8 CFAA

8.1 Fraud and related activity in connection with computers

(a) Whoever—

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;


(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;


(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

(A) threat to cause damage to a protected computer;

(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;


shall be punished as provided in subsection (c) of this section.

(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—

(i) the offense was committed for purposes of commercial advantage or private financial gain;

(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

(iii) the value of the information obtained exceeds $5,000; and


(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4)(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—

(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(III) physical injury to any person;

(IV) a threat to public health or safety;

(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or

(VI) damage affecting 10 or more protected computers during any 1-year period; or


(ii) an attempt to commit an offense punishable under this subparagraph;


(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—

(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or

(ii) an attempt to commit an offense punishable under this subparagraph;


(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of—

(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or

(ii) an attempt to commit an offense punishable under this subparagraph;


(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of—

(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or

(ii) an attempt to commit an offense punishable under this subparagraph;


(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;

(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or

(G) a fine under this title, imprisonment for not more than 1 year, or both, for—

(i) any other offense under subsection (a)(5); or

(ii) an attempt to commit an offense punishable under this subparagraph.


(d)(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.

(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.

(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) As used in this section—

(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

(2) the term "protected computer" means a computer—

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;


(3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;

(4) the term "financial institution" means—

(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;

(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;

(C) a credit union with accounts insured by the National Credit Union Administration;

(D) a member of the Federal home loan bank system and any home loan bank;

(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;

(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;

(G) the Securities Investor Protection Corporation;

(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and

(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act;


(5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;

(6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

(7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;

(8) the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information;

(9) the term "government entity" includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;

(10) the term "conviction" shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;

(11) the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and

(12) the term "person" means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.


(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).

(i)(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States—

(A) such person's interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and

(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.


(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.

(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:

(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.

(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section

Notes

References in Text

Section 11 of the Atomic Energy Act of 1954, referred to in subsec. (a)(1), is classified to section 2014 of Title 42, The Public Health and Welfare.

Section 1602(n) of title 15, referred to in subsec. (a)(2)(A), was redesignated section 1602(o) of title 15 by Pub. L. 111–203, title X, §1100A(1)(A), July 21, 2010, 124 Stat. 2107.

The Fair Credit Reporting Act, referred to in subsec. (a)(2)(A), is title VI of Pub. L. 90–321, as added by Pub. L. 91–508, title VI, §601, Oct. 26, 1970, 84 Stat. 1127, as amended, which is classified generally to subchapter III (§1681 et seq.) of chapter 41 of Title 15, Commerce and Trade. For complete classification of this Act to the Code, see Short Title note set out under section 1601 of Title 15 and Tables.

The Farm Credit Act of 1971, referred to in subsec. (e)(4)(E), is Pub. L. 92–181, Dec. 10, 1971, 85 Stat. 583, as amended, which is classified generally to chapter 23 (§2001 et seq.) of Title 12, Banks and Banking. For complete classification of this Act to the Code, see Short Title note set out under section 2001 of Title 12 and Tables.

Section 15 of the Securities Exchange Act of 1934, referred to in subsec. (e)(4)(F), is classified to section 78o of Title 15, Commerce and Trade.

Section 1(b) of the International Banking Act of 1978, referred to in subsec. (e)(4)(H), is classified to section 3101 of Title 12, Banks and Banking.

Section 25 of the Federal Reserve Act, referred to in subsec. (e)(4)(I), is classified to subchapter I (§601 et seq.) of chapter 6 of Title 12. Section 25(a) of the Federal Reserve Act, which is classified to subchapter II (§611 et seq.) of chapter 6 of Title 12, was renumbered section 25A of that act by Pub. L. 102–242, title I, §142(e)(2), Dec. 19, 1991, 105 Stat. 2281.

The date of the enactment of this subsection, referred to in subsec. (h), is the date of enactment of Pub. L. 103–322, which was approved Sept. 13, 1994.

Amendments

2008—Subsec. (a)(2)(C). Pub. L. 110–326, §203, struck out "if the conduct involved an interstate or foreign communication" after "computer".

Subsec. (a)(5). Pub. L. 110–326, §204(a)(1), redesignated cls. (i) to (iii) of subpar. (A) as subpars. (A) to (C), respectively, substituted "damage and loss." for "damage; and" in subpar. (C), and struck out former subpar. (B) which read as follows:

"(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

"(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

"(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

"(iii) physical injury to any person;

"(iv) a threat to public health or safety; or

"(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;".

Subsec. (a)(7). Pub. L. 110–326, §205, amended par. (7) generally. Prior to amendment, par. (7) read as follows: "with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;".

Subsec. (b). Pub. L. 110–326, §206, inserted "conspires to commit or" after "Whoever".

Subsec. (c)(2)(A). Pub. L. 110–326, §204(a)(2)(A), struck out "(a)(5)(A)(iii)," after "(a)(3),".

Subsec. (c)(3)(B). Pub. L. 110–326, §204(a)(2)(B), struck out "(a)(5)(A)(iii)," after "(a)(4),".

Subsec. (c)(4). Pub. L. 110–326, §204(a)(2)(C), amended par. (4) generally. Prior to amendment, par. (4) related to fines and imprisonment for intentionally or recklessly causing damage to a protected computer without authorization.

Subsec. (c)(5). Pub. L. 110–326, §204(a)(2)(D), struck out par. (5) which related to fine or imprisonment for knowingly or recklessly causing or attempting to cause serious bodily injury or death from certain conduct damaging a protected computer.

Subsec. (e)(2)(B). Pub. L. 110–326, §207, inserted "or affecting" after "which is used in".

Subsec. (g). Pub. L. 110–326, §204(a)(3)(B), in the third sentence, substituted "subsection (c)(4)(A)(i)(I)" for "subsection (a)(5)(B)(i)".

Pub. L. 110–326, §204(a)(3)(A), which directed substitution of "in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i)" for "in clauses (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B)" in the second sentence, was executed by making the substitution for "in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B)" to reflect the probable intent of Congress.

Subsecs. (i), (j). Pub. L. 110–326, §208, added subsecs. (i) and (j).

2002—Subsec. (a)(5)(B). Pub. L. 107–273, §4005(a)(3), realigned margins.

Subsec. (c)(2)(B). Pub. L. 107–273, §4002(b)(1), realigned margins.

Subsec. (c)(2)(B)(iii). Pub. L. 107–273, §4002(b)(12)(A), inserted "and" at end.

Subsec. (c)(3)(B). Pub. L. 107–273, §4005(d)(3), inserted comma after "(a)(4)".

Subsec. (c)(4)(A), (C). Pub. L. 107–296, §2207(g)(2), formerly §225(g)(2), as renumbered by Pub. L. 115–278, §2(g)(2)(I), inserted "except as provided in paragraph (5)," before "a fine under this title".

Subsec. (c)(5). Pub. L. 107–296, §2207(g)(1), (3), (4), formerly §225(g)(1), (3), (4), as renumbered by Pub. L. 115–278, §2(g)(2)(I), added par. (5).

Subsec. (e)(4)(I). Pub. L. 107–273, §4002(b)(12)(B), substituted semicolon for period at end.

2001—Subsec. (a)(5)(A). Pub. L. 107–56, §814(a)(1)–(3), designated existing provisions as cl. (i), redesignated subpars. (B) and (C) as cls. (ii) and (iii), respectively, of subpar. (A), and inserted "and" at end of cl. (iii).

Subsec. (a)(5)(B). Pub. L. 107–56, §814(a)(4), added subpar. (B). Former subpar. (B) redesignated cl. (ii) of subpar. (A).

Subsec. (a)(5)(C). Pub. L. 107–56, §814(a)(2), redesignated subpar. (C) as cl. (iii) of subpar. (A).

Subsec. (a)(7). Pub. L. 107–56, §814(b), struck out ", firm, association, educational institution, financial institution, government entity, or other legal entity," before "any money or other thing of value".

Subsec. (c)(2)(A). Pub. L. 107–56, §814(c)(1)(A), inserted "except as provided in subparagraph (B)," before "a fine", substituted "(a)(5)(A)(iii)" for "(a)(5)(C)", and struck out "and" at end.

Subsec. (c)(2)(B). Pub. L. 107–56, §814(c)(1)(B), inserted "or an attempt to commit an offense punishable under this subparagraph," after "subsection (a)(2)," in introductory provisions.

Subsec. (c)(2)(C). Pub. L. 107–56, §814(c)(1)(C), struck out "and" at end.

Subsec. (c)(3). Pub. L. 107–56, §814(c)(2), struck out ", (a)(5)(A), (a)(5)(B)," after "subsection (a)(4)" in subpars. (A) and (B) and substituted "(a)(5)(A)(iii)" for "(a)(5)(C)" in subpar. (B).

Subsec. (c)(4). Pub. L. 107–56, §814(c)(3), added par. (4).

Subsec. (d). Pub. L. 107–56, §506(a), amended subsec. (d) generally. Prior to amendment, subsec. (d) read as follows: "The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General."

Subsec. (e)(2)(B). Pub. L. 107–56, §814(d)(1), inserted ", including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States" before semicolon.

Subsec. (e)(7). Pub. L. 107–56, §814(d)(2), struck out "and" at end.

Subsec. (e)(8). Pub. L. 107–56, §814(d)(3), added par. (8) and struck out former par. (8) which read as follows: "the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information, that—

"(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;

"(B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;

"(C) causes physical injury to any person; or

"(D) threatens public health or safety; and".

Subsec. (e)(10) to (12). Pub. L. 107–56, §814(d)(4), (5), added pars. (10) to (12).

Subsec. (g). Pub. L. 107–56, §814(e), substituted "A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages." for "Damages for violations involving damage as defined in subsection (e)(8)(A) are limited to economic damages." and inserted at end "No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."

1996—Subsec. (a)(1). Pub. L. 104–294, §201(1)(A), substituted "having knowingly accessed" for "knowingly accesses", "exceeding authorized access" for "exceeds authorized access", "such conduct having obtained information" for "such conduct obtains information", and "could be used to the injury of the United States" for "is to be used to the injury of the United States", struck out "the intent or" before "reason to believe", and inserted before semicolon at end "willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it".

Subsec. (a)(2). Pub. L. 104–294, §201(1)(B), inserted dash after "thereby obtains", redesignated remainder of par. (2) as subpar. (A), and added subpars. (B) and (C).

Subsec. (a)(3). Pub. L. 104–294, §201(1)(C), inserted "nonpublic" before "computer of a department or agency", struck out "adversely" after "and such conduct", and substituted "that use by or for the Government of the United States" for "the use of the Government's operation of such computer".

Subsec. (a)(4). Pub. L. 104–294, §201(1)(D), substituted "protected computer" for "Federal interest computer" and inserted "and the value of such use is not more than $5,000 in any 1-year period" before semicolon at end.

Subsec. (a)(5). Pub. L. 104–294, §201(1)(E), inserted par. (5) and struck out former par. (5) which related to fraud in connection with computers in causing transmission of program, information, code, or command to a computer or computer system in interstate or foreign commerce which damages such system, program, information, or code, or causes a withholding or denial of use of hardware or software, or transmits viruses which causes damage in excess of $1,000 or more during any one-year period, or modifies or impairs medical examination, diagnosis, treatment or care of individuals.

Subsec. (a)(5)(B)(ii)(II)(bb). Pub. L. 104–294, §604(b)(36)(A), which directed insertion of "or" at end of subsec., could not be executed because no subsec. (a)(5)(B)(ii)(II)(bb) existed subsequent to amendment by Pub. L. 104–294, §201(1)(E). See above.

Subsec. (a)(7). Pub. L. 104–294, §201(1)(F), added par. (7).

Subsec. (c)(1). Pub. L. 104–294, §201(2)(A), substituted "under this section" for "under such subsection" in subpars. (A) and (B).

Subsec. (c)(1)(B). Pub. L. 104–294, §604(b)(36)(B), struck out "and" after semicolon at end.

Subsec. (c)(2)(A). Pub. L. 104–294, §201(2)(B)(i), inserted ", (a)(5)(C)," after "(a)(3)" and substituted "under this section" for "under such subsection".

Subsec. (c)(2)(B). Pub. L. 104–294, §201(2)(B)(iii), added subpar. (B). Former subpar. (B) redesignated (C).

Subsec. (c)(2)(C). Pub. L. 104–294, §201(2)(B)(iv), substituted "under this section" for "under such subsection" and inserted "and" at end.

Pub. L. 104–294, §201(2)(B)(ii), redesignated subpar. (B) as (C).

Subsec. (c)(3)(A). Pub. L. 104–294, §201(2)(C)(i), substituted "(a)(4), (a)(5)(A), (a)(5)(B), or (a)(7)" for "(a)(4) or (a)(5)(A)" and "under this section" for "under such subsection".

Subsec. (c)(3)(B). Pub. L. 104–294, §201(2)(C)(ii), substituted "(a)(4), (a)(5)(A), (a)(5)(B), (a)(5)(C), or (a)(7)" for "(a)(4) or (a)(5)" and "under this section" for "under such subsection".

Subsec. (c)(4). Pub. L. 104–294, §201(2)(D), struck out par. (4) which read as follows: "a fine under this title or imprisonment for not more than 1 year, or both, in the case of an offense under subsection (a)(5)(B)."

Subsec. (d). Pub. L. 104–294, §201(3), inserted "subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of" before "this section" in first sentence.

Subsec. (e)(2). Pub. L. 104–294, §201(4)(A)(i), substituted "protected" for "Federal interest" in introductory provisions.

Subsec. (e)(2)(A). Pub. L. 104–294, §201(4)(A)(ii), substituted "that use by or for the financial institution or the Government" for "the use of the financial institution's operation or the Government's operation of such computer".

Subsec. (e)(2)(B). Pub. L. 104–294, §201(4)(A)(iii), added subpar. (B) and struck out former subpar. (B) which read as follows: "which is one of two or more computers used in committing the offense, not all of which are located in the same State;".

Subsec. (e)(8), (9). Pub. L. 104–294, §201(4)(B)–(D), added pars. (8) and (9).

Subsec. (g). Pub. L. 104–294, §604(b)(36)(C), substituted "violation of this section" for "violation of the section".

Pub. L. 104–294, §201(5), struck out ", other than a violation of subsection (a)(5)(B)," before "may maintain a civil action" and substituted "involving damage as defined in subsection (e)(8)(A)" for "of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb)".

Subsec. (h). Pub. L. 104–294, §604(b)(36)(D), substituted "subsection (a)(5)" for "section 1030(a)(5) of title 18, United States Code" before period at end.

1994—Subsec. (a)(3). Pub. L. 103–322, §290001(f), inserted "adversely" before "affects the use of the Government's".

Subsec. (a)(5). Pub. L. 103–322, §290001(b), amended par. (5) generally. Prior to amendment, par. (5) read as follows: "intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby—

"(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; or

"(B) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or".

Subsec. (c)(3)(A). Pub. L. 103–322, §290001(c)(2), inserted "(A)" after "(a)(5)".

Subsec. (c)(4). Pub. L. 103–322, §290001(c)(1), (3), (4), added par. (4).

Subsec. (g). Pub. L. 103–322, §290001(d), added subsec. (g).

Subsec. (h). Pub. L. 103–322, §290001(e), added subsec. (h).

1990—Subsec. (a)(1). Pub. L. 101–647, §3533, substituted "paragraph y" for "paragraph r".

Subsec. (e)(3). Pub. L. 101–647, §1205(e), inserted "commonwealth," before "possession or territory of the United States".

Subsec. (e)(4)(G). Pub. L. 101–647, §2597(j)(2), which directed substitution of a semicolon for a period at end of subpar. (G), could not be executed because it ended with a semicolon.

Subsec. (e)(4)(H), (I). Pub. L. 101–647, §2597(j), added subpars. (H) and (I).

1989—Subsec. (e)(4)(A). Pub. L. 101–73, §962(a)(5)(A), substituted "an institution," for "a bank".

Subsec. (e)(4)(C) to (H). Pub. L. 101–73, §962(a)(5)(B), (C), redesignated subpars. (D) to (H) as (C) to (G), respectively, and struck out former subpar. (C) which read as follows: "an institution with accounts insured by the Federal Savings and Loan Insurance Corporation;".

1988—Subsec. (a)(2). Pub. L. 100–690 inserted a comma after "financial institution" and struck out the comma that followed a comma after "title 15".

1986—Subsec. (a). Pub. L. 99–474, §2(b)(2), struck out last sentence which read as follows: "It is not an offense under paragraph (2) or (3) of this subsection in the case of a person having accessed a computer with authorization and using the opportunity such access provides for purposes to which such access does not extend, if the using of such opportunity consists only of the use of the computer."

Subsec. (a)(1). Pub. L. 99–474, §2(c), substituted "or exceeds authorized access" for ", or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend".

Subsec. (a)(2). Pub. L. 99–474, §2(a), (c), substituted "intentionally" for "knowingly", substituted "or exceeds authorized access" for ", or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend", struck out "as such terms are defined in the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.)," after "financial institution,", inserted "or of a card issuer as defined in section 1602(n) of title 15," and struck out "or" appearing at end.

Subsec. (a)(3). Pub. L. 99–474, §2(b)(1), amended par. (3) generally. Prior to amendment, par. (3) read as follows: "knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend, and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer, if such computer is operated for or on behalf of the Government of the United States and such conduct affects such operation;".

Subsec. (a)(4) to (6). Pub. L. 99–474, §2(d), added pars. (4) to (6).

Subsec. (b). Pub. L. 99–474, §2(e), struck out par. (1) designation and par. (2) which provided a penalty for persons conspiring to commit an offense under subsec. (a).

Subsec. (c). Pub. L. 99–474, §2(f)(9), substituted "(b)" for "(b)(1)" in introductory text.

Subsec. (c)(1)(A). Pub. L. 99–474, §2(f)(1), substituted "under this title" for "of not more than the greater of $10,000 or twice the value obtained by the offense".

Subsec. (c)(1)(B). Pub. L. 99–474, §2(f)(2), substituted "under this title" for "of not more than the greater of $100,000 or twice the value obtained by the offense".

Subsec. (c)(2)(A). Pub. L. 99–474, §2(f)(3), (4), substituted "under this title" for "of not more than the greater of $5,000 or twice the value obtained or loss created by the offense" and inserted reference to subsec. (a)(6).

Subsec. (c)(2)(B). Pub. L. 99–474, §2(f)(3), (5)–(7), substituted "under this title" for "of not more than the greater of $10,000 or twice the value obtained or loss created by the offense", "not more than" for "not than", inserted reference to subsec. (a)(6), and substituted "; and" for the period at end of subpar. (B).

Subsec. (c)(3). Pub. L. 99–474, §2(f)(8), added par. (3).

Subsec. (e). Pub. L. 99–474, §2(g), substituted a dash for the comma after "As used in this section", realigned remaining portion of subsection, inserted "(1)" before "the term", substituted a semicolon for the period at the end, and added pars. (2) to (7).

Subsec. (f). Pub. L. 99–474, §2(h), added subsec. (f).

Effective Date of 2002 Amendment

Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.

Transfer of Functions

For transfer of the functions, personnel, assets, and obligations of the United States Secret Service, including the functions of the Secretary of the Treasury relating thereto, to the Secretary of Homeland Security, and for treatment of related references, see sections 381, 551(d), 552(d), and 557 of Title 6, Domestic Security, and the Department of Homeland Security Reorganization Plan of November 25, 2002, as modified, set out as a note under section 542 of Title 6.

Reports to Congress

Pub. L. 98–473, title II, §2103, Oct. 12, 1984, 98 Stat. 2192, directed Attorney General to report to Congress annually, during first three years following Oct. 12, 1984, concerning prosecutions under this section.

8.2 United States v. Nosal

676 F.3d 854 (2012)

UNITED STATES of America, Plaintiff-Appellant,
v.
David NOSAL, Defendant-Appellee.

No. 10-10038.

United States Court of Appeals, Ninth Circuit.

Argued and Submitted December 15, 2011.
Filed April 10, 2012.

[855] Jenny C. Ellickson (argued), Lanny A. Breuer, Jaikumar Ramaswamy, Scott N. Schools, Kyle Francis Waldinger, United States Department of Justice, San Francisco, CA, for the plaintiff-appellant.

Ted Sampsell Jones (argued), Dennis P. Riordan, Donald M. Horgan, Riordan & Horgan, San Francisco, CA, for the defendant-appellee.

Kathryn M. Davis, Law Office of Kathryn M. Davis, Pasadena, CA, filed a brief on behalf of amicus curiae En Pointe Technologies, Inc., in support of the plaintiff-appellant.

Geoffrey M. Howard, David B. Salmons, Bryan M. Killian, Bingham McCutchen, LLP, San Francisco, CA, filed a brief on behalf of amicus curiae Oracle America Inc., in support of the plaintiff-appellant.

Kenneth M. Stern, Law Offices of Kenneth M. Stern, Woodland Hills, CA, filed a brief in support of the plaintiff-appellant.

Marcia Hofmann, Electronic Frontier Foundation, San Francisco, CA, filed a brief on behalf of amicus curiae Electronic Frontier Foundation in support of the defendant-appellee.

