Case: 13-1816Document: 003111586090Page: 1Date Filed: 04/11/2014PRECEDENTIALUNITED STATES COURT OF APPEALSFOR THE THIRD CIRCUIT_____________No. 13-1816_____________UNITED STATES OF AMERICAv.ANDREW AUERNHEIMER,a/k/a Weeva/k/a Weelosa/k/a EscherANDREW AUERNHEIMER,AppellantOn Appeal from the United States District Courtfor the District of New Jersey(No. 2:11-cr-00470-001)District Judge: Hon. Susan D. WigentonArgued: March 19, 2014Before: CHAGARES, GREENAWAY, JR., andVANASKIE, Circuit Judges.(Filed: April 11, 2014)____________OPINION____________Tor B. Ekeland, Esq.Mark H. Jaffe, Esq.Tor Ekeland, P.C.155 Water Street.Sixth Floor, Suite TwoBrooklyn, NY 11201Case: 13-1816Document: 003111586090Page: 2Orin S. Kerr, Esq. [ARGUED]George Washington University2000 H Street, N.W.Washington, DC 20052Marcia C. Hofmann, Esq.25 Taylor StreetSan Francisco, CA 94102Hanni M. Fakhoury, Esq.Electronic Frontier Foundation815 Eddy StreetSan Francisco, CA 94109Attorneys for AppellantPaul J. Fishman, Esq.Glenn J. Moramarco, Esq. [ARGUED]Office of United States AttorneyCamden Federal Building & Courthouse401 Market StreetCamden, NJ 08101Mark E. Coyne, Esq.Office of United States Attorney970 Broad StreetNewark, NJ 07102Attorneys for AppelleeChristopher C. Walsh, Esq.Harvard Law SchoolCyberlaw Clinic23 Everett StreetSecond FloorCambridge, MA 02138Alexander C. Muentz, Esq.Temple UniversityDepartment of Criminal Justice1115 Pollett WalkPhiladelphia, PA 191222Date Filed: 04/11/2014Case: 13-1816Document: 003111586090Page: 3Date Filed: 04/11/2014Jennifer S. Granick, Esq.Stanford Law SchoolCenter for Internet & Society559 Nathan Abbott WayStanford, CA 94305Steven P. Ragland, Esq.Keker & Van Nest633 Battery StreetSan Francisco, CA 94111Attorneys for Amicus AppellantsCHAGARES, Circuit Judge.This case calls upon us to determine whether venue forAndrew Auernheimer’s prosecution for conspiracy to violatethe Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030, and identity fraud under 18 U.S.C. § 1028(a)(7) wasproper in the District of New Jersey. Venue in criminal casesis more than a technicality; it involves “matters that touchclosely the fair administration of criminal justice and publicconfidence in it.” United States v. Johnson, 323 U.S. 273,276 (1944). This is especially true of computer crimes in theera of mass interconnectivity. Because we conclude thatvenue did not lie in New Jersey, we will reverse the DistrictCourt’s venue determination and vacate Auernheimer’sconviction.I.A.The relevant facts are fairly simple and not in dispute.Apple, Inc. introduced the first iPad, a tablet computer, in2010. Customers who purchased the version that had thecapability to send and receive data over cellular networks(commonly referred to as “3G”) had to purchase a datacontract from AT&T, Inc. (“AT&T”), which at the time wasthe exclusive provider of data services for this version of theiPad. Customers registered their accounts with AT&T overthe Internet on a website that AT&T controlled. In theregistration process, customers were assigned a user identifier3Case: 13-1816Document: 003111586090Page: 4Date Filed: 04/11/2014(“user ID”) and created a password — login credentials thatthey would need in order to access their accounts throughAT&T’s website in the future. The user ID assigned to eachcustomer was that customer’s email address.AT&T decided to make it easier for customers to loginto their accounts by prepopulating the user ID field on thelogin screen with their email addresses. To do this, AT&Tprogrammed its servers to search for an iPad user’s IntegratedCircuit Card Identifier (“ICC-ID”) when a user directed herbrowser to AT&T’s general login webpage (AT&T’s“URL”1). An ICC-ID is the unique nineteen- or twenty-digitnumber that identifies an iPad’s Subscriber Identity Module,commonly known as a SIM Card. The SIM Card is thecomputer chip that allows iPads to connect to cellular datanetworks.If AT&T’s servers recognized the ICC-ID asassociated with a customer who had registered her accountwith AT&T, then AT&T’s servers would automaticallyredirect the customer’s browser away from the general loginURL to a different, specific URL. That new specific URLwas unique for every customer and contained the customer’sICC-ID in the URL itself. Redirecting the customer’sbrowser to the new specific URL told AT&T’s servers whichemail address to populate in the user ID field on the loginpage. This shortcut reduced the amount of time it took acustomer to log into her account because, with her user IDalready populated, she had to enter only her password.21URL is shorthand for uniform resource locator, which isdefined as “a specific address . . . used by a browser inlocating the relevant document [on the Internet].” URL,Oxford Eng. Dictionary, http://www.oed.com/view/Entry/258858?redirectedFrom=URL#eid (last visited Mar. 27,2014). It is more commonly known as a “web address.”Appendix (“App.”) 255.2To make this more concrete, when an iPad user wanted tolog into her account, she would direct her browser to“https://dcp2.att.com/OEPNDClient/”. If AT&T’s serverrecognized the ICC-ID of the iPad that made the request as aniPad that was already registered with AT&T, its serverswouldautomaticallyredirecttheuserto4Case: 13-1816Document: 003111586090Page: 5Date Filed: 04/11/2014DanielSpitler,Auernheimer’sco-conspirator,discovered this feature of AT&T’s login process. Althoughhe did not own an iPad, he purchased an iPad SIM Card,hoping to install it on another computing device and then takeadvantage of the unlimited cellular data plan that AT&Toffered for $30 per month. At first, he did not know how toregister his SIM Card, so he downloaded the iPad operatingsystem onto his computer, decrypted it, and browsed throughthe operating system’s code to try to find a way to register it.In the course of doing so, he came across AT&T’sregistration URL. He noticed that one of the variables in theregistration URL was a field requiring an ICC-ID.Spitler then directed his computer’s web browser tothe registration URL and inserted his iPad’s ICC-ID in therequisite place. AT&T’s servers were programmed only topermit browsers that self-identified as iPad browsers to accessthe registration URL. This required him to change hisbrowser’s user agent. A user agent tells a website what kindof browser and operating system a user is running, so serversthat someone is attempting to access can format theirresponses appropriately. App. 256.After changing his browser’s user agent to appear asan iPad, Spitler was able to access the AT&T login page. Henoticed that his email address was already populated in thelogin field and surmised that AT&T’s servers had tied hisemail address to his ICC-ID. He tested this theory bychanging the ICC-ID in the URL by one digit and discoveredthat doing so returned a different email address. He changedthe ICC-ID in the URL manually a few more times, and eachtime the server returned other email addresses in the loginfield.Spitler concluded that this was potentially anoteworthy security flaw. He began to write a program thathe called an “account slurper” that would automate thisprocess. The account slurper would repeatedly access the“https://dcp2.att.com/OEPNDClient/openPage?ICCID=XXXXXXXXXXXXXXXXXXX&IMEI=0”, where the string of“X”s is the nineteen- or twenty-digit ICC-ID.5Case: 13-1816Document: 003111586090Page: 6Date Filed: 04/11/2014AT&T website, each time changing the ICC-ID in the URLby one digit. If an email address appeared in the login box,the program would save that email address to a file underSpitler’s control.Spitler shared this discovery with Auernheimer, whomhe knew through Internet-based chat rooms but had never metin person. Auernheimer helped him to refine his accountslurper program, and the program ultimately collected114,000 email addresses between June 5 and June 8, 2010.Its method — guessing at random — is called a “brute force”attack, a term of art in the computer industry referring to aninefficient method of simply checking all possible numbers.While Spitler’s program was still collecting emailaddresses, Auernheimer emailed various members of themedia in order to publicize the pair’s exploits. Some of thosemedia members emailed AT&T, which immediately fixed thebreach.One of the media members contacted byAuernheimer was Ryan Tate, a reporter at Gawker, a newswebsite. Tate expressed interest in publishing Auernheimer’sstory. To lend credibility to it, Auernheimer shared the list ofemail addresses with him. Tate published a story on June 9,2010 describing AT&T’s security flaw, entitled “Apple’sWorst Security Breach: 114,000 iPad Owners Exposed.”The article mentioned some of the names of those whoseemail addresses were obtained, but published only redactedimages of a few email addresses and ICC-IDs.Evidence at trial showed that at all times relevant tothis case, Spitler was in San Francisco, California andAuernheimer was in Fayetteville, Arkansas. The servers thatthey accessed were physically located in Dallas, Texas andAtlanta, Georgia. Although no evidence was presentedregarding the location of the Gawker reporter, it is undisputedthat he was not in New Jersey.B.Despite the absence of any apparent connection toNew Jersey, a grand jury sitting in Newark returned a twocount superseding indictment charging Auernheimer withconspiracy to violate the CFAA, 18 U.S.C. § 1030(a)(2)(C)and (c)(2)(B)(ii), in violation of 18 U.S.C. § 371 (count one),6Case: 13-1816Document: 003111586090Page: 7Date Filed: 04/11/2014and fraud in connection with personal information inviolation of 18 U.S.C. § 1028(a)(7) (count two, commonlyreferred to as “identity fraud”). To enhance the potentialpunishment from a misdemeanor to a felony, the Governmentalleged that Auernheimer’s CFAA violation occurred infurtherance of a violation of New Jersey’s computer crimestatute, N.J. Stat. Ann. § 2C:20-31(a). See 18 U.S.C. §1030(c)(2)(B)(ii).Auernheimer moved to dismiss the supersedingindictment shortly after it was returned by the grand jury. Inaddition to asserting several challenges concerning the CFAAviolation, he argued that venue was not proper in the Districtof New Jersey. The District Court acknowledged that neitherhe nor Spitler was ever in New Jersey while allegedlycommitting the crime, and that the servers accessed were notin New Jersey, but denied his motion nonetheless. It held thatvenue was proper for the CFAA conspiracy charge becauseAuernheimer’s disclosure of the email addresses of about4,500 New Jersey residents affected them in New Jersey andviolated New Jersey law. It further held that because venuewas proper for the CFAA count, it was also proper for theidentity fraud count because proving the CFAA violation wasa necessary predicate to proving the identity fraud violation.Auernheimer’s trial lasted five days and resulted in aguilty verdict on both counts. Initially, both parties requesteda jury instruction on venue. App. 575. Venue is a questionfor the jury and the court “must specifically instruct the juryon venue” if “(1) the defendant objects to venue prior to or atthe close of the prosecution’s case-in-chief, (2) there is agenuine