MEMORANDUM OPINION AND ORDER ADDRESSING PROTOCOL FOR INNOVATIO’S WI-FI “SNIFFING”

JAMES F. HOLDERMAN, Chief Judge:

Plaintiff Innovatio IP Ventures, LLC (“Innovatio”) has sued various hotels, coffee shops, restaurants, supermarkets, and other commercial users of wireless internet technology located throughout the United States (collectively, the “Wireless Network Users”). (See Dkt. No. 198 (“Second Am. Compl.”).) Innovatio alleges that, by making wireless internet available to their customers or using it to manage internal processes, the Wireless Network Users infringe various claims of seventeen patents owned by Innovatio. (Id. ¶¶48-81.) In addition, several manufactures of the products that the Wireless Network Users use to provide wireless internet (collectively, the “Manufacturers”) have brought declaratory judgment actions against Innovatio seeking a declaration that their products, and the networks or systems of which they are a part, do not infringe Innovatio’s patents. See Compl. (Dkt. No. 1), Cisco Sys., Inc. v. Innovatio IP Ventures, No. 11-cv-9309 (N.D. Ill. May 13, 2011). All claims and parties were consolidated before this court by the Judicial Panel on Multidistrict Litigation. (Dkt. No. 1.) Pending before the court is Innovatio’s motion titled “Rule 16(c)(2) Motion for Entry of Protocol for Collection of Electronic Evidence and Preliminary Ruling on Admissibility of Evidence Collected Therefrom.” (Dkt. No. 329.) For *890the reasons explained below, that motion is granted.

BACKGROUND

The standard for the operation of wireless networks that access the internet is established by the Institute of Electrical and Electronic Engineers (“IEEE”), and is known as IEEE 802.11, or “Wi-Fi.” As discovery has proceeded in this case, Innovatio has been using commercially-available Wi-Fi network analyzers to collect information about the Wireless Network Users’ allegedly infringing Wi-Fi networks. (Dkt. No. 329, at 2.) That process, which is known in the industry as “sniffing,” requires Innovatio’s technicians to enter the Wireless Network Users’ premises during business hours with a laptop computer and a Riverbed AirPcap Nx packet capture adapter (or a similar device). (Id.) The packet capture adapter can intercept data packets that are traveling wirelessly between the Wi-Fi router provided by the Wireless Network Users and any devices that may be communicating with it, such as a customer’s laptop, smartphone, or tablet computer. Innovatio then uses Wireshark network packet analyzer software to analyze the data packets, revealing information about the configuration of the network and the devices in the network. The data packets also include any substantive information that customers using the Wi-Fi network may have been transmitting during the interception of the data packets, including e-mails, pictures, videos, passwords, financial information, private documents, and anything else a customer could transmit to the internet. Innovatio contends that the information it collects will assist in proving its infringement claims.

Before continuing to incur the expense of additional sniffing, Innovatio sought permission to obtain a preliminary ruling on the admissibility of the information that it gains in the sniffing process. (Dkt. No. 290.) The court granted permission to Innovatio to seek an admissibility ruling (Dkt. No. 323), but expressed some concern that Innovatio’s sniffing may implicate the privacy interests of the customers using the Wi-Fi networks under the federal Wiretap Act. 18 U.S.C. §§ 2510-2522. Accordingly, the court ordered Innovatio’s motion to describe its proposed sniffing protocol in detail and to address the applicability of the Wiretap Act. Innovatio has submitted a proposed protocol under seal (Dkt. No. 329, Ex. A), and now requests that the court approve that protocol and issue a preliminary ruling on the admissibility of any evidence Innovatio may gather through the use of that protocol.

ANALYSIS

I. The Federal Wiretap Act

The Federal Wiretap Act provides that, with certain exceptions, “any person who ... intentionally intercepts ... any wire, oral, or electronic communication” shall be subject to criminal and civil liability. 18 U.S.C. § 2511(l)(a); see also 18 U.S.C. § 2520(a). An “electronic communication” includes “any transfer of signals, -writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” Neither party disputes that the allegedly infringing Wi-Fi networks transmit information using radio waves (which are a type of electromagnetic radiation), and thus transmit “electronic communications.”