Before: ALEX KOZINSKI, Chief Judge, HARRY PREGERSON, BARRY G. SILVERMAN, M. MARGARET McKEOWN, KIM McLANE WARDLAW, RONALD M. GOULD, RICHARD A. PAEZ, RICHARD C. TALLMAN, RICHARD R. CLIFTON, JAY S. BYBEE and MARY H. MURGUIA, Circuit Judges.

Opinion by Chief Judge KOZINSKI; Dissent by Judge SILVERMAN.

[856] OPINION

KOZINSKI, Chief Judge:

Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

FACTS

David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information.[1] The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. The CFAA counts charged Nosal with violations of 18 U.S.C. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in "exceed[ing their] authorized access" with intent to defraud.

Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access. The district court initially rejected Nosal's argument, holding that when a person accesses a computer "knowingly and with the intent to defraud... [it] renders the access unauthorized or in excess of authorization." Shortly afterwards, however, we decided LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009), which construed narrowly the phrases "without authorization" and "exceeds authorized access" in the CFAA. Nosal filed a motion for reconsideration and a second motion to dismiss.

The district court reversed field and followed Brekka's guidance that "[t]here is simply no way to read [the definition of `exceeds authorized access'] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate," as "[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense." Accordingly, the district court dismissed counts 2 and 4-7 for failure to state an offense. The government appeals. We have jurisdiction over this interlocutory appeal. 18 U.S.C. § 3731; United States v. Russell, 804 F.2d 571, 573 (9th Cir.1986). We review de novo. United States v. Boren, 278 F.3d 911, 913 (9th Cir.2002).

DISCUSSION

The CFAA defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who's authorized to access only certain [857] data or files but accesses unauthorized data or files — what is colloquially known as "hacking." For example, assume an employee is permitted to access only product information on the company's computer but accesses customer data: He would "exceed[] authorized access" if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

The government argues that the statutory text can support only the latter interpretation of "exceeds authorized access." In its opening brief, it focuses on the word "entitled" in the phrase an "accesser is not entitled so to obtain or alter." Id. § 1030(e)(6) (emphasis added). Pointing to one dictionary definition of "entitle" as "to furnish with a right," Webster's New Riverside University Dictionary 435, the government argues that Korn/Ferry's computer use policy gives employees certain rights, and when the employees violated that policy, they "exceed[ed] authorized access." But "entitled" in the statutory text refers to how an accesser "obtain[s] or alter[s]" the information, whereas the computer use policy uses "entitled" to limit how the information is used after it is obtained. This is a poor fit with the statutory language. An equally or more sensible reading of "entitled" is as a synonym for "authorized."[2] So read, "exceeds authorized access" would refer to data or files on a computer that one is not authorized to access.

In its reply brief and at oral argument, the government focuses on the word "so" in the same phrase. See 18 U.S.C. § 1030(e)(6) ("accesser is not entitled so to obtain or alter" (emphasis added)). The government reads "so" to mean "in that manner," which it claims must refer to use restrictions. In the government's view, reading the definition narrowly would render "so" superfluous.

The government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.[3] Under the presumption that Congress acts interstitially, we construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so. See Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) ("[U]nless Congress conveys its purpose clearly, it will not be deemed to have significantly changed the federal-state balance in the prosecution of crimes." (internal quotation marks omitted)).

[858] In any event, the government's "so" argument doesn't work because the word has meaning even if it doesn't refer to use restrictions. Suppose an employer keeps certain information in a separate database that can be viewed on a computer screen, but not copied or downloaded. If an employee circumvents the security measures, copies the information to a thumb drive and walks out of the building with it in his pocket, he would then have obtained access to information in the computer that he is not "entitled so to obtain." Or, let's say an employee is given full access to the information, provided he logs in with his username and password. In an effort to cover his tracks, he uses another employee's login to copy information from the database. Once again, this would be an employee who is authorized to access the information but does so in a manner he was not authorized "so to obtain." Of course, this all assumes that "so" must have a substantive meaning to make sense of the statute. But Congress could just as well have included "so" as a connector or for emphasis.[4]

While the CFAA is susceptible to the government's broad interpretation, we find Nosal's narrower one more plausible. Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, "[i]n intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system." S.Rep. No. 99-432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.). The government agrees that the CFAA was concerned with hacking, which is why it also prohibits accessing a computer "without authorization." According to the government, that prohibition applies to hackers, so the "exceeds authorized access" prohibition must apply to people who are authorized to use the computer, but do so for an unauthorized purpose. But it is possible to read both prohibitions as applying to hackers: "[W]ithout authorization" would apply to outside hackers (individuals who have no authorized access to the computer at all) and "exceeds authorized access" would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate.[5]

[859] The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.

The government argues that defendants here did have notice that their conduct was wrongful by the fraud and materiality requirements in subsection 1030(a)(4), which punishes whoever:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

18 U.S.C. § 1030(a)(4). But "exceeds authorized access" is used elsewhere in the CFAA as a basis for criminal culpability without intent to defraud. Subsection 1030(a)(2)(C) requires only that the person who "exceeds authorized access" have "obtain[ed]... information from any protected computer." Because "protected computer" is defined as a computer affected by or involved in interstate commerce — effectively all computers with Internet access — the government's interpretation of "exceeds authorized access" makes every violation of a private computer use policy a federal crime. See id. § 1030(e)(2)(B).

The government argues that our ruling today would construe "exceeds authorized access" only in subsection 1030(a)(4), and we could give the phrase a narrower meaning when we construe other subsections. This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the "standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning." Powerex Corp. v. Reliant Energy Servs., Inc., 551 U.S. 224, 232, 127 S.Ct. 2411, 168 L.Ed.2d 112 (2007). The phrase appears five times in the first seven subsections of the statute, including subsection 1030(a)(2)(C). See 18 U.S.C. § 1030(a)(1), (2), (4) and (7). Giving a different interpretation to each is impossible because Congress provided a single definition of "exceeds authorized access" for all iterations of the statutory phrase. See id. § 1030(e)(6). Congress obviously meant "exceeds authorized access" to have the same meaning throughout section 1030. We must therefore consider how the interpretation we adopt will operate wherever in that section the phrase appears.

In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government's proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.

[860] Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it's unlikely that you'll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.[6] Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.[7]

Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government's proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a "nonbusiness purpose"? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?

Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.

The effect this broad construction of the CFAA has on workplace conduct pales by [861] comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody's Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT.com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.[8]

For example, it's not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007 — March 1, 2012, § 2.3, http://www.google.com/intl/en/policies/terms/archive/20070416 ("You may not use the Services and may not accept the Terms if ... you are not of legal age to form a binding contract with Google....") (last visited Mar. 4, 2012).[9] Adopting the government's interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents — and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms ("You will not share your password, ... let anyone else access your account, or do anything else that might jeopardize the security of your account.") (last visited Mar. 4, 2012). Yet it's very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.

Or consider the numerous dating websites whose terms of use prohibit inaccurate or misleading information. See, e.g., eHarmony Terms of Service § 2(I), http://www.eharmony.com/about/terms ("You will not provide inaccurate, misleading or false information to eHarmony or to any other user.") (last visited Mar. 4, 2012). Or eBay and Craigslist, where it's a violation of the terms of use to post items in an [862] inappropriate category. See, e.g., eBay User Agreement, http://pages.ebay.com/help/policies/user-agreement.html ("While using eBay sites, services and tools, you will not: post content or items in an inappropriate category or areas on our sites and services ....") (last visited Mar. 4, 2012). Under the government's proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist's policy, or describing yourself as "tall, dark and handsome," when you're actually short and homely, will earn you a handsome orange jumpsuit.

Not only are the terms of service vague and generally unknown — unless you look real hard at the small print at the bottom of a webpage — but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms ("YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.") (last visited Mar. 4, 2012). Accordingly, behavior that wasn't criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.

The government assures us that, whatever the scope of the CFAA, it won't prosecute minor violations. But we shouldn't have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, ___ U.S. ___, 130 S.Ct. 1577, 1591, 176 L.Ed.2d 435 (2010) ("We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly."). And it's not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17-year-old boy and cyber-bullied her daughter's classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace's terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D.Cal.2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

In United States v. Kozminski, 487 U.S. 931, 108 S.Ct. 2751, 101 L.Ed.2d 788 (1988), the Supreme Court refused to adopt the government's broad interpretation of a statute because it would "criminalize a broad range of day-to-day activity." Id. at 949, 108 S.Ct. 2751. Applying the rule of lenity, the Court warned that the broader statutory interpretation would "delegate to prosecutors and juries the inherently legislative task of determining what type of ... activities are so morally reprehensible that they should be punished as crimes" and would "subject individuals to the risk of arbitrary or discriminatory prosecution and conviction." Id. By giving that much power to prosecutors, we're inviting discriminatory and arbitrary enforcement.

We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir.2010); United States v. John, 597 F.3d 263 (5th Cir.2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute's unitary definition of "exceeds authorized access." They therefore failed to apply the long-standing principle that we must [863] construe ambiguous criminal statutes narrowly so as to avoid "making criminal law in Congress's stead." United States v. Santos, 553 U.S. 507, 514, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008).

We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion. These courts recognize that the plain language of the CFAA "target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation." Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz.2008) (internal quotation marks omitted); see also Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 385 (S.D.N.Y.2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper `access' of computer information. It does not prohibit misuse or misappropriation."); Diamond Power Int'l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D.Ga.2007) ("[A] violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted."); Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 499 (D.Md. 2005) ("[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.").

CONCLUSION

We need not decide today whether Congress could base criminal liability on violations of a company or website's computer use restrictions. Instead, we hold that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires "penal laws ... to be construed strictly." United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95, 5 L.Ed. 37 (1820). "[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite." Jones, 529 U.S. at 858, 120 S.Ct. 1904 (internal quotation marks and citation omitted).

The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. "[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity." United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971). "If there is any doubt about whether Congress intended [the CFAA] to prohibit the conduct in which [Nosal] engaged, then `we must choose the interpretation least likely to impose penalties unintended by Congress.'" United States v. Cabaccang, 332 F.3d 622, 635 n. 22 (9th Cir.2003) (quoting United States v. Arzate-Nunez, 18 F.3d 730, 736 (9th Cir. 1994)).

This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking — the circumvention of technological access barriers — not misappropriation of trade secrets — a subject Congress has dealt with elsewhere. See supra note 3. Therefore, we hold that [864] "exceeds authorized access" in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.

Because Nosal's accomplices had permission to access the company database and obtain the information contained within, the government's charges fail to meet the element of "without authorization, or exceeds authorized access" under 18 U.S.C. § 1030(a)(4). Accordingly, we affirm the judgment of the district court dismissing counts 2 and 4-7 for failure to state an offense. The government may, of course, prosecute Nosal on the remaining counts of the indictment.

AFFIRMED.

SILVERMAN, Circuit Judge, with whom TALLMAN, Circuit Judge concurs, dissenting:

This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts. The indictment here charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by an executive search firm that employed them; that they did so with the intent to defraud; and further, that they stole the victim's valuable proprietary information by means of that fraudulent conduct in order to profit from using it. In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.

The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does.

18 U.S.C. § 1030(a)(4) is quite clear. It states, in relevant part:

(a) Whoever —

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ...

shall be punished....

Thus, it is perfectly clear that a person with both the requisite mens rea and the specific intent to defraud — but only such persons — can violate this subsection in one of two ways: first, by accessing a computer without authorization, or second, by exceeding authorized access. 18 U.S.C. § 1030(e)(6) defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

"As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has `exceed[ed] authorized access.'" LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009).

"[T]he definition of the term `exceeds authorized access' from § 1030(e)(6) implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer. The plain language of the statute therefore indicates that `authorization' depends on actions taken by the employer." Id. at 1135. [865] In Brekka, we explained that a person "exceeds authorized access" when that person has permission to access a computer but accesses information on the computer that the person is not entitled to access. Id. at 1133. In that case, an employee allegedly emailed an employer's proprietary documents to his personal computer to use in a competing business. Id. at 1134. We held that one does not exceed authorized access simply by "breach[ing] a state law duty of loyalty to an employer" and that, because the employee did not breach a contract with his employer, he could not be liable under the Computer Fraud and Abuse Act. Id. at 1135, 1135 n. 7.

This is not an esoteric concept. A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself. A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled — he would "exceed his authority" — to take the vehicle to Mexico on a drug run. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. This is no doubt why the statute covers not only "unauthorized access," but also "exceed[ing] authorized access." The statute contemplates both means of committing the theft.

The majority holds that a person "exceeds authorized access" only when that person has permission to access a computer generally, but is completely prohibited from accessing a different portion of the computer (or different information on the computer). The majority's interpretation conflicts with the plain language of the statute. Furthermore, none of the circuits that have analyzed the meaning of "exceeds authorized access" as used in the Computer Fraud and Abuse Act read the statute the way the majority does. Both the Fifth and Eleventh Circuits have explicitly held that employees who knowingly violate clear company computer restrictions agreements "exceed authorized access" under the CFAA.

In United States v. John, 597 F.3d 263, 271-73 (5th Cir.2010), the Fifth Circuit held that an employee of Citigroup exceeded her authorized access in violation of § 1030(a)(2) when she accessed confidential customer information in violation of her employer's computer use restrictions and used that information to commit fraud. As the Fifth Circuit noted in John, "an employer may `authorize' employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer's business. An employee would `exceed[] authorized access' if he or she used that access to obtain or steal information as part of a criminal scheme." Id. at 271 (alteration in original). At the very least, when an employee "knows that the purpose for which she is accessing information in a computer is both in violation of an employer's policies and is part of [a criminally fraudulent] scheme, it would be `proper' to conclude that such conduct `exceeds authorized access.'" Id. at 273.

Similarly, the Eleventh Circuit held in United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir.2010), that an employee of the Social Security Administration exceeded his authorized access under § 1030(a)(2) when he obtained personal information about former girlfriends and potential paramours and used that information to send the women flowers or to show up at their homes. The court rejected Rodriguez's argument that unlike the defendant in John, his use was "not criminal." The court held: "The problem with Rodriguez's argument is that his use of [866] information is irrelevant if he obtained the information without authorization or as a result of exceeding authorized access." Id.; see also EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir.2001) (holding that an employee likely exceeded his authorized access when he used that access to disclose information in violation of a confidentiality agreement).

The Third Circuit has also implicitly adopted the Fifth and Eleventh circuit's reasoning. In United States v. Teague, 646 F.3d 1119, 1121-22 (8th Cir.2011), the court upheld a conviction under § 1030(a)(2) and (c)(2)(A) where an employee of a government contractor used his privileged access to a government database to obtain President Obama's private student loan records.

The indictment here alleges that Nosal and his coconspirators knowingly exceeded the authority that they had to access their employer's computer, and that they did so with the intent to defraud and to steal trade secrets and proprietary information from the company's database for Nosal's competing business. It is alleged that at the time the employee coconspirators accessed the database they knew they only were allowed to use the database for a legitimate business purpose because the co-conspirators allegedly signed an agreement which restricted the use and disclosure of information on the database except for legitimate Korn/Ferry business. Moreover, it is alleged that before using a unique username and password to log on to the Korn/Ferry computer and database, the employees were notified that the information stored on those computers were the property of Korn/Ferry and that to access the information without relevant authority could lead to disciplinary action and criminal prosecution. Therefore, it is alleged, that when Nosal's co-conspirators accessed the database to obtain Korn/Ferry's secret source lists, names, and contact information with the intent to defraud Korn/Ferry by setting up a competing company to take business away using the stolen data, they "exceed[ed their] authorized access" to a computer with an intent to defraud Korn/Ferry and therefore violated 18 U.S.C. § 1030(a)(4). If true, these allegations adequately state a crime under a commonsense reading of this particular subsection.

Furthermore, it does not advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA, such as subsection (a)(2)(C), which does not have the scienter or specific intent to defraud requirements that subsection (a)(4) has. Maldonado v. Morales, 556 F.3d 1037, 1044 (9th Cir.2009) ("The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases, but to adjudicate live cases or controversies.") (citation and internal quotation marks omitted). Other sections of the CFAA may or may not be unconstitutionally vague or pose other problems. We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals. I express no opinion on the validity or application of other subsections of 18 U.S.C. § 1030, other than § 1030(a)(4), and with all due respect, neither should the majority.

The majority's opinion is driven out of a well meaning but ultimately misguided concern that if employment agreements or internet terms of service violations could subject someone to criminal liability, all internet users will suddenly become criminals overnight. I fail to see how anyone can seriously conclude that reading ESPN.com in contravention of office policy could come within the ambit of 18 U.S.C. § 1030(a)(4), a statute explicitly requiring an intent to defraud, the obtaining of [867] something of value by means of that fraud, while doing so "knowingly." And even if an imaginative judge can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, ... that is what an as-applied challenge is for. Meantime, back to this case, 18 U.S.C. § 1030(a)(4) clearly is aimed at, and limited to, knowing and intentional fraud. Because the indictment adequately states the elements of a valid crime, the district court erred in dismissing the charges.

I respectfully dissent.

[1] The opening screen of the database also included the warning: "This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only."

[2] Fowler's offers these as usage examples: "Everyone is entitled to an opinion" and "We are entitled to make personal choices." "Fowler's Modern English Usage: Entitled," Answers.com, http://www.answers.com/topic/entitle (last visited Mar. 5, 2012).

[3] Congress did just that in the federal trade secrets statute — 18 U.S.C. § 1832 — where it used the common law terms for misappropriation, including "with intent to convert," "steals," "appropriates" and "takes." See 18 U.S.C. § 1832(a). The government also charged Nosal with violating 18 U.S.C. § 1832, and those charges remain pending.

[4] The government fails to acknowledge that its own construction of "exceeds authorized access" suffers from the same flaw of superfluity by rendering an entire element of subsection 1030(a)(4) meaningless. Subsection 1030(a)(4) requires a person to (1) knowingly and (2) with intent to defraud (3) access a protected computer (4) without authorization or exceeding authorized access (5) in order to further the intended fraud. See 18 U.S.C. § 1030(a)(4). Using a computer to defraud the company necessarily contravenes company policy. Therefore, if someone accesses a computer with intent to defraud — satisfying elements (2) and (3) — he would invariably satisfy (4) under the government's definition.

[5] Although the legislative history of the CFAA discusses this anti-hacking purpose, and says nothing about exceeding authorized use of information, the government claims that the legislative history supports its interpretation. It points to an earlier version of the statute, which defined "exceeds authorized access" as "having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend." Pub. L. No. 99-474, § 2(c), 100 Stat. 1213 (1986). But that language was removed and replaced by the current phrase and definition. And Senators Mathias and Leahy — members of the Senate Judiciary Committee — explained that the purpose of replacing the original broader language was to "remove[] from the sweep of the statute one of the murkier grounds of liability, under which a[n] ... employee's access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances." S.Rep. No. 99-432, at 21, 1986 U.S.C.C.A.N. 2479 at 2494. Were there any need to rely on legislative history, it would seem to support Nosal's position rather than the government's.

[6] Enforcement of the CFAA against minor workplace dalliances is not chimerical. Employers have invoked the CFAA against employees in civil cases. In a recent Florida case, after an employee sued her employer for wrongful termination, the company counterclaimed that plaintiff violated section 1030(a)(2)(C) by making personal use of the Internet at work — checking Facebook and sending personal email — in violation of company policy. See Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028 (M.D.Fla. May 6, 2011). The district court dismissed the counterclaim, but it could not have done so if "exceeds authorized access" included violations of private computer use policies.

[7] This concern persists even if intent to defraud is required. Suppose an employee spends six hours tending his FarmVille stable on his work computer. The employee has full access to his computer and the Internet, but the company has a policy that work computers may be used only for business purposes. The employer should be able to fire the employee, but that's quite different from having him arrested as a federal criminal. Yet, under the government's construction of the statute, the employee "exceeds authorized access" by using the computer for non-work activities. Given that the employee deprives his company of six hours of work a day, an aggressive prosecutor might claim that he's defrauding the company, and thereby violating section 1030(a)(4).

[8] See, e.g., Craigslist Terms of Use (http://www.craigslist.org/about/terms.of.use), eBay User Agreement (http://pages.ebay.com/help/policies/user-agreement.html?rt=nc), eHarmony Terms of Service (http://www.eharmony.com/about/terms), Facebook Statement of Rights and Responsibilities (http://www.facebook.com/#!/legal/terms), Google Terms of Service (http://www.google.com/intl/en/policies/terms/), Hulu Terms of Use (http://www.hulu.com/terms), IMDb Conditions of Use (http://www.imdb.com/help/show_article?conditions), JDate Terms and Conditions of Service (http://www.jdate.com/Applications/Article/ArticleView.aspx?CategoryID=1948&ArticleID=6498&HideNav=True#service), LinkedIn User Agreement (http://www.linkedin.com/static?key=user_agreement), Match.com Terms of Use Agreement (http://www.match.com/registration/membagr.aspx?lid=4), MySpace.com Terms of Use Agreement (http://www.myspace.com/Help/Terms?pm_cmp=ed_footer), Netflix Terms of Use (https://signup.netflix.com/TermsOfUse), Pandora Terms of Use (http://www.pandora.com/legal), Spotify Terms and Conditions of Use (http://www.spotify.com/us/legal/end-user-agreement/), Twitter Terms of Service (http://twitter.com/tos), Wikimedia Terms of Use (http://wikimediafoundation.org/wiki/Terms_of_use) and YouTube Terms of Service (http://www.youtube.com/t/terms).