issue of material fact with regard to proper venue,and (3) the defendant timely requests a jury instruction.”United States v. Perez, 280 F.3d 318, 334 (3d Cir. 2002).Although Auernheimer objected to venue and requested aninstruction, the District Court held that there was no genuineissue of material fact. It concluded that the Government hadestablished that venue was proper in New Jersey as a matterof law and declined to instruct the jury on venue. App. 591.After denying Auernheimer’s post-trial motions, theDistrict Court sentenced him to forty-one months ofimprisonment. Auernheimer timely appealed.7Case: 13-1816Document: 003111586090Page: 8Date Filed: 04/11/2014II.The District Court had jurisdiction pursuant to 18U.S.C. § 3231. We have jurisdiction pursuant to 28 U.S.C. §1291. Our review of the District Court’s legal decisionregarding venue is plenary. United States v. Pendleton, 658F.3d 299, 302 (3d Cir. 2011).III.Although this appeal raises a number of complex andnovel issues that are of great public importance in ourincreasingly interconnected age, we find it necessary to reachonly one that has been fundamental since our country’sfounding: venue. The proper place of colonial trials was soimportant to the founding generation that it was listed as agrievance in the Declaration of Independence. See TheDeclaration of Independence para. 21 (U.S. 1776) (objectingto “transporting us beyond seas to be tried for pretendedoffences”). It was of such concern that the Constitution of theUnited States “twice safeguards the defendant’s venue right.”United States v. Cabrales, 524 U.S. 1, 6 (1998). Article IIIrequires that “the Trial of all Crimes . . . shall be held in theState where the said Crimes shall have been committed.”U.S. Const. art. III, § 2, cl. 3. The Sixth Amendment furtherprovides that “[i]n all criminal prosecutions, the accused shallenjoy the right to a speedy and public trial, by an impartialjury of the State and district wherein the crime shall havebeen committed.” Id. amend VI. This guarantee is codifiedin the Federal Rules of Criminal Procedure, which requirethat “the [G]overnment must prosecute an offense in a districtwhere the offense was committed.” Fed. R. Crim. P. 18.Congress may prescribe specific venue requirementsfor particular crimes. Pendleton, 658 F.3d at 303. Where ithas not, as is the case here, we must determine the crime’slocus delicti. Id.; see also Black’s Law Dictionary 1025 (9thed. 2009) (defining locus delicti as the “place where anoffense was committed”). “[T]he locus delicti must bedetermined from the nature of the crime alleged and thelocation of the act or acts constituting it.” United States v.Anderson, 328 U.S. 699, 703 (1946); accord United States v.8Case: 13-1816Document: 003111586090Page: 9Date Filed: 04/11/2014Rodriguez-Moreno, 526 U.S. 275, 279 (1999); Cabrales, 524U.S. at 6-7. To perform this inquiry, we “must [1] initiallyidentify the conduct constituting the offense . . . and then [2]discern the location of the commission of the criminal acts.”Rodriguez-Moreno, 526 U.S. at 279. Venue should benarrowly construed. Johnson, 323 U.S. at 276.Continuing offenses, such as conspiracy, that are“begun in one district and completed in another, or committedin more than one district, may be inquired of and prosecutedin any district in which such offense was begun, continued, orcompleted.” 18 U.S.C. § 3237(a). In the context of aconspiracy charge, “venue can be established wherever a coconspirator has committed an act in furtherance of theconspiracy.” Perez, 280 F.3d at 329; accord Hyde v. UnitedStates, 225 U.S. 347, 356-67 (1912). The Government mustprove venue by a preponderance of the evidence. UnitedStates v. Root, 585 F.3d 145, 155 (3d Cir. 2009).In performing our venue inquiry, we must be careful toseparate “essential conduct elements” from “circumstanceelement[s].” Rodriguez-Moreno, 526 U.S. at 280 & n.4. Forexample, in Cabrales the Supreme Court considered whethervenue for money laundering activities was proper in Missouri.524 U.S. at 4. The laundered proceeds were generated byillegal narcotics sales in Missouri, but all acts constituting themoney laundering offense took place in Florida. Id. TheCourt held that venue was improper in Missouri. Id. at 10.The Supreme Court, later reflecting on Cabrales, observedthat the “existence of criminally generated proceeds” wasonly a “circumstance element” of money laundering.Rodriguez-Moreno, 526 U.S. at 280 n.4. Although it was anelement of the crime that the Government had to prove to thejury, it was a “circumstance element” because it was simply afact that existed at the time that the defendant performed herlaundering acts. Only “essential conduct elements” canprovide the basis for venue; “circumstance elements” cannot.United States v. Bowens, 224 F.3d 302, 310 (4th Cir. 2000).A.Count one charged Auernheimer with conspiracy toviolate CFAA § 1030(a)(2)(C) and (c)(2)(B)(ii). In the9Case: 13-1816Document: 003111586090Page: 10Date Filed: 04/11/2014indictment and at trial, the Government identified the natureof the conduct constituting the offense as the agreement tocommit a violation of the CFAA in furtherance of a violationof New Jersey’s computer crime statute, N.J. Stat. Ann. §2C:20-31(a). Venue would be proper in any district wherethe CFAA violation occurred, or wherever any of the acts infurtherance of the conspiracy took place. See Perez, 280 F.3dat 329; see also Rodriguez-Moreno, 526 U.S. at 281-82(citing Hyde, 225 U.S. at 356-67).The charged portion of the CFAA provides that“[w]hoever . . . intentionally accesses a computer withoutauthorization or exceeds authorized access, and therebyobtains . . . information from any protected computer . . . shallbe punished as provided in subsection (c) of this section.” 