mobile’s trademarks; the unlawful acquisition and activation of their subscriber identity module (SIM) cards; and “the illegal procurement, use, and sale of proprietary codes, identifiers, and methods for defrauding T‑Mobile out of airtime and services.”[188] The defendant then advertised these illicit SIM cards for sale on websites such as eBay and Craigslist.[189] In addition to the online sales, the defendant maintained a brick‑and‑mortar storefront which falsely advertised itself as a T‑Mobile dealer.[190]
The court in this case quickly concluded that these activities violated section 1030(a)(6): “[T]hey trafficked in T‑Mobile’s confidential pass‑codes that access its proprietary computer systems.”[191] Using the information gathered from T‑Mobile’s databases, they then bought and sold illegally activated SIM cards to consumers. Such conduct is in the heartland of section 1030(a)(6) because “[t]hese illegally‑activated SIM cards operate as a gateway (or computer password) to T‑Mobile’s nationwide wireless telecommunications network.”[192] This case endorses the broad reading of “password” that the CFAA’s drafters intended.[193] Though a civil case, this set of facts helps put a finer point on what it means to traffic in passwords or methods of gaining unauthorized access to a network or service.[194]
Directly regarding federal criminal venue now, the explicit interstate commerce language in section 1030(a)(6)(A) simplifies the venue analysis for investigators and prosecutors. Interstate commerce violations immediately make the defendant’s conduct a continuing offense,[195] so the government need only establish that the trafficking began, continued through, or was completed using computer systems within the relevant federal district. Consider an illicit password sent from a computer in State A, through an intermediary server in State B, and to the ultimate recipient in State C. The sender of that password could face prosecution for trafficking in passwords under section 1030(a)(6)(A) in any one of those three states because of the continuing offense standard.
The classification of an offense as “continuing” does not necessarily eliminate a defendant’s home venue as an option for trial. It does, however, add a host of other venues where prosecution would be appropriate and therefore drastically increase the defendant’s risk of being pulled into a distant venue to face trial. If, however, charges are brought under section 1030(a)(6)(B)—those where the password in question grants unauthorized access to a computer used by or for the government—the analysis likely reverts to that employed for sections 1030(a)(2) and 1030(a)(4): The location of the computer associated with government activity and the location of the defendant most likely become the anchors for venue. The lack of an interstate commerce hook narrows venue, as the violation is no longer a continuing offense. When treating venue in these cases, courts will likely adopt the existing essential conduct element test from the section 1030(a)(2) and 1030(a)(4) jurisprudence since the relevant factual analysis is so similar.
To establish venue in Colorado, prosecutors merely need to demonstrate that the requisite “trafficking” conduct touched Colorado‑based computers at some point during the transfer. As noted above, that includes when the sender or recipient are located in the state or when Colorado‑based intermediary servers are used to transfer the illicit password or access information.
Section 1030(a)(7): The Threats, Extortion, and Ransomware Provision
The final subsection relevant for this Note’s argument was a late addition and seems more relevant than ever given the modern cyber risk landscape.[196] Added to the CFAA in 1996, 18 U.S.C. § 1030(a)(7) was specifically aimed at addressing “the interstate or international transmission of threats directed against computers and computer systems.”[197]
Congress anticipated the rise in cyber extortion and sought to criminalize unlawful threats of interference, such as “denying access to authorized users, erasing or corrupting data or programs, slowing down the operation of the computer or system, or encrypting data and then demanding money for the key.”[198] Consequently, section 1030(a)(7) criminalizes anyone who, “with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing” any one of the following:
(1)
(1) threat to cause damage to a protected computer;
(2) threat to obtain information . . . or to impair the confidentiality of information obtained from a protected computer; or
(3) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.[199]
Again, because section 1030(a)(7)’s language presumes conduct affecting interstate or foreign commerce,[200] the offense is “continuing” under section 3237(a) and may be prosecuted in any district where the offense was “begun, continued, or completed.”[201]
Somewhat helpful for defendants, the government can only charge section 1030(a)(7) violations if it can prove the threat passed through interstate commerce—mere use of the internet is insufficient to establish this element.[202] In United States v. Golightley, a defendant was charged under section 1030(a)(7) for threatening to damage a protected computer owned by a Kansas company.[203] Specifically, the defendant threatened to take down the company’s website with a distributed denial of service attack in retaliation for the removal of his content and the suspension of his account.[204]
On appeal, the defendant argued that the evidence at trial was insufficient to show that he transmitted a threat in interstate commerce.[205] More simply, the defendant alleged that the Government could not prove that his online communications actually travelled through multiple states.[206] It was undisputed that both the company and its servers were located in Kansas and that the defendant transmitted his threats from Kansas as well.[207] The Government’s interstate commerce theory rested wholly on the presumption that the defendant’s threats were sent from his personal email address and passed through “out‑of‑state servers.”[208] But the court found that “the government’s argument [was] fatally flawed because it assume[d] facts not in evidence.”[209]
Instead, evidence of the threatening messages “show that the sender used a form available on . . . [the company’s] online help desk.”[210] Because the form was completed and submitted entirely on the company’s website using servers located in Kansas, the Government could not produce sufficient evidence to show the jury that the defendant ever transmitted his threats in interstate commerce.[211] Citing the Government’s failure to establish the necessary interstate commerce connection, the Tenth Circuit vacated the conviction.[212]
The interstate commerce hook in section 1030(a)(7) is a double‑edged sword for investigators and prosecutors. On the one hand, any offense charged under section 1030(a)(7) is continuing and thus easier to establish venue when the threats pass through the state. On the other hand, interstate commerce is a substantive element of the offense that must be proved beyond a reasonable doubt; mere use of the internet will not suffice. As a result, it is important in the early stages of an investigation to confirm the threats traveled in interstate commerce by assessing the path they took online. If the defendant and the victim both reside in the same state, there must be evidence that the threatening communications traveled beyond the state’s borders. The calculation is simpler when the defendant and victim reside in different states; venue will be appropriate based on the continuing nature of the offense. At base, the threshold question remains where the essential conduct element (the threat) originated, where it was received, and where it passed through.
Herein lies the opportunity for the government to inappropriately influence the location of the crime and thus the number and location of available trial venues. By leveraging modern computer technology, investigators and prosecutors can channel the defendant’s conduct into the districts of their choice merely to enable prosecution.[213] The government’s choices at that stage of an operation will impact a court’s venue analysis later—granting it unbridled power to influence the trial location.
For Colorado venue specifically, prosecutors need only show that the “threat” traveled through multiple states and at some point came in contact with a Colorado‑based server. Basically, this means that there are only two situations where venue is inappropriate in Colorado for a section 1030(a)(7) charge: when the threat never enters a Colorado server and when the threat originates and terminates in the state without ever leaving Colorado’s borders.
* * *
This Note began with an exploration of the historical rationale for the Constitution’s criminal venue protections. From there, this Note illustrated how courts and advocates argue and decide venue determinations at trial. Then, the Note surveyed the CFAA to demonstrate how the statutory language of common cybercrime provisions will impact a court’s venue analysis. From this vantage we can truly comprehend the troubling interactions between cybercrime and venue.
Next, the Note transitions to a discussion of additional considerations that may further challenge defendants—or offer them relief. Only then will the true harm to cybercrime defendants be apparent. The hypotheticals that follow put a finer point on how these laws collide with reality to burden defendants in ways the Constitution was designed to prevent. Finally, this Note offers concrete solutions to ensure the Constitution’s venue protections remain potent in a digital world.
Venue Disruptors
As noted early on, courts do not consider the venue determination to be a straightforward or mechanical process.[214] External considerations, including public policy and constitutional concerns, may frustrate what should be an easy question: Where can the government conduct this criminal trial? This Part therefore explores two facets of today’s cybercrime landscape that exist beyond the statutes and Constitution yet have the potential to influence the location of criminal venue nonetheless. This Note terms these influences “venue disruptors.”
The first disruptor, discussed in Section III.A, is manufactured venue. This theory represents a consistently ignored defense that warrants reconsideration due to the ease in which the government may now influence the location of cybercrimes. The second disruptor, discussed in Section III.B, is conspiracy law. Conspiracy is a concerning area of the law that, when coupled with cybercrime statutes, presents a menacing bramble for defendants. Only by examining the difficulties defendants face under these conditions may the urgent need for reform become evident.
Playing Defense: Venue Entrapment or Manufactured Venue
Venue entrapment, or manufactured venue, is a common, yet unsuccessful, defense used to attack the government’s case in chief. Essentially, defendants assert that government agents inappropriately influenced the location of a crime to secure a more favorable or convenient venue for prosecution.[215] Common in conspiracy and wire fraud cases, this tactic is often pitched by defendants as a type of prosecutorial forum shopping or venue entrapment.[216] Now that it is so simple for investigators and law enforcement to influence the location of cybercrimes, the manufactured venue defense deserves serious consideration.[217]
Many courts disagree with this view, finding that the entrapment doctrine protects defendants from “manufactured offenses” but “does not limit venue.”[218] Those courts assert that any of the defendant’s venue concerns can be fully addressed by moving to transfer the trial per Federal Rule of Criminal Procedure 21(b).[219] Other courts, however, have reserved judgment on the matter. In dicta, two courts acknowledged that venue may be inappropriate in cases “involving ‘extreme’ law enforcement tactics” or when “the prosecution, preferring trial elsewhere, lures a defendant to a distant district for some minor event simply to establish venue.”[220] Though the latter view is the minority, the Tenth Circuit has yet to rule on this issue.