[9] A number of other well-known websites, including Netflix, eBay, Twitter and Amazon, have this age restriction.

8.3 United States v. Nosal

UNITED STATES of America, Plaintiff-Appellee, v. David NOSAL, Defendant-Appellant.

Nos. 14-10037 14-10275

United States Court of Appeals, Ninth Circuit.

Argued and Submitted October 20, 2015 San Francisco, California

Filed July 5, 2016

Amended December 8, 2016

*1027 Dennis P. Riordan (argued) and Donald M. Horgan, Riordan & Horgan, San Francisco, California; Ted Sampsell-Jones, William Mitchell College of Law, St. Paul, Minnesota; for Defendant-Appellant.

Jenny C. Ellickson (argued), Trial Attorney, Criminal Division, Appellate Section; Sung-Hee Suh, Deputy Assistant Attorney General; Leslie R. Caldwell, Assistant Attorney General; United States Department of Justice, Washington, D.C.; J. Douglas Wilson, Assistant United States Attorney, Chief, Appellate Division; Kyle F. Waldinger and Matthew A. Parrella, Assistant United States Attorneys; United States Attorney’s Office, San Francisco, California; for Plaintiff-Appellee.

*1028 Jamie Williams, Cindy Cohn, Andrew Crocker, and Stephanie Lacambra, Electronic Frontier Foundation, San Francisco, California; Esha Bhandari and Rachel Goodman, American Civil Liberties Union Foundation, New York, New York; Linda Lye, Nicole Ozer, and Matthew T. Cagle, American Civil Liberties Union Foundation of Northern California; for Amici Curiae Electronic Frontier Foundation, American Civil Liberties Union, and American Civil Liberties Union of Northern California.

Martin Hansen, Covington & Burling, Washington, D.C.; Simon J. Frankel and Matthew D. Kellogg, Covington & Burling, San Francisco, California, for Amicus Curiae BSA | The Software Alliance.

David Nied, Keenan W. Ng and Michael S. Dorsi, Ad Astra Law Group, San Francisco, California, for Amicus Curiae NovelPoster.

Before: SIDNEY R. THOMAS, Chief Judge and STEPHEN REINHARDT and M. MARGARET McKEOWN, Circuit Judges.

Dissent by Judge REINHARDT

ORDER

The opinion filed on July 5, 2016, and appearing at 828 F.3d 865, is hereby amended. An amended opinion is filed concurrently with this order.

With these amendments, Chief Judge Thomas and Judge McKeown vote to deny the petition for rehearing en banc. Judge Reinhardt votes to grant the petition for rehearing en banc.

The full court has been advised of the petition for rehearing en banc and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.

The petition for rehearing en banc is denied. No further petitions for en banc or panel rehearing shall be permitted.

OPINION

McKEOWN, Circuit Judge:

This is the second time we consider the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, with respect to David Nosal. The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” Id. § 1030(a)(4) (emphasis added).

Only the first prong of the section is before us in this appeal: “knowingly and with intent to defraud” accessing a computer “without authorization.” Embracing our earlier precedent and joining our sister circuits, we conclude that “without authorization” is an unambiguous, nontechnical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. Further, we have held that authorization is not pegged to website terms and conditions. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door. This provision, coupled with the requirement that access be “knowingly and with intent to defraud,” means that the statute will not sweep in innocent conduct, such as family password sharing.

Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. Before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new enterprise. Although they were authorized *1029 to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies. In 2012, we addressed whether those employees “exceed[ed] authorized access” with intent to defraud under the CFAA. United States v. Nosal (Nosal I), 676 F.3d 854 (9th Cir. 2012) (en banc). Distinguishing between access restrictions and use restrictions, we concluded that the “exceeds authorized access” prong of § 1030(a)(4) of the CFAA “does not extend to violations of [a company’s] use restrictions.” Id. at 863. We affirmed the district court’s dismissal of the five CFAA counts related to Nosal’s aiding and abetting misuse of data accessed by his co-workers with their own passwords.

The remaining counts relate to statutory provisions that were not at issue in Nosal I: access to a protected computer “without authorization” under the CFAA and trade secret theft under the Economic Espionage Act (“EEA”), 18 U.S.C. § 1831 et seq. When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. The company took the same precaution upon the departure of his accomplices, Becky Christian and Mark Jacobson. Nonetheless, they continued to access the database using the credentials of Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux (“FH”), who remained at Korn/Ferry at Nosal’s request. The question we consider is whether the jury properly convicted Nosal of conspiracy to violate the “without authorization” provision of the CFAA for unauthorized access to, and downloads from, his former employer’s database called Searcher.1 Put simply, we are asked to decide whether the “without authorization” prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.

We directly answered this question in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), and reiterate our holding here: “[A] person uses a computer ‘without authorization’ under [the CFAA] ... when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Id. at 1135. This straightforward principle embodies the common sense, ordinary meaning of the “without authorization” prohibition.

Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute. Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on “knowingly and with intent to defraud” accessing a computer “without *1030 authorization,” and thus we affirm Nosal’s conviction for violations of § 1030(a)(4) of the CFAA.

The dissent mistakenly focuses on FH’s authority, sidestepping the authorization question for Christian and Jacobson. To begin, FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, in collapsing the distinction between FH’s authorization and that of Christian and Jacobson, the dissent would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.

We also affirm Nosal’s convictions under the EEA for downloading, receiving and possessing trade secrets in the form of source lists from Searcher. We vacate in part and remand the restitution order for reconsideration of the reasonableness of the attorneys’ fees award.

Background

I. Factual Background

Nosal was a high-level regional director at the global executive search firm Korn/Ferry International. Korn/Ferry’s bread and butter was identifying and recommending potential candidates for corporate positions. In 2004, after being passed over for a promotion, Nosal announced his intention to leave Korn/Ferry. Negotiations ensued and Nosal agreed to stay on for an additional year as a contractor to finish a handful of open searches, subject to a blanket non-competition agreement. As he put it, Korn/Ferry was giving him “a lot of money” to “stay out of the market.”

During this interim period, Nosal was very busy, secretly launching his own search firm along with other Korn/Ferry employees, including Christian, Jacobson and FH. As of December 8, 2004, Korn/Ferry revoked Nosal’s access to its computers, although it permitted him to ask Korn/Ferry employees for research help on his remaining open assignments. In January 2005, Christian left Korn/Ferry and, under instructions from Nosal, set up an executive search firm—Christian & Associates—from which Nosal retained 80% of fees. Jacobson followed her a few months later. As Nosal, Christian and Jacobson began work for clients, Nosal used the name “David Nelson” to mask his identity when interviewing candidates.

The start-up company was missing Korn/Ferry’s core asset: “Searcher,” an internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995. Searcher was central to Korn/Ferry’s work for clients. When launching a new search to fill an open executive position, Korn/Ferry teams started by compiling a “source list” of potential candidates. In constructing the list, the employees would run queries in Searcher to generate a list of candidates. To speed up the process, employees could look at old source lists in Searcher to see how a search for a similar position was constructed, or to identify suitable candidates. The resulting source list could include hundreds of names, but then was narrowed to a short list of candidates presented to the client. Korn/Ferry considered these source lists proprietary.

Searcher included data from a number of public and quasi-public sources like LinkedIn, corporate filings and Internet searches, and also included internal, nonpublic sources, such as personal connections, unsolicited resumes sent to Korn/Ferry and data inputted directly by candidates via Korn/Ferry’s website. The data was coded upon entry; as a result, employees could run targeted searches for candidates by criteria such as age, *1031 industry, experience or other data points. However, once the information became part of the Searcher system, it was integrated with other data and there was no way to identify the source of the data.

Searcher was hosted on the company’s internal computer network and was considered confidential and for use only in Korn/Ferry business. Korn/Ferry issued each employee a unique username and password to its computer system; no separate password was required to access Searcher. Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign. When a user requested a custom report in Searcher, Searcher displayed a message which stated: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”

Nosal and his compatriots downloaded information and source lists from Searcher in preparation to launch the new competitor. Before leaving Korn/Ferry, they used their own usernames and passwords, compiling proprietary Korn/Ferry data in violation of Korn/Ferry’s computer use policy. Those efforts were encompassed in the CFAA accounts appealed in Nosal I. See 676 F.3d at 856.

After Nosal became a contractor and Christian and Jacobson left Korn/Ferry, Korn/Ferry revoked each of their credentials to access Korn/Ferry’s computer system. Not to be deterred, on three occasions Christian and Jacobson borrowed access credentials from FH, who stayed on at Korn/Ferry at Nosal’s request. In April 2005, Nosal instructed Christian to obtain some source lists from Searcher to expedite their work for a new client. Thinking it would be difficult to explain the request to FH, Christian asked to borrow FH’s access credentials, which Christian then used to log in to Korn/Ferry’s computer system and run queries in Searcher. Christian sent the results of her searches to Nosal. In July 2005, Christian again logged in as FH to generate a custom report and search for information on three individuals. Later in July, Jacobson also logged in as FH, to download information on 2,400 executives. None of these searches related to any open searches that fell under Nosal’s independent contractor agreement.

In March 2005, Korn/Ferry received an email from an unidentified person advising that Nosal was conducting his own business in violation of his non-compete agreement. The company launched an investigation and, in July 2005, contacted government authorities.

II. Procedural Background

In the first indictment, Nosal was charged with twenty criminal counts, including eight counts under the CFAA, two trade secrets counts under the Economic Espionage Act and one conspiracy count. Five of the eight CFAA counts were based on allegations that FH and Christian downloaded material from Searcher using their own credentials while employed by Korn/Ferry in violation of company policies. The district court dismissed these counts, citing our decision in Brekka, 581 F.3d 1127. That dismissal was affirmed by the en banc court in Nosal I, and the case was remanded for trial on the remaining counts. 676 F.3d at 864.

The government filed a second superseding indictment in February 2013 with three CFAA counts, two trade secrets counts and one conspiracy count. Nosal’s remaining CFAA counts were based on the three occasions when Christian and Jacobson accessed Korn/Ferry’s system for their new clients using FH’s login credentials. The district court denied Nosal’s motion to dismiss the three remaining CFAA counts, rejecting the argument that *1032 Nosal I limited the statute’s applicability “to hacking crimes where the defendant circumvented technological barriers to access a computer.” United States v. Nosal, 930 F.Supp.2d 1051, 1060 (N.D. Cal. 2013). Alternatively, the court held that “the indictment sufficiently allege[d] such circumvention.” Id. at 1061. A jury convicted Nosal on all counts. The district court sentenced Nosal to one year and one day in prison, three years of supervised release, a $60,000 fine, a $600 special assessment and approximately $828,000 in restitution to Korn/Ferry.

Analysis

I. Convictions Under the Computer Fraud and Abuse Act

A. Background of the CFAA

The CFAA was originally enacted in 1984 as the Counterfeit Access Device and Computer Fraud and Abuse Act, Pub. L. No. 98-473, § 2102(a), 98 Stat. 2190 (1984). The act was aimed at “hackers who accessed computers to steal information or to disrupt or destroy computer functionality.” Brekka, 581 F.3d at 1130-31 (citing H.R. Rep. No. 98-894, at 8-9 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3694). The original legislation protected government and financial institution computers,2 and made it a felony to access classified information in a computer “without authorization.” Counterfeit Access Device and Computer Fraud and Abuse Act § 2102(a).

Just two years later in 1986, Congress amended the statute to “deter[ ] and punish[ ] certain ‘high-tech’ crimes,” and “to penalize thefts of property via computer that occur as part of a scheme to defraud,” S. Rep. No. 99-432, at 4, 9 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482, 2486-87. The amendment expanded the CFAA’s protections to private computers. Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, § 2(g)(4), 100 Stat. 1213-15.3

The key section of the CFAA at issue is 18 U.S.C. § 1030(a)(4), which provides in relevant part:

Whoever ... knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... shall be punished....

A key element of the statute is the requirement that the access be “knowingly and with intent to defraud.” Not surprisingly, this phrase is not defined in the CFAA as it is the bread and butter of many criminal statutes. Indeed, the district court borrowed the language from the Ninth Circuit model jury instructions in defining “knowingly” and “intent to defraud” for the jury, and Nosal does not renew any challenges to those instructions on appeal. This mens rea element of the statute is critical because imposing the “intent to defraud” element targets knowing and specific conduct and does not *1033 embrace the parade of hypotheticals generated by Nosal and amici.

The CFAA defines “exceeds authorized access” as “access [to] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). The statute does not, however, define “without authorization.” Both terms are used throughout § 1030. Subsection 1030(a)(2), which mirrors (a)(4) but requires that access be intentional, penalizes access without authorization and exceeding authorization. Subsection 1030(a)(1) also incorporates both terms in relation to accessing a computer and obtaining national security information. Subsection 1030(a)(7)(B) criminalizes extortion by threats to obtain information “without authorization or in excess of authorization.” The remaining subsections pertain only to access “without authorization.” Subsection 1030(a)(3) prohibits access “without authorization” to nonpublic government computers. Subsections 1030(a)(5) and (6) employ the term “without authorization” with respect to, among other things, “transmission of a program, information, code, or command,” § 1030(a)(5)(A); intentional access that “causes damage and loss,” § 1030(a)(5)(C); and trafficking in passwords, § 1030(a)(6). In construing the statute, we are cognizant of the need for congruence among these subsections.

B. Meaning of “Authorization” Under the CFAA

The interpretive fireworks under § 1030(a)(4) of the CFAA have been reserved for its second prong, the meaning of “exceeds authorized access.” Not surprisingly, there has been no division among the circuits on the straightforward “without authorization” prong of this section. We begin with the two Ninth Circuit cases that bind our interpretation of “without authorization”—Brekka and Nosal I—and then move on to address the cases from our sister circuits that are in accord with Brekka, agreeing that “without authorization” is an unambiguous term that should be given its ordinary meaning.

Brekka involved a former employee in circumstances remarkably similar to Nosal: he wanted to compete using confidential data from his former company. Christopher Brekka worked as an internet marketer with LVRC Holdings, LLC (“LVRC”), a residential addiction treatment center. Brekka, 581 F.3d at 1129. LVRC assigned him a computer and gave him access credentials to a third-party website that tracked traffic and other information for LVRC’s website. Id. at 1129-30. When negotiations to become part owner of LVRC broke down, Brekka left the company. Id. at 1130. LVRC sued him, claiming that he violated the CFAA by emailing certain confidential company documents to his personal email account while an employee and also by continuing to access LVRC’s account on the external website after he left the company. Id.

In Brekka we analyzed both the “without authorization” and “exceeds authorization” provisions of the statute under §§ 1030(a)(2) and (4). Id. at 1132-36. Because the CFAA does not define the term “authorization,” we looked to the ordinary, contemporaneous meaning of the term: “ ‘permission or power granted by an authority.’” Id. at 1133 (quoting Random House Unabridged Dictionary 139 (2001)). In determining whether an employee has authorization, we stated that, consistent with “the plain language of the statute ... ‘authorization’ [to use an employer’s computer] depends on actions taken by the employer.” Id. at 1135. We concluded that because Brekka had permission to use his employer’s computer, “[t]he most straightforward interpretation of §§ 1030(a)(2) and *1034 (4) is that Brekka had authorization to use the computer” while an employee. Id. at 1133.

Brekka’s access after LVRC terminated his employment presented a starkly different situation: “There is no dispute that if Brekka accessed LVRC’s information on the [traffic monitoring] website after he left the company ..., Brekka would have accessed a protected computer ‘without authorization’ for purposes of the CFAA.” Id. at 1136.4 Stated differently, we held that “a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) ... when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Id. at 1135. In Brekka’s case, there was no genuine issue of material fact as to whether Brekka actually accessed the website, and thus we affirmed the district court’s grant of summary judgment. Id. at 1137.

Not surprisingly, in Nosal I as in this appeal, both the government and Nosal cited Brekka extensively. The focus of Nosal’s first appeal was whether the CFAA could be interpreted “broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.” Nosal I, 676 F.3d at 862. We unequivocally said “no”: “For our part, we continue to follow in the path blazed by Brekka and the growing number of courts that have reached the same conclusion. These courts recognize that the plain language of the CFAA ‘target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.’” Id. at 863 (citations omitted) (alteration in original). In line with Brekka, we stated that “‘[w]ithout authorization’ would apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorization access’ would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).” Id. at 858 (emphases in original). Because Nosal’s accomplices had authority to access the company computers, we affirmed the district court’s dismissal of the CFAA counts related to the period when the accomplices were still employed at Korn/Ferry. Id. at 864.

In Nosal I, authorization was not in doubt. The employees who accessed the Korn/Ferry computers unquestionably had authorization from the company to access the system; the question was whether they exceeded it. What Nosal I did not address was whether Nosal’s access to Korn/Ferry computers after both Nosal and his co-conspirators had terminated their employment and Korn/Ferry revoked their permission to access the computers was “without authorization.” Brekka is squarely on point on that issue: Nosal and his co-conspirators acted “without authorization” when they continued to access Searcher by other means after Korn/Ferry rescinded permission to access its computer system. As Nosal I made clear, the CFAA was not intended to cover unauthorized use of information. Such use is not at issue here. Rather, under § 1030(a)(4), Nosal is charged with unauthorized access—getting into the computer after categorically being barred from entry.

The text of the CFAA confirms Brekka’s approach. Employing classic statutory interpretation, we consider the plain and ordinary meaning of the words “without authorization.” See United States v. *1035 Stewart, 311 U.S. 60, 63, 61 S.Ct. 102, 85 L.Ed. 40 (1940). Under our analysis in Brekka, “authorization” means “ ‘permission or power granted by an authority.’ ” 581 F.3d at 1133 (quoting Random House Unabridged Dictionary 139 (2001)). Other sources employ similar definitions. Black’s Law Dictionary defines “authorization” as “[o]fficial permission to do something; sanction or warrant.” Black’s Law Dictionary 159 (10th ed. 2014). The Oxford English Dictionary defines it as “the action of authorizing,” which means to “give official permission for or approval to.” Oxford English Dictionary 107 (3d ed. 2014). That common sense meaning is not foreign to Congress or the courts: the terms “authorize,” “authorized” or “authorization” are used without definition over 400 times in Title 18 of the United States Code.5 We conclude that given its ordinary meaning, access “without authorization” under the CFAA is not ambiguous. See United States v. James, 810 F.3d 674, 681 (9th Cir. 2016) (concluding that the mere fact that a broad, but otherwise clear, statutory term is “susceptible to application to various factual situations that can come before a jury” does not by itself render a term ambiguous).

That straightforward meaning is also unambiguous as applied to the facts of this case.6 Nosal and his co-conspirators did exactly what Brekka prohibits—a conclusion that is not affected by the co-conspirators’ use of FH’s legitimate access credentials. Implicit in the definition of authorization is the notion that someone, including an entity, can grant or revoke that permission. Here, that entity was Korn/Ferry, and FH had no mantle or authority to override Korn/Ferry’s authority to control access to its computers and confidential information by giving permission to former employees whose access had been categorically revoked by the company.7 Korn/Ferry owned and controlled access to its computers, including *1036 the Searcher database, and it retained exclusive discretion to issue or revoke access to the database. By revoking Nosal’s login credentials on December 8, 2004, Korn/Ferry unequivocally conveyed to Nosal that he was an “outsider” who was no longer authorized to access Korn/Ferry computers and confidential information, including Searcher.8 Korn/Ferry also rescinded Christian and Jacobson’s credentials after they left, at which point the three former employees were no longer “insiders” accessing company information. Rather, they had become “outsiders” with no authorization to access Korn/Ferry’s computer system.9 One can certainly pose hypotheticals in which a less stark revocation is followed by more sympathetic access through an authorized third party. But the facts before us—in which Nosal received particularized notice of his revoked access following a prolonged negotiation—present no such difficulties, which can be reserved for another day.

Our analysis is consistent with that of our sister circuits, which have also determined that the term “without authorization” is unambiguous.10 Although the meaning of “exceeds authorized access” in the CFAA has been subject to much debate among the federal courts,11 the definition of “without authorization” has not engendered dispute. Indeed, Nosal provides no contrary authority that a former *1037 employee whose computer access has been revoked can access his former employer’s computer system and be deemed to act with authorization.

Beginning in 1991, in construing § 1030(a)(5)(A),12 the Second Circuit recognized that “authorization” is a word “of common usage, without any technical or ambiguous meaning.” United States v. Morris, 928 F.2d 504, 511 (2d Cir. 1991). The court reaffirmed this holding in 2015, citing Brekka and stating that “common usage of ‘authorization’ suggests that one ‘accesses a computer without authorization’ if he accesses a computer without permission to do so at all.” United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015).