18U.S.C. § 1030(a)(2)(C). To be found guilty, the Governmentmust prove that the defendant (1) intentionally (2) accessedwithout authorization (or exceeded authorized access to) a (3)protected computer and (4) thereby obtained information.See United States v. Willis, 476 F.3d 1121, 1125 (10th Cir.2007) (delineating the elements in a similar manner). Thestatute’s plain language reveals two essential conductelements: accessing without authorization and obtaininginformation.3New Jersey was not the site of either essential conductelement. The evidence at trial demonstrated that the accessedAT&T servers were located in Dallas, Texas, and Atlanta,Georgia. App. 443-44. In addition, during the time that theconspiracy began, continued, and ended, Spitler wasobtaining information in San Francisco, California (App.233), and Auernheimer was assisting him from Fayetteville,Arkansas (App. 366). No protected computer was accessedand no data was obtained in New Jersey.3The Department of Justice’s own manual on prosecutingcomputer crimes provides in its section devoted to venue that“it would seem logical that a crime under section1030(a)(2)(C) is committed where the offender initiatesaccess and where the information is obtained.” ComputerCrime & Intellectual Prop. Section, Dep’t of Justice,Prosecuting Computer Crimes 118, available athttp://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf (last visited Mar. 26, 2014) (“DOJ Manual”).10Case: 13-1816Document: 003111586090Page: 11Date Filed: 04/11/2014This is not the end of our analysis, however, becausethe Government did not just charge Auernheimer withconspiracy to commit an ordinary violation of the CFAA, butalso with conspiring to violate the CFAA in furtherance of astate crime. The Government can increase the statutorymaximum punishment for a subsection (a)(2) violation fromone year to five years if it proves one of the enhancementscontained in § 1030(c)(2)(B). The enhancement relevant hereprovides for such increased punishment if “the offense wascommitted in furtherance of any criminal or tortious act inviolation of the . . . laws of . . . any State.” Id. §1030(c)(2)(B)(ii). “[A]ny ‘facts that increase the prescribedrange of penalties to which the criminal defendant is exposed’are elements of the crime” that must be proven to the jurybeyond a reasonable doubt.4 Alleyne v. United States, 133 S.Ct. 2151, 2160 (2013) (quoting Apprendi v. New Jersey, 530U.S. 466, 490 (2000)). This is true even if they are explicitlytermed “sentence enhancement[s]” in the statute. Apprendi,530 U.S. at 494 n.19 (quotation marks omitted).The New Jersey statute allows for criminal liability “ifthe person purposely or knowingly and without authorization,or in excess of authorization, accesses any . . . computer [or]computer system and knowingly or recklessly discloses, orcauses to be disclosed any data . . . or personal identifyinginformation.” N.J. Stat. Ann. § 2C:20-31(a). Its essentialconduct elements are accessing without authorization (or inexcess of authorization) and disclosing data or personalidentifying information.Here, none of the essential conduct elements of aviolation of the New Jersey statute occurred in New Jersey.As discussed, neither Auernheimer nor Spitler accessed a4Just because the enhancement is an “element” that theGovernment needed to prove beyond a reasonable doubt doesnot mean that it was an “essential conduct element” of a §1030(a)(2)(C) violation within the meaning of RodriguezMoreno that could establish venue. For the purposes of thisopinion, however, we will assume (without deciding) that theenhancement could contain “essential conduct elements.”11Case: 13-1816Document: 003111586090Page: 12Date Filed: 04/11/2014computer in New Jersey.5 The disclosure did not occur thereeither. The sole disclosure of the data obtained was to theGawker reporter. There was no allegation or evidence thatthe Gawker reporter was in New Jersey. Further, there wasno evidence that any email addresses of any New Jerseyresidents were ever disclosed publicly in the Gawker article.The alleged violation of the New Jersey statute thus cannotconfer venue for count one.Just as none of the conduct constituting the CFAAviolation or its enhancement occurred in New Jersey, none ofthe overt acts that the Government alleged in the supersedingindictment occurred in New Jersey either. The indictmentlisted four overt acts: writing the account slurper program,deploying the account slurper program against AT&T’sservers, emailing victims to inform them of the breach, anddisclosing the emails addresses obtained to Gawker. The coconspirators collaborated on the account slurper programfrom California and Arkansas and deployed it against serverslocated in Texas and Georgia. The Government offered noevidence whatsoever that any of the victims that Auernheimeremailed were located in New Jersey, or that the Gawkerreporter to whom the list of email addresses was disclosedwas in the Garden State.Because neither Auernheimer nor his co-conspiratorSpitler performed any “essential conduct element” of theunderlying CFAA violation or any overt act in furtherance ofthe conspiracy in New Jersey, venue was improper on countone.5We also note that in order to be guilty of accessing “withoutauthorization, or in excess of authorization” under NewJersey law, the Government needed to prove