Courts generally acknowledge that government “agents may influence where the federal crime occurs, and thus where venue lies.”[221] In United States v. Al‑Talib, the court found venue was appropriate in the Eastern District of Virginia for drug conspiracy charges even though government agents were the ones who chose the delivery location.[222] The court reasoned that “government agents must have flexibility in conducting sting operations,” and that “[c]oncerns of safety, efficiency, and convenience assume great importance in such circumstances, and are best assessed by the officers at the time.”[223] Showing deference to law enforcement, the court held that as long as the defendant is predisposed to commit the crime, “it hardly matters for entrapment purposes where the acts are carried out.”[224]
Additionally, the Ninth Circuit upheld venue in the Northern District of California based on a government agent’s outgoing phone calls to a defendant who never even set foot in the district.[225] There, a confidential informant (CI), acting on behalf of the government, placed calls to the defendant to negotiate the terms of a drug deal.[226] The court held that it did not matter that the defendant did not initiate the calls himself or “whether [he] . . . knew or should have known that the CI was located in the Northern District of California during the calls.”[227] What counted was that the defendant “effectively propelled the drug‑selling conspiracy into the [district].”[228] And because conspiracy is a continuing offense, the court concluded that venue is appropriate wherever a communication was made and where it was received, as well as in any intervening district.[229] Data—the messages, emails, and voice calls upon which we all rely—passing through intermediary servers would therefore justify laying venue in those intervening districts where those servers were located.
Though this breadth of trial venues was perhaps useful in twentieth‑century prosecutions, the urgent need to address modern technological realities means jurists should seriously reconsider adopting this protection for cybercrime defendants. To illustrate this point, take virtual private networks (VPNs) as an example. VPNs originally began as a way for “employees to connect to a company’s server without having to be physically present at work.”[230] VPNs function like a “tunnel allowing for remote access to a server that is physically located somewhere else.”[231] Often, traffic between the home device and the VPN is encrypted and wholly “routed through the VPN connection rather than through the user’s [internet service provider].”[232] This has the implication of fully masking “any subsequent connections to other websites” and, most crucially, making “it seem as though an IP address is originating from a different geographic location.”[233] This has the effect of hiding a user’s internet “breadcrumbs” and true location.
In the cybercrime setting, most courts today will likely (unfortunately) determine that the government’s use of an in‑district VPN is an appropriate basis for venue. Looking to examples like Al‑Talib and Gonzalez, courts are likely to defer to the government’s choice to use a VPN as part of an undercover operation, especially when there is a legitimate law enforcement purpose motivating the decision. Government agents’ use of a VPN to channel communications through a particular server would likely be seen by a court as a tactical decision by agents to enhance the safety, efficiency, or convenience of the operation.[234] Here, the VPN serves a similar function as the phone in Gonzalez, merely facilitating communications. Because venue for continuing offenses is so broad, the fact that the government’s own conduct alone implicates a district will not preclude prosecution there. Just as the government’s decision in Al‑Talib to execute a drug transaction in a specific district did not preclude venue there, the use of a VPN is similarly insulated.
Allowing for unfettered government use of VPNs in enforcing cybercrimes offers unprecedented power to influence the location of digital crime and thus the site of prosecution. VPNs allow users to select server locations, thus allowing investigators and prosecutors to handpick venue locations anywhere in the country. This power completely consumes the Constitution’s venue protections for criminal defendants.
Questions of fairness or convenience for the defendant are often channeled by the court through Federal Rule of Criminal Procedure 21(b).[235] For those offenses charged that are not continuing, venue still hinges on the location of the “essential conduct elements.”[236] And absent extreme misconduct, which the use of a VPN likely is not, the government’s influence over the location of these essential acts will not invalidate venue. Judges have long recognized the risks to defendants that this broad power poses: “[S]uch leeway not only opens the door to needless hardship to an accused . . . . It also leads to the appearance of abuses, if not to abuses, in the selection of what may be deemed a tribunal favorable to the prosecution.”[237]
Conspiracy: The Unconstitutional Backdoor to Criminal Venue and Liability
In addition to allegations of manufactured venue, conspiracy law serves as a wicked prosecutorial tool in charging cybercrimes.[238] No doubt, “[c]oncerns about the crime of conspiracy have been around for a long time.”[239] The doctrine is intended to serve two distinct purposes.[240]
The first is described as “inchoate” in nature, meaning conspiracy functions in a preventative manner to stop the illegal behavior “in its early stages of growth before it has a full opportunity to bloom.”[241] In reality, scholars note that conspiracy is seldom treated like this—charges typically result when “an attempted or completed ‘substantive offense’ (the object of the agreement) has taken place.”[242] Here, the idea is that the law should not require the commission of a crime before prosecution is available. If that were the case, law enforcement would have a perverse incentive to sit on knowledge of a crime yet to occur since prosecution would only be available upon commission. The second purpose, arguably the true purpose, is simply “the belief that serious group danger is present in the usual conspiracy,”[243] and “joint action is, generally, more dangerous than individual action.”[244] To achieve these goals, the crime of conspiracy necessarily prohibits the “agreement between two or more persons formed for the purpose of committing a crime.”[245] Here, conspiracy law is said to serve as a deterrent for group crime: By risking high penalties for agreeing to commit crimes, the theory goes, criminals are less likely to act jointly.
Generally, the government is given a wide berth when proving its case, able to show an agreement entirely through circumstantial evidence.[246] Defendants may even be “found guilty of the crime if shown to have conspired with unknown conspirators.”[247] This low bar is made more dangerous for defendants because “a conspirator can be held responsible for crimes committed by her co‑conspirators as long as such crimes were in furtherance of the agreement and were reasonably foreseeable.”[248] This relaxes criminal liability to a “simple negligence standard, reasonable foreseeability.”[249] First established in Pinkerton v. United States,[250] this lower standard means that when the government has insufficient proof of guilt for a given crime, “it need only convince the jury of the defendant’s guilt of conspiracy to secure convictions on the otherwise unsupportable substantive charges.”[251]
For defendants wrapped up in criminal enterprises, “[p]unishment for the completed conspiracy crime has always been stiff.”[252] The law treats conspiracy substantively apart from the completed or attempted offense, and it typically does not merge into that base offense.[253] Under this system, defendants may receive consecutive sentences for the two crimes.[254] Punishment for conspiracy under the Federal Sentencing Guidelines does allow for a three level reduction from the base offense level—which can reduce the total recommended sentence.[255] This relief is unavailable, however, when “the defendant or a co‑conspirator completed all the acts the conspirators believed necessary on their part for the successful completion of the substantive offense.”[256]
For an agreement to hack into a database, then, a conspirator can theoretically complete their portion of the conspiracy simply by sending the necessary access information to a coconspirator. And because of the reasonable foreseeability standard noted above, this means a conspirator is liable for the substantive offense because it is reasonably foreseeable that the recipient would use that access information to complete the hacking. Additionally, relevant for cybercrimes, 18 U.S.C. § 1030 treats a conspiracy to violate the CFAA the same as any substantive offense therein.[257] Conspiracy punishment mirrors the substantive punishment—a standard that favors the government and justifies additional protections for defendants facing conspiracy charges.
Congress has specially provided that conspiracy is a continuing offense and “may be inquired of and prosecuted in any district in which such offense was begun, continued, or completed.”[258] With this in mind, consider also how expansive conspiracy venue is: “Venue will lie where the conspiracy agreement was made, and it will also lie in any district where an act in furtherance of the conspiracy was performed.”[259]
Note how these legal elements might work in concert to further expand a defendant’s possible venues for trial.[260] The government might leverage this conspiracy backdoor to punish cyber criminals as if they completed the substantive crime—even though the facts would not enable them to prove such beyond a reasonable doubt. Not only does this have the effect of drawing defendants to distant venues but it also risks that the government might “charge conspiracy, along with a substantive offense, merely to obtain for itself the best possible forum.”[261] Only intentional reform can combat this risk of injustice.[262]
The foregoing discussion highlighted two external factors that challenge courts’ venue analysis. These venue disruptors have an outsized impact on cybercrime prosecutions and their location—only by acknowledging their hidden force can courts adequately protect defendants. To ignore their duty on this point, courts are complicit in the erosion of the constitutional criminal venue protections the Founders so cherished.
Hypotheticals—Risks of Government Misconduct
The previous two parts laid the foundation that will support the hypotheticals offered here. The constitutional harm suffered by defendants becomes crystal clear when we view the problem through the lens of the possible. The first scenario, sketched out in Section IV.A, imagines a law enforcement operation where agents deploy a VPN as the primary basis for federal venue. The second scenario, discussed in Section IV.B, illustrates how the government can weaponize conspiracy law to charge defendants in venues far from home.
This Note uses these hypotheticals to offer concrete examples of how government cybercrime prosecutions derogate defendants’ constitutional protections. Only by raising the alarm in this way can the community advocate for the necessary reforms.[263]
The Hosted‑Server Scenario
The first situation involves a law enforcement sting operation that intends to catch internet users who are trafficking in passwords that grant access to government computers. The team running this operation is based in Florida, where they have the most experience and resources available to them. Assume that Colorado has seen an uptick in government network intrusions at the municipal, state, and federal levels. The new United States Attorney for the District of Colorado has issued a general policy letter which indicates her desire to prosecute any party involved in such conduct, including those who buy and sell network passwords. This, she believes, will serve justice and demonstrate that she will not sit idly by allowing government resources to be put at risk.