The Fourth Circuit’s analysis mirrors the conclusion that the “without authorization” language is unambiguous based on its ordinary meaning:

Recognizing that the distinction between [“exceeds authorized access” and access “without authorization”] is arguably minute, we nevertheless conclude based on the ordinary, contemporary, common meaning of “authorization,” that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer. Thus, he accesses a computer “without authorization” when he gains admission to a computer without approval. Similarly, we conclude that an employee “exceeds authorized access” when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.

WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012) (internal citations omitted).

Like the other courts, the Sixth Circuit noted that “[t]he plain meaning of ‘authorization’ is ‘[t]he conferment of legality; ... sanction.’ Commonly understood, then, a defendant who accesses a computer ‘without authorization’ does so without sanction or permission.” Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 303-04 (6th Cir. 2011) (quoting 1 Oxford English Dictionary 798 (2d ed. 1989)). Based on ordinary usage, the Sixth Circuit similarly reasoned that “‘a person who uses a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer in question.’ ” Id. at 304 (alteration in original) (quoting Brekka, 581 F.3d at 1133); see also United States v. Willis, 476 F.3d 1121, 1124-27 (10th Cir. 2007) (upholding a conviction for aiding and abetting access to a protected computer “without authorization” where an employee gave login credentials for a financial information website to an associate of his drug dealer who in turn used the accessed information for identity theft).

In the face of multiple circuits that agree with our plain meaning construction of the statute, the dissent would have us ignore common sense and turn the statute inside out. Indeed, the dissent frames the question upside down in assuming that permission from FH is at issue. Under this approach, ignoring reality and practice, an employee could undermine the company’s ability to control access to its own computers by willy nilly giving out passwords to anyone outside the company—former employees whose access had been revoked, competitors, industrious hackers or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery. See Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1179-80 (2016).

*1038 Our conclusion does nothing to expand the scope of violations under the CFAA beyond Brekka; nor does it rest on the grace of prosecutorial discretion. We are mindful of the examples noted in Nosal I—and reiterated by Nosal and various amici—that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal I, 676 F.3d at 859. But these concerns are ill-founded because § 1030(a)(4) requires access be “knowingly and with intent to defraud” and further, we have held that violating use restrictions, like a website’s terms of use, is insufficient without more to form the basis for liability under the CFAA. See Nosal I, 676 F.3d at 862-63. The circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer—bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I—“exceeds authorized access”—or even an ambiguous application of the phrase “without authorization,” but instead relate to the straightforward application of a common, unambiguous term to the facts and context at issue.

The Brekka analysis of the specific phrase “without authorization”—which is consistent with our sister circuits—remains controlling and persuasive. We therefore hold that Nosal, a former employee whose computer access credentials were affirmatively revoked by Korn/Ferry acted “without authorization” in violation of the CFAA when he or his former employee co-conspirators used the login credentials of a current employee to gain access to confidential computer data owned by the former employer and to circumvent Korn/Ferry’s revocation of access.

C. Jury instruction on “Without Authorization”

With respect to the meaning of “without authorization,” the district court instructed the jury as follows:

Whether a person is authorized to access the computers in this case depends on the actions taken by Korn/Ferry to grant or deny permission to that person to use the computer. A person uses a computer “without authorization” when the person has not received permission from Korn/Ferry to use the computer for any purpose (such as when a hacker accesses the computer without any permission), or when Korn/Ferry has rescinded permission to use the computer and the person uses the computer anyway.

The instruction is derived directly from our decision in Brekka and is a fair and accurate characterization of the plain meaning of “without authorization.” Although the term “without authorization” is unambiguous, it does not mean that the facts don’t matter; the source and scope of authorization may well be at issue. Here, it was not disputed that Korn/Ferry was the source of permission to grant authorization. The jury instruction left to the jury to determine whether such permission was given.

Nosal challenges the instruction on the basis that the CFAA only criminalizes access where the party circumvents a technological access barrier.13 Not only is such *1039 a requirement missing from the statutory language, but it would make little sense because some § 1030 offenses do not require access to a computer at all. For example, § (a)(6) imposes penalties for trafficking in passwords “through which a computer can be accessed without authorization....” 18 U.S.C. § 1030(a).

In any event, Nosal’s argument misses the mark on the technological access point. Even if he were correct, any instructional error was without consequence in light of the evidence. The password system adopted by Korn/Ferry is unquestionably a technological barrier designed to keep out those “without authorization.” Had a thief stolen an employee’s password and then used it to rifle through Searcher, without doubt, access would have been without authorization.

The same principle holds true here. A password requirement is designed to be a technological access barrier.

D. Accomplice Liability Under the CFAA

Nosal’s convictions under the CFAA rest on accomplice liability. Nosal claims the government failed to prove the requisite mens rea. Two instructions bear on this issue: aiding and abetting and deliberate ignorance. As to the former, which is not challenged on appeal, the court instructed that the government must prove Nosal “knowingly and intentionally aided, counseled, commanded, induced or procured [a] person to commit each element of the crime” and did so “before the crime was completed ... with the knowledge and intention of helping that person commit the crime.” The court also instructed that the defendant acted “knowingly” if he was “aware of the act and [did] not act or fail to act through ignorance, mistake, or accident.” The adjunct deliberate ignorance instruction read: the defendant acted “knowingly” if he “was aware of a high probability that [Christian, Jacobson, or FH] had gained unauthorized access to a computer ... or misappropriated trade secrets ... without authorization ... and deliberately avoided learning the truth.”

At trial, Nosal objected to the deliberate ignorance instruction on the ground that the facts alleged did not permit a deliberate ignorance theory. On appeal, for the first time, he argues that the instruction is erroneous because it undermines the requirement that Nosal had advance knowledge of the crime.14 We review this challenge for plain error. See Jones v. United States, 527 U.S. 373, 388, 119 S.Ct. 2090, 144 L.Ed.2d 370 (1999).

We have repeatedly held that a statutory requirement that a criminal defendant acted “knowingly” is “not limited to positive knowledge, but includes the state of mind of one who does not possess positive knowledge only because he consciously avoided it.” United States v. Heredia, 483 F.3d 913, 918 (9th Cir. 2007) (internal citation and alterations omitted); see also United States v. Jewell, 532 F.2d 697, 700 (9th Cir. 1976) (“To act ‘knowingly,’ therefore, is not necessarily to act only with positive knowledge, but also to act with an awareness of the high probability of the existence of the fact in question. When such awareness is present, ‘positive’ knowledge is not required.”). We have equated positive knowledge and deliberate ignorance in upholding conspiracy convictions and see no reason to distinguish *1040 aiding and abetting liability. See, e.g., United States v. Ramos-Atondo, 732 F.3d 1113, 1120 (9th Cir. 2013) (holding the district court did not abuse its discretion by instructing the jury on a theory of deliberate ignorance in the context of a conspiracy to import marijuana as “‘[t]he Jewell standard eliminates the need to establish such positive knowledge to obtain a conspiracy conviction’ ” (alterations in original) (quoting United States v. Nicholson, 677 F.2d 706, 711 (9th Cir. 1982))).

Nor does the recent case Rosemond v. United States counsel a different result. — U.S. —, 134 S.Ct. 1240, 188 L.Ed.2d 248 (2014). In Rosemond, the Supreme Court held that an accomplice must have “advance knowledge” of the crime the principal is planning to commit, “knowledge that enables him to make the relevant legal (and indeed, moral) choice.” Id. at 1249. Nosal argues that the district court erred in not including Rosemond’s advance knowledge requirement. But as the Supreme Court notes, an advance knowledge requirement for accomplice liability is not new. Id. at 1248-49. Nothing in Rosemond suggests that the Court foreclosed a deliberate ignorance instruction, which was not an issue in the case. Instead, Rosemond focuses on when a defendant must have advance knowledge, meaning “knowledge at a time the accomplice can do something with it—most notably, opt to walk away.” Id. at 1249-50. The instructions here are perfectly consonant with our line of cases extending back to Jewell. If the Supreme Court had chosen to overturn decades of jurisprudence, we would expect clearer direction. See United States v. Ford, 821 F.3d 63, 74 (1st Cir. 2016) (holding that “willful blindness,” including ignoring “red flags,” meets the mens rea element of aiding and abetting liability, and discussing the impact of Rosemond elsewhere in the opinion).

Apart from the instruction, Nosal challenges the sufficiency of the evidence, claiming evidence of intent was insufficient because he didn’t have advance knowledge that Christian and Jacobson would use FH’s password. This attack fails because, “after viewing the evidence in the light most favorable to the prosecution, any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.” Jackson v. Virginia, 443 U.S. 307, 319, 99 S.Ct. 2781, 61 L.Ed.2d 560 (1979) (emphasis in original). Extensive testimony revealed that Nosal wanted his team to obtain information from Searcher all while maintaining his distance from their activities.

Although the conviction may be upheld solely under Pinkerton, which “ ‘renders all co-conspirators criminally liable for reasonably foreseeable overt acts committed by others in furtherance of the conspiracy,’ ” United States v. Bingham, 653 F.3d 983, 997 (9th Cir. 2011) (quoting United States v. Hernandez-Orellana, 539 F.3d 994, 1006-07 (9th Cir. 2008)), sufficient evidence independently supports the aiding and abetting counts.

Christian’s testimony is illustrative:

Q. Did the defendant know you were using [FH’s] password, after you left Korn/Ferry, to get source lists and other documents from Korn/Ferry?
A. Yes.
Q. Any doubt to your mind that he knew that?
A. No.

This unequivocal statement, which more than satisfies the Jackson v. Virginia standard, is bolstered by other evidence, including extensive testimony that Nosal wanted his team to obtain information from Searcher while maintaining his distance from their activities but knew and understood that none of them had access *1041 credentials. A juror also could have easily surmised that Nosal, having worked with FH for years on a daily basis, would have known that she had herself never run custom reports, developed source lists or pulled old source lists. When Nosal specifically directed Christian to access Korn/Ferry’s computer system to “[g]et what I need,” Nosal knew that the only way Christian and Jacobson could access the source lists was “without authorization” because Korn/Ferry had revoked their access credentials.

We affirm Nosal’s conviction on the CFAA counts.

II. Convictions Under the Economic Espionage Act (EEA)

The jury convicted Nosal of two counts of trade secret theft under the EEA: Count 5 charged “unauthorized downloading, copying and duplicating of trade secrets” in violation of 18 U.S.C. §§ 1832(a)(2) & (a)(4); and Count 6 charged unauthorized receipt and possession of stolen trade secrets in violation of 18 U.S.C. § 1832(a)(3) & (a)(4). Both counts relate to Christian’s use of FH’s login credentials to obtain three source lists of CFOs from Searcher. Count 6 also included a “cut and paste” of a list of executives derived from Searcher. Christian emailed Nosal the resulting lists, which contained candidate names, company positions and phone numbers. Nosal primarily challenges the sufficiency of the evidence on the trade secret counts.

A. Sufficiency of the Evidence—Counts 5 and 6

Violation of the EEA requires, among other things, “intent to convert a trade secret” and “intending or knowing that the offense will[ ] injure [an] owner of that trade secret....” 18 U.S.C. § 1832(a). The jury instruction for Count 5—downloading, copying and duplicating trade secrets—set out the following elements:

1. At least one of the three source lists is a trade secret (requiring agreement on which one);
2. Nosal knew that the source list was a trade secret;
3. Nosal knowingly, and without authorization, downloaded, copied or duplicated the trade secret;
4. Nosal intended to convert the trade secret to the economic benefit of someone other than the owner;
5. Nosal knew or intended that the offense would injure the trade secret owner; and
6. The trade secret was related to or included in a product in interstate commerce.

The instruction for Count 6—receiving and possessing trade secrets—replaced the third element with a requirement of knowing receipt or possession of a trade secret with the knowledge that it was “stolen or appropriated, obtained, or converted without authorization” and added the “cut and paste” list as one of the possible trade secrets.

Nosal argues that the government failed to prove: 1) secrecy and difficulty of development, because the search information was derived from public sources and because there was no evidence the source lists had not been circulated outside Korn/Ferry; 2) knowledge of trade secret status; and 3) knowledge of injury to, or an intent to injure, Korn/Ferry.

The notion of a trade secret often conjures up magic formulas, like Coca Cola’s proprietary formula, technical drawings or scientific data. So it is no surprise that such technically complex cases have been brought under the EEA. See, e.g., United States v. Chung, 659 F.3d 815, 819 (9th Cir. 2011) (documents related to space shuttles and rockets); United States v. Yang, 281 F.3d 534, 540 (6th Cir. 2002) *1042 (scientific research in adhesives); United States v. Hsu, 155 F.3d 189, 191-92 (3d Cir. 1998) (processes, methods and formulas for manufacturing an anti-cancer drug).

But the scope of the EEA is not limited to these categories and the EEA, by its terms, includes financial and business information. The EEA defines a trade secret as

all forms and types of financial, business, scientific, technical, economic, or engineering information, including ... compilations ... if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public....

18 U.S.C. § 1839(3).15

The thrust of Nosal’s argument is that the source lists are composed largely, if not entirely, of public information and therefore couldn’t possibly be trade secrets. But he overlooks the principle that a trade secret may consist of a compilation of data, public sources or a combination of proprietary and public sources. It is well recognized that

it is the secrecy of the claimed trade secret as a whole that is determinative. The fact that some or all of the components of the trade secret are well-known does not preclude protection for a secret combination, compilation, or integration of the individual elements.... [T]he theoretical possibility of reconstructing the secret from published materials containing scattered references to portions of the information or of extracting it from public materials unlikely to come to the attention of the appropriator will not preclude relief against the wrongful conduct....

Restatement (Third) of Unfair Competition § 39 cmt. f (1995); see also Computer Care v. Serv. Sys. Enters., Inc., 982 F.2d 1063, 1074 (7th Cir. 1992) (“A trade secret can exist in a combination of characteristics and components, each of which, by itself, is in the public domain, but the unified process design and operation of which in unique combination affords a competitive advantage and is a protectable trade secret” (internal citation omitted)); Boeing Co. v. Sierracin Corp., 108 Wash.2d 38, 738 P.2d 665, 675 (1987) (holding that “trade secrets frequently contain elements that by themselves may be in the public domain but together qualify as trade secrets”). Expressed differently, a compilation that affords a competitive advantage and is not readily ascertainable falls within the definition of a trade secret.

The source lists in question are classic examples of a trade secret that derives from an amalgam of public and proprietary source data. To be sure, some of the data came from public sources and other data came from internal, confidential sources. But cumulatively, the Searcher database contained a massive confidential compilation of data, the product of years of effort and expense. Each source list was the result of a query run through a proprietary algorithm that generates a custom subset of possible candidates, culled from a database of over one million executives. The source lists were not unwashed, public-domain lists of all financial executives in the United States, nor otherwise related to a search that could be readily completed using public sources. Had the query been “who is the CFO of General Motors” or *1043 “who are all of the CFOs in a particular industry,” our analysis might be different. Instead, the nature of the trade secret and its value stemmed from the unique integration, compilation, cultivation, and sorting of, and the aggressive protections applied to, the Searcher database.

Nosal takes the view that the source lists are merely customer lists that cannot be protected as trade secrets. This characterization attempts to sidestep the unique nature of the source lists, which are the customized product of a massive database, not a list of well-known customers. Regardless, courts have deemed customer lists protectable trade secrets. See, e.g., Hollingsworth Solderless Terminal Co. v. Turley, 622 F.2d 1324, 1332-33 (9th Cir. 1980) (setting out in detail how to analyze whether a customer list is a trade secret); Hertz v. Luzenac Grp., 576 F.3d 1103, 1114 (10th Cir. 2009) (holding that a customer list may be a trade secret where “it is the end result of a long process of culling the relevant information from lengthy and diverse sources, even if the original sources are publicly available”).

Our approach is not novel. This case is remarkably similar to Conseco Finance Servicing Corp. v. North American Mortgage Co., 381 F.3d 811 (8th Cir. 2004). Conseco was a financial services company that issued subprime mortgages. Id. at 814. It generated potential customer leads through a database of information on over 40 million individuals. Id. at 815. A computer program compiled lists of potential customers, which were sent to branch offices as “customer lead sheets,” coded from most promising (red) to decent (blue). Id. Several departing staff took copies of the lead sheets and went to work for a competitor. Id. at 816. Even though all the information in the lead sheets was public, the Eighth Circuit held that they were trade secrets: they “are a product of a specialized—and apparently quite effective—computer program that was uniquely Conseco’s.” Id. at 819.16

Nosal also takes aim at the secrecy of the three source lists in question, an argument that is intertwined with his public domain/compilation claim. The jury heard more than enough evidence to support its verdict. Christian acknowledged that the only place she could obtain the source lists she needed was on Korn/Ferry’s computer system. Notably, some of the downloaded information came from a source list for an engagement that was opened only twelve days prior to the April 12 downloads underlying the trade secret counts.

Although Nosal claims that Korn/Ferry’s sharing of lists with clients and others undermined this claim of secrecy, witnesses who worked at Korn/Ferry did not budge in terms of procedures undertaken to keep the data secret, both in terms of technology protections built into the computer system and the limitations on distribution of the search results. For example, the Vice-President of Information Services testified that, to her knowledge, the source lists had never been released by Korn/Ferry to any third parties. As a matter of practice, Korn/Ferry did not show source lists to clients. In the occasional instance when a client was given a source list or shown one at a pitch, it was provided on an understanding of confidentiality, and disclosing the lists was contrary to company policy. It is also well established that “confidential disclosures to employees, *1044 licensees, or others will not destroy the information’s status as a trade secret.” Restatement (Third) of Unfair Competition § 39 cmt. f (1995).

In light of the above, it would be naive to conclude that Nosal was unaware that the information pirated by Christian included trade secrets or that the piracy would harm Korn/Ferry. As a former senior executive at Korn/Ferry, Nosal was deeply familiar with the competitive advantage Searcher provided, and was cognizant of the measures the company took to protect the source lists generated. He signed a confidentiality agreement stating that “information databases and company records are extremely valuable assets of [Korn/Ferry’s] business and are accorded the legal protection applicable to a company’s trade secrets.” The source lists were also marked “Korn/Ferry Proprietary & Confidential.” While a label or proprietary marking alone does not confer trade secret status, the notice and protective measures taken by Korn/Ferry significantly undermine Nosal’s claim he was unaware the source lists were trade secret information.

Nosal’s argument that he and his colleagues were unaware their actions would harm Korn/Ferry also holds no water. They launched a direct competitor to Korn/Ferry and went to great lengths to access the source lists, fully aware of the competitive advantage Searcher gave Korn/Ferry as they attempted to populate their own database. Christian underscored the value of the lists through her testimony that she and Nosal used the source lists to complete searches faster and gain credibility with clients. They recognized that the required substantial investment of time, money and elbow grease to even try to replicate the source lists would have destroyed their prime value—immediacy.

At trial, Nosal’s counsel endeavored to attack the secrecy, knowledge and other elements of the trade secret counts. The jury heard extensive testimony and argument. Construing the evidence in the light most favorable to the government, a rational juror could have concluded that the evidence supported convictions under §§ 1832(a)(2), (3) and (4) of the EEA. As the Supreme Court explained just this year, our “limited review does not intrude on the jury’s role ‘to resolve conflicts in the testimony, to weigh the evidence, and to draw reasonable inferences from basic facts to ultimate facts.’ ” Musacchio, 136 S.Ct. at 715 (quoting Jackson, 443 U.S. at 319, 99 S.Ct. 2781). It was no stretch for the jury to conclude that the source lists were trade secrets, that Nosal knew they were trade secrets and that Nosal knew stealing the source lists would harm Korn/Ferry by helping a competitor—Nosal’s own company.

B. Conspiracy Jury Instruction

With respect to trade secrets, the conspiracy jury instruction stated that “the government need not prove the existence of actual trade secrets and that Defendant knew that the information in question was a trade secret. However, the government must prove that Defendant firmly believed that certain information constituted trade secrets.” Nosal argues that the court constructively amended the indictment because the indictment alleges theft of actual trade secrets while the jury instruction did not require proof of actual trade secrets. Constructive amendment occurs where “the crime charged is substantially changed at trial, so that it is impossible to know whether the grand jury would have indicted for the crime actually proved.” United States v. Howick, 263 F.3d 1056, 1063 (9th Cir. 2001) (citations and alterations omitted). Here, there was no constructive amendment. In indicting Nosal for theft of trade secrets under 18 U.S.C. § 1832(a), the grand jury necessarily considered whether Nosal “knowingly” *1045 stole the source lists; “firmly believed” is a lesser standard. A grand jury that indicted on this more inclusive “knowing” standard would necessarily have indicted on this lesser standard.