thatAuernheimer or Spitler circumvented a code- or passwordbased barrier to access. See State v. Riley, 988 A.2d 1252,1267 (N.J. Super. Ct. Law Div. 2009). Although we need notresolve whether Auernheimer’s conduct involved such abreach, no evidence was advanced at trial that the accountslurper ever breached any password gate or other code-basedbarrier. The account slurper simply accessed the publiclyfacing portion of the login screen and scraped informationthat AT&T unintentionally published.12Case: 13-1816Document: 003111586090Page: 13Date Filed: 04/11/2014B.We now turn to count two of the indictment becausevenue must be analyzed independently for each count. SeeRoot, 585 F.3d at 155. Count two charged Auernheimer withviolating 18 U.S.C. § 1028(a)(7), which punishes anyone who“knowingly transfers, possesses, or uses, without lawfulauthority, a means of identification of another person with theintent to commit, or to aid or abet, or in connection with, any[federal crime, or state or local felony].” The statute’s plainlanguage indicates that the statute punishes someone who (1)knowingly (2) transfers, possesses, or uses without lawfulauthority (3) a means of identification of another person (4)with the intent to commit, or in connection with, any violationof federal law or any state felony. See United States v.Abdelshafi, 592 F.3d 602, 607 (4th Cir. 2010) (delineating theelements of a violation of aggravated identity fraud in 18U.S.C. § 1028A(a)(1), which are virtually identical, in asimilar fashion); United States v. Stephens, 571 F.3d 401,404-05 (5th Cir. 2009) (same).The two essential conduct elements under § 1028(a)(7)are transfer, possession, or use, and doing so in connectionwith a federal crime or state felony. Cf. Rodriguez-Moreno,526 U.S. at 280 (noting that “during and in relation to anycrime of violence” was an essential conduct element of afirearms statute). Starting with the latter essential conductelement, the Government charged Auernheimer withcommitting identity fraud “in connection with” the ordinaryviolation of CFAA § 1030(a)(2)(C). As should be clear bynow, no conduct related to the ordinary CFAA violationoccurred in New Jersey.There was also no evidence that Auernheimer’stransfer, possession, or use occurred in New Jersey. TheGovernment advances two theories of how he could havesatisfied this essential conduct element. First, it contends thathe violated § 1028(a)(7) by knowingly using the ICC-IDs ofother people’s iPads to access AT&T’s servers. See Gov’tBr. 64-66. Venue fails under this theory because there was noallegation or evidence that he used the ICC-IDs in NewJersey. The alleged conspirators used the ICC-IDs in their13Case: 13-1816Document: 003111586090Page: 14Date Filed: 04/11/2014account slurper program, which was programmed fromCalifornia and Arkansas, and did not access any computer orobtain any information in New Jersey.The Government also argues that Auernheimerviolated the statute by transferring the list of email addressesthat he obtained to Gawker with the intent to violate the NewJersey computer crime statute. See Gov’t Br. 67-69. Butthere was no allegation in the indictment or evidence at trialthat the Gawker reporter to whom he transferred the emailaddresses was in New Jersey — and no essential conductelement of the alleged violation of New Jersey law occurredin New Jersey either.6Because Auernheimer did not commit any essentialconduct of the identity fraud charge in New Jersey, venue wasalso improper on count two.IV.The Government does not dispute the locations ofAuernheimer, Spitler, and AT&T’s servers during the periodof time that Auernheimer was committing the alleged crimes.Instead, it advances a series of other reasons why there wasno defect in venue that warrants vacating his conviction.None of them are availing.A.The Government argues that we need not rely on theessential conduct elements test mandated by Cabrales andRodriguez-Moreno because we have “adopted,” Gov’t Br. 71,6Further, count two of the indictment charged Auernheimerwith transferring, possessing, and using the means ofidentification of others in connection with only an ordinaryviolation of CFAA § 1030(a)(2)(C). It did not mention theviolation of New Jersey law or the § 1030(c)(2)(B)(ii)enhancement at all. This second theory thus “broaden[s] thepossible bases for conviction from that which appeared in theindictment.” United States v. McKee, 506 F.3d 225, 229 (3dCir. 2007) (quotation marks omitted). It cannot be apermissible basis upon which to find venue for count two.14Case: 13-1816Document: 003111586090Page: 15Date Filed: 04/11/2014a “substantial contacts test.” Under this approach, frequentlyemployed by the Court of Appeals for the Second Circuit, anumber of factors help to determine whether venue wasproper, including “the site of the defendant’s acts, theelements and nature of the crime, the locus of the effect of thecriminal conduct, and the suitability of each district foraccurate factfinding.” United States v. Reed, 773 F.2d 477,481 (2d Cir. 1985). The Government contends that venue isproper in New Jersey because about four percent(approximately 4,500 of 114,000) of the email addressesobtained from AT&T’s website belonged to New Jerseyresidents, thereby satisfying the “locus of the effect[s]”consideration. See id.It is far from clear that this Court has ever “adopted”this test. We have mentioned it only once. See United Statesv. Goldberg, 830 F.2d 459, 466 (3d Cir. 1987). The test wascited in a long block quote to Reed, and then analyzed in asingle sentence. Id. The