In this situation, there exists a win‑win for both parties. On the one hand, the agents working in Florida know they have a motivated prosecutor in Colorado, and on the other, the U.S. Attorney has an effective team to bring her cases. All that needs to happen to ensure these parties can capitalize on their mutual goal is to set up a VPN in the state of Colorado. Technically speaking, the traffic is actually flowing through that geographic location; it is just that the origin of the signal is concealed. This is the exact technology that will enable our hypothetical agents and U.S. Attorney to proceed happily.
The agents in Florida can now set up (virtual) shop using a VPN server in Colorado and begin trying to purchase government passwords. This allows them to run their operation from Florida and creates the nexus of activity necessary to lay federal venue in the District of Colorado pursuant to 18 U.S.C. § 1030(a)(6)(B).[264] Because the locus delicti of the crime will now be partially occurring in Colorado, venue is appropriate there.
Now imagine a criminal defendant, located in Ohio, who wants to make some extra money by selling access to the local Air Force base’s internal network. He is a low‑level information technology contractor who dislikes his boss and authority more broadly. This individual goes on the dark web and begins engaging with whom he believes to be a reputable buyer. As it would happen, he is actually messaging with one of our agents down in Florida.
Our defendant is no amateur though—he is also using a VPN to mask his internet traffic from his service providers. He purchased a service that routes his traffic through a different private server in the network every minute or so. For the sake of the hypothetical, imagine his traffic was bouncing through a server in Texas when he first offered to sell the passwords. Once the purchase is completed, the government has all the facts necessary to bring charges. While the agent was working out the details of the exchange, the rest of the team was busy decrypting the defendant’s traffic to see where he was located. They can now dispatch local teams in Ohio to arrest him and prepare for trial in Colorado.
The venue analysis for this case is straightforward. Under the “essential conduct elements” analysis from Rodriguez‑Moreno,[265] the defendant would be liable in the District of Colorado since the passwords were exchanged on the in‑district VPN. The password exchange was a criminal act, so venue is valid wherever that conduct occurred. As soon as the defendant exchanged the passwords for money, the offense was committed. Because the VPN in Colorado served as the anchor, the U.S. Attorney has firm footing to prosecute there. Under the current legal framework, it does not matter that the Colorado connection was manufactured by the government for the simple reason of wanting a trial there.
No part of this fact pattern is illegal. No part of this fact pattern is even frowned upon. Nothing prevents federal law enforcement from employing such tactics to seek prosecution in a favorable venue. The courts, the government, and the law do not care about the defendant’s plight—being drawn to a distant venue to face his accusers. The Constitution was designed to prevent this exact result. To preserve the constitutional protections, Ohio and Texas should be the only proper venues for prosecution: Ohio because that is where the defendant was physically located while he committed the crime and Texas because that was the relevant data’s natural path before being influenced by the government’s VPN.
The Bent‑Pipe Scenario
The second hypothetical is even more worrying due to the influence of conspiracy law. Again, imagine we are working with our Florida agents and our hard‑charging U.S. Attorney in Colorado. This time, however, imagine that Colorado small businesses have recently been experiencing a record number of ransomware attacks. Ransomware is a type of “malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.”[266] The hackers then “demand ransom in exchange for decryption.”[267]
In response to this threat, the U.S. Attorney engages her favorite Florida law enforcement officers to request that they hang a shingle on the dark web to advertise hacking services. Specifically, the agents are instructed to indicate they are willing to infect a target network with ransomware in exchange for a percentage of the ransom payment.
This type of crime would be a substantive violation of the CFAA under 18 U.S.C. § 1030(A)(7).[268] In this hypothetical, the Florida agents again establish a VPN presence in Colorado, but this time, it merely serves as a “bent pipe” back to their operating center. The bent‑pipe metaphor simply means that the government intentionally diverts the relevant traffic through the desired trial venue. Instead of flowing uninterrupted from point A to point B, the defendant’s ones and zeroes travel through a third location, like Colorado, before arriving at the destination. Though probably detectable, this diverted traffic would likely not immediately raise any suspicion due to how internet traffic usually travels across the network.[269]
Additionally, in this scenario, the U.S. Attorney leverages her backchannels to grant access to this VPN to any federal law enforcement willing to advertise similar ransomware services. This means that the Colorado VPN would be a center of gravity, vacuuming up all the digital‑communications traffic necessary to negotiate the agents’ faux services. Essentially, the Colorado server’s only purpose is to ensure that a portion of the relevant communications are flowing through the U.S. Attorney’s district.
Now, assuming the agents—in Florida and elsewhere—successfully induce requests for their services, picture how the U.S. Attorney could pursue prosecution in Colorado. In this case, conspiracy law will serve as the main hook for criminal liability. As a reminder, section 1030(a)(7)(C) makes it illegal to “transmit[] in interstate or foreign commerce any communication containing any . . . demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.”[270]
Obviously, since the federal agents will not be following through on any of their advertised services here, there is no need to analyze the substantive crime at issue. Rather, what we are dealing with is the agreement between the defendant and agents to violate this section of the CFAA. If the prosecution can prove the agreement here, which is very likely considering the record of communications they will have, the defendant will be liable for conspiracy to violate the CFAA regardless of where they were located when they sent such communications. And because conspiracy is a continuing offense under 18 U.S.C. § 3237(a), venue can be laid in any federal district “in which such offense was begun, continued, or completed.”[271] This is where the Colorado VPN has the strongest impact. Because any defendant who agreed to enter a conspiracy with our agents would have had their internet communications routed through Colorado, bringing charges in the district would be appropriate since the offense “continued” through the state. Although our U.S. Attorney will be unable to charge for the substantive offense, she need not fret; she has valid conspiracy charges against those bad actors, which would remove them from the dark web “streets.”
Under today’s cybercrime architecture, nothing in the preceding scenarios is illegal or viewed as unconstitutional. With that said, nothing about these hypotheticals necessarily feels good either. The defendant’s connection to Colorado, and thus his exposure to trial there, was only established by the government’s own conduct. This scenario is the exact sort that the Framers were attempting to combat when they wrote venue protections into the Constitution. They sought to prevent an overreaching government from drawing criminal defendants to distant tribunals for prosecution.
Some critics might say that crimes should be punished in any allowable district regardless of the government’s influence.[272] These arguments often focus on limiting the prosecutor’s burden in holding defendants accountable for their crimes. In response, this Note contends that what is at issue is not the ability to bring a prosecution in the first instance but rather the appropriateness of doing so in venues far from a defendant’s home and in locations where the only relationship to that district stemmed from the government’s influence. To allow this to stand as a valid basis for venue is to ignore key protections espoused by the Constitution.
Regardless of where our theoretical defendants live, the U.S. Attorney has legitimate grounds to haul them to the District of Colorado to face prosecution. Nothing in the cybercrime or conspiracy jurisprudence recognizes the validity of a manufactured venue defense, nor does any aspect of the law demand venue be laid in the defendants’ districts instead of Colorado. The system has failed to consider how technological changes have undermined the constitutional protections guaranteed to defendants.
What’s more, merely because a defendant may file a motion with the court to request a change of venue does not mean that their constitutional rights have not been degraded in the first instance. To supplant constitutional venue protections with the broad discretion of trial judges to consider change of venue motions does injustice to the whole scheme—especially considering that most change of venue requests are granted in response to prejudicial publicity, not the unfairness of distant trials.[273] These scenarios would have been unconscionable to the Framers, and the legal community would do well to update the relevant statutes and implement prudential restrictions to reaffirm the Constitution’s first principles.
As the foregoing hypotheticals demonstrate, the government has unbridled power to influence the location of cybercrimes. The modern technologies that grant such power should not be allowed to quash a defendant’s constitutional venue protections. By adopting the following reforms, the law can once again reassert the Constitution’s primacy as it relates to law enforcement tactics in prosecuting modern cybercrimes.
Today’s cybercrime defendants face trials based on the principles of a broken promise. This is a promise that our nation’s founders stamped into the Constitution at the very dawn of our democratic project: We will not force defendants to face prosecution in distant lands. This notion once rested at the very heart of our rebellious spirit, yet today, we have allowed technological progress to water down this promise to nothing more than illusory drivel.
This Part argues for three reforms, one statutory[274] and two prudential.[275] All elements of power within government are well‑positioned to correct the constitutional harm highlighted here. Now we must urge them to do so.
Congress Should Revise the Cybercrime Statutes to Integrate Constitutional Venue Protections
Though likely the most difficult to implement, this first recommendation represents a full‑throated endorsement of constitutional venue protections. Congress should add a provision to the CFAA that expresses explicit venue preferences.[276] It is important to note that this recommendation does not advocate for the creation of artificial venues, nor does it endorse eliminating certain venues from consideration. Rather, this provision merely would establish a hierarchy among the multiple potential venues in which cybercrimes may be prosecuted.
Operating much like a presumption, this hierarchy would control the government’s venue decision unless rebutted by clear and convincing evidence and approved by the court. Any potential venue must satisfy the traditional analysis, treated at length above, to serve as the trial location.