In a related vein, Nosal claims that the instruction unfairly removes the requirement to prove an actual trade secret. The instruction reflects our circuit’s precedent on conspiracy charges—a conviction may be upheld even where the object of the crime was not a legal possibility. See United States v. Rodriguez, 360 F.3d 949, 957 (9th Cir. 2004) (upholding convictions for conspiracy to rob cocaine traffickers where “neither the narcotics nor the narcotics traffickers actually existed” since “[i]mpossibility is not a defense to [a] conspiracy charge”). We agree with the other circuits that have applied this same principle to trade secrets. See Yang, 281 F.3d at 544 (holding that the government did not need to prove theft of actual trade secrets because the defendants “intended to commit the crime and took a substantial step towards commission of the crime”); United States v. Martin, 228 F.3d 1, 13 (1st Cir. 2000) (holding the “key question is whether [the defendant] intended to steal secrets,” not whether he actually did); Hsu, 155 F.3d at 204 (“A defendant can be convicted of attempt or conspiracy pursuant to 18 U.S.C. §§ 1832(a)(4) or (a)(5) even if his intended acts were legally impossible.”). In any event, the jury found theft of actual trade secrets, and therefore any error was harmless. See Neder v. United States, 527 U.S. 1, 19, 119 S.Ct. 1827, 144 L.Ed.2d 35 (1999).

C. Evidentiary Challenges

Nosal disputes evidentiary rulings made regarding his non-competition agreement. Although Nosal was permitted to testify that he believed the agreement was illegal, the court struck certain testimony by government witnesses about the agreement and also precluded evidence about the enforceability of the agreement under California law. The jury was instructed that whether “Mr. Nosal breached or did not breach this covenant is not relevant to the question of whether he is guilty of the crimes charged in this case.” The district court did not abuse its discretion.

In closing rebuttal, the government argued that Nosal’s use of the name “David Nelson” showed his intent to conspire to steal information from Korn/Ferry. Importantly, the government did not link Nosal’s charade to the legality of the non-competition agreement. This passing reference, which was not objected to at trial, was harmless and certainly does not rise to the level of plain error.

III. Restitution Order

The district court awarded Korn/Ferry $827,983.25 in restitution. We review de novo the legality of the restitution order and review for clear error the factual findings that support the order. United States v. Luis, 765 F.3d 1061, 1065 (9th Cir. 2014), cert. denied, — U.S. —, 135 S.Ct. 1572, 191 L.Ed.2d 655 (2015) (citations omitted). If the order is “ ‘within the bounds of the statutory framework, a restitution order is reviewed for abuse of discretion.’ ” Id. (citation omitted).

The restitution order identified three categories of recoverable losses: 1) Korn/Ferry’s internal investigation costs incurred in attempting to ascertain the nature and scope of Nosal’s breach, in the amount of $27,400; 2) the value of Korn/Ferry’s employee time spent participating in and assisting the government’s investigation and prosecution, in the amount of $247,695; and 3) the attorneys’ fees incurred by Korn/Ferry in aid of the investigation or prosecution of the offense, in the amount of $595,758.25. While the government asked for a higher amount, *1046 the district court reduced the award, primarily by cutting the request for attorneys’ fees from $964,929.65 to $595,758.25 for invoices “not demonstrably reasonably necessary to the government’s investigation and prosecution,” for “staffing inefficiencies,” and for “time spent on ‘press’ and file/order reviewing charges.”

The district court relied on the Mandatory Victim Restitution Act (MVRA), which “makes restitution mandatory for particular crimes, including those offenses which involve fraud or deceit.” United States v. Gordon, 393 F.3d 1044, 1048 (9th Cir. 2004) (citing 18 U.S.C. § 3663A(c)(1)(A)(ii)). The MVRA requires that restitution awards “reimburse the victim for lost income and necessary child care, transportation, and other expenses incurred during participation in the investigation or prosecution of the offense or attendance at proceedings related to the offense.” 18 U.S.C. § 3663A(b)(4). Although the MVRA was passed as part of the Violence Against Women Act and directed in part to concerns related to women victims of crime, such as child care costs, see Pub. L. 103-322, § 40504, 108 Stat. 1796, 1947 (1994), we have joined other circuits in holding that the language “other expenses incurred during the participation in the investigation or prosecution” also authorizes the award of investigation costs and attorneys’ fees in some circumstances. See, e.g., United States v. Abdelbary, 746 F.3d 570, 574-79 (4th Cir. 2014); United States v. Elson, 577 F.3d 713, 728 (6th Cir. 2009); United States v. Waknine, 543 F.3d 546, 558-59 (9th Cir. 2008); United States v. Amato, 540 F.3d 153, 159-62 (2d Cir. 2008); Gordon, 393 F.3d at 1056-57.

We must initially decide whether, as Nosal urges, the restitution award is invalid because it exceeds the actual loss that the district court determined for the purposes of the Sentencing Guidelines U.S.S.G. § 2B1.1(b)—calculated at $46,907.88. The answer to that question is found in our observation that “calculating loss under the guidelines is not necessarily identical to loss calculation for purposes of restitution.” United States v. Hunter, 618 F.3d 1062, 1065 (9th Cir. 2010). Rather, restitution loss is governed not by the criteria of the Sentencing Guidelines, but by the MVRA’s purpose of “mak[ing] the victim[ ] whole.” Gordon, 393 F.3d at 1052 n.6. To this end, the plain language of 18 U.S.C. § 3663A(a)(1) makes restitution mandatory “Notwithstanding any other provision of law” and “in addition to ... any other penalty authorized by law,” including the Sentencing Guidelines. See also Amato, 540 F.3d at 160-62.

In contrast with the MVRA, which includes expenses related to investigation and prosecution, such costs are categorically excluded under the Sentencing Guidelines applicable here. The guidelines provision for actual loss for crimes of fraud explicitly excludes “costs incurred by victims primarily to aid the government in[ ] the prosecution and criminal investigation of an offense.” U.S.S.G. § 2B1.1 cmt. 3(D)(ii). From that, Nosal appears to assume, without any support, that “actual loss” is a term-of-art, such that in this category of offenses a restitution order could never include investigation costs or attorneys’ fees in aid of the government. That assumption is not warranted under the plain language of the MVRA, which notably never uses the terminology of actual loss.

In an effort to overcome the differences between the MVRA and the guidelines, Nosal points to our decision in United States v. Stoddard, 150 F.3d 1140, 1147 (9th Cir. 1998), which states that “[r]estitution can only be based on actual loss.” We acknowledge that Stoddard’s use of the phrase “actual loss” in discussion of *1047 restitution generates some confusion, but Stoddard does not answer the question at hand. In Stoddard, the difference between the loss under the Sentencing Guidelines and the restitution award ($30,000 versus $116,223) related to profits that the defendant received from a business opportunity linked to the fraud, not for anything remotely resembling the investigation costs at issue here. See id. at 1147-48 (Ferguson, J., dissenting).

Nosal is also mistaken that this reading of the statute creates a circuit split with the Seventh Circuit. See United States v. Dokich, 614 F.3d 314, 318-20 (7th Cir. 2010). Dokich addressed whether a $56.9 million restitution award was calculated using intended loss or actual loss. Based on an unclear record, the court was forced to conclude that the restitution award (which was higher than the $20-$50 million loss used for sentencing under the guidelines) was based on intended loss, not actual loss, and therefore barred. Id. As in Stoddard, the case had nothing to do with inclusion of investigation costs as part of the restitution loss calculation.

Having determined that the restitution award was “within the bounds of the statutory framework,” we turn to whether the district court nevertheless abused its discretion in awarding nearly $1 million in restitution. See Waknine, 543 F.3d at 555 (quoting Gordon, 393 F.3d at 1051). With respect to investigation costs and attorneys’ fees, our rule is clear: restitution for such losses “ ‘may be recoverable’ ” where the harm was the “ ‘direct and foreseeable result’ of the defendant’s wrongful conduct—” Gordon, 393 F.3d at 1057 (quoting United States v. Phillips, 367 F.3d 846, 863 (9th Cir. 2004)). But see Amato, 540 F.3d at 162 (disagreeing with Gordon’s approach of basing restitution on the foreseeable results of the criminal conduct). We require the government to present evidence “demonstrat[ing] that it was reasonably necessary for [the victim] to incur attorneys’ and investigator’s fees to participate in the investigation or prosecution of the offense.” Waknine, 543 F.3d at 559. Unlike some other circuits, see, e.g., United States v. Papagno, 639 F.3d 1093, 1099-1100 (D.C. Cir. 2011), we have “ ‘adopted a broad view of the restitution authorization [for investigation costs].’” Gordon, 393 F.3d at 1056-57 (alteration in original) (quoting Phillips, 367 F.3d at 863).

We applaud the district court’s thorough review of the voluminous time and fee records submitted by the government and Korn/Ferry. We agree with the award for internal investigation costs to uncover the extent of the breach and for the value of employee time spent participating in the government’s investigation and prosecution. See, e.g., United States v. De La Fuente, 353 F.3d 766, 773 (9th Cir. 2003) (upholding an award for “cleanup and decontamination” costs in response to an anthrax scare); United States v. Hosking, 567 F.3d 329, 332 (7th Cir. 2009) (holding that restitution included the value of “[t]he time and effort spent by the bank’s employees and outside professionals in unraveling the twelve-year embezzlement scheme”). However, we part ways with the district court and the government with respect to Korn/Ferry’s attorneys’ fees.

While the district court’s reduction of the fee award was a step in the right direction, our review of the record convinces us that the court should have gone further. Several principles guide this conclusion. To begin, the fees must be the direct and foreseeable result of the defendant’s conduct. Gordon, 393 F.3d at 1057 (quoting Phillips, 367 F.3d at 863). Next, as in other attorneys’ fee awards, reasonableness is the touchstone. Reasonableness is benchmarked against the necessity of *1048 the fees under the terms of the statute, thus excluding duplicate effort, time that is disproportionate to the task and time that does not fall within the MVRA’s mandate.17 Finally, fees are only recoverable if incurred during “participation in the investigation or prosecution of the offense.” 18 U.S.C. § 3663A(b)(4) (emphasis added). The company’s attorneys are not a substitute for the work of the prosecutor, nor do they serve the role of a shadow prosecutor. To be sure, nothing is wrong with proactive participation. But participation does not mean substitution or duplication.

Even after reduction, the total amount of fees awarded is striking, particularly given that the trial ultimately involved only three discrete incidents of criminal behavior. Although resulting in multiple counts, at bottom the events were temporally circumscribed and limited in scope. We note that a highly disproportionate percentage of the fees arose from responding to requests and inquiries related to sentencing, damages, and restitution. The reasonableness of the fees needs to be reexamined to consider (i) whether the sizeable fee related to restitution matters was reasonable; (ii) whether there was unnecessary duplication of tasks between Korn/Ferry staff and its attorneys since the court awarded a substantial sum for the time of Korn/Ferry employees; and (iii) whether the outside attorneys were substituting for or duplicating the work of the prosecutors, rather than serving in a participatory capacity.

We vacate the restitution award with respect to the attorneys’ fees and remand for reconsideration in light of the principles and observations set out above.

AFFIRMED, EXCEPT VACATED IN PART AND REMANDED WITH RESPECT TO THE RESTITUTION AWARD.

REINHARDT, Circuit Judge, dissenting:

This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.

The first time this case came before us we examined whether Nosal’s former colleagues acted “without authorization, or exceed[ed] authorized access” when they downloaded information from Searcher while still employed at Korn/Ferry and shared it with Nosal in violation of the firm’s policies. United States v. Nosal (Nosal I), 676 F.3d 854, 864 (9th Cir. 2012) (en banc). We said “no,” rejecting the approach of a few other circuits which had interpreted the CFAA looking “only at the culpable behavior of the defendants before them, and fail[ing] to consider the effect on millions of ordinary citizens.” Id. at 862. In doing so, we stated that they turned the CFAA into a “sweeping Internet-policing mandate,” instead of maintaining its “focus on hacking.” Id. at 858. We emphatically refused to turn violations of use restrictions imposed by employers or websites into crimes under the CFAA, declining to put so many citizens “at the mercy of [their] local prosecutor.” Id. at 862. Since then, both circuits to rule on the point *1049 have agreed with our interpretation. See United States v. Valle, 807 F.3d 508, 526-28 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012).

Today, addressing only slightly different conduct, the majority repudiates important parts of Nosal I, jeopardizing most password sharing. It loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.

At issue are three incidents of password sharing. On these occasions while FH was still employed at Korn/Ferry, she gave her password to Jacobson or Christian, who had left the company. Her former colleagues then used her password to download information from Searcher. FH was authorized to access Searcher, but she did not download the information herself because it was easier to let Jacobson or Christian do it than to have them explain to her how to find it. It would not have been a violation of the CFAA if they had simply given FH step-by-step directions, which she then followed. Thus the question is whether because Jacobson and Christian instead used FH’s password with her permission, they are criminally liable for access “without authorization” under the Act.1

The majority finds the answer is “yes,” but in doing so commits the same error as the circuits whose views we rejected in Nosal I. My colleagues claim that they do not have to address the effect of their decision on the wider population because Nosal’s infelicitous conduct “bears little resemblance” to everyday password sharing. Notably this is the exact argument the dissent made in Nosal I: “This case has nothing to do with playing sudoku, checking email, [or] fibbing on dating sites.... The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases.” 676 F.3d at 864, 866 (Silverman, J., dissenting) (internal quotation and citation omitted).

We, of course, rejected the dissent’s argument in Nosal I. We did so because we recognized that the government’s theory made all violations of use restrictions criminal under the CFAA, whether the violation was innocuous, like checking your personal email at work, or more objectionable like that at issue here. Because the statute was susceptible to a narrower interpretation, we rejected the government’s broader reading under which “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” Id. at 859. The same is true here. The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.

Therefore, despite the majority’s attempt to construe Nosal I as only applicable to “exceeds authorized access,” the case’s central lesson that the CFAA should not be interpreted to criminalize the ordinary conduct of millions of citizens applies equally strongly here. Accordingly, I would hold that consensual password sharing is not the kind of “hacking” covered by the CFAA. That is the case whether or not the voluntary password sharing is with a former employee and whether or not the former employee’s own password had expired or been terminated.

*1050 I.

“Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking.” Nosal I, 676 F.3d at 868. United States v. Morris, the first appellate case under the CFAA, illustrates the core type of conduct criminalized by the Act. 928 F.2d 504 (2d Cir. 1991). There a student created a worm which guessed passwords and exploited bugs in computer programs to access military and university computers, eventually causing them to crash. The Second Circuit found that the student had accessed those computers “without authorization” in violation of the Act. Id. at 506, 509-511.

“Without authorization” is used in a number of places throughout the CFAA, but is not defined in the Act. The phrase appears in two subsections relevant to this case: § 1030(a)(2)(C) and (a)(4). Subsection (a)(2)(C) criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer.” This is the “broadest provision” of the CFAA. Nosal I, 676 F.3d at 859. Subsection (a)(4) in essence increases the penalty for violating (a)(2)(C) if the perpetrator also acts “with intent to defraud,” and “obtains anything of value.”2 Nosal was charged and convicted under (a)(4).

Our definition of “without authorization” in this case will apply not only to (a)(4), but also to (a)(2)(C) and the rest of the Act. In Nosal I, the government contended that “exceeds authorization” could be interpreted more narrowly in (a)(2)(C) than in (a)(4), but we concluded: “This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the ‘standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning.’ ” 676 F.3d at 859 (quoting Powerex Corp. v. Reliant Energy Servs., Inc., 551 U.S. 224, 232, 127 S.Ct. 2411, 168 L.Ed.2d 112 (2007)). That holds here. Indeed, the government so concedes.

It is thus necessary to consider the potential breadth of subsection (a)(2)(C) if we construe “without authorization” with less than the utmost care. Subsection (a)(2)(C) criminalizes nearly all intentional access of a “protected computer” without authorization.3 A “ ‘protected computer’ is defined as a computer affected by or involved in interstate commerce—effectively all computers with Internet access.” See Nosal I, 676 F.3d at 859. This means that nearly all desktops, laptops, servers, smart-phones, as well as any “iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device,” including even some thermostats qualify as “protected.” Id. at 861. *1051 Thus § 1030(a)(2)(C) covers untold millions of Americans’ interactions with these objects every day. Crucially, violating (a)(2)(C) does not require “any culpable intent.” Id. Therefore if we interpret “without authorization” in a way that includes common practices like password sharing, millions of our citizens would become potential federal criminals overnight.

II.

The majority is wrong to conclude that a person necessarily accesses a computer account “without authorization” if he does so without the permission of the system owner.4 Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner’s access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank’s password sharing prohibition. There are other examples that readily come to mind, such as logging onto a computer on behalf of a colleague who is out of the office, in violation of a corporate computer access policy, to send him a document he needs right away. “Facebook makes it a violation of the terms of service to let anyone log into your account,” we noted in Nosal I, but “it’s very common for people to let close friends and relatives check their email or access their online accounts.” 676 F.3d at 861 (citing Facebook Statement of Rights and Responsibilities § 4.8).5

Was access in these examples authorized? Most people would say “yes.” Although the system owners’ policies prohibit password sharing, a legitimate account holder “authorized” the access. Thus, the best reading of “without authorization” in the CFAA is a narrow one: a person accesses an account “without authorization” if he does so without having the permission of either the system owner or a legitimate account holder.

This narrower reading is more consistent with the purpose of the CFAA. The CFAA is essentially an anti-hacking statute, and Congress intended it as such. Nosal I, 676 F.3d at 868. Under the preferable construction, the statute would cover only those whom we would colloquially think of as hackers: individuals who steal or guess passwords or otherwise force their way into computers without the consent of an authorized user, not persons who are given the right of access by those who themselves possess that right. There is no doubt that a typical hacker accesses an account “without authorization”: the hacker gains access without permission—either from the system owner or a legitimate account holder. As the 1984 House Report on the CFAA explained, “it is noteworthy that Section 1030 deals with an unauthorized access concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering.’ ” H.R. Rep. 98-894, 20, 1984 U.S.C.C.A.N. 3689, 3706. We would not convict a man for breaking and entering if he had been invited in by a houseguest, even if the homeowner objected. Neither should we convict a man under the CFAA for accessing a *1052 computer account with a shared password with the consent of the password holder.

Nosal’s conduct was, of course, unscrupulous. Nevertheless, as the Second Circuit found in interpreting the CFAA, “whatever the apparent merits of imposing criminal liability may seem to be in this case, we must construe the statute knowing that our interpretation of [authorization] will govern many other situations.” Valle, 807 F.3d at 528. The construction that we adopt in Nosal’s case will apply with equal force to all others, and the reading of “without authorization” we adopt for subsection (a)(4) will apply with equal force to subsection (a)(2)(C). I would, therefore, hold that however reprehensible Nosal’s conduct may have been, he did not violate the CFAA.

III.

The majority insists that the text of the statute requires its broad construction, but that is simply not so. Citing our decision in Brekka, the majority defines “authorization” as “permission or power granted by an authority.” After appealing to “ordinary meaning,” “common sense meaning,” and multiple dictionaries to corroborate this definition, the majority asserts that the term is “not ambiguous.”

The majority is wrong. The majority’s (somewhat circular) dictionary definition of “authorization”—“permission conferred by an authority”—hardly clarifies the meaning of the text. While the majority reads the statute to criminalize access by those without “permission conferred by” the system owner, it is also proper (and in fact preferable) to read the text to criminalize access only by those without “permission conferred by” either a legitimate account holder or the system owner. The question that matters is not what authorization is but who is entitled to give it. As one scholar noted, “there are two parties that have plausible claims to [give] authorization: the owner/operator of the computer, and the legitimate computer account holder.” Orin S. Kerr, Computer Crime Law 48 (3d ed. 2013). Under a proper construction of the statute, either one can give authorization.

The cases the majority cites to support its contention that the statute’s text requires a broad construction merely repeat dictionary definitions of “without authorization.” Those cases do nothing to support the majority’s position that authorization can be given only by the system owner. The Fourth Circuit, quoting the Oxford English Dictionary, found that “based on the ordinary, contemporary, common meaning of ‘authorization,’ ” an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval.” WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012). The Sixth Circuit, also quoting the Oxford English Dictionary, explained that “[t]he plain meaning of ‘authorization’ is ‘[t]he conferment of legality’ ” and concluded that “a defendant who accesses a computer ‘without authorization’ does so without sanction or permission.” Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 303-04 (6th Cir. 2011). In both of these cases, the important question in Nosal’s case—authorization from whom—went unanswered. The Second Circuit consulted the Random House Dictionary instead and concluded that the “common usage of ‘authorization’ suggests that one ‘accesses a computer without authorization’ if he accesses a computer without permission to do so at all.” Valle, 807 F.3d 508, 524 (2nd Cir. 2015) (emphasis added). With that, I agree. Contrary to the majority’s suggestion, none of the cases on which it relies holds that the requisite permission must come from the system owner and not a legitimate account holder.6

*1053 At worst, the text of the statute is ambiguous as to who may give authorization. The First Circuit concluded that the meaning of the term “without authorization” in the CFAA “has proven to be elusive,” EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n.10 (1st Cir. 2001), and an unambiguous definition eludes the majority even now. In that circumstance, the rule of lenity requires us to adopt the narrower construction—exactly the construction that is appropriate in light of the CFAA’s anti-hacking purpose and concern for the statute’s effect on the innocent behavior of millions of citizens. The text provides no refuge for the majority.

As the Supreme Court has repeatedly held, “where there is ambiguity in a criminal statute, doubts are resolved in favor of the defendant.” United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971); see also United States v. Santos, 553 U.S. 507, 514, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008) (“The rule of lenity requires ambiguous criminal laws to be interpreted in favor of the defendants subjected to them.”). If a “choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) (quoting United States v. Universal C.I.T. Credit Corp., 344 U.S. 218, 221-22, 73 S.Ct. 227, 97 L.Ed. 260 (1952)) (internal quotation marks omitted). We are therefore bound to adopt the construction of CFAA that criminalizes access only by those without permission from either an account holder or the system owner. See also, e.g., Nosal I, 676 F.3d at 863 (applying the rule of lenity to the CFAA); Valle, 807 F.3d at 527 (same); Miller, 687 F.3d at 204 (same).

The “venerable” rule of lenity ensures that individuals are on notice when they act. Santos, 553 U.S. at 514, 128 S.Ct. 2020. It “vindicates the fundamental principle that no citizen should be held accountable for a violation of a statute whose commands are uncertain....” Id. We must, therefore, read the CFAA not just in the harsh light of the courtroom but also from the perspective of its potential violators.7 In the everyday situation that should concern us all, a friend or colleague accessing an account with a shared password would most certainly believe—and with good reason—that his access had been “authorized” by the account holder who shared his password with him. Such a person, accessing an account with the express authorization of its holder, would believe that he was acting not just lawfully but ethically.8 “It’s very common for people to *1054 let close friends and relatives check their email or access their online accounts,” we said in Nosal I. “Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.” 676 F.3d at 861. The majority’s construction thus conflicts with the natural interpretation its freshly minted CFAA violators would have given to “without authorization.” That alone should defeat the majority’s conclusion.

Worse, however, the majority’s construction would base criminal liability on system owners’ access policies. That is exactly what we rejected in Nosal I. See 676 F.3d at 860. Precisely because it is unacceptable in our legal system to impose criminal liability on actions that are not proscribed “plainly and unmistakably,” Bass, 404 U.S. at 348-49, 92 S.Ct. 515, it is also unacceptable to base “criminal liability on violations of private computer use policies.” Nosal I, 676 F.3d at 860. Not only are those policies “lengthy, opaque, subject to change and seldom read,” id. at 860, they are also private—by definition not addressed and perhaps not even accessible to shared password recipients who are not official users themselves. Just as the rule of lenity ensures that Congress, not the judiciary, creates federal crimes, Bass, 404 U.S. at 348, 92 S.Ct. 515, the rule also ensures that the clear (and public) words of Congress—not the obscure policies of system owners—delimit their scope.

If this were a civil statute, it might be possible to agree with the majority, but it is not. The plain fact is that the Act unquestionably supports a narrower interpretation than the majority would afford it. Moreover, the CFAA is not the only criminal law that governs computer crime. All fifty states have enacted laws prohibiting computer trespassing. A conclusion that Nosal’s actions do not run afoul of the CFAA need not mean that Nosal is free from criminal liability, and adopting the proper construction of the statute need not thwart society’s ability to deter computer crime and punish computer criminals—even the “industrious hackers” and “bank robbers” that so alarm the majority.9

IV.

In construing any statute, we must be wary of the risks of “selective or arbitrary enforcement.” United States v. Kozminski, 487 U.S. 931, 952, 108 S.Ct. 2751, 101 L.Ed.2d 788 (1988). The majority’s construction of the CFAA threatens exactly that. It criminalizes a broad category of common actions that nobody would expect to be federal crimes. Looking at the fallout from the majority opinion, it is clear that the decision will have “far-reaching effects unintended by Congress.” See Miller, 687 F.3d at 206 (rejecting a broad interpretation *1055 of the CFAA producing such unintended effects).

Simply put, the majority opinion contains no limiting principle.10 Although the majority disavows the effects of its decision aside from dealing with former employees, it may not by fiat order that the reasoning of its decision stop, like politics used to, “at the water’s edge.” The statute says nothing about employment. Similarly, Nosal I discussed use restrictions, whether imposed by an employer or a third-party website, all in the same way. It did not even hint that employment was somehow special.11 676 F.3d at 860-61.

It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.12 It is not “advisory” to ask why the majority’s opinion does not criminalize this under § 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.

Even if the majority opinion could be limited solely to employment, the consequences would be equally untoward. Very often password sharing between a current and past employee serves the interest of the employer, even if the current employee is technically forbidden by a corporate policy from sharing his password. For example, if a current Korn/Ferry employee were looking for a source list for a pitch meeting which his former colleague had created before retirement, he might contact him to ask where the file had been saved. The former employee might say “it’s too complicated to explain where it is; send me your password and I’ll find it for you.” When the current employee complied and the former employee located the file, both would become federal criminals under the majority’s opinion. I am confident that such innocuous password sharing among current and former employees is more frequent than the improper password sharing *1056 at issue here. Both employees and Congress would be quite surprised to find that the innocent password sharing constitutes criminal conduct under the CFAA.13

Brekka, cited repeatedly in the majority opinion, did not threaten to criminalize the everyday conduct of millions of citizens. Nor does that case foreclose the preferable construction of the statute. Brekka primarily addressed the question of whether an employee’s violation of the duty of loyalty could itself render his access unauthorized. 581 F.3d at 1134-35. Although we found that authorization in that case depended “on actions taken by the employer,” that was to distinguish it from plaintiff’s claim that authorization “turns on whether the defendant breached a state law duty of loyalty to an employer.” Id. Brekka’s alleged use of an expired log-in presented a very different situation. Brekka had no possible source of authorization, and acted without having permission from either an authorized user or the system owner. We therefore had no cause to consider whether authorization from a current employee for the use of his password (i.e. password sharing) would constitute “authorization” under the Act. Moreover, it is far less common for people to use an expired or rescinded log-in innocuously than to share passwords contrary to the rules promulgated by employers or website operators. Thus, unlike this case, Brekka did not place ordinary citizens in jeopardy for their everyday conduct. That difference alone is dispositive in light of Nosal I.

In sum, § 1030(a)(2)(C) covers so large a swath of our daily lives that the majority’s construction will “criminalize a broad range of day-to-day activity.” Kozminski, 487 U.S. at 949, 108 S.Ct. 2751. Such “[u]biquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Nosal I, 676 F.3d at 861.

V.

Nosal’s case illustrates some of the special dangers inherent in criminal laws which are frequently violated in the commercial world, yet seldom enforced. To quote a recent comment by a justice of the Supreme Court with regard to a statute that similarly could be used to punish indiscriminately: “It puts at risk behavior that is common. That is a recipe for giving the Justice Department and prosecutors enormous power over [individuals].” Transcript of Oral Argument at 38, McDonnell v. United States, 136 S.Ct. 891 (2016) (No. 15-474) (Breyer, J.). Indeed, as this opinion is being filed, the Supreme Court has issued its decision in McDonnell and reiterated that “we cannot construe a criminal statute on the assumption that the Government will use it responsibly.” McDonnell v. United States, 579 U.S. —, 136 S.Ct. 2355, 195 L.Ed.2d 639 (2016) (citation omitted). Here it is far worse. Broadly interpreted, the CFAA is a recipe for giving large corporations undue power over their rivals, their employees, and ordinary citizens, as well as affording such indiscriminate power to the Justice Department, should we have a president or attorney general who desires to do so.

Nosal was a senior member of Korn/Ferry and intended to start a competing business. He was also due a million dollars from Korn/Ferry if he abided by his departure agreement. When Korn/Ferry began its investigation of Nosal’s possible malfeasance, it brought on ex-FBI agents to search through Christian’s garbage and follow Jacobson around. It also *1057 hired a leading international corporate law firm consisting of over 600 lawyers, O’Melveny and Myers, which charged up to $1,100 per hour for the time of some of its partners.14 One of O’Melveny’s lead attorneys had recently left the office of the United States Attorney who would prosecute any case against Nosal. She referred the case to her former colleagues personally. O’Melveny also told the prosecutor that the case was “time-sensitive” because Korn/Ferry would have to file its civil case shortly, but that it would provide the prosecutor with the facts necessary to “demonstrate the criminal culpability of those involved.” The law firm also provided the government with the liability theories it believed necessary to convict Nosal under the CFAA. Less than a month after O’Melveny approached the government, the FBI searched the residences of Jacobson, Christian, and the offices of Nosal’s new business. That same day Korn/Ferry filed its civil complaint. In total, Korn/Ferry sought almost a million dollars in attorneys’ fees from Nosal to compensate it for the work O’Melveny did to “assist” with the criminal prosecution.

To be clear, I am not implying that there is any misconduct on the part of the prosecution in this case. Nevertheless, private assistance of such magnitude blurs the line between criminal and civil law. Courts have long held that “a private citizen lacks a judicially cognizable interest in the prosecution or nonprosecution of another.” Linda R.S. v. Richard D., 410 U.S. 614, 619, 93 S.Ct. 1146, 35 L.Ed.2d 536 (1973). Korn/Ferry and its counsel’s employment of their overwhelming resources to persuade prosecutors to bring charges against an economic competitor has unhealthy ramifications for the legal system. Civil suits ordinarily govern economic controversies. There, private parties may initiate any good-faith action at their own expense. In criminal cases, however, the prosecutor who “seeks truth and not victims, [and] who serves the law and not factional purposes” must decide which cases go forward and which do not. Robert H. Jackson, The Federal Prosecutor, Address Before Conference of U.S. Attorneys (April 1, 1940), in 24 J. Am. Judicature Soc’y 18, 20 (1940). These decisions are inevitably affected by a variety of factors including the severity of the crime and the amount of available resources that must be dedicated to a prosecution.

Prosecutors cannot help but be influenced by knowing that they can count on an interested private party to perform and finance much of the work required to convict a business rival. As the Supreme Court found recently: “Prosecutorial discretion involves carefully weighing the benefits of a prosecution against the evidence needed to convict, [and] the resources of the public fisc.” Bond v. United States, — U.S. —, 134 S.Ct. 2077, 2093, 189 L.Ed.2d 1 (2014).15 The balance weighs differently when a major international corporate firm will bear much of the cost *1058 which would otherwise have to be borne by the prosecutor’s office. Prosecutors will also be able to use the work product of the country’s finest and most highly paid corporate litigators, rather than investing its meager human resources in developing a complex commercial case different in kind from the cases it is ordinarily used to preparing.16 Undertaking such third-party financed cases which a United States attorney might not have prosecuted otherwise gives the appearance of well-financed business interests obtaining the services of the prosecutorial branch of government to accomplish their own private purposes, influencing the vast discretion vested in our prosecutors, and causing the enforcement of broad and ill-defined criminal laws seldom enforced except at the behest of those who can afford it. Moreover, to the extent that decisions to pursue such cases are influenced by such extraneous concerns, and prosecutorial discretion is tilted toward their enforcement, other criminal cases that might otherwise be chosen for prosecution may well be neglected and the criminal justice system itself become distorted.

VI.

“There is no doubt that this case is distasteful; it may be far worse than that.” McDonnell v. United States, 579 U.S. —, 136 S.Ct. 2355, 195 L.Ed.2d 639 (2016). As the Supreme Court said in McDonnell, “our concern is not with tawdry tales of Ferraris, Rolexes, and ball gowns. It is instead with the broader legal implications of the Government’s boundless interpretation” of a federal statute. Here, our concern is not with tawdry tales of corporate thievery and executive searches gone wrong. “It is instead with the broader legal implications of the Government’s boundless interpretation” of the CFAA. Nosal may have incurred substantial civil liability, and may even be subject to criminal prosecution, but I do not believe he has violated the CFAA, properly construed.17 I respectfully dissent.

8.4 Van Buren v. United States

 
 

(Slip Opinion) OCTOBER TERM, 2020

 

Syllabus

NOTE: Where it is feasible, a syllabus (headnote) will be released, as is being done in connection with this case, at the time the opinion is issued. The syllabus constitutes no part of the opinion of the Court but has been prepared by the Reporter of Decisions for the convenience of the reader. See United States v. Detroit Timber & Lumber Co., 200 U. S. 321, 337.

SUPREME COURT OF THE UNITED STATES


VAN BUREN v. UNITED STATES

CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT

No. 19–783. Argued November 30, 2020—Decided June 3, 2021

Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes.  Unbeknownst to Van Buren, his actions were part of a Federal Bureau of Investigation sting operation. Van Buren was charged with a felony violation  of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”  18 U. S. C. §1030(a)(2).  The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  §1030(e)(6).  A jury convicted Van Buren, and the District Court sentenced him to 18 months in prison.  Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.  Consistent with Eleventh Circuit precedent, the panel held that Van Buren had violated the CFAA.

Held: An individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him. Pp. 5–20.

 (a) (1) The parties agree that Van Buren “access[ed] a computer with authorization” and “obtain[ed] . . . information in the computer.” They dispute whether Van Buren was “entitled so to obtain” that information. Van Buren contends that the word “so” serves as a term of reference and that the disputed phrase thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information. Black’s Law Dictionary 1246. He also notes that the only manner of obtaining information already stated in the definitional provision is by a computer one is authorized to access. Thus, he continues, the phrase “is not entitled so to obtain” plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. The Government argues that “so” sweeps more broadly, reading the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. And the manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information. Van Buren’s account of “so” best aligns with the term’s plain meaning as a term of reference, as further reflected by other federal statutes that use “so” the same way. Pp. 5–8.

  • The Government contends that Van Buren’s reading renders the word “so” superfluous. “So” makes a valuable contribution, the Government insists, only if it incorporates all of the circumstances that might qualify a person’s right to obtain information.  The Court disagrees because without “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. Pp. 8–9.
  • The dissent accepts Van Buren’s definition of “so,” but would arrive at the Government’s result by way of the word “entitled.” According to the dissent, the term “entitled” demands a “circumstance dependent” analysis of whether access was proper. But the word “entitled” is modified by the phrase “so to obtain.” That phrase in turn directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” And as already explained, the manner previously stated is using a computer one is authorized to access. To arrive at its interpretation, the dissent must write the word “so” out of the statute. Pp. 9–10.
  • The Government contends that in “common parlance,” the phrase “exceeds authorized access” would be understood to mean that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. The relevant question, however, is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. For reasons given elsewhere, he did not. Nor is it contrary to the meaning of the defined term to equate “exceed[ing] authorized access” with the act of entering a part of the system to which a computer user lacks access privileges. Pp. 11–12.

  • The statute’s structure further cuts against the Government’s position. Subsection (a)(2) specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6). Van Buren contends that the “without authorization” clause protects computers themselves from outside hackers, while the “exceeds authorized access” clause provides complementary protection for certain information within computers by targeting so-called inside hackers. Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. This treats the clauses consistently and aligns with the computer-context understanding of access as entry. By contrast, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as dependent on the circumstances—a reading inconsistent with subsection (a)(2)’s design and structure. The Government’s reading leaves unanswered why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.

 Another structural problem for the Government: §1030(a)(2) also gives rise to civil liability, §1030(g), with the statute defining “damage” and “loss” to specify what a plaintiff in a civil suit can recover.  §§1030(e)(8), (11).  Both terms focus on technological harms to computer data or systems.  Such provisions make sense in a scheme aimed at avoiding the ordinary consequences of hacking but are ill fitted to remediating “misuse” of sensitive information that employees permissibly access using their computers.  Pp. 12–16.

  • The Government’s claims that precedent and statutory history support its interpretation are easily dispatched. This Court’s decision in Musacchio v. United States, 577 U. S. 237, did not address the issue here, and the Court is not bound to follow any dicta in the case. As for statutory history, the Government claims that the original 1984 Act’s precursor to the “exceeds authorized access” language—which covered any person who, “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend”—supports its reading. But that Congress removed any reference to “purpose” in the CFAA cuts against reading the statute to cover purpose-based limitations. Pp. 16–17.


 

  • The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated (as a “use” restriction or an “access” restriction). Pp. 17–20.

940 F. 3d 1192, reversed and remanded.

BARRETT, J., delivered the opinion of the Court, in which BREYER, SOTOMAYOR, KAGAN, GORSUCH, and KAVANAUGH, JJ., joined. THOMAS, J., filed a dissenting opinion, in which ROBERTS, C. J., and ALITO, J., joined.

 

NOTICE: This opinion is subject to formal revision before publication in the preliminary print of the United States Reports. Readers are requested to notify the Reporter of Decisions, Supreme Court of the United States, Washington, D. C. 20543, of any typographical or other formal errors, in order that corrections may be made before the preliminary print goes to press.

SUPREME COURT OF THE UNITED STATES

_________________

No. 19–783

_________________

NATHAN VAN BUREN, PETITIONER v.

UNITED STATES

ON WRIT OF CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT  

[June 3, 2021]

 JUSTICE BARRETT delivered the opinion of the Court.

 Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

 He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.  It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

I

A

 Technological advances at the dawn of the 1980s brought computers to schools, offices, and homes across the Nation.  But as the public and private sectors harnessed the power of computing for improvement and innovation, so-called hackers hatched ways to coopt computers for illegal ends.  After a series of highly publicized hackings captured the public’s attention, it became clear that traditional theft and trespass statutes were ill suited to address cybercrimes that did not deprive computer owners of property in the traditional sense.  See Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N. Y. U. L. Rev. 1596, 1605–1613 (2003).

 Congress, following the lead of several States, responded by enacting the first federal computer-crime statute as part of the Comprehensive Crime Control Act of 1984.  §2102(a), 98 Stat. 2190–2192.  A few years later, Congress passed the CFAA, which included the provisions at issue in this case.  The Act subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U. S. C. §1030(a)(2).  It defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  §1030(e)(6).

 Initially, subsection (a)(2)’s prohibition barred accessing only certain financial information.  It has since expanded to cover any information from any computer “used in or affecting interstate or foreign commerce or communication.”  §1030(e)(2)(B).  As a result, the prohibition now applies—at a minimum—to all information from all computers that connect to the Internet. §§1030(a)(2)(C), (e)(2)(B).

 Those who violate §1030(a)(2) face penalties ranging from fines and misdemeanor sentences to imprisonment for up to 10 years. §1030(c)(2). They also risk civil liability under the CFAA’s private cause of action, which allows persons suffering “damage” or “loss” from CFAA violations to sue for money damages and equitable relief. §1030(g).

B

 This case stems from Van Buren’s time as a police sergeant in Georgia. In the course of his duties, Van Buren crossed paths with a man named Andrew Albo. The deputy chief of Van Buren’s department considered Albo to be “very volatile” and warned officers in the department to deal with him carefully. Notwithstanding that warning, Van Buren developed a friendly relationship with Albo. Or so Van Buren thought when he went to Albo to ask for a personal loan. Unbeknownst to Van Buren, Albo secretly recorded that request and took it to the local sheriff’s office, where he complained that Van Buren had sought to “shake him down” for cash.

 The taped conversation made its way to the Federal Bureau of Investigation (FBI), which devised an operation to see how far Van Buren would go for money.  The steps were straightforward: Albo would ask Van Buren to search the state law enforcement computer database for a license plate purportedly belonging to a woman whom Albo had met at a local strip club. Albo, no stranger to legal troubles, would tell Van Buren that he wanted to ensure that the woman was not in fact an undercover officer.  In return for the search, Albo would pay Van Buren around $5,000.  Things went according to plan.  Van Buren used his  patrol-car computer to access the law enforcement database with his valid credentials.  He searched the database for the license plate that Albo had provided.  After obtaining the FBI-created license-plate entry, Van Buren told Albo that he had information to share.

 The Federal Government then charged Van Buren with a felony violation of the CFAA on the ground that running the license plate for Albo violated the “exceeds authorized access” clause of 18 U. S. C. §1030(a)(2).[1] The trial evidence showed that Van Buren had been trained not to use the law enforcement database for “an improper purpose,” defined as “any personal use.” App. 17.  Van Buren therefore knew that the search breached department policy. And according to the Government, that violation of department policy also violated the CFAA. Consistent with that position, the Government told the jury that Van Buren’s access of the database “for a non[-]law[-]enforcement purpose” violated the CFAA “concept” against “using” a computer network in a way contrary to “what your job or policy prohibits.”  Id., at 39. The jury convicted Van Buren, and the District Court sentenced him to 18 months in prison.

 Van Buren appealed to the Eleventh Circuit, arguing that the “exceeds authorized access” clause applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have. While several Circuits see the clause Van Buren’s way, the Eleventh Circuit is among those that have taken a broader view.[2] Consistent with its Circuit precedent, the panel held that Van Buren had violated the CFAA by accessing the law enforcement database for an “inappropriate reason.”  940 F. 3d 1192, 1208 (2019).  We granted certiorari to resolve the split in authority regarding the scope of liability under the CFAA’s “exceeds authorized access” clause. 590 U. S. ___ (2020).

II

A

1

 Both Van Buren and the Government raise a host of policy arguments to support their respective interpretations.  But we start where we always do: with the text of the statute. Here, the most relevant text is the phrase “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6).