Nonetheless, Innovatio contends that the Wiretap Act does not apply because it has altered the source code of the Wireshark software so that it no longer intercepts the contents of any third-party communication.1 The Wiretap Act pro*891vides that “ ‘intercept’ means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). The “contents” of a communication are “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). According to Innovatio, its modified Wireshark software “overwrites the data payload (i.e. the ‘substance’ of the [Wi-Fi] communication) before the results are provided to the user,” while still collecting the header information that it needs to analyze the configuration of the wireless network (such as the source of the data packet, the destination of the packet, the packet length, and the checksum2). (Dkt. No. 329, at 4.) Innovatio thus contends that it is not acquiring the contents of any communication, and that its sniffing does not violate the Wiretap Act.

In response, the defendants3 argue that the process of “overwriting” the data payload implies that Innovatio initially captures the data payload before deleting it. According to the defendants’ expert, James Edward Hung, the mere act of initially recording the data payload is sufficient to complete the acquisition of the data, regardless of whether the intercepted data is later overwritten before it is used. (Dkt. No. 349, Ex. 5 (“Hung Decl. ¶ 12”).) The defendants thus contend that Innovatio’s proposed protocol intercepts the contents of the communication. In support of that argument, the defendants note that § 2511(l)(d) of the Wiretap Act contains a separate provision prohibiting the use of intercepted communications and that, to avoid redundancy with that section, § 2511(l)(a)’s prohibition on interception must not require the use of the communication as an element of the offense. See Noel v. Hall, 568 F.3d 743, 749 (9th Cir.2009) (“No new interception occurs when a person listens to or copies the communication that has already been captured or redirected. Any subsequent use of the recorded conversation is governed not by the prohibition on interception, but by the prohibition in § 2511(c) and (d) on the ‘use’ and ‘disclosure]’ of intercepted wire communications.”).

Innovatio replies, however, that the defendants have misunderstood the relevant technology. According to Innovatio’s expert, Ray Nettleton, all Wi-Fi devices necessarily store an entire received data packet, including the packet’s substantive communications, while the device processes the packet. (Dkt. No. 384, Ex. U (“Nettleton Decl.”) ¶ 40.) During processing, if the Wi-Fi device determines that the data packet is not addressed to it or has been corrupted during transmission, the packet is deleted. (Id. ¶¶ 42-46.) Pri- or to that point, the entire data packet is retained only in the Wi-Fi device’s random access memory, and is not stored in a permanent medium. (Id. ¶ 47.) The entire process is momentary, so deleted packets are retained in memory for no more than milliseconds. (Id. ¶ 48.) Innovatio proposes to automatically overwrite all substantive communications in the data packets that it intercepts, making its protocol “intercept” substantive communica*892tions only to the extent that a normal Wi-Fi device would intercept all communications on a Wi-Fi network to which it is connected. (Id. ¶ 54.) If its proposal runs afoul of the Wiretap Act, Innovatio argues, then all Wi-Fi devices necessarily violate the Act whenever they are connected to a Wi-Fi network that also includes devices belonging to a another party, an absurd result.

In essence, Innovatio asks the court to conclude that a communication is not “intercepted” until it has been recorded in a permanent medium. The court is hesitant to adopt that conclusion, first because that requirement is nowhere found in the Wiretap Act. Moreover, an individual’s online activity can be chilled merely by the knowledge that a third party has the power to acquire, however briefly, the contents of his communications. See Amati v. City of Woodstock, 829 F.Supp. 998, 1008 (N.D.Ill.1993) (holding that the privacy interests of an individual whose conversations come under the power of another are implicated “even if the individual was assured no one would listen to his conversations, because the individual’s privacy interests are no longer autonomous”); see also United States v. Rodriguez, 968 F.2d 130, 136 (2d Cir.1992) (acquisition occurs “when the contents of a wire communication are captured or redirected in any way ” (emphasis added)).