Goldberg panel did not need to relyon the locus of the effects of the defendant’s conduct in thatcase because all of his acts took place in the district in whichhe was tried. Id. No panel of this Court has ever citedGoldberg, or any other case, for this test since — eitherbefore, or especially after, the Supreme Court clarified thevenue inquiry in Cabrales and Rodriguez-Moreno.Even if it could be said that we perhaps tacitlyendorsed this test once almost thirty years ago, the testoperates to limit venue, not to expand it. Cases from theCourt of Appeals for the Second Circuit make this clear. Thetest “does not represent a formal constitutional test,” butrather is merely “helpful in determining whether a chosenvenue is unfair or prejudicial to a defendant.” United Statesv. Saavedra, 223 F.3d 85, 93 (2d Cir. 2000). To satisfy thistest, there must be “more than ‘some activity in the situsdistrict’; instead, there must be ‘substantial contacts.’”United States v. Davis, 689 F.3d 179, 186 (2d Cir. 2012)(quoting Reed, 773 F.2d at 481). There “must be some senseof venue having been freely chosen by the defendant.” Id.(alteration and quotation marks omitted). If a defendantargues that the chosen venue is constitutionally infirm but thatit did not result in any hardship to him, the court onlydetermines the locus delicti and does not then analyze15Case: 13-1816Document: 003111586090Page: 16Date Filed: 04/11/2014whether there were “substantial contacts.” See United Statesv. Magassouba, 619 F.3d 202, 205 n.2 (2d Cir. 2010). Thistest thus serves to limit venue in instances where the locusdelicti constitutionally allows for a given venue, but tryingthe case there is somehow prejudicial or unfair to thedefendant.Even assuming that the substantial contacts test isviable within our Circuit, it cannot serve as a sufficient basisfor conferring venue. The Government argues only that it hasminimally satisfied one of the four prongs of the test — the“locus of the effect of the criminal conduct.” There was noevidence at trial that Auernheimer’s actions evinced anycontact with New Jersey, much less contact that was“substantial.” The Government has not cited, and we havenot found, any case where the locus of the effects, standing byitself, was sufficient to confer constitutionally sound venue.Undoubtedly there are some instances where thelocation in which a crime’s effects are felt is relevant todetermining whether venue is proper. See RodriguezMoreno, 526 U.S. at 279 n.2 (reserving the issue of whethervenue may also be permissibly based on the location where acrime’s effects are felt). But those cases are reserved forsituations in which “an essential conduct element is itselfdefined in terms of its effects.” Bowens, 224 F.3d at 311.For example, in a prosecution for Hobbs Act robbery, venuemay be proper in any district where commerce is affectedbecause the terms of the act themselves forbid affectingcommerce. See 18 U.S.C. § 1951(a); accord United States v.Smith, 198 F.3d 377, 383 (2d Cir. 1999). This is consistentwith Congress’s prerogative to “provide that the locality of acrime shall extend over the whole area through which forcepropelled by an offender operates.” Johnson, 323 U.S. at 275.Sections of the CFAA other than § 1030(a)(2)(C) dospeak in terms of their effects. For example, § 1030(a)(5)(B)criminalizes intentionally accessing a computer withoutauthorization and recklessly causing damage. Because that16Case: 13-1816Document: 003111586090Page: 17Date Filed: 04/11/2014crime is defined in terms of its effects — the damage caused— venue could be proper wherever that occurred.7Congress, however, did not define a violation of §1030(a)(2)(C) in terms of its effects. The statute simplycriminalizes accessing a computer without authorization andobtaining information. It punishes only the actions that thedefendant takes to access and obtain. It does not speak interms of the effects on those whose information is obtained.The crime is complete even if the offender never looks at theinformation and immediately destroys it, or the victim has noidea that information was ever taken.B.The Government also argues that venue was proper inNew Jersey because Auernheimer failed to obtainauthorization from approximately 4,500 New Jersey residentsto “use[] their ICC-ID numbers to access the AT&T servers.”Gov’t Br. 80. The Government argues that when a statutemakes it a crime to fail to do some required act, venue can liein the district in which the act should have been done. TheGovernment concludes that venue is proper becauseAuernheimer and Spitler failed to obtain authorization fromabout 4,500 people in New Jersey prior to accessing AT&T’sservers.This rule only applies, however, when a preexistinglegal duty requires the act that the defendant failed to do. See1 Wayne R. LaFave, Substantive Criminal Law § 6.2(a) (2ded. 2003) (noting that crimes of omission are generallylimited by specific duties such as relationship, statute,contract, assumption of care, creation of peril, controlling theconduct of others, and landowner); accord United States v.Sabhnani, 599 F.3d 215, 237 (2d Cir. 2010). Failure to7The Department of Justice manual again tailors its guidanceto this assessment, noting that a prosecution under §1030(a)(5) “may be brought where the effects are felt becausethose charges are defined in terms of ‘loss,’ even if the bulkof network crimes may not be prosecuted in a district simplybecause the effects of the crime are felt there.” DOJ Manualat 120.17Case: 13-1816Document: 003111586090Page: 18Date Filed: 04/11/2014perform