 The parties agree that Van Buren “access[ed] a computer with authorization” when he used his patrol-car computer and valid credentials to log into the law enforcement database.  They also agree that Van Buren “obtain[ed] . . . information in the computer” when he acquired the license-plate record for Albo.  The dispute is whether Van Buren was “entitled so to obtain” the record.

 “Entitle” means “to give . . . a title, right, or claim to something.” Random House Dictionary of the English Language 649 (2d ed. 1987).  See also Black’s Law Dictionary 477 (5th ed. 1979) (“to give a right or legal title to”).  The parties agree that Van Buren had been given the right to acquire license-plate information—that is, he was “entitled to obtain” it—from the law enforcement computer database.  But was Van Buren “entitled so to obtain” the license-plate information, as the statute requires?

 Van Buren says yes. He notes that “so,” as used in this statute, serves as a term of reference that recalls “the same manner as has been stated” or “the way or manner described.” Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary 887 (2d ed. 1989).  The disputed phrase “entitled so to obtain” thus asks whether one has the right, in “the same manner as has been stated,” to obtain the relevant information.  And the only manner of obtaining information already stated in the definitional provision is “via a computer [one] is otherwise authorized to access.”  Reply Brief 3. Putting that together, Van Buren contends that the disputed phrase—“is not entitled so to obtain”—plainly refers to information one is not allowed to obtain by using a computer that he is authorized to access. On this reading, if a person has access to information stored in a computer—e.g., in “Folder Y,” from which the person could permissibly pull information—then he does not violate the CFAA by obtaining such information, regardless of whether he pulled the information for a prohibited purpose. But if the information is instead located in prohibited “Folder X,” to which the person lacks access, he violates the CFAA by obtaining such information.

 The Government agrees that the statute uses “so” in the word’s term-of-reference sense, but it argues that “so” sweeps more broadly.  It reads the phrase “is not entitled so to obtain” to refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it.  The manner or circumstances in which one has a right to obtain information, the Government says, are defined by any “specifically and explicitly” communicated limits on one’s right to access information.  Brief for United States 19. As the Government sees it, an employee might lawfully pull information from Folder Y in the morning for a permissible purpose—say, to prepare for a business meeting—but unlawfully pull the same information from Folder Y in the afternoon for a prohibited purpose—say, to help draft a resume to submit to a competitor employer.

 The Government’s interpretation has surface appeal but proves to be a sleight of hand. While highlighting that “so” refers to a “manner or circumstance,” the Government simultaneously ignores the definition’s further instruction that such manner or circumstance already will “‘ha[ve] been stated,’” “‘asserted,’” or “‘described.’”  Id., at 18 (quoting Black’s Law Dictionary, at 1246; 15 Oxford English Dictionary, at 887). Under the Government’s approach, the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute.  Instead, “so” captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else. And while the Government tries to cabin its interpretation by suggesting that any such limit must be “specifically and explicitly” stated, “express,” and “inherent in the authorization itself,” the Government does not identify any textual basis for these guardrails.  Brief for United States 19; Tr. of Oral Arg. 41.

 Van Buren’s account of “so”—namely, that “so” references the previously stated “manner or circumstance” in the text of §1030(e)(6) itself—is more plausible than the Government’s. “So” is not a free-floating term that provides a hook for any limitation stated anywhere.  It refers to a stated, identifiable proposition from the “preceding” text; indeed, “so” typically “[r]epresent[s]” a “word or phrase already employed,” thereby avoiding the need for repetition.  15 Oxford English Dictionary, at 887; see Webster’s Third New International Dictionary 2160 (1986) (so “often used as a substitute . . . to express the idea of a preceding phrase”).  Myriad federal statutes illustrate this ordinary usage.[3] We agree with Van Buren: The phrase “is not entitled so to obtain” is best read to refer to information that a person is not entitled to obtain by using a computer that he is authorized to access.[4]  

2

 The Government’s primary counterargument is that Van Buren’s reading renders the word “so” superfluous. Recall the definition: “to access a computer with authorization and to use such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.” §1030(e)(6) (emphasis added). According to the Government, “so” adds nothing to the sentence if it refers solely to the earlier stated manner of obtaining the information through use of a computer one has accessed with authorization.  What matters on Van Buren’s reading, as the Government sees it, is simply that the person obtain information that he is not entitled to obtain—and that point could be made even if “so” were deleted. By contrast, the Government insists, “so” makes a valuable contribution if it incorporates all of the circumstances that might qualify a person’s right to obtain information. Because only its interpretation gives “so” work to do, the Government contends, the rule against superfluity means that its interpretation wins. See Republic of Sudan v. Harrison, 587 U. S. ___, ___ (2019) (slip op., at 10).

——————

other property to have been so embezzled, stolen, [or] converted . . . retains the same with intent to convert it to his use,” is subject to punishment); §1708 (“[W]hoever steals, takes, or abstracts, or by fraud or deception obtains, or attempts so to obtain,” parcels of mail is subject to punishment).

 But the canon does not help the Government because Van Buren’s reading does not render “so” superfluous.  As Van Buren points out, without “so,” the statute would allow individuals to use their right to obtain information in nondigital form as a defense to CFAA liability.  Consider, for example, a person who downloads restricted personnel files he is not entitled to obtain by using his computer. Such a person could argue that he was “entitled to obtain” the information if he had the right to access personnel files through another method (e.g., by requesting hard copies of the files from human resources). With “so,” the CFAA forecloses that theory of defense. The statute is concerned with what a person does on a computer; it does not excuse hacking into an electronic personnel file if the hacker could have walked down the hall to pick up a physical copy.  This clarification is significant because it underscores that one kind of entitlement to information counts: the right to access the information by using a computer. That can expand liability, as the above example shows. But it narrows liability too. Without the word “so,” the statute could be read to incorporate all kinds of limitations on one’s entitlement to information. The dissent’s take on the statute illustrates why.

3

 While the dissent accepts Van Buren’s definition of “so,” it would arrive at the Government’s result by way of the word “entitled.”  One is “entitled” to do something, the dissent contends, only when “‘proper grounds’” are in place.  Post, at 3 (opinion of THOMAS, J.) (quoting Black’s Law Dictionary, at 477).  Deciding whether a person was “entitled” to obtain information, the dissent continues, therefore demands a “circumstance dependent” analysis of whether access was proper. Post, at 3.  This reading, like the Government’s, would extend the statute’s reach to any circumstance-based limit appearing anywhere.  The dissent’s approach to the word “entitled” fares fine in the abstract but poorly in context.  The statute does not refer to “information . . . that the accesser is not entitled to obtain.” It refers to “information . . . that the accesser is not entitled so to obtain.”  18 U. S. C. §1030(e)(6) (emphasis added). The word “entitled,” then, does not stand alone, inviting the reader to consider the full scope of the accesser’s entitlement to information.  The modifying phrase “so to obtain” directs the reader to consider a specific limitation on the accesser’s entitlement: his entitlement to obtain the information “in the manner previously stated.” Supra, at 7.  And as already explained, the manner previously stated is using a computer one is authorized to access. Thus, while giving lipservice to Van Buren’s reading of “so,” the dissent, like the Government, declines to give “so” any limiting function.[5]

 The dissent cannot have it both ways.  The consequence of accepting Van Buren’s reading of “so” is the narrowed scope of “entitled.” In fact, the dissent’s examples implicitly concede as much: They all omit the word “so,” thereby giving “entitled” its full sweep.  See post, at 3–4.  An approach that must rewrite the statute to work is even less persuasive than the Government’s.


4

 The Government falls back on what it describes as the “common parlance” meaning of the phrase “exceeds authorized access.” Brief for United States 20–21.  According to the Government, any ordinary speaker of the English language would think that Van Buren “exceed[ed] his authorized access” to the law enforcement database when he obtained license-plate information for personal purposes. Id., at 21. The dissent, for its part, asserts that this point “settles” the case. Post, at 9.

 If the phrase “exceeds authorized access” were all we had to go on, the Government and the dissent might have a point. But both breeze by the CFAA’s explicit definition of the phrase “exceeds authorized access.”  When “a statute includes an explicit definition” of a term, “we must follow that definition, even if it varies from a term’s ordinary meaning.” Tanzin v. Tanvir, 592 U. S. ___, ___ (2020) (slip op., at 3) (internal quotation marks omitted). So the relevant question is not whether Van Buren exceeded his authorized access but whether he exceeded his authorized access as the CFAA defines that phrase. And as we have already explained, the statutory definition favors Van Buren’s reading.

 That reading, moreover, is perfectly consistent with the way that an “appropriately informed” speaker of the language would understand the meaning of “exceeds authorized access.” Nelson, What Is Textualism?  91 Va. L. Rev. 347, 354 (2005). When interpreting statutes, courts take note of terms that carry “technical meaning[s].”  A. Scalia & B. Garner, Reading Law: The Interpretation of Legal Texts 73 (2012).  “Access” is one such term, long carrying a “well established” meaning in the “computational sense”—a meaning that matters when interpreting a statute about computers. American Heritage Dictionary 10 (3d ed. 1992).  In the computing context, “access” references the act of entering a computer “system itself” or a particular “part of a computer system,” such as files, folders, or databases.6  It is thus consistent with that meaning to equate “exceed[ing] authorized access” with the act of entering a part of the system to which a computer user lacks access privileges.[6]  The Government and the dissent’s broader interpretation is neither the only possible nor even necessarily the most natural one.

B

 While the statute’s language “spells trouble” for the Government’s position, a “wider look at the statute’s structure gives us even more reason for pause.”  Romag Fasteners, Inc. v. Fossil Group, Inc., 590 U. S. ___, ___–___ (2020) (slip op., at 2–3).

 The interplay between the “without authorization” and “exceeds authorized access” clauses of subsection (a)(2) is particularly probative.  Those clauses specify two distinct ways of obtaining information unlawfully. First, an individual violates the provision when he “accesses a computer without authorization.” §1030(a)(2). Second, an individual violates the provision when he “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain.”  §§1030(a)(2), (e)(6).  Van Buren’s reading places the provision’s parts “into an harmonious whole.”  Roberts v. Sea-Land Services, Inc., 566 U. S. 93, 100 (2012) (internal quotation marks omitted). The Government’s does not.  Start with Van Buren’s view.  The “without authorization” clause, Van Buren contends, protects computers themselves by targeting so-called outside hackers—those who “acces[s] a computer without any permission at all.” LVRC Holdings LLC v. Brekka, 581 F. 3d 1127, 1133 (CA9 2009); see also Pulte Homes, Inc. v. Laborers’ Int’l Union of North Am., 648 F. 3d 295, 304 (CA6 2011).  Van Buren reads the “exceeds authorized access” clause to provide complementary protection for certain information within computers.  It does so, Van Buren asserts, by targeting so-called inside hackers—those who access a computer with permission, but then “‘exceed’ the parameters of authorized access by entering an area of the computer to which [that] authorization does not extend.”  United States v. Valle, 807 F. 3d 508, 524 (CA2 2015).

——————

6 1 Oxford English Dictionary 72 (2d ed. 1989) (“[t]o gain access to . . . data, etc., held in a computer or computer-based system, or the system itself”); Random House Dictionary of the English Language 11 (2d ed. 1987) (“Computers. to locate (data) for transfer from one part of a computer system to another . . . ”); see also C. Sippl & R. Sippl, Computer Dictionary and Handbook 2 (3d ed. 1980) (“[c]oncerns the process of obtaining data from or placing data in storage”); Barnhart Dictionary of New English 2 (3d ed. 1990) (“to retrieve (data) from a computer storage unit or device . . . ”); Microsoft Computer Dictionary 12 (4th ed. 1999) (“[t]o gain entry to memory in order to read or write data”); A Dictionary of Computing 5 (6th ed. 2008) (“[t]o gain entry to data, a computer system, etc.”).

 Van Buren’s account of subsection (a)(2) makes sense of the statutory structure because it treats the “without authorization” and “exceeds authorized access” clauses consistently. Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.[7]  And reading both clauses to adopt a gates-up-or-down approach aligns with the computer-context understanding of access as entry. See supra, at 11–12.[8]

 By contrast, the Government’s reading of the “exceeds authorized access” clause creates “inconsistenc[ies] with the design and structure” of subsection (a)(2). University of Tex. Southwestern Medical Center v. Nassar, 570 U. S. 338, 353 (2013).  As discussed, the Government reads the “exceeds authorized access” clause to incorporate purpose-based limits contained in contracts and workplace policies.  Yet the Government does not read such limits into the threshold question whether someone uses a computer “without authorization”—even though similar purpose restrictions, like a rule against personal use, often govern one’s right to access a computer in the first place.  See, e.g., Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756, 757 (CA6 2020). Thus, the Government proposes to read the first phrase “without authorization” as a gates-up-or-down inquiry and the second phrase “exceeds authorized access” as one that depends on the circumstances.  The Government does not explain why the statute would prohibit accessing computer information, but not the computer itself, for an improper purpose.10

 The Government’s position has another structural problem. Recall that violating §1030(a)(2), the provision under which Van Buren was charged, also gives rise to civil liability. See §1030(g). Provisions defining “damage” and “loss” specify what a plaintiff in a civil suit can recover.  “‘[D]amage,’” the statute provides, means “any impairment to the integrity or availability of data, a program, a system, or information.” §1030(e)(8).  The term “loss” likewise relates to costs caused by harm to computer data, programs, systems, or information services.  §1030(e)(11). The statutory definitions of “damage” and “loss” thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequences of hacking.” Royal Truck, 974 F. 3d, at 760.  The term’s definitions are ill fitted, however, to remediating “misuse” of sensitive information that employees may permissibly access using their computers. Ibid.  Van Buren’s situation is illustrative: His run of the license plate did not impair the “integrity or availability” of data, nor did it otherwise harm the database system itself.

——————

10 Unlike the Government, the dissent would read both clauses of subsection (a)(2) to require a circumstance-specific analysis.  Doing so, the dissent contends, would reflect that “[p]roperty law generally protects against both unlawful entry and unlawful use.”  Post, at 7.  This interpretation suffers from structural problems of its own.  Consider the standard rule prohibiting the use of one’s work computer for personal purposes. Under the dissent’s approach, an employee’s computer access would be without authorization if he logged on to the computer with the purpose of obtaining a file for personal reasons.  In that event, obtaining the file would not violate the “exceeds authorized access” clause, which applies only when one accesses a computer “with authorization.”  §1030(e)(6) (emphasis added).  The dissent’s reading would therefore leave the “exceeds authorized access” clause with no work to do much of the time—an outcome that Van Buren’s interpretation (and, for that matter, the Government’s) avoids.

 

C

 Pivoting from text and structure, the Government claims that precedent and statutory history support its interpretation. These arguments are easily dispatched.  As for precedent, the Government asserts that this Court’s decision in Musacchio v. United States, 577 U. S. 237 (2016), bolsters its reading.  There, in addressing a question about the standard of review for instructional error, the Court described §1030(a)(2) as prohibiting “(1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Id., at 240. This paraphrase of the statute does not do much for the Government.  As an initial matter, Musacchio did not address—much less resolve in the Government’s favor—the “point now at issue,” and we thus “are not bound to follow” any dicta in the case.  Central Va. Community College v. Katz, 546 U. S. 356, 363 (2006).  But in any event, Van Buren’s interpretation, no less than the Government’s, involves “using [one’s] access improperly.”  It is plainly “improper” for one to use the opportunity his computer access provides to obtain prohibited information from within the computer.

 As for statutory history, the Government claims that the original 1984 Act supports its interpretation of the current version. In a precursor to the “exceeds authorized access” clause, the 1984 Act covered any person who, “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend,” and thus expressly alluded to the purpose of an insider’s computer access.  18 U. S. C. §1030(a)(2) (1982 ed. Supp. III). According to the Government, this confirms that the amended CFAA—which makes no mention of purpose in defining “exceeds authorized access”—likewise covers insiders like Van Buren who use their computer access for an unauthorized purpose.[9] The Government’s argument gets things precisely backward.  “When Congress amends legislation, courts must presume it intends the change to have real and substantial effect.”  Ross v. Blake, 578 U. S. 632, 641–642 (2016) (internal quotation marks and brackets omitted). Congress’ choice to remove the statute’s reference to purpose thus cuts against reading the statute “to capture that very concept.”  Brief for United States 22.  The statutory history thus hurts rather than helps the Government’s position.

III

 To top it all off, the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity. Van Buren frames the far-reaching consequences of the Government’s reading as triggering the rule of lenity or constitutional avoidance. That is not how we see it: Because the text, context, and structure support Van Buren’s reading, neither of these canons is in play.  Still, the fallout underscores the implausibility of the Government’s interpretation.  It is “extra icing on a cake already frosted.”  Yates v. United States, 574 U. S. 528, 557 (2015) (KAGAN, J., dissenting).  

 If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes.  So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.  Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.  See Brief for Orin Kerr as Amicus Curiae 10–11; Brief for Technology Companies as Amici Curiae 6, n. 3, 11; see also Brief for Reporters Committee for Freedom of the Press et al. as Amici Curiae 10–13 (journalism activity); Brief for Kyratso Karahalios et al. as Amici Curiae 11–17 (online civil-rights testing and research).

 In response to these points, the Government posits that other terms in the statute—specifically “authorization” and “use”—“may well” serve to cabin its prosecutorial power.  Brief for United States 35; see Tr. of Oral Arg. 38, 40, 58 (“instrumental” use; “individualized” and “fairly specific” authorization). Yet the Government stops far short of endorsing such limitations. Cf. Brief for United States 37 (concept of “authorization” “may not logically apply”); id., at 38 (“‘use’” might be read in a more “limited” fashion, even though it “often has a broader definition”); see also, e.g., post, at 11–12 (mens rea requirement “might” preclude liability in some cases). Nor does it cite any prior instance in which it has read the statute to contain such limitations—to the contrary, Van Buren cites instances where it hasn’t.  See Reply Brief 14–15, 17 (collecting cases); cf. Sandvig v. Barr, 451 F. Supp. 3d 73, 81–82 (DC 2020) (discussing Department of Justice testimony indicating that the Government could “‘bring a CFAA prosecution based’” on terms-of-service violations causing “‘de minimis harm’”).  If anything, the Government’s current CFAA charging policy shows why Van Buren’s concerns are far from “hypothetical,” post, at 12: The policy instructs that federal prosecution “may not be warranted”—not that it would be prohibited—“if the defendant exceed[s] authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or website.”[10]  And while the Government insists that the intent requirement serves as yet another safety valve, that requirement would do nothing for those who intentionally use their computers in a way their “job or policy prohibits”—for example, by checking sports scores or paying bills at work. App. 39.

 One final observation: The Government’s approach would inject arbitrariness into the assessment of criminal liability. The Government concedes, as it must, that the “exceeds authorized access” clause prohibits only unlawful information “access,” not downstream information “‘misus[e].’”  Brief in Opposition 17 (statute does not cover “‘subsequen[t] misus[e of] information’”).  But the line between the two can be thin on the Government’s reading. Because purpose-based limits on access are often designed with an eye toward information misuse, they can be expressed as either access or use restrictions.  For example, one police department might prohibit using a confidential database for a non-law-enforcement purpose (an access restriction), while another might prohibit using information from the database for a non-law-enforcement purpose (a use restriction). Conduct like Van Buren’s can be characterized either way, and an employer might not see much difference between the two. On the Government’s reading, however, the conduct would violate the CFAA only if the employer phrased the policy as an access restriction.  An interpretation that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.

IV

 In sum, an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him. The parties agree that Van Buren accessed the law enforcement database system with authorization.  The only question is whether Van Buren could use the system to retrieve license-plate information.  Both sides agree that he could. Van Buren accordingly did not “excee[d] authorized access” to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose. We therefore reverse the contrary judgment of the Eleventh Circuit and remand the case for further proceedings consistent with this opinion.

 

It is so ordered.

 

SUPREME COURT OF THE UNITED STATES

_________________

No. 19–783

_________________

NATHAN VAN BUREN, PETITIONER v. UNITED STATES

ON WRIT OF CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT  

[June 3, 2021]

 JUSTICE THOMAS, with whom THE CHIEF JUSTICE and JUSTICE ALITO join, dissenting.

 Both the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others.  A valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joyride.  The Computer Fraud and Abuse Act extends that principle to computers and information.  The Act prohibits exceeding the scope of consent when using a computer that belongs to another person.  Specifically, it punishes anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains” information from that computer. 18 U. S. C. §1030(a)(2).

 As a police officer, Nathan Van Buren had permission to retrieve license-plate information from a government database, but only for law enforcement purposes. Van Buren disregarded this limitation when, in exchange for several thousand dollars, he used the database in an attempt to unmask a potential undercover officer.

 The question here is straightforward: Would an ordinary reader of the English language understand Van Buren to have “exceed[ed] authorized access” to the database when he used it under circumstances that were expressly forbidden? In my view, the answer is yes. The necessary precondition that permitted him to obtain that data was absent.   The Court does not dispute that the phrase “exceeds authorized access” readily encompasses Van Buren’s conduct.  It notes, instead, that the statute includes a definition for that phrase and that “we must follow that definition, even if it varies from a term’s ordinary meaning.” Tanzin v. Tanvir, 592 U. S. ___, ___ (2020) (slip op., at 3) (internal quotation marks omitted).  The problem for the majority view, however, is that the text, ordinary principles of property law, and statutory history establish that the definitional provision is quite consistent with the term it defines.

I

A

 The Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). For purposes of this appeal, it is agreed that Van Buren was authorized to log into a government database and that he used his entry to obtain fake license-plate information from that database. I thus agree with the majority that this case turns on whether Van Buren was “entitled so to obtain” the fake license-plate information. I also agree that “so” asks whether Van Buren had a right to obtain that information through the means identified earlier in the definition: (1) accessing a computer with authorization and (2) using that access to obtain information in the computer.  In other words, Van Buren’s conduct was legal only if he was entitled to obtain that specific license-plate information by using his admittedly authorized access to the database.  He was not.  A person is entitled to do something only if he has a “right” to do it.  Black’s Law Dictionary 477 (5th ed. 1979); see also American Heritage Dictionary 437 (def. 3a) (1981) (to “allow” or to “qualify”). Van Buren never had a “right” to use the computer to obtain the specific license-plate information. Everyone agrees that he obtained it for personal gain, not for a valid law enforcement purpose.  And without a valid law enforcement purpose, he was forbidden to use the computer to obtain that information.

B

 The majority postulates an alternative reading of this definitional provision: So long as a person is entitled to use a computer to obtain information in at least one circumstance, this statute does not apply even if the person obtains the data outside that circumstance.  In effect, the majority reads the statute to apply only when a person is “not entitled [under any possible circumstance] so to obtain” information.  This interpretation is flawed for a number of reasons.

1

 Foremost, that interpretation is contrary to the plain meaning of the text.  Entitlements are necessarily circumstance dependent; a person is entitled to do something only when “proper grounds” or facts are in place.  Black’s Law Dictionary, at 477.  Focusing on the word “so,” the majority largely avoids analyzing the term “entitled,” concluding at the outset in a single sentence that Van Buren was entitled to obtain this license-plate information.  Ante, at 5. But the plain meaning of “entitled” compels the opposite conclusion.  Because Van Buren lacked a law enforcement purpose, the “proper grounds” did not exist.  He was not entitled to obtain the data when he did so.  

 A few real-world scenarios illustrate the point. An employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared. A valet who obtains a car from a restaurant patron is—to borrow the language from §1030(e)(6)—“entitled” to “access [the car]” and “entitled” to “use such access” to park and retrieve it.  But he is not “entitled” to “use such access” to joyride.  See, e.g., Ind. Code §35–43–4–3 (2020) (felonious criminal conversion to “knowingly or intentionally exer[t] unauthorized control over property of another” if “the property is a motor vehicle”); In re Clayton, 778 N. E. 2d 404, 405 (Ind. 2002) (interpreting this statute to cover misuse of property a person otherwise is entitled to access).  And, to take an example closer to this statute, an employee of a car rental company may be “entitled” to “access a computer” showing the GPS location history of a rental car and “use such access” to locate the car if it is reported stolen.  But it would be unnatural to say he is “entitled” to “use such access” to stalk his ex-girlfriend.

 The majority offers no real response.  It notes that “entitled” is modified by “so” and that courts must therefore consider whether a person is entitled to use a computer to obtain information. Ante, at 10.  But if a person is not entitled to obtain information at all, it necessarily follows that he has no “right to access the information by using a computer.” Ante, at 9. Van Buren was not entitled to obtain this information at all because the condition precedent needed to trigger an entitlement—a law enforcement purpose—was absent.

2

 Next, the majority’s reading is at odds with basic principles of property law.  By now, it is well established that information contained in a computer is “property.”  Nobody doubts, for example, that a movie stored on a computer is intellectual property.  Federal and state law routinely define “property” to include computer data.  E.g., 12 U. S. C. §5433; N. Y. Penal Law Ann. §155.00 (West 2010).  And even the majority acknowledges that this statute is designed to protect property. Ante, at 2.  Yet it fails to square its interpretation with the familiar rule that an entitlement to use another person’s property is circumstance specific.  Consider trespass.  When a person is authorized to enter land and entitled to use that entry for one purpose but does so for another, he trespasses. As the Second Restatement of Torts explains, “[a] conditional or restricted consent to enter land creates a privilege to do so only in so far as the condition or restriction is complied with.” §168, p. 311 (1964). The Restatement includes a helpful illustration:

 “3. A grants permission to B, his neighbor, to enter A’s land, and draw water from A’s spring for B’s own use. A has specifically refused permission to C to enter A’s land and draw water from the spring.  At C’s instigation, B enters A’s land and obtains for C water from the spring. B’s entry is a trespass.” Ibid., Comment b.

 What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes. 

 Consider, too, the common understanding of theft. A person who is authorized to possess property for a limited purpose commits theft the moment he “exercises unlawful control over” it, which occurs “whenever consent or authority is exceeded.” ALI, Model Penal Code §223.2(1), pp. 162, 168 (1980). To again borrow the language from §1030(e)(6), a police officer may have authority to “access” the department’s bank account and “use such access” to cover law enforcement expenses, but he is nonetheless guilty of embezzlement if he “uses such access” to line his pockets.  He would not be exonerated simply because he would be “entitled so to obtain” funds from the account under other circumstances.

 Or take bailment. A bailee commits conversion—which many jurisdictions criminalize—when he, “having no authority to use the thing bailed, nonetheless uses it, or, having authority to use it in a particular way, uses it in a different way.”  8 C. J. S., Bailments §43, pp. 480–481 (2017) (footnote omitted). A computer technician may have authority to access a celebrity’s computer to recover data from a crashed hard drive, but not to use his access to copy and leak to the press photos stored on that computer.   The majority makes no attempt to square its interpretation with this familiar principle.  Instead, it sweeps away this context by stating that Congress did not include in this statute any common-law terms.  Ante, at 8, n. 4.  But the statute does use words like “exceed” and “authority” that are common to other property contexts.  And the majority never identifies any particular property-law buzzwords that it thinks Congress was obliged to include.

 The majority next says that relying on pre-existing concepts of property law is “ill advised” because Congress enacted this law in light of a “failure of pre-existing law to capture computer crime.”  Ante, at 2, 8, n. 4 (citing Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N. Y. U. L. Rev. 1596 (2003)). Yet the reasons why pre-existing law was considered inadequate undermine the majority’s position.  First, state laws were used to cover conduct like Van Buren’s, but doing so “require[d] considerable creativity” because those laws typically required either “physical” entry (which fit poorly with computers) or “depriv[ing]” a victim of property (which fit poorly where a person “merely copied” data or engaged in forbidden “personal uses”).  Id., at 1607–1608, 1610–1611. Second, the fit was even more awkward for federal laws, which were “more limited in scope.”  Id., at 1608.  Congress did not enact this law to eliminate the established principle that entitlements to use property are circumstance specific, but instead to eliminate the deprivation and physical-entry requirements.   

 Unable to square its interpretation with established principles of property law, the majority contends that its interpretation is more harmonious with a separate clause in the statute that forbids “access[ing] a computer without authorization.” §1030(a)(2). In the majority’s telling, this clause requires “a gates-up-or-down inquiry—one either can or cannot access a computer system,” so it makes sense to read the “exceeds authorized access” clause in the same sentence to include the same approach. Ante, at 13–14.  I agree that the two clauses should be read harmoniously, but there is no reason to believe that if the gates are up in a single instance, then they must remain up indefinitely.  An employee who works with sensitive defense information may generally have authority to log into his employer-issued laptop while away from the office.  But if his employer instructs him not to log in while on a trip to a country where network connections cannot be trusted, he accesses the computer without authorization if he logs in anyway.  For both clauses, discerning whether the gates are up or down requires considering the circumstances that cause the gates to move.

 In fact, my reading harmonizes both clauses with established concepts of property law.  Property law generally protects against both unlawful entry and unlawful use after entry. E.g., Restatement (Second) of Torts §214, Comment e, at 408–409; 8 C. J. S., Bailments §43, at 480–481.  The same is true here. The police department could protect information by prohibiting officers from logging in with an improper purpose, but that would do little good if an officer logged in at the start of his shift with proper intent and then, hours later while still logged in, conducted license-plate searches in exchange for payment.  By including both the “without authorization” and “exceeds authorized access” clauses, Congress ensured protection against improper login as well as misuse after proper login.

3

 The majority’s interpretation—that criminality turns on whether there is a single exception to a prohibition—also leads to awkward results.  Under its reading, an employee at a credit-card company who is forbidden to obtain the purchasing history of clients violates the Act when he obtains that data about his ex-wife—unless his employer tells him he can obtain and transfer purchase history data when an account has been flagged for possible fraudulent activity.  The same is true of the person who, minutes before resigning, deletes every file on a computer.  See Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756, 758 (CA6 2020). So long as an employee could obtain or alter each file in some hypothetical circumstance, he is immune.  But the person who plays a round of solitaire is a criminal under the majority’s reading if his employer, concerned about distractions, categorically prohibits accessing the “games” folder in Windows. It is an odd interpretation to “stak[e] so much” on the presence or absence of a single exception.  Ante, at 20.

 The majority’s interpretation is especially odd when applied to other clauses in the statute. Section 1030(a)(1) prohibits “exceeding authorized access” to obtain “restricted data . . . with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation,” and retaining or distributing that data.  The term “restricted data” is defined to include “all data concerning (1) design, manufacture, or utilization of atomic weapons.” 42 U. S. C. §2014(y).  Under the majority’s reading, so long as a scientist may obtain blueprints for atomic weapons in at least one circumstance, he would be immune if he obtained that data for the improper purpose of helping an unfriendly nation build a nuclear arsenal. It is difficult to see what force this provision—in place in substantially similar form since 1984— has under the majority’s reading.

4

 Were there any remaining doubt about which interpretation better fits the statute, the defined term settles it.  When a definition is susceptible of more than one reading, the one that best matches the plain meaning of the defined term ordinarily controls. See, e.g., Bond v. United States, 572 U. S. 844, 861 (2014) (considering the “ordinary meaning of a defined term”); id., at 870 (Scalia, J., concurring in judgment) (courts may “us[e] the ordinary meaning of the term being defined for the purpose of resolving an ambiguity in the definition” (emphasis deleted)). That is because “there is a presumption against” reading a provision contrary to the ordinary meaning of the term it defines. A. Scalia & B. Garner, Reading Law: The Interpretation of Legal Texts 232 (2012); see also id., at 228 (“[T]he meaning of the definition is almost always closely related to the ordinary meaning of the word being defined”).

 The majority instead resolves supposed ambiguity in the definition against the plain meaning of the defined term.  It adopts a “favor[ed]” interpretation of the definition and then asks whether the defined term can be interpreted in a way “consistent” with this “favor[ed]” view. Ante, at 11.  But “[i]t should take the strongest evidence to make us believe that Congress has defined a term in a manner repugnant to its ordinary and traditional sense.” Babbitt v. Sweet Home Chapter, Communities for Great Ore., 515 U. S. 687, 719 (1995) (Scalia, J., dissenting). The majority identifies no such evidence. The most it says is that my reading of “exceeds authorized access” is not “necessarily” best because “access” can have a technical meaning: entering the computer system or a part of the computer system. Ante, at 11, 12, n. 6.  But whatever meaning “access” might have, “authority”—like “entitled”—is circumstance dependent.  The majority’s reading of “access” confirms that point.  The definitions the majority cites reference not mere entry, but using entry to obtain specific data.  Ante, at 12, n. 6. That accords with the definition here, which regulates a person’s “use” of a computer after entering it.  §1030(e)(6). Here, as in other contexts of property law, a person’s authority to use his access to property is circumstance dependent.  The majority’s focus on the term “access”—at the expense of “authority” and “entitled”—harms, not helps, its argument.

II

 What the text and established concepts of property law make clear, statutory history reinforces. The original text of this Act expressly prohibited accessing a computer with authorization and then “us[ing] the opportunity such access provides for purposes to which such authorization does not extend.” 98 Stat. 2191.  The Act thus applied when persons used computers for improper reasons—just like Van Buren indisputably did here.

 The majority does not deny this. Instead, it notes that Congress amended the text in 1986 to its present definition, and it says that the Court can presume that Congress’ decision to omit the term “purpose” necessarily eliminated any prohibition against obtaining information for an improper purpose. Ante, at 17.

 But the majority cannot so easily evade this history.  True, the statute previously included the term “purpose” and now does not, but the majority fails to consider how that change affected the statute.  Often, deleting a word expands, rather than constricts, the scope of a provision.  If a city changes a sign in a park from “no unleashed dogs” to “no dogs,” nobody would presume that unleashed dogs are now allowed. The same is true when the specific is replaced by the general (“no dogs” to “no pets”).

 Congress’ change to this statute similarly broadened the law. The original text prohibited accessing a computer with authorization then “us[ing] the opportunity such access provides for purposes to which such authorization does not extend.” The term “purpose” limited that clause to purpose-based constraints. It did not naturally include other constraints, such as time and manner restrictions.  By replacing the specific, limited term “purposes” with the broader, more general phrase “not entitled,” Congress gave force to those other kinds of constraints.  Consider the previous example of the employee who violates an instruction not to log in while in an unfriendly foreign country with insecure networks. The original text would not cover him, so long as he logged in for a proper purpose like checking work e-mail.  The newer text would cover him because his entitlement to obtain or alter data is context dependent.  His purpose is innocent, but the time or manner of his use is not.

III

 The majority ends with policy arguments.  It suggests they are not needed.  Ante, at 17 (“‘extra icing on a cake already frosted’”).  Yet, it stresses them at length.  Ante, at 17–20. Regardless, the majority’s reliance on these policy arguments is in error.

 Concerned about criminalizing a “breathtaking amount of commonplace computer activity,” the majority says that the way people use computers today “underscores the implausibility of the Government’s interpretation.”  Ante, at 17. But statutes are read according to their “‘ordinary meaning at the time Congress enacted the statute.’”  Wisconsin Central Ltd. v. United States, 585 U. S. ___, ___ (2018) (slip op., at 2) (ellipsis omitted).  The majority’s reliance on modern-day uses of computers to determine what was plausible in the 1980s wrongly assumes that Congress in 1984 was aware of how computers would be used in 2021.  I also would not so readily assume that my interpretation would automatically cover so much conduct. Many provisions plausibly narrow the statute’s reach.  For example, the statute includes the strict mens rea requirement that a person must “intentionally . . . excee[d] authorized access.”  §1030(a)(2). The statute thus might not apply if a person believes he is allowed to use the computer a certain way because, for example, that kind of behavior is common and tolerated. Cf. Restatement (Second) of Contracts §223(2) (1979) (discussing how an established “course of dealing” can erase written limitations in certain contractual contexts). The Act also concerns only “obtain[ing] or alter[ing] information in the computer,” §1030(e)(6) (emphasis added), not using the Internet to check sports scores stored in some distant server (i.e., a different computer). The majority does not deny that many provisions plausibly narrow the focus of this statute.  It simply faults the government for not arguing the point more forcefully.  Ante, at 18–19. I would not give so much weight to the hypothetical concern that the Government might start charging innocuous conduct and that courts might interpret the statute to cover that conduct.

 The majority’s argument also proves too much. Much of the Federal Code criminalizes common activity.  Absent aggravating factors, the penalty for violating this Act is a misdemeanor. §1030(c)(2)(A). This Act thus penalizes mine-run offenders about as harshly as federal law punishes a person who removes a single grain of sand from the National Mall, 40 U. S. C. §8103(b); breaks a lamp in a Government building, ibid.; or permits a horse to eat grass on federal land, 18 U. S. C. §1857.  The number of federal laws and regulations that trigger criminal penalties may be as high as several hundred thousand. Fields & Emshwiller, Many Failed Efforts To Count Nation’s Federal Criminal Laws, Wall Street Journal (July 23, 2011).*  It is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes.

——————

*www.wsj.com/article/SB10001424052702304319804576389601079728920.html.

* * *

 In the end, the Act may or may not cover a wide array of conduct because of changes in technology that have occurred since 1984. But the text makes one thing clear: Using a police database to obtain information in circumstances where that use is expressly forbidden is a crime.  I respectfully dissent. 

 

[1] Van Buren also was charged with and convicted of honest-services wire fraud. In a separate holding not at issue here, the United States Court of Appeals for the Eleventh Circuit vacated Van Buren’s honest-services fraud conviction as contrary to this Court’s decision in McDonnell v. United States, 579 U. S. 550 (2016).

[2] Compare Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F. 3d 756 (CA6 2020); United States v. Valle, 807 F. 3d 508 (CA2 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F. 3d 199 (CA4 2012); United States v. Nosal, 676 F. 3d 854 (CA9 2012) (en banc), with United States v. Rodriguez, 628 F. 3d 1258 (CA11 2010); United States v. John, 597 F. 3d 263 (CA5 2010); International Airport Centers, L.L.C. v. Citrin, 440 F. 3d 418 (CA7 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F. 3d 577 (CA1 2001).

[3] See, e.g., 7 U. S. C. §171(8) (authorizing Secretary of Agriculture “[t]o sell guayule or rubber processed from guayule and to use funds so obtained in replanting and maintaining an area”); 18 U. S. C. §648 (any person responsible for “safe-keeping of the public moneys” who “loans, uses, or converts to his own use . . . any portion of the public moneys . . . is guilty of embezzlement of the money so loaned, used, converted, deposited, or exchanged”); §1163 (“[W]hoever embezzles, steals, [or] knowingly converts to his use” money or property “belonging to any Indian tribal organization,” or “[w]hoever, knowing any such moneys . . . or

[4] The dissent criticizes this interpretation as inconsistent with “basic principles of property law,” and in particular the “familiar rule that an entitlement to use another person’s property is circumstance specific.”  Post, at 4–5 (opinion of THOMAS, J.).  But common-law principles “should be imported into statutory text only when Congress employs a common-law term”—not when Congress has outlined an offense “analogous to a common-law crime without using common-law terms.”  Carter v. United States, 530 U. S. 255, 265 (2000) (emphasis deleted).  Relying on the common law is particularly ill advised here because it was the failure of preexisting law to capture computer crime that helped spur Congress to enact the CFAA. See supra, at 2.

[5] For the same reason, the dissent is incorrect when it contends that our interpretation reads the additional words “under any possible circumstance” into the statute.  Post, at 3 (emphasis deleted).  Our reading instead interprets the phrase “so to obtain” to incorporate the single “circumstance” of permissible information access identified by the statute: obtaining the information by using one’s computer.

[6] The dissent makes the odd charge that our interpretation violates the “ ‘presumption against’ ” reading a provision “contrary to the ordinary meaning of the term it defines.”  Post, at 9.  But when a statute, like this one, is “addressing a . . . technical subject, a specialized meaning is to be expected.”  Scalia, Reading Law, at 73.  Consistent with that principle, our interpretation tracks the specialized meaning of “access” in the computer context. This reading is far from “ ‘repugnant to’ ” the meaning of the phrase “exceeds authorized access,” post, at 9—unlike, say, a definitional provision directing that “ ‘the word dog is deemed to include all horses.’ ”  Scalia, supra, at 232, n. 29.

[7] For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.  Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach).

[8] Van Buren’s gates-up-or-down reading also aligns with the CFAA’s prohibition on password trafficking.  See Tr. of Oral Arg. 33. Enacted alongside the “exceeds authorized access” definition in 1986, the password-trafficking provision bars the sale of “any password or similar information through which a computer may be accessed without authorization.” §1030(a)(6). The provision thus contemplates a “specific type of authorization—that is, authentication,” which turns on whether a user’s credentials allow him to proceed past a computer’s access gate, rather than on other, scope-based restrictions.  Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1470 (2016); cf. A Dictionary of Computing, at 30 (defining “authorization” as a “process by which users, having completed an . . . authentication stage, gain or are denied access to particular resources based on their entitlement”).

[9] While the Government insists that Congress made this change “ ‘merely to clarify the language’ ” of §1030(a)(2), Brief for United States 28, the dissent has a different take.  In the dissent’s telling, the 1986 amendment in fact “expand[ed]” the provision to reach “time and manner” restrictions on computer access—not just purpose-based ones.  Post, at 10–11.  The dissent’s distinct explanation for why Congress removed §1030(a)(2)’s reference to “purpose” requires accepting that the “exceeds authorized access” definition supports a circumstance-specific approach.  We reject the dissent’s premise for the textual and structural reasons already discussed.

[10] Memorandum from U. S. Atty. Gen. to U. S. Attys. & Assistant Attys. Gen. for the Crim. & Nat. Security Divs., Intake and Charging Policy for Computer Crime Matters 5 (Sept. 11, 2014), https://www.justice.gov/criminal-ccips/file/904941/download (emphasis added).  Although the Government asserts that it has “[h]istorically” prosecuted only “core conduct” like Van Buren’s and not the commonplace violations that Van Buren fears, Brief for United States 40, the contrary examples Van Buren and his amici cite give reason to balk at that assurance.  See Brief for Petitioner 32–33; Brief for Orin Kerr as Amicus Curiae 18–23; Brief for Technology Companies as Amici Curiae 11.