The court need not, however, construe the term “intercept” in this case, nor must it resolve the dispute between the parties’ experts. The reason is that, even assuming that Innovatio’s proposed protocol intercepts Wi-Fi communications, Innovatio’s proposed protocol falls into the exception to the Wiretap Act allowing a person “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)(i).4 Most of the Wireless Network Users’ Wi-Fi networks are open and available to the general public, allowing any customer who so desires to access the internet through them. The question is not, however, whether the networks are “readily accessible to the general public,” but instead whether the network is configured in such a way so that the electronic communications sent over the network are readily accessible.

The only reported decision addressing that question is In re Google Inc. Street View Electronic Communications Litigation, 794 F.Supp.2d 1067, 1070 (N.D.Cal. 2011). In that case before Chief Judge Ware, the plaintiffs sued Google under the Wiretap Act for the intentional interception of data from their unencrypted home Wi-Fi networks during the collection of *893data for the Google Street View feature of Google Maps. In denying Google’s motion to dismiss, the court noted that the plaintiffs had alleged that the data packets transmitted over the Wi-Fi networks “were not readable by the general public without the use of sophisticated packet sniffer technology.” Id. at 1082. After accepting that allegation as true, the court held that the data packets were not readily accessible to the general public:

[CJommunications sent via Wi-Fi technology, as pleaded by Plaintiffs, are not designed or intended to be public. Rather, as alleged, Wi-Fi technology shares a common design with cellular phone technology, in that they both use radio waves to transmit communications, however they are both designed to send communications privately, as in solely to select recipients, and both types of technology are architected in order to make intentional monitoring by third parties difficult.5

The court’s conclusion thus depended on the proposition that data packets sent through unencrypted Wi-Fi networks are only readable with “sophisticated packet sniffer technology,” a proposition that the court accepted as true under the standards applicable to a motion to dismiss.

Here, by contrast, the court is not required to accept any such allegation. Moreover, upon examination, the proposition that Wi-Fi communications are accessible only with sophisticated technology breaks down. As mentioned above, Innovatio is intercepting Wi-Fi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. See Riverbed Technology Product Catalog, http:// www.cacetech.com/products/catalog' (last visited Aug. 21, 2012). A more basic packet capture adapter is available for only $198.00. Id. The software necessary to analyze the data that the packet capture adapters collect is available for download for free. See Wireshark Frequently Asked Questions, http://www.wireshark.org/faq. html#secl (last visited Aug. 21, 2012) (‘Wireshark® is a network protocol analyzer .... It is freely available as open source.... ”). With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted Wi-Fi network can begin intercepting communications sent on that network. Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of “sniffing” Wi-Fi networks, the court concludes that the communications sent on an unencrypted Wi-Fi network are readily accessible to the general public.

To be sure, the majority of the public is likely unaware that communications on an unencrypted Wi-Fi network are so easily intercepted by a third party. See Predrag Klasnja et al., “When I Am on Wi-Fi, I am Fearless: ” Privacy Concerns & Prac *894 tices in Everyday Wi-Fi Use, in CHI '09 Proc. 27th Int’l Conf. (2009), available at http://appanalysis.org/jjung/jaeyeon-pub/ FormativeUserStudy4CHI.pdf (reporting the results of a study involving eleven participants and concluding that “users from the general public ... were largely unaware of ... the visibility of unencrypted communications,” which “led them to a false sense of security that reduced how much they thought about privacy and security while using Wi-Fi”); see also Press Release, Wi-Fi Alliance, Wi-Fi Security Barometer Reveals Large Gap Between What Users Know and What They Do (Oct. 5, 2011) (reporting that only 18% of users take steps to protect their communications when accessing a commercial Wi-Fi hotspot). The public still has a strong expectation of privacy in its communications on an unencrypted Wi-Fi network, even if reality does not match that expectation.