Critics may argue that advancements in modern technology make cybercrimes uniquely dangerous and therefore warrant government‑friendly venue rules. This claim attempts to prove too much: Establishing venue restrictions favorable to a defendant does nothing to neuter the government’s ability to investigate or prosecute cybercrime. Rather, by hierarchically preferencing potential trial venues with a bias for the defendant’s home venue, we merely align cybercrime jurisprudence with constitutional protections. I am not suggesting we eliminate valid venues—instead, I am arguing that the defendant’s home venue should control unless there is a strong reason justifying departure.
Turning to the preferred hierarchy itself, venue preferences will change slightly based on whether the statute references a cognizable victim, that is, whether a statute is defined in terms of its effects. Where a section 1030 violation implicates a cognizable victim, like those violations of section 1030(a)(5),[277] the victim’s district should be the first choice of venue. Absent a cognizable victim, the district in which the defendant committed the essential conduct elements necessary for the given offense should be the location of trial. Though most cybercrimes are “multidistrict” by nature, making prosecution appropriate in any of them, this provision would establish a default venue based on the defendant’s location.
A sticky default of this kind honors the foundational scheme the Constitution sought to establish. In this case, the government could attempt to seek trial in one of the other available districts if it can make a sufficient showing that it is warranted. The court would then balance the equities at issue to determine if a transfer of venue is warranted. Though the specific test would have to be developed within the courts, it should closely resemble that of a procedural due process analysis, balancing the government’s interests and burdens against the defendant’s interests and burdens.[278]
Additionally, Congress could add statutory language to ensure that law enforcement’s influence on the defendant’s conduct cannot serve as an independent basis for venue. Specifically for those subsections of the CFAA where the criminal conduct deals with “transmission” or trafficking,[279] by adding venue restrictions based on the “uninfluenced” or “unperturbed” flow of data, law enforcement’s own conduct would no longer factor into the analysis.
Instead, prosecutors would be obliged to lay venue only based on the defendant’s traffic that they did not intentionally divert or channel. So, in a situation like that illustrated by the second hypothetical,[280] the Colorado VPN would no longer be an adequate basis for venue in the District of Colorado. Rather, the only options available would be the agents’ location, the defendant’s location, and any district in which the communications would have flowed absent government intervention.
Critics might say that if a criminal violates the CFAA, they should be able to be prosecuted anywhere the traditional analysis allows.[281] Criminals, for their part, should not be allowed to dictate the venue in which they ultimately face their accusers. But this perspective conflates criminality with the appropriateness of venue. Simply because a defendant had the requisite criminal intent does not extinguish their constitutional right to a convenient trial free of prejudice. These are separate considerations: The former establishes substantive elements of the offense charged, and the latter mitigates the risk of unfair trials.
Courts Should Recognize and Prohibit Manufactured Venue in the Cybercrime Context
The next recommendation shifts responsibility from Congress to the courts. To reduce the risk of defendants being hauled to distant forums, judges should recognize manufactured venue in the cybercrime context. Any venue the court deemed to be manufactured would then be inappropriate for prosecution, and upon its authority to transfer trials, the court could require parties to litigate in a district fairer to the defendant.
To institute this restriction would do no violence to the basis for the substantive charge; rather it would simply reduce the number of districts in which the defendant may face trial. Revisiting the first hypothetical described above,[282] the Florida agents would be free to use a VPN in Colorado to mask their true location, but not as the basis for venue in Colorado. Under the system recommended here, the judge would be free to acknowledge that venue in that district only existed because of the government’s conduct. Consequently, prosecution would only be appropriate in Ohio or Texas: Ohio because that is where the defendant was located and Texas because the defendant’s VPN service was using a server located there when the essential conduct occurred. Even though venue is valid in Texas because the defendant opted into a service there, courts should prioritize trial in Ohio.
This structure would prioritize prosecution in either the defendant’s home district or the district where the harms were most significantly felt. Such a prioritization would animate the purposes underlying the Constitution’s venue and vicinage clauses: limiting defendants’ burdens in facing prosecution far from home while balancing the interest in localized justice.
If courts adopted this restriction as mandatory, the venue determination would become much more predictable, stable, and fair. Law enforcement would likely be deterred from such tactics once it became known that courts would not lay venue in districts that were implicated solely due to government conduct. This would mean that venue in Colorado would be inappropriate under the facts in the second hypothetical.[283] There, the government’s influence in channeling communications through Colorado would spoil any chance of prosecuting the defendant there.
Alternatively, if judges addressed the situation on a case‑by‑case basis, they may arguably serve the goals of individualized justice, retributivism, and deterrence. Forcing courts to consider the nature of both the defendant’s and government’s conduct allows for a more reasoned and individualized approach to venue determinations. Furthermore, by undergoing such an analysis, courts may give communities more of a platform to morally condemn the conduct at issue. This would ground the criminal system in a sense of community justice and serve the retribution function of criminal law more directly.
Regardless of how the courts choose to apply the rule, they are the branch best positioned to determine when manufactured venue does injustice to a defendant considering the relevant constitutional safeguards.
Courts Should Adopt a Reasonable Foreseeability Requirement for Cybercrime Conspiracy Charges
Finally, courts should only find proper venue in cybercrime conspiracy cases where the venue in question was reasonably foreseeable by the defendant. Such a judicial restriction would limit the risk that a defendant could be pulled across the country simply because of how electronic communications flow.
The Second Circuit employs a test that should serve as a model. There, “venue is proper in a district where (1) the defendant intentionally or knowingly causes an act in furtherance of the charged offense to occur in the district of venue or (2) it is foreseeable that such an act would occur in the district of venue [and it does].”[284] For criminal defendants engaged in computer‑based conduct, the exposure to conspiracy liability is incredibly vast under current law. Sending a message to agree to commit a crime with another immediately subjects them to prosecution for conspiracy in any district through which that communication flowed.[285] Because modern networks often divert traffic in unpredictable ways, the defendant could properly face charges in numerous and distant districts.
By adopting the Second Circuit’s rule, courts limit the potential venues in a manner consistent with the Constitution without completely undermining the government’s legitimate law enforcement objectives. Under this limitation, laying venue in a situation like the second hypothetical becomes very different. The bent‑pipe tactic would crumble under this standard since the defendant could not reasonably foresee that his communications would travel through Colorado. Instead, venue would be limited to the defendant’s venue and the agents’ venue, based on whether the defendant knew he was communicating with someone in Florida.
Again, this sort of prudential limitation does not mean the defendant escapes liability altogether. It only means that the law acknowledges that the realities of computer crimes expose defendants to an inappropriate number of potential venues, especially for conspiracy charges. Understanding that this situation would be contrary to the Framers’ original intent in crafting venue protections, judges can limit this unconstitutional exposure and channel venue to those districts that respect the first principles.
Even under this improved system, the government likely retains the advantage. Since venue only needs to be shown by a preponderance of the evidence, juries may properly find venue where even a reasonable inference would allow them to conclude that the defendant more likely than not knew his conduct would occur in the district at issue. A test like the Second Circuit’s does not grant cybercrime defendants a windfall. Rather, it merely ensures that the underdog is not forced to play an away game when the Constitution prefers they have home field advantage.
Conclusion
Advancements in technology and the sophistication of cybercrime do not justify a departure from constitutional venue protections. For those crimes that include interstate commerce hooks or that are defined in terms of their effects, venue will be appropriate in any district in which the criminal activity began, continued, was completed, or where the damage was felt by the victim. For the remainder, venue is restricted to the locus delicti of the charged offense, the specific location of the “essential conduct elements.”
Modern day investigators and prosecutors are challenged to define with certainty where in the physical world these cybercrimes occur. But with an understanding of the relevant venue architecture and threshold considerations, sophisticated government actors approach cybercrime investigations and prosecutions with a level of insight that enables them to vastly expand a defendant’s venue exposure.
Because these practices are fundamentally opposed to the Constitution’s venue and vicinage protections, Congress and the courts should take action to reassert the primacy of these fundamental liberties. Modern technology makes catching and prosecuting cybercriminals more difficult, certainly. But this reality does not grant law enforcement or, by association, the courts the freedom to ignore defendants’ rights merely because they may inconvenience the government during its prosecution.
* Articles Editor, University of Colorado Law Review, Volume 97; J.D. Candidate, University of Colorado Law School, Class of 2026. I want to thank every Colorado Law Review member who contributed to this Note. In particular, I owe a debt of gratitude to M.R. Dickey, Aidan Meadows, Sydney Poppe, and McKenzie Porter for their careful attention and incredibly in-depth edits. All mistakes are my own.
