As Wikipedia explains, merger is a legal doctrine that prevents someone from being convicted of both a larger crime and what is called a lesser-included offense.
The doctrine of merger is to some extent based in the prohibition on double jeopardy; like the 5th Amendment’s Double Jeopardy Clause, the doctrine of merger prevents the prosecution from multiplying criminal liability by charging someone with a larger crime (murder, say) and with lesser offenses the commission of which was a necessary part of committing the murder.
Assume, for example, that the prosecution charges John Doe with the murder of his neighbor, Sam Roe. The elements of murder are (i) purposely (ii) causing (iii) the death of (iv) a human being. Assume the evidence shows the following: Doe purposely used a rifle to shoot Roe in order to kill him; the shot Doe fired killed Roe, who was a human being. The evidence therefore supports the charge of murder, and Doe will no doubt be convicted (unless he can present an affirmative defense, like self-defense or insanity).
People can also be prosecuted for and convicted of attempting to commit murder. If Doe had used the rifle to shoot at Roe, against intending to kill him, but missed, he could be charged with attempted murder; as I noted in an earlier post, attempt is an inchoate, or incomplete, crime. You embark on a course of action intending to commit the greater crime but either fail, as Doe did, or are interrupted before you’re able to commit the crime. If someone had stopped Doe before he was able to fire the shot, that would have been an interrupted attempt; if he’d fired the shot but Roe had died an hour earlier of a heart attack, that would be what’s called an impossible attempt, i.e., Doe would have done everything he could to commit murder but have failed, due to no fault of his own.
Attempt is a lesser-included offense of murder. As Wikipedia explains, the doctrine of merger prevents the prosecution from charging someone with murdering and attempting to murder someone when the charges arise out of the same incident. The premise is, as Wikipedia again explains, that the lesser crime merges into the greater crime. This is a basic principle of fairness, since the purpose of the criminal law is to punish you for what you did, not for more than you did. It’s also similar to the prohibition on double jeopardy, but that prohibition historically applied only to sequential prosecutions, i.e., to charging O.J. Simpson with assault after he’d been acquitted of murdering Nicole Simpson. The doctrine of merger applies when the charges are brought in a single prosecution.
Enough preface -- let’s get to how merger applies in cybercrime prosecutions. I got the idea for this post when I was thinking about a prosecutor’s ability to charge someone with both (i) gaining access to a computer system without being authorized to do so and (ii) using the system to commit fraud or extortion or basically any other non-hacking crime. I’ve always assumed that prosecutors can bring both charges without violating the merger doctrine, but then I began to wonder whether that’s really true or not.
To work through those issues, I’m going to use two provisions of the federal cybercrime statute, 18 U.S. Code § 1030. Section 1030(a)(4) makes it a crime to “knowingly and with intent to defraud, access a protected computer without authorization. . . and by means of such conduct further the intended fraud and obtain anything of value”. As I’ve noted before, a “protected computer” is one that’s used by the federal government, by a financial institution of in a way that affects interstate or foreign commerce. 18 U.S. Code § 1030(g)(2). Section 1030(a)(5)(B) makes it a crime to intentionally access a protected computer “without authorization, and as a result of such conduct, recklessly cause damage”. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information”. Most -- if not all -- states have similar provisions; I'm using the federal statute because it's representative of unauthorized access and unauthorized access-based crimes like fraud.
To avoid using so many citations, I’m going to call the § 1030(a)(5)(B) offense the “unauthorized access” crime and call the § 1030(a)(4) offense the “fraud” crime. A defense attorney could argue that the “unauthorized access” crime is a lesser-included offense of the “fraud” crime because someone necessarily commits the “unauthorized access” crime when they commit the “fraud” crime. That’s the rationale for merging attempts to commit murder and murder; when you commit murder, you necessarily commit attempted murder but you also go further and complete the attempt. So a defense attorney could claim something similar happens here: To commit the “fraud” crime, I have to hack into a computer system; I don’t commit this “fraud” crime (though I may commit other federal fraud crimes) if I just use information I’m authorized to access. An essential element of the § 1030 “fraud” crime is hacking into a computer system.
The defense attorney could analogize the “unauthorized access” crime to criminal trespass and the “fraud” crime to burglary. The Model Penal Code (which, as I’ve noted, is a template of criminal law provisions) defines criminal trespass as knowingly entering a building or occupied structure without being authorized to do so; it defines burglary as entering a building or occupied structure “with purpose to commit a crime therein”. Model Penal Code §§ 221.1 & 221.2. Many state courts have held that criminal trespass is a lesser-included offense of burglary. As the Iowa Supreme Court noted in State v. Sangster, 299 N.W.2d 661 (1980), the elements of criminal trespass “are entirely included in the burglary elements. It would be impossible for a person to commit the relevant burglary offense without also committing criminal trespass”.