The public’s lack of awareness of the ease with which unencrypted Wi-Fi communications can be intercepted by a third party is, however, irrelevant to a determination of whether those communications are “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g)(i). The language of the exception does not, after all, refer to “communications that the general public knows are readily accessible to the general public.” Therefore, the public’s expectation of privacy in a particular communication is irrelevant to the application of the Wiretap Act as currently written. Because data packets sent over unencrypted Wi-Fi networks are readily accessible using the basic equipment described above, the Wiretap Act does not apply here. Accordingly, to the extent that Innovation proposed sniffing protocol accesses only communications sent over unencrypted Wi-Fi networks available to the general public, it is permissible under § 2511(2)(g)(i)’s exception to the Wiretap Act.6

Any tension between that conclusion and the public’s expectation of privacy is the product of the law’s constant struggle to keep up with changing technology. Five or ten years ago, sniffing technology might have been more difficult to obtain, and the court’s conclusion might have been different. But it is not the court’s job to update the law to provide protection for consumers against ever changing technology. Only Congress, after balancing any competing policy interests, can play that role. Indeed, one United States Senator has already called for changes to the Wiretap Act in light of the threat that unencrypted communications may be easily intercepted. See Elec. Privacy Info. Ctr., On Google Spy-Fi, Senator Durbin Calls for Update to Wiretap Law, FCC Chair Agrees Law Should Protect Unencrypted Communications (May 11, 2012), http://epic.org/2012/ 05/on-google-spy-fi-senator-durbi.html. Unless and until Congress chooses to amend the Wiretap Act, the interception of communications sent over unencrypted Wi-Fi networks is permissible.

II. The Pen Registers and Trap and Trace Devices Act

The defendants also briefly contend that Innovatio’s proposed protocol violates *895the Pen Registers and Trap and Trace Devices Act. 18 U.S.C. §§ 8121-3127. That statute makes it a crime to “install or use a pen register or a trap and trace device.” 18 U.S.C. § 3121(a). A pen register is “a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication.” 18 U.S.C. § 3127(3). A trap and trace device is “a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication.” 18 U.S.C. § 3127(4).

The defendants’ argument is a single paragraph, and it cites no cases applying the Pen Registers and Trap and Trace Devices Act to Wi-Fi packet capture adapters. Because all Wi-Fi devices on a network necessarily receive addressing information to determine if a data packet is addressed to them, doing so would put any user of a Wi-Fi network on which a third party was also operating in violation of the Act. Moreover, there is some doubt that the Pen Registers and Trap and Trace Devices Act applies to any device that is also capable of collecting the contents of a communication. In Matter of Application of U.S. For an Order Authorizing the Installation & Use of a Pen Register & a Trap & Trace Device on E-Mail Account, 416 F.Supp.2d 13, 18 (D.D.C.2006) (“ ‘[P]en registers’ and ‘trap and trace devices’ are statutorily defined as processes or devices that are prohibited from collecting ‘the contents of any communication.’ 18 U.S.C. § 3127(3)-(4). Consequently, the argument could be made that any process or device that collects the content of an electronic communication is not, in fact, a pen register or trap and trace device but, instead, is an electronic intercepting device as defined in [the Wiretap Act].”). Operating as it is without adequate briefing on the subject, the court declines to apply the Pen Registers and Trap and Trace Devices Act to Wi-Fi packet capture adapters.

III. The Admissibility of the Information Innovatio Collects

In light of the court’s conclusion that Innovatio’s proposed sniffing protocol does not violate the Wiretap Act or the Pen Registers and Trap and Trace Devices Act, the evidence Innovatio collects through the use of that protocol will not be inadmissible because of a violation of those Acts. Accordingly, if Innovatio lays a proper foundation under the Federal Rules of Evidence at trial for the information it collects through the sniffing protocol, that evidence will be admissible.

CONCLUSION

Innovatio’s “Rule 16(c)(2) Motion for Entry of Protocol for Collection of Electronic Evidence and Preliminary Ruling on Admissibility of Evidence Collected Therefrom” (Dkt. No. 329) is granted. Innovatio may collect information from the defendants’ public-facing Wi-Fi networks according to its proposed protocol. (Dkt. No. 329, Ex. A.)

OPINION OF THE COURT

FUENTES, Circuit Judge:

This class action arises from allegations that the defendants, who run internet advertising businesses, placed tracking cookies on the plaintiffs’ web browsers in contravention of their browsers’ cookie blockers and defendant Google’s own public statements. At issue in this appeal is the District Court’s dismissal of each of the nine claims brought by the plaintiffs. As follows, we will affirm in part, vacate in part, and remand to the District Court for additional proceedings.