- See United States v. Lallande, No. 23‑CR‑00057, 2023 WL 5035317, at *2 (D.N.J. Aug. 8, 2023) (describing this procedural history as it happened to the defendant in that case). ↑
- Id. at *1. ↑
- Id. ↑
- See id. at *3 (holding that these two facts were sufficient to “form a proper basis for venue” in New Jersey). ↑
- See infra Section I.A. ↑
- United States v. Auernheimer, 748 F.3d 525, 541 (3d Cir. 2014). ↑
- See U.S. Const. art. III, § 2, cl. 3; id. amend. VI. ↑
- See infra Part V. ↑
- See infra Part V. ↑
- This Note focuses on federal venue, in contrast to state venue rules, for three reasons. First, cybercrime is predominantly the realm of federal law enforcement under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Second, the Constitution’s venue protections are most relevant to federal criminal prosecutions. And third, federal cybercrime prosecutions risk the greatest harm to defendants—drawing them to distant states to face trial since the charges are not restricted to one particular state. ↑
- For a robust discussion of venue’s diminished constitutional force in federal criminal conspiracy prosecutions, see Robert L. Ullmann, One Hundred Years After Hyde: Time to Expand Venue Safeguards in Federal Criminal Conspiracy Cases?, 52 Santa Clara L. Rev. 1003, 1008 (2012) (“Unfairness and hardships that can result from being tried in a remote place can include traveling great distances, separation from family and friends, the potential difficulty in securing character witnesses, limitation on the choice of counsel, a deleterious effect on one’s livelihood, and being tried in an alien environment in a tribunal favorable to the prosecution.”). ↑
- Stephen E. Sachs, Originalism: Standard and Procedure, 135 Harv. L. Rev. 777, 779 (2022). ↑
- See id. at 778 (“Many debates over originalism seem to go in circles. . . . One way to escape these circles is to borrow a well‑recognized distinction from philosophy, that between a standard of rightness and a decision procedure.”). ↑
- Id. at 784. ↑
- See id. at 782–83 (“Discerning ‘the original understanding of an ancient text’ means wading through ‘an enormous mass of material,’ evaluating ‘the reliability of that material,’ and ‘immersing oneself in the political and intellectual atmosphere of the time—somehow placing out of mind knowledge that we have which an earlier age did not, and putting on beliefs, attitudes, philosophies, prejudices and loyalties that are not those of our day.’”). ↑
- See id. at 783 (“This disagreement ‘may not impeach the legitimacy of originalism as a theory,’ Farber and Sherry concede, but it does ‘suggest serious problems’ for originalism ‘as a practical way of deciding constitutional issues’: the ‘historical record cannot successfully constrain ideology’ if no one knows what it is.”). ↑
- Scott Kafker, The Right to Venue and the Right to an Impartial Jury: Resolving the Conflict in the Federal Constitution, 52 U. Chi. L. Rev. 729, 741 (1985). ↑
- See Peter L. Markowitz & Lindsay C. Nash, Constitutional Venue, 66 Fla. L. Rev. 1153, 1162–64 (2014) (“This broad authority to exercise personal jurisdiction meant that, initially, litigants were required to travel from the furthest reaches of England to defend themselves before the court, then centralized in Westminster, which was both inconvenient and prejudicial to the parties.”). ↑
- Kafker, supra note 17, at 741. ↑
- Emily C. Byrd, Note, When Does the Clock Stop? An Analysis of Point‑in‑Time and Continuing Offenses for Venue Purposes, 11 Loy. Mar. L.J. 175, 182 (2012). ↑
- Id. ↑
- Markowitz & Nash, supra note 18, at 1164. ↑
- 2 Wright & Miller’s Federal Practice & Procedure § 301 (4th ed. 2025) (quoting The Declaration of Independence para. 21 (U.S. 1776)). ↑
- Id. ↑
- Id. ↑
- U.S. Const. art. III, § 2, cl. 3. ↑
- Id. amend. VI. ↑
- Wright & Miller’s Federal Practice & Procedure, supra note 23, § 301. ↑
- Id. § 301 n.4 (citing United States v. Flaxman, 304 F. Supp. 1301, 1304 (S.D.N.Y. 1969)). ↑
- Fed. R. Crim. P. 18. ↑
- United States v. Salinas, 373 F.3d 161, 163–64 (1st Cir. 2004). ↑
- Steven A. Engel, The Public’s Vicinage Right: A Constitutional Argument, 75 N.Y.U. L. Rev. 1658, 1673–74 (2000) (“The public’s constitutional vicinage right grows out of the same soil as the public’s constitutional right of access to criminal proceedings. The common law presumed that a jury would be drawn from the community that suffered the crime, and the Framers of the Bill of Rights drafted the Sixth Amendment against this historical presumption. . . . At common law, the role of the vicinage was inherent in the concept of the jury. The jury was not simply any twelve laypersons; it was twelve representatives of the community that had suffered the crime.”). ↑
- Id. at 1661; see id. at 1698 (“Trial by the vicinage likewise is essential to bringing the community to accept the jury’s verdict as its own. As the Supreme Court has noted, ‘[c]ommunity participation in the administration of the criminal law . . . is not only consistent with our democratic heritage but is also critical to public confidence in the fairness of the criminal justice system.’” (alterations in original) (quoting Taylor v. Louisiana, 419 U.S. 522, 530 (1975))). ↑
- Id. at 1681. ↑
- Id. at 1718. ↑
- Id. at 1692. ↑
- Id. at 1694–95 (“While the vicinage right remains an important security to defendants, its objective is not to guarantee defendants the most favorable jury available. The Sixth Amendment’s crime‑committed formula emphasizes trying the accused before jurors drawn from the community in which the crime was committed, and not from the defendant’s residence, which presumably would be more favorable to the defendant. . . . [A] purpose of the vicinage presumption is to secure the jury best able to reach an accurate verdict, not the jury that the defendant would most prefer.”). ↑
- Id. at 1695. ↑
- Id. ↑
- See, e.g., United States v. Johnson, 323 U.S. 273, 278 (1944) (justifying “the inconvenience of transporting the Government’s witnesses to trial at the place of the sender” by balancing it against “the serious hardship of defending prosecutions in places remote from home . . . as well as the temptation to abuses, already referred to, in the administration of criminal justice”). ↑
- Wright & Miller’s Federal Practice & Procedure, supra note 23, § 301 (quoting Johnson, 323 U.S. at 276). ↑
- Hyde v. Shine, 199 U.S. 62, 78 (1905). ↑
- United States v. Cores, 356 U.S. 405, 410 (1958). ↑
- Johnson, 323 U.S. at 275. ↑
- Id. ↑
- Id. at 276. ↑
- Id. at 278. ↑
- Cores, 356 U.S. at 407. ↑
- See Johnston v. United States, 351 U.S. 215, 220–21 (1956) (“This requirement of venue states the public policy that fixes the situs of the trial in the vicinage of the crime rather than the residence of the accused.”). ↑
- Wright & Miller’s Federal Practice & Procedure, supra note 23, § 301. ↑
- Id. ↑
- See Travis v. United States, 364 U.S. 631, 633–34, 637 (1961). ↑
- Id. at 632. ↑
- Id. at 633. ↑
- Id. ↑
- Id. at 634 (quoting 18 U.S.C. § 3237(a)). ↑
- Id. at 635–37 (“The words of the Act—‘unless there is on file with the Board’—suggest to us that the filing must be completed before there is a ‘matter within the jurisdiction’ of the Board within the meaning of the false statement statute. . . . We think that is the correct view when 18 U.S.C. § 3237 is read in light of the constitutional requirements and the explicit provision of § 9(h).”). ↑
- Id. at 635, 637 (emphasis removed). ↑
- Id. at 637. ↑
- Id. at 640 (Harlan, J., dissenting). ↑
- Id. at 637–38, 640. ↑
- United States v. Rodriguez‑Moreno, 526 U.S. 275, 279 (1999) (quoting United States v. Cabrales, 524 U.S. 1, 6–7 (1998)). ↑
- Id. (citing Cabrales, 524 U.S. at 6–7). ↑
- See id. at 280 & n.4 (“While the ‘verb test’ certainly has value as an interpretative tool, it cannot be applied rigidly, to the exclusion of other relevant statutory language. . . . In our view, the Third Circuit overlooked an essential conduct element of the § 924(c)(1) offense. Section 924(c)(1) prohibits using or carrying a firearm ‘during and in relation to any crime of violence . . . for which [a defendant] may be prosecuted in a court of the United States.’ That the crime of violence element of the statute is embedded in a prepositional phrase and not expressed in verbs does not dissuade us from concluding that a defendant’s violent acts are essential conduct elements.” (alteration in original)); cf. id. at 280 n.4 (“The existence of criminally generated proceeds was a circumstance element of the offense but the proscribed conduct—defendant’s money laundering activity—occurred ‘“after the fact” of an offense begun and completed by others.’” (quoting Cabrales, 524 U.S. at 7)). ↑
- Id. at 280; United States v. Auernheimer, 748 F.3d 525, 533 (3d Cir. 2014). ↑
- United States v. Golightley, 840 F. App’x 319, 323 (10th Cir. 2020) (“Threatening to damage a protected computer in violation of § 1030(a)(7)(A) requires the government to prove, among other elements, that Golightley transmitted at least one of his two threats ‘in interstate or foreign commerce.’ . . . Thus, the resolution of this issue depends on whether a reasonable jury could infer that one of Golightley’s threats traveled through an out‑of‑state server.”). ↑
- Auernheimer, 748 F.3d at 534–35 (explaining that venue in New Jersey was improper because “none of the conduct constituting the CFAA violation or its enhancement” or any of “the overt acts that the Government alleged in the superseding indictment occurred in New Jersey”). ↑
- 18 U.S.C. § 3237(a). ↑
- Id.; Auernheimer, 748 F.3d at 533. ↑
- § 3237(a); Auernheimer, 748 F.3d at 533 (citing United States v. Perez, 280 F.3d 318, 329 (3d Cir. 2002)). ↑
- “In networking, a packet is a small segment of a larger message. Each packet contains both data and information about that data. . . . When data gets sent over the Internet, it is first broken up into smaller packets, which are then translated into bits. The packets get routed to their destination by various networking devices such as routers and switches. . . . Packets are sent across the Internet using a technique called packet switching. Intermediary routers and switches are able to process packets independently from each other, without accounting for their source or destination. This is by design so that no single connection dominates the network.” How Does the Internet Work?, Cloudflare, https://www.cloudflare.com/learning/network-layer/how-does-the-internet-work [https://perma.cc/68CW-CPC4]. ↑
- This is primarily due to the fact that the modern internet has no central control center—“it is a distributed networking system, meaning it is not dependent on any individual machine.” Id. Any computer that uses the correct internet protocol (IP) can be part of the network architecture. Id. Though this results in a resilient network, this also means that senders and receivers have no insight nor control over the path their data takes to its destination. ↑
- United States v. Kelly, 535 F.3d 1229, 1232 (10th Cir. 2008) (citing United States v. Miller, 111 F.3d 747, 749 (10th Cir. 1997)). ↑
- Id. at 1233 (citing United States v. Rinke, 778 F.2d 581, 584 (10th Cir. 1985)). ↑
- Kafker, supra note 17, at 746. ↑
- Id. (emphasis removed). ↑
- Fed. R. Crim. P. 21. ↑
- Id. ↑
- Id. at R. 21(a) (emphasis added). ↑
- Id. at R. 21(b) (emphasis added). ↑
- Id. at R. 21(d). ↑
- United States v. DiJames, 731 F.2d 758, 761 (11th Cir. 1984) (quoting United States v. Abbott Lab’ys, 505 F.2d 565, 572 (4th Cir. 1974)). ↑
- Id. (citing Abbott Lab’ys, 505 F.2d at 572). ↑
- United States v. Kelly, 535 F.3d 1229, 1233–34 (10th Cir. 2008) (citing United States v. Jackson, 482 F.2d 1167, 1179 (10th Cir. 1973)) (“A defendant can waive improper venue when it is apparent on the face of the indictment that the case should have been tried in another jurisdiction, and yet the defendant allows the trial to proceed without objection.”). ↑
- Id. at 1233 (quoting United States v. Miller, 111 F.3d 747, 750 (10th Cir. 1997)). ↑
- Id. (quoting 2 Wright & Miller’s Federal Practice & Procedure § 306, at 343 (3d ed. 2000)). ↑
- Id. (quoting United States v. Teague, 443 F.3d 1310 (10th Cir. 2006)). ↑
- Id. at 1239 n.7 (quoting Miller, 111 F.3d at 751). ↑
- Id. at 1238 (citing United States v. Byrne, 171 F.3d 1231, 1235 (10th Cir. 1999)). ↑
- Id. at 1238–39 (quoting United States v. Goode, 483 F.3d 676, 681 (10th Cir. 2007)). ↑
- Id. (quoting Goode, 483 F.3d at 681). ↑
- S. Rep. No. 104‑357, at 3 (1996). ↑
- Id. ↑
- Id. at 5. ↑
- Id. ↑
- See supra Section I.B. ↑
- See United States v. Auernheimer, 748 F.3d 525, 537 (3d Cir. 2014) (“It punishes only the actions that the defendant takes to access and obtain. It does not speak in terms of the effects on those whose information is obtained.”). ↑
- 18 U.S.C. § 1030(a)(2). ↑
- Auernheimer, 748 F.3d at 533. ↑
- Id. ↑
- For example, if I broke into a house in State A but sold the pilfered goods in State B, I would only be subject to prosecution for burglary in State A because that is where the essential conduct elements of burglary (breaking into a structure to commit a crime) occurred. Likewise, I would only be subject to prosecution for trafficking in stolen goods in State B because that is where I sold the stolen property. ↑
- Auernheimer, 748 F.3d at 535. ↑
- Id. at 531. ↑
- Id. at 530–31. ↑
- Id. ↑
- Id. at 531. ↑
- Id. ↑
- Id. ↑
- Id. at 541. ↑
- Id. at 534 (emphasis added). ↑
- Id. at 535. ↑
- Id. at 537–38. ↑
- A “protected computer” is one that is (1) used “exclusively for the use of a financial institution or the United States Government,” (2) “used in or affecting interstate or foreign commerce,” (3) “part of a voting system that is used for the management, support, or administration of a Federal election,” or that “has moved in or otherwise affects interstate or foreign commerce.” 18 U.S.C. § 1030(e)(2). ↑
- See Auernheimer, 748 F.3d 525; United States v. Rodriguez‑Moreno, 526 U.S. 275, 275 (1999). ↑
- S. Rep. No. 99‑432, at 6 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479, 2484. ↑
- Id. ↑
- See United States v. Sullivan, 159 F.4th 579, 589 (9th Cir. 2025) (“The hackers’ use of stolen credentials to access protected, private servers was a typical CFAA violation.”). ↑
- See United States v. Record, 873 F.2d 1363, 1366 (10th Cir. 1989) (quoting United States v. Rinke, 778 F.2d 581, 584–85 (10th Cir. 1985)) (explaining that for conspiracy charges, venue lies in “the jurisdiction in which the conspiratorial agreement was formed or in any jurisdiction in which an overt act in furtherance of the conspiracy was committed by any of the conspirators”). ↑
- Id. (citing Rinke, 778 F.2d at 584–85). ↑
- 18 U.S.C. § 3237(a); cf. United States v. Rodriguez‑Moreno, 526 U.S. 275, 281–82 (1999) (discussing the substantive kidnapping charge at issue and how, because of § 3237(a), “[t]he kidnaping, to which the § 924(c)(1) offense is attached, was committed in all of the places that any part of it took place, and venue for the kidnaping charge against respondent was appropriate in any of them”). ↑
- See United States v. Klyushin, 684 F. Supp. 3d 1, 11–12 (D. Mass. 2023) (embodying the idea that venue is appropriate in districts where electronic communications traveled through on their way from the sender to the recipient). ↑
- See id. at 9 (collecting cases from multiple other circuits rejecting a foreseeability requirement and stating, without more, that “[g]iven the weight of the caselaw, the Court declines to adopt the foreseeability requirement for venue under the Constitution”). ↑
- United States v. Johnson, 510 F.3d 521, 527 (4th Cir. 2007). ↑
- See Klyushin, 684 F. Supp. 3d at 8–9 (highlighting the defendant’s unsuccessful argument “that the government failed to prove that any of the conspirators ‘purposely availed themselves of a Boston‑based IP address’ or could have reasonably foreseen that they were accessing confidential information via a Boston‑based server”). ↑
- See infra Section V.C. ↑
- Westlaw, +“venue” +“conspiracy” +“reasonably foreseeable”, 10 results (Dec. 18, 2025) (on file with the author) (filtered by “Cases”, “10th Cir.”). ↑
- 18 U.S.C. § 1030(a)(4). ↑
- See United States v. Auernheimer, 748 F.3d 525, 537–38 (3d Cir. 2014). ↑
- See id. at 533; United States v. Rodriguez‑Moreno, 526 U.S. 275, 280 (1999). ↑
- See United States v. Klyushin, 684 F. Supp. 3d 1, 12 (D. Mass. 2023). ↑
- Id. at 9, 12. ↑
- See id. at 10–12. ↑
- Id. at 5. ↑
- Id. ↑
- Id. at 5, 11. ↑
- “Standard protocol for transmission of data from source to destinations in packet‑switched communications networks and interconnected systems of such networks.” Internet Protocol, NIST, https://csrc.nist.gov/glossary/term/internet_protocol [https://perma.cc/J6EZ‑L662]. ↑
- A VPN is “[a] restricted‑use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.” Virtual Private Network (VPN), NIST, https://csrc.nist.gov/glossary/term/virtual_private_network [https://perma.cc/7L3X-8WVM]. ↑
- Klyushin, 684 F. Supp. 3d at 5. ↑
- Id. (quoting the defendant’s expert testimony given during trial). ↑
- Id. at 12. ↑
- Id. ↑
- Id. (citing United States v. Blecker, 657 F.2d 629, 622 (4th Cir. 1981)). ↑
- Id. at 11. ↑
- Id. (citing United States v. Auernheimer, 748 F.3d 525, 534–36 (3d Cir. 2014)). ↑
- Id. ↑
- Id. at 8–9. ↑
- Id. at 9. ↑
- Id. ↑
- Id. ↑
- Id. ↑
- The court failed to engage in this reflection despite the defense raising concerns about venue and foreseeability. See id. (quoting United States v. Svoboda, 347 F.3d 471, 483 (2d Cir. 2003)) (“To support a foreseeability requirement, Klyushin relies primarily on caselaw from the Second Circuit, which held that venue is proper in a district where ‘(1) the defendant intentionally or knowingly causes an act in furtherance of the charged offense to occur in the district of venue or (2) it is foreseeable that such an act would occur in the district of venue.’”). ↑
- Comp. Crime & Intell. Prop. Section Crim. Div., Prosecuting Computer Crimes, in Off. of Legal Educ. Litig. Series 1, 119 (Off. of Legal Educ. Exec. Off. for U.S. Att’y, 2d ed. 2010) [hereinafter Prosecuting Computer Crimes]. ↑
- See 18 U.S.C. § 1030(a)(2), (4); see also Klyushin, 684 F. Supp. 3d at 10 (discussing the statute as governing “multidistrict offenses” in which the government is required to prove that these essential conduct elements happened in some district where the offense “was begun, continued, or completed”). ↑
- See United States v. Wadford, 331 F. App’x 198, 204 (4th Cir. 2009) (discussing pass through in the context of identifying whether emails were sent in interstate commerce by noting “the evidence indicates that these e‑mails were sent from South Carolina and travelled through servers located in Italy before they were received by these employees back in South Carolina”). This same principle applies to situations where an email travels through a United States‑based server—if instead of Italy the email passed over a server in Florida, venue would be proper there. ↑
- See United States v. Auernheimer, 748 F.3d 525, 534–35 (3d Cir. 2014) (concluding that venue was not proper in New Jersey because no protected computer was accessed and no data was obtained there). See generally United States v. Rodriguez‑Moreno, 526 U.S. 275 (1999) (holding that offenses may be prosecuted in any venue where the offense was begun, continued, or completed). ↑
- See Klyushin, 684 F. Supp. 3d at 12 (citations omitted) (concluding that venue was proper even though the primary basis was the use of “‘pass through’ intermediaries”). ↑
- Auernheimer, 748 F.3d at 537. ↑
- 18 U.S.C. § 1030(a)(5)(A) (emphasis added). ↑
- Id. § 1030(a)(5)(B)–(C) (emphasis added). ↑
- United States v. Goodyear, 795 F. App’x 555, 559 (10th Cir. 2019) (quoting § 1030(e)(11)). ↑
- § 1030(e)(8). ↑
- See United States v. Nicolescu, 17 F.4th 706, 715 (6th Cir. 2021) (“[T]he jury heard testimony from multiple witnesses that Nicolescu’s computer virus caused its victims’ computers to run slowly because the virus was using their computers’ processing power to mine for bitcoin. Such testimony was enough for a reasonable juror to find that Nicolescu conspired to damage a protected computer . . . .”). ↑
- United States v. Auernheimer, 748 F.3d 525, 537 (3d Cir. 2014). ↑
- Prosecuting Computer Crimes, supra note 152, at 120. ↑
- United States v. Calonge, 74 F.4th 31, 35 (2d Cir. 2023). ↑
- Id. at 33. ↑
- Id. ↑
- Id. ↑
- Id. ↑
- Id. ↑
- Id. ↑
- Id. at 33–34. ↑
- Id. at 34. ↑
- Id. ↑
- Id. at 34, 36. ↑
- Id. at 36. ↑
- Id. at 35. ↑
- Id. at 36. ↑
- Id. at 37 (quoting United States v. Tang Yuk, 885 F.3d 57, 69 (2d Cir. 2018)). ↑
- See 18 U.S.C. § 1030(e)(8) (“[T]he term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information . . . .”); United States v. Keys, No. 13‑CR‑00082, 2021 WL 1549732, at *4 (E.D. Cal. Apr. 20, 2021) (noting that the “damage” threshold was met when defendant transmitted a command that deleted a YouTube channel); United States v. Goodyear, 795 F. App’x 555, 559–60 (10th Cir. 2019) (noting that the “damage” threshold was met by defendant’s request for, and incitement of, a distributed denial of service attack); Mitchell v. United States, No. 13‑CR‑00201, 2018 WL 3653794, at *1 (S.D.W. Va. June 19, 2018) (noting that the damage threshold was met when defendant “deleted two volumes of data” from a “test” storage network and “initiated a ‘reset’ command for” two “production” storage networks). ↑
- See Calonge, 74 F.4th at 36; United States v. Nicolescu, 17 F.4th 706, 715 (6th Cir. 2021). ↑
- § 1030(a)(6)(A). ↑
- Id. § 1030(a)(6) (emphasis added). ↑
- Id. § 3237(a). ↑
- Id. § 1029(e)(5). ↑
- S. Rep. No. 99‑432, at 13, as reprinted in 1986 U.S.C.C.A.N. 2479, 2491. ↑
- Id. ↑
- T‑Mobile USA, Inc. v. Terry, 862 F. Supp. 2d 1121, 1126 (W.D. Wash. 2012). ↑
- Id. ↑
- Id. (“These representations were false, as George Collett’s store and the service plans he offered were not sanctioned by T–Mobile.”). ↑
- Id. at 1131. ↑
- Id. ↑
- See supra notes 186–187 and accompanying text. ↑
- See MetroPCS v. Devor, 215 F. Supp. 3d 626, 635–36 (N.D. Ill. 2016) (finding a section 1030(a)(6) violation where perpetrators fraudulently acquired new handsets from MetroPCS, trafficked in the confidential codes and passwords contained therein, and gained access to MetroPCS’s protected computer networks). “Defendants’ transfer of the Handsets and confidential codes/passwords to others constitutes ‘trafficking’ of the codes/passwords as defined in 18 U.S.C. § 1029.” Id. at 636. “[T]he illegally unlocked Handsets [we]re trafficked and resold as new by Defendants, at a premium, under the MetroPCS trademarks.” Id. at 631. ↑
- See 18 U.S.C. § 3237(a) (“[A]ny offense against the United States begun in one district and completed in another . . . [may be] prosecuted in any district in which such offense was begun, continued, or completed.”). ↑
- See, e.g., 2021 Trends Show Increased Globalized Threat of Ransomware, Cybersecurity & Infrastructure Sec. Agency, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-040a [https://perma.cc/FPB4-T23Z] (last updated Feb. 10, 2022) (“In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high‑impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors.”). ↑
- S. Rep. No. 104‑357, at 12 (1996). ↑
- Id. (emphasis added). ↑
- 18 U.S.C. § 1030(a)(7)(A)–(C) (emphasis added). ↑
- Id. § 1030(a)(7). ↑
- Id. § 3237(a). ↑
- See United States v. Kieffer, 681 F.3d 1143, 1155 (10th Cir. 2012) (“[O]ne individual’s use of the internet, ‘standing alone,’ does not establish an interstate transmission.” (citing United States v. Schaefer, 501 F.3d 1197, 1200–01 (10th Cir. 2007))). ↑
- United States v. Golightley, 840 F. App’x 319, 321–22 (10th Cir. 2020). ↑
- Id. at 321–22. ↑
- Id. at 322–23. ↑
- See id. at 323 (“Golightley argues that the government failed to present evidence that would allow the jury to reasonably infer that he transmitted any threat in interstate commerce. Instead, he argues, the government merely showed that he transmitted his threats over the internet, which is insufficient to prove the interstate‑commerce element.”). ↑
- Id. ↑
- Id. at 323–24. ↑
- Id. at 324. ↑
- Id. ↑
- Id. ↑
- Id. at 329. ↑
- See infra Part IV. ↑
- See supra Section I.B. ↑
- “The concept derives from a footnote in United States v. Myers, in which this court did no more than leave open the possibility of invalidating venue in circumstances where the ‘key events occur in one district, but the prosecution, preferring trial elsewhere, lures a defendant to a distant district for some minor event simply to establish venue.’” United States v. Rommy, 506 F.3d 108, 127 (2d Cir. 2007) (citing United States v. Myers, 692 F.2d 823, 847 n.21 (2d Cir. 1982)). ↑
- See, e.g., United States v. Spriggs, 102 F.3d 1245, 1250–51 (D.C. Cir. 1997) (discussing and refusing defendant’s arguments that the “Government’s goal in arranging these contacts was improper as it was aimed at illegally ‘manufacturing venue’ in the District”). ↑
- See infra Section V.B. ↑
- United States v. Rodriguez‑Rodriguez, 453 F.3d 458, 462 (7th Cir. 2006) (emphasis added). ↑
- Id.; United States v. Gonzalez, 683 F.3d 1221, 1227 (9th Cir. 2012). ↑
- United States v. Sitzmann, 893 F.3d 811, 823 (D.C. Cir. 2018) (first quoting United States v. Chi Tong Kuok, 671 F.3d 931, 938 (9th Cir. 2012); and then quoting Spriggs, 102 F.3d at 1251); Myers, 692 F.2d at 847 n.21 (2d Cir. 1982) (rejecting a similar claim made by defendants that the Government attempted to “manufacture[]” venue because “the key events occurred in the Eastern District of New York, and the Government cannot be faulted for selecting hotels near Kennedy Airport as the site for [the] transactions”). ↑
- Rodriguez‑Rodriguez, 453 F.3d at 462; accord United States v. Al‑Talib, 55 F.3d 923, 929 (4th Cir. 1995) (holding that the government “may not manipulate events to create federal jurisdiction,” but that “[t]his is not the same thing, however, as choice of venue”). ↑
- Al‑Talib, 55 F.3d at 929. ↑
- Id. ↑
- Id.; see also Sitzmann, 893 F.3d at 823 (quoting Spriggs, 102 F.3d at 1250) (stating, in the context of “whether there is such a thing as ‘venue entrapment,’” that “[i]t is a little hard to conceive of a person predisposed to commit a federal crime—but not in some specific district”). ↑
- United States v. Gonzalez, 683 F.3d 1221, 1225 (9th Cir. 2012). ↑
- Id. at 1223. ↑
- Id. at 1225–26. ↑
- Id. at 1227. ↑
- Id. at 1225 (first citing Andrews v. United States, 817 F.2d 1277, 1279 (7th Cir. 1987); and then citing United States v. Johnson, 323 U.S. 273, 275 (1944)). ↑
- Celia Kaechele, Note, Traditional Notions of Fair Play and Substantial Justice in the Age of Internet Interconnectivity: How Masking an IP Address Could Constitute Purposeful Availment, 21 Yale J.L. & Tech. 59, 69 (2019). ↑