So the argument that the “unauthorized access” crime is a lesser-included offense of the “fraud” crime seems like a really good argument, but whether it actually works depends on how a court parses the elements of the crimes. If one is a lesser-included offense of the other, then they don’t constitute two separate crimes and a defendant can only be convicted of one of them; a jury could convict the defendant of the greater crime (which I’m assuming is the “fraud” crime) or of the lesser-included crime (the “unauthorized access” crime), but not of both. As I explained in a recent post, the test courts use to decide if there are two separate crimes or if one crime is a lesser-included offense of the other is the Blockburger test. In Blockburger v. United States, 284 U.S. 299, 304 (1932), the U.S. Supreme Court held that the standard is “whether each provision requires proof of a fact which the other does not.”
Therefore, if the “fraud” crime requires proof of a fact which the “unauthorized access” crime does not, and vice versa, there are two crimes. If the “fraud” crime requires proof of a fact which the “unauthorized access” crime does not BUT the “unauthorized access” crime does not require proof of a fact other than the facts the prosecution has to prove to obtain a conviction for the “fraud” crime, the “unauthorized access” crime is a lesser-included offense of the “fraud crime. (If the “unauthorized access” crime requires proof of a fact which the “fraud” crime does not but the “fraud” crime does not require proof of a fact other than the facts the prosecution has to prove to obtain a conviction for the “unauthorized access” crime, then the “fraud” crime would be a lesser-included offense of the “unauthorized access” crime.)
In other words, attempt is a lesser-included offense of murder because while murder requires proof of a fact the prosecution doesn’t have to establish to convict someone of attempted murder (i.e., that the defendant actually killed the victim), the attempted murder charge doesn’t require proof of any fact that isn’t an element of the murder charge.
So where does that leave us with the defense argument that the “unauthorized access” crime is a lesser-included offense of the “fraud” crime? I haven’t been able to find any reported cases that deal with this issue, which makes me wonder if defense attorneys have ever raised it. I know federal prosecutors have charged both the “unauthorized access” and “fraud” offenses in a single prosecution, so the potential for making the argument has existed on at least a few occasions. See U.S. v. Salcedo, 189 Fed. Appx. 197 (U.S. Court of Appeals for the 4th Circuit 2006); U.S. v. Chavet Plea (U.S. District Court for the Northern District of California 2005).
The U.S. Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) takes the position that the “unauthorized access” crime isn’t a lesser-included offense of the “fraud” crime:
In many cases, intruders cause damage to systems even though their primary intent is to . . . commit a fraud in violation of section . . . 1030(a)(4). For example, intruders commonly try to make it difficult for system administrators to detect them by erasing log files that show that they accessed the computer network. Deleting these files constitutes intentional `damage’ for purposes of section 1030(a)(5). Similarly, intruders commonly modify system programs or install new programs to circumvent the computer's security so that they can access the computer again later. This activity impairs the integrity of the computer and its programs and therefore meets the damage requirement. As long as the government can meet . . . the . . . requirements. . . a charge under § 1030(a)(5) is appropriate in addition to any other charges under § 1030.
CCIPS, Prosecuting Computer Crimes Manual § F(5).
I can see the Justice Department’s point: To prove the “fraud” crime, the prosecution must prove that the defendant intentionally gained unauthorized access to a computer for the purposes of furthering a fraud scheme and used the unauthorized access to carry out the scheme and obtain something of value. To prove the “unauthorized access” crime, the prosecution must prove that the defendant intentionally gained unauthorized access to a computer and recklessly caused damage to the computer by impairing the integrity or availability of data, a program or the computer itself. (In other words, to prove this crime the prosecution has to prove beyond a reasonable doubt that the defendant intended to hack the system, didn’t intend to damage the system but was reckless in carrying out the hack and therefore caused damage.)
If we decide, as the Department of Justice has, that the “recklessly causes damage” element of the “unauthorized access” crime is an element the prosecution does not have to establish to win a conviction for the “fraud” crime, the two would be separate crimes under the Blockburger test . . . so merger would not apply and a defendant could be charged with and convicted of both. If we reach (or, more accurately, a federal court reaches) the opposite conclusion, then merger would presumably apply and bar a conviction for both crimes.