I. Background

A. Internet Advertising and Cookie-Based Tracking

In most users’ experience, webpages appear on browsers as integrated collages of text and images. As a technical matter, this content is delivered and aggregated from multiple independent servers. This includes advertising content, which is typically drawn from “third-party” servers owned by the advertisers themselves. The defendants in this case are internet advertising companies, and this suit concerns their practices in serving advertisements to the browsers of webpage visitors.

The delivery of advertising content from third party servers to webpage visitors’ browsers is a highly technical process involving a series of communications between the visitor’s browser, the server of the visited website, and the server of the advertising company. In its specifics:

The host website leaves part of its web-page blank where the third-party advertisements will appear. Upon receiving a “GET” request from a user seeking to display a particular webpage, the server for that webpage will subsequently respond to the browser, instructing the browser to send a “GET” request to the third-party company charged with serving the advertisements for that particular webpage.... The third-party server responds to the GET request by sending the advertisement to the user’s browser, which then displays it on the user’s device. The entire process occurs within milliseconds and the third-party content appears to arrive simultaneously with the first-party content so that the user does not discern any separate GET requests from the third-parties.1

*131As the defendants deliver their advertisements directly to users from their own servers, the defendants have the capacity to vary how they populate their rented webpage space. This capacity permits targeting by which the defendants may serve different advertisements to different visitors. The general principle is that the more that an advertisement is tailored to its audience — sneakers for runners, legal pads for lawyers — the greater the advertisement’s expected value. Here, the value of customization, combined with the capacity for individuated advertisement service, impels internet advertisers to surmise whatever they can about each particular person requesting webpage content.

As pled in the complaint:

To inject the most targeted ads possible, and therefore charge higher rates to buyers of the ad space, these third-party companies ... compile the [ijnternet histories of users. The third-party advertising companies use “third-party cookies” to accomplish this goal. In the process of injecting the advertisements into the first-party websites, the third-party advertising companies also place third-party cookies on user’s computing devices. Since the advertising companies place advertisements on multiple sites, these cookies allow these companies to keep track of and monitor an individual user’s web activity over every website on which these companies inject ads.2

These third-party cookies are used by advertising companies to help create detailed profiles on individuals ... by recording every communication request by ■ that browser to sites that are participating in the ad network, including all search terms the user has entered. The information is sent to the companies and associated with unique cookies — that is how the tracking takes place. The cookie lets the tracker associate the web activity with a unique person using a unique browser on a device. Once the third-party cookie is placed in the browser, the next time the user goes to a website with the same [defendant's advertisements, a copy of that request can be associated with the unique third-party cookie previously placed. Thus the tracker can track the behavior of the user.... 3

B. Cookie Blocking, Circumvention, Deceit, and Discovery

Individually tailored webpage advertisements are now ubiquitous. But, where cookie-based tracking is concerned, leading web browsers have designed built-in features to prevent the installation of cookies by third-party servers. The complaint calls them '“cookie blockers.” The cookie blockers of two browsers are at issue in this case. One is Microsoft’s Internet Explorer, which featured an “opt-in” cookie blocker that a user could elect to activate. The other is Apple’s Safari browser, which featured an “opt-out” cookie blocker that was activated by default. The complaint notes that the main Apple website page dedicated to Safari advertised its opt-out cookie blocker as a unique feature, stating that, “to better protect[] your privacy!,] Safari accepts cookies only from the websites you visit.”4 Likewise, the Safari browser labeled its default cookie setting as “Block cookies: From third parties and advertisers.”5

*132According to the complaint, the Safari and Internet Explorer cookie blockers were well-known to industry participants, including as to their existence, functionality, and purpose. More is alleged about Google in particular. Google’s Privacy Policy explained that “most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent.”6 Google provided further assurances about the Safari cookie blocker specifically. Google offered a proprietary cookie blocker, a so-called “opt-out cookie” that, when downloaded, would prevent the installation of tracking cookies. On the public webpage Google maintained to describe its opt-out cookie, Google assured visitors that “Safari is set by default to block all third party cookies. If you have not changed those settings, this option essentially accomplishes the same thing as setting the opt-out cookie.”7