a required act could confer venue where a defendantshould have performed that act when a statute penalizesinaction, such as failure to report to a military draft board(see, e.g., Johnston v. United States, 351 U.S. 215, 219-20(1956)), failure to report to prison after being sentenced (see,e.g., United States v. Overaker, 766 F.2d 1326, 1327 (9th Cir.1985)), or failure to file income tax returns (see, e.g., UnitedStates v. Garman, 748 F.2d 218, 219 (4th Cir. 1984)). Here,Auernheimer was under no such preexisting duty — legal orotherwise. Like most statutes, the charged portion of theCFAA punishes affirmative acts, not inaction. His failure toobtain authorization cannot confer venue in every district inwhich a potential victim lived.C.Finally, the Government argues that even if venuewere improper, we should apply harmless error analysis anddisregard the error because it did “not affect substantialrights.” Fed. R. Crim. P. 52(a). Although the Governmentmakes this argument only in passing — it occupies less thanone page of its 118-page brief — we feel obliged to addressit. The Government contends that its choice of forum actuallybenefitted Auernheimer, because locating his trial in Newark,New Jersey “enhance[d] his ability to attract and retainexperienced and capable counsel on a pro bono basis.” Gov’tBr. 98; see also id. at 97 (noting that Newark was a“relatively easy commute” for Auernheimer’s attorney fromhis office in Brooklyn, New York).At the outset, we are skeptical that venue errors aresusceptible to harmless error analysis. The Supreme Courthas divided constitutional errors into two classes: “trial” and“structural.” Arizona v. Fulminante, 499 U.S. 279, 307-10(1991). Trial errors occur “during the presentation of the caseto the jury” and can be “quantitatively assessed in the contextof other evidence presented” in order to determine whetherthey are “harmless beyond a reasonable doubt.” Id. at 30708. These include “most constitutional errors.” Id. at 306.Structural errors “defy” harmless error analysis because they“affect[] the framework within which the trial proceeds,” id.at 309-10, “or indeed [] whether it proceeds at all,” UnitedStates v. Gonzalez-Lopez, 548 U.S. 140, 150 (2006). These18Case: 13-1816Document: 003111586090Page: 19Date Filed: 04/11/2014include a “limited class of fundamental constitutional errors,”Neder v. United States, 527 U.S. 1, 7 (1999), such as thedenial of the rights to counsel, self-representation, or a publictrial. See Gonzales-Lopez, 548 U.S. at 149 (listing examplesand authority).An error regarding venue exhibits many of thecharacteristics of structural error. If the District Court hadfound venue lacking upon Auernheimer’s motion to dismiss,there would have been no trial in New Jersey at all. Even ifvenue had been raised only at trial, “if venue is improper noconstitutionally valid verdict could be reached regardless ofthe [potentially] overwhelming evidence against thedefendant.” United States v. Miller, 111 F.3d 747, 757 (10thCir. 1997) (Barrett, J., dissenting). The error thus “def[ies]analysis by harmless-error standards by affecting the entireadjudicatory framework.” Puckett v. United States, 556 U.S.129, 141 (2009) (quotation marks omitted). Holding thatdefective venue could ever be harmless would arguablyreduce this constitutional protection to a nullity because,under the Government’s formulation, the error would beharmless as long as the evidence against the accused of thesubstantive crime was overwhelming. It is doubtful that thisis the way the venue protections in the Constitution weremeant to operate. See also 4 Wayne R. LaFave et al.,Criminal Procedure § 16.1(g) (4th ed. 2007) (“Failure ofvenue will not be treated as harmless error.”).The Supreme Court has never held that impropervenue is subject to harmless error review. The Governmenthas pointed to only one case where a court subjecteddefective venue to harmless error review. See United Statesv. Hart-Williams, 967 F. Supp. 73, 78-81 (E.D.N.Y. 1997).In Hart-Williams, the district court found the venue errorharmless after the defendant was convicted at a courthouse inBrooklyn, New York, that was less than a mile from thecourthouse where venue would have been proper inManhattan, New York. See id. at 80. No court has citedHart-Williams for this proposition, and the Court of Appealsfor the Second Circuit has cast doubt on whether the districtcourt’s application of harmless error review remains goodlaw. See United States v. Brennan, 183 F.3d 139, 149 (2dCir. 1999) (holding that trial in Brooklyn, New York, where19Case: 13-1816Document: 003111586090Page: 20Date Filed: 04/11/2014venue was improper, was not harmless when the defendanttimely objected to venue, even though venue would havebeen proper in Manhattan, New York); see also Saavedra, 223F.3d at 100 n.5 (Cabranes, J., dissenting) (explicitly notingthat Brennan forecloses applying harmless error analysis todefective venue).Nonetheless, even assuming that defective venue couldbe amenable to harmless error review, the venue error hereclearly affected Auernheimer’s substantial rights. In order foran error to be harmless, “the Government must ‘prove beyonda reasonable doubt that the error complained of did notcontribute to the verdict obtained.’” Gov’t of V.I. v. Davis,561 F.3d 159, 165 (3d Cir. 2009) (quoting Chapman v.California, 386 U.S. 18, 24 (1967)). The question “is notwhether, in a trial that occurred without the error, a guiltyverdict would surely have been rendered, but whether theguilty verdict actually rendered in this trial was surelyunattributable to the error.” Sullivan v. Louisiana, 508 U.S.275, 279 (1993). The venue error in this case is not harmlessbecause there was no evidence that any of the essentialconduct elements occurred in New Jersey. If Auernheimer’sjury had been properly instructed on venue, it could not havereturned a guilty verdict; the verdict rendered in this trialwould have been different. See United States v. Durades, 607F.2d 818, 820 (9th Cir. 1979) (failing to try defendant indistrict where crime was allegedly committed infringed thedefendant’s substantial rights); see also United States v.Glenn, 828 F.2d 855, 860 (1st Cir. 1987) (same); UnitedStates v. Stratton, 649 F.2d 1066, 1076 n.15 (5th Cir. 1981)(“A defendant’s interest in being tried only in a district wherevenue properly lay clearly constitutes a substantial right.”(quotation marks omitted)).The Supreme Court has repeatedly made clear that theconstitutional limitations on venue are extraordinarilyimportant. “[Q]uestions of venue are more than matters ofmere procedure. They raise deep issues of public policy inthe light of which legislation must be construed.” Travis v.United States, 364 U.S. 631, 634 (1961) (quotation marksomitted). “The provision for trial in the vicinity of the crimeis a safeguard against the unfairness and hardship involvedwhen an accused is prosecuted in a remote place.” United20Case: 13-1816Document: 003111586090Page: 21Date Filed: 04/11/2014States v. Cores, 356 U.S. 405, 407 (1958); accord UnitedStates v. Passodelis, 615 F.2d 975, 977 (3d Cir. 1980). Thefounders were so concerned with the location of a criminaltrial that they placed the venue requirement, which is“principally a protection for the defendant,” Cabrales, 524U.S. at 9, in the Constitution in two places. See U.S. Const.art. III, § 2, cl. 3 and amend. VI.They did so for good reason. A defendant who hasbeen convicted “in a distant, remote, or unfriendly forumsolely at the prosecutor’s whim,” United States v. Salinas,373 F.3d 161, 164 (1st Cir. 2004), has had his substantialrights compromised.Auernheimer was hauled over athousand miles from Fayetteville, Arkansas to New Jersey.Certainly if he had directed his criminal activity toward NewJersey to the extent that either he or his co-conspiratorcommitted an act in furtherance of their conspiracy there, orperformed one of the essential conduct elements of thecharged offenses there, he would have no grounds tocomplain about his uprooting. But that was not what wasalleged or what happened. While we are not prepared todayto hold that an error of venue never could be harmless,8 we donot need to because the improper venue here — far fromwhere he performed any of his allegedly criminal acts —8We note that we are not dealing with a situation where theerror complained of is that the trial judge failed to instruct thejury on venue. That claim may be reviewed for harmlesserror. See United States v. Casch, 448 F.3d 1115, 1117-18(9th Cir. 2006) (noting that when proof of venue is clear,failure to instruct the jury can be considered harmless error);United States v. Martinez, 901 F.2d 374, 377 (4th Cir. 1990)(same); United States v. Moeckly, 769 F.2d 453, 461 (8th Cir.1985) (same). In that situation, the failure to instruct wouldbe harmless if the Government demonstrates under theChapman standard that sufficient evidence of venue existedsuch that the jury would have come to that conclusion too.Cf. Neder, 527 U.S. at 7-11 (holding that an erroneous juryinstruction that omitted an element of the offense is subject toharmless error analysis). The question that we address todayis whether a venue defect could be harmless when there is nopossibility that the jury could have found venue proper.21Case: 13-1816Document: 003111586090Page: 22Date Filed: 04/11/2014denied Auernheimer’s substantial right to be tried in the placewhere his alleged crime was committed.9V.Venue issues are animated in part by the “danger ofallowing the [G]overnment to choose its forum free from anyexternal constraints.” Salinas, 373 F.3d at 169-70 (citingTravis, 364 U.S. at 634). The ever-increasing ubiquity of theInternet only amplifies this concern. As we progresstechnologically, we must remain mindful that cybercrimes donot happen in some metaphysical location that justifiesdisregarding constitutional limits on venue. People andcomputers still exist in identifiable places in the physicalworld. When people commit crimes, we have the ability andobligation to ensure that they do not stand to account forthose crimes in forums in which they performed no “essentialconduct element” of the crimes charged. Rodriguez-Moreno,526 U.S. at 280.“Though our nation has changed in ways which it isdifficult to imagine that the Framers of the Constitution couldhave foreseen, the rights of criminal defendants which theysought to protect in the venue provisions of the Constitutionare neither outdated nor outmoded.” Passodelis, 615 F.2d at977. Just as this was true when we decided Passodelis in1980 — after the advent of railroad, express mail, thetelegraph, the telephone, the automobile, air travel, andsatellite communications — it remains true in today’s Internetage. For the forgoing reasons, we will reverse the DistrictCourt’s venue determination and vacate Auernheimer’sconviction.9We in no way imply that venue cannot be waived by thedefendant by failing to object to it in a timely fashion. SeePerez, 280 F.3d at 328. Because Auernheimer explicitlymoved to dismiss the indictment for lack of venue, there is nocontention that he waived his venue right here.22