- Id. at 70. ↑
- Id. at 71. ↑
- Id. ↑
- Cf. United States v. Al‑Talib, 55 F.3d 923, 929 (4th Cir. 1995) (“Moreover, government agents must have flexibility in conducting sting operations against drug conspiracies. Concerns of safety, efficiency, and convenience assume great importance in such circumstances, and are best assessed by the officers at the time. Here, for example, the motel in Virginia that the DEA selected was, in the government’s opinion, the most secure and effective place available for this particular operation. Law enforcement authorities engage in a dangerous undertaking when they attempt to trap drug dealers into revealing their activities by setting up controlled buys of narcotics. We will not further complicate their efforts by second‑guessing their choice of location for such operations under the guise of venue entrapment.”); Gonzalez, 683 F.3d. at 1225 (“It was sufficient [for laying venue] that, in furtherance of the conspiracy, Gonzalez conducted communications with someone located in the Northern District of California. . . . ‘[A] telephone call placed by a government actor within a district to a conspirator outside the district can establish venue within the district provided the conspirator uses the call to further the conspiracy.” (second alteration in original) (emphasis added) (quoting United States v. Rommy, 506 F.3d 108, 122 (2d Cir. 2007))). ↑
- See Rommy, 506 F.3d at 121–22 (explaining that concerns about alleged prosecutorial forum shopping are “more appropriately handled at the trial level by a transfer to a more reasonable forum, pursuant to” the Federal Rules of Criminal Procedure Rule 21 (quoting Andrews v. United States, 817 F.2d 1277, 1279–80 (7th Cir. 1987))). ↑
- See supra notes 62–65 and accompanying text. ↑
- United States v. Johnson, 323 U.S. 273, 275 (1944). ↑
- Over one hundred years ago, Justice Holmes remarked on the then‑modern risks of expansive federal venue in criminal conspiracy cases. In reference to a growing United States, he warned: “With the country extending from ocean to ocean, this requirement is even more important now than it was a hundred years ago, and must be enforced in letter and spirit if we are to make impossible hardships amounting to grievous wrongs. In the case of conspiracy the danger is conspicuously brought out.” Hyde v. United States, 225 U.S. 347, 386 (1912) (Holmes, J., dissenting). ↑
- Paul Marcus, Criminal Conspiracy Law: Time to Turn Back from an Ever Expanding, Ever More Troubling Area, 1 Wm. & Mary Bill Rts. J. 1, 1 (1992). ↑
- Id. at 3. ↑
- Id. (quoting United States v. Wallach, 935 F.2d 445, 470 (2d Cir. 1991)). ↑
- Id. ↑
- Id. ↑
- Id. (quoting United States v. Townsend, 924 F.2d 1385, 1394 (7th Cir. 1991)). ↑
- Id. (quoting Paul Marcus, Conspiracy: The Criminal Agreement in Theory and in Practice, 65 Geo. L.J. 925, 928 (1977)). ↑
- Id. at 19 (first citing United States v. Juarez‑Fierro, 935 F.2d 672, 677 (5th Cir. 1991); then citing United States v. Adamo, 882 F.2d 1218, 1223 (7th Cir. 1989); and then citing United States v. Chang An‑Lo, 851 F.2d 547, 554 (2d Cir.), cert. denied, 488 U.S. 966 (1988)). ↑
- Id.; see also United States v. Keats, 937 F.2d 58, 63 (2d Cir. 1991) (allowing a conspiracy charge to stand based on the defendant’s stated link with an unknown coconspirator). ↑
- Marcus, supra note 239, at 6. ↑
- Id. ↑
- Pinkerton v. United States, 328 U.S. 640, 648 (1946). ↑
- Marcus, supra note 239, at 7 (quoting Letter from Jeffrey Weiner, President of the Nat’l Ass’n of Crim. Def. Lawyers, to Marcus (Feb. 1, 1991) (on file with author)). ↑
- Id. at 32. ↑
- Id. at 32–33. ↑
- Id. at 33. ↑
- U.S. Sent’g Guidelines Manual, § 2X1.1(b)(2) (U.S. Sent’g Comm’n 2025). ↑
- Id. ↑
- See 18 U.S.C. § 1030(b) (stating that those convicted of this subsection are also punished according to subsection (c), which similarly governs the substantive offense). ↑
- Jimmy A. Frazier, Recent Development, United States v. Pomranz: The Fifth Circuit Slights the Right to Proper Venue, 70 Tul. L. Rev. 361, 364 (1995) (quoting 18 U.S.C. § 3237(a)). ↑
- Id. ↑
- Even minor or extremely attenuated computer contacts may properly establish venue in the current system. At least one scholar has recognized the danger such a broad standard may pose: “The common law of what constitutes an overt act in furtherance of a conspiracy has expanded to the point where almost any conduct in a judicial district, no matter how trivial or removed from the defendants on trial, can provide a basis for venue in that district.” Ullmann, supra note 11, at 1024. ↑
- Frazier, supra note 258, at 369. ↑
- See infra Section V.C. ↑
- These hypotheticals are derived from a realistic imagining of how law enforcement tactics may be structured. Due to the inherently secret nature of these operations, no concrete information could be attained from reading current cases. Instead, these two scenarios were informed by conversations the author had while interning at the U.S. Attorney’s Office in the District of Colorado in conjunction with an understanding of the structure of modern computer infrastructure as illuminated by the cases discussed earlier in this Note. ↑
- “Whoever . . . knowingly and with intent to defraud traffics . . . in any password or similar information through which a computer may be accessed without authorization, if . . . such computer is used by or for the Government of the United States . . . shall be punished as provided in subsection (c) of this section.” 18 U.S.C. § 1030(a)(6)(B). ↑
- See supra Section I.B. ↑
- Ransomware 101, Cybersecurity & Infrastructure Sec. Agency: Stop Ransomware, https://www.cisa.gov/stopransomware/ransomware-101 [https://perma.cc/FQP8-3GP2]. ↑
- Id. ↑
- “Whoever . . . with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any . . . demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion . . . shall be punished as provided in subsection (c) of this section.” § 1030(a)(7)(C). ↑
- See supra notes 71–72 and accompanying text. ↑
- § 1030(a)(7)(C); see also supra note 199 and accompanying text. ↑
- § 3237(a). ↑
- See United States v. Al‑Talib, 55 F.3d 923, 929 (4th Cir. 1995) (“[G]overnment agents must have flexibility in conducting sting operations against drug conspiracies. . . . Law enforcement authorities engage in a dangerous undertaking when they attempt to trap drug dealers into revealing their activities by setting up controlled buys of narcotics. We will not further complicate their efforts by second‑guessing their choice of location for such operations under the guise of venue entrapment.”); United States v. Sitzmann, 893 F.3d 811, 824 (D.C. Cir. 2018) (“[T]here is nothing inherently reprehensible about a law enforcement officer’s decision to have a government cooperator . . . ask a target . . . to wire funds to Washington, D.C. in connection with a cocaine transaction in which the target was a willing participant. The overt acts in the charged conspiracy occurred in many places, so there was nothing unfair about having the case tried in the District of Columbia.”). ↑
- See Kafker, supra note 17, at 747 (“[T]he trial should be held in the district where the crime was committed, but if prejudicial publicity prevents the trial of that defendant in that district, the court should have the power to order a change of venue to another district.”). ↑
- See infra Section V.A. ↑
- See infra Sections V.B–V.C. ↑
- At least with respect to espionage and related offenses, Congress has allowed for a particular district (the District of Columbia) to serve as an “optional venue.” See 18 U.S.C. § 3239 (“The trial for any offense involving a violation, begun or committed upon the high seas or elsewhere out of the jurisdiction of any particular State or district, of [those subsections governing espionage and related offenses] . . . may be in the District of Columbia or in any other district authorized by law.”). ↑
- See supra Section II.C. ↑
- See Mathews v. Eldridge, 424 U.S. 319, 335 (1976) (“[T]he specific dictates of due process generally require[] consideration of three distinct factors: First, the private interest that will be affected by the official action; second, the risk of an erroneous deprivation of such interest through the procedures used, and the probable value, if any, of additional or substitute procedural safeguards; and finally, the Government’s interest, including the function involved and the fiscal and administrative burdens that the additional or substitute procedural requirement would entail.”). ↑
- 18 U.S.C. § 1030(a)(5)–(7). ↑
- See supra Section IV.B. ↑
- See United States v. Al‑Talib, 55 F.3d 923, 929 (4th Cir. 1995); see also supra Section IV.B. ↑
- See supra Section IV.A. ↑
- See supra Section IV.B. ↑
- United States v. Royer, 549 F.3d 886, 894 (2d Cir. 2008) (alteration in original) (quoting United States v. Svoboda, 347 F.3d 471, 483 (2d Cir. 2003)). ↑
- See supra Sections III.B, IV.B. ↑