In February 2012, Stanford graduate student Jonathan Mayer published an online report revealing that Google and the other defendants had discovered, and were surreptitiously exploiting, loopholes in both the Safari cookie blocker and the Internet Explorer cookie blocker.8 Safari’s cookie blocker turns out to have had a few exceptions, one of which was that it permitted third-party cookies if the browser submitted a certain form to the third-party. Because advertisement delivery does not, in the ordinary course, involve such forms, the exception ought not have provided a pathway to installing advertiser tracking cookies. But according to Mayer’s report, Google used code to command users’ web browsers to automatically submit a hidden form to Google when users visited websites embedded with Google advertisements. This covert form triggered the exception to the cookie blocker, and, used widely, enabled the broad placement of cookies on Safari browsers notwithstanding that the blocker — as Google publicly acknowledged — was designed to prevent just that. Thé other defendants, meanwhile, accomplished similar circumventions. As a result, the defendants could — and did — place third-party cookies on browsers with activated blockers.

Mayer’s findings were concurrently published in the Wall Street Journal9 and drew the attention of the Federal Trade Commission and a consortium of state attorneys general. The Department of Justice filed suit under the Federal Trade Commission’s authorizing statute in the Northern District of California, and the action resolved by way of a stipulated order providing for a $22.5 million civil penalty.10 Google further agreed to certain forward-looking conditions related to internet privacy, but admitted no past acts or *133wrongdoing.11 Google similarly reached a $17 million settlement with 38 state attorneys general, including the California Attorney General.12

C. The Instant Suit

Following Mayer’s report, a series of lawsuits were filed in federal district courts around the country. Those lawsuits were consolidated by the Multi-District Litigation panel and assigned to Judge Sue Robinson of the District of Delaware. This appeal is from the District Court’s dismissal of that consolidated case.

The consolidated case was presented to the District Court as a putative class action, and four named plaintiffs — our appellants here — filed a consolidated class action complaint. The putative class consists of:

all persons in the United States of America who used the Apple Safari or Microsoft Internet Explorer web browsers and who visited a website from which doublechck.net (Google’s advertising serving service), PointRoll, Vibrant Media, Media Innovation Group, or WPP cookies were deployed as part of a scheme to circumvent the users’ browsers’ settings to block such cookies and which were ■ thereby used to enable tracking of the class membersf] [ijnter-net communications without consent.13

The complaint asserts three federal law claims against all defendants. Count I claims violation of the federal Wiretap Act, 18 U.S.C. § 2510 et seq. Count II claims violation of the Stored Communications Act, 18 U.S.C. § 2701. And Count III claims violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.

The complaint also asserts six California state law claims against Google only. Count IV claims violation of the privacy right conferred by the California Constitution. Count V claims intrusion upon seclusion under California tort law. Count VI claims violation of the Unfair Competition Law, Cal. Bus. & Prof.Code § 17200. Count VII claims violation of the California Comprehensive Computer Data Access and Fraud Act, CaLPenal Code § 502. Count VIII claims violation of the California Invasion of Privacy Act, CahPenal Code § 630 et seq. And Count IX claims violation of the California Consumers Legal Remedies Act, Cal. Civ.Code § 1750 et seq.

The defendants moved to dismiss the entire complaint for lack of Article III *134standing and for failure to state any claim. Without definitively resolving the standing challenge, the District Court agreed with the defendants that the allegations in the complaint did not give rise to any action, and on that basis dismissed the complaint under Rule 12(b)(6).14 On appeal, the plaintiffs challenge the dismissal of each of their nine claims, and the defendants renew their contention that the plaintiffs lack Article III standing.

II. Injury in Fact

Before we reach the merits, we address the defendants’ argument that the plaintiffs lack standing. “[T]he question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues.”15 A core requirement of standing is that the plaintiff have suffered an injury in fact. The defendants contend that the plaintiffs fail to demonstrate injury in fact because they make insufficient allegations of pecuniary harm.

For purposes of injury in fact, the defendants’ emphasis on economic loss is misplaced. In assessing injury in fact, we look for an “invasion ... which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.” 16 Though the “injury must affect the plaintiff in a personal and individual way,”17 this standard does not demand that a plaintiff suffer any particular type of harm to have standing. Consequently, and contrary to the contentions of the defendants, a plaintiff need not show actual monetary loss for purposes of injury in fact. Rather, “the actual or threatened injury required by Art. Ill may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” 18 Sure enough, the Supreme Court itself has permitted a plaintiff to bring suit for violations of federal privacy law absent any indication of pecuniary harm.19

The plaintiffs here base their claims on highly specific allegations that the defendants, in the course of serving advertisements to their personal web browsers, implanted tracking cookies on their personal computers. Irrespective of whether these allegations state a claim, the *135events that the complaint describes are concrete, particularized, and actual as to the plaintiffs. To the extent that the defendants believe that the alleged conduct implicates interests that are not legally protected, this is an issue of the merits rather than of standing.

The plaintiffs show injury in fact, and we have jurisdiction to address the merits of their claims.20

III. Federal Claims Against All Defendants

We first address the three federal law claims brought against all defendants. For the following reasons, we will affirm the dismissal of the plaintiffs’ Wiretap Act claim as well as the dismissal of plaintiffs’ claims under the Stored Communications Act and Computer Fraud and Abuse Act.

A. The Federal Wiretap Act

The federal Wiretap Act is codified at 18 U.S.C. § 2510 et seq. A plaintiff pleads a prima facie case under the Act by showing that the defendant “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.”21 Of several statutory exceptions, one is the exception of § 2511(2)(d). Section 2511(2)(d) provides that, ordinarily, no cause of action will lie against a private person “where such person is a party to the communication or where one ■ of the parties to the communication has given prior consent to such-interception.”22

1. Acquisition of “Content”

The District Court dismissed the plaintiffs’ Wiretap Act claim on the basis that the defendants’ alleged conduct did not involve the acquisition of communications “content.” While the plaintiffs allege that the defendants acquired and tracked the URLs they visited, the Act defines “contents” as “any information concerning the substance, purport, or meaning of th[e] communication [at issue].”23 The District Court held that, “[a]s described by their name, ‘Universal Resource Locators,’.... a URL is a location identifier and does not ‘concern [ ] the substance, purport, or meaning’ of an electronic communication.’ ”24

In Smith v. Maryland, the Supreme Court made clear the important difference between extrinsic information used to route a communication and the communicated content itself.25 In Smith, the Su*136preme Court found no Fourth Amendment violation from the government’s warrant-less use of a pen register.26 Distinguishing its holding in Katz v. United States27 that warrantless wiretapping violated the Fourth Amendment, the Supreme Court explained that “a pen register differs significantly from the listening device employed in Katz, for pen registers do hot acquire the contents of communications.”28 Rather, the Court explained, pen registers “disclose only the telephone numbers that have been dialed' — a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.”29

Smith’s differentiation between the “means of establishing communication” and the “purport of a[ ] communication”30 looms large in federal surveillance law. Whereas the Wiretap Act governs the interception of communications “content[ ],”31 the separate federal Pen Register Act governs the acquisition of non-content “dialing, routing, addressing, [or] signaling information.”32 As the House of Representatives noted in its Report regarding the enactment of the PATRIOT Act, “the statutorily prescribed line between a communication’s contents and non-content information[ ] [is] a line identical to the constitutional distinction drawn by the U.S. Supreme Court in Smith v. Maryland.”33

Since Smith, location identifiers have classically been associated with non-content “means of establishing communication.” 34 Nevertheless, the District Court’s categorical assessment that location identifiers never “concern[ ] the substance, purport, or meaning” of a communication misses the mark.35 Often, a location identifier serves no routing function, but instead comprises part of a communication’s substance.36 As a leading treatise on criminal procedure explains:

[T]he line between content and non-content information is inherently relative. If A sends a letter to B, asking him to deliver a package to C at a particular address, the contents of that letter are contents from A to B but mere non-content addressing information with re*137spect to the delivery of the package to C. In the case of email, for example, a list of e-mail addresses sent as an attachment to an e-mail communication from one person to another are contents rather than addressing information. In short, whether an e-mail address is content or non-content information depends entirely on the circumstances.37

In essence, addresses, phone numbers, and URLs may be dialing, routing, addressing, or signaling information, but only when they are performing such a function. If an address, phone number, or URL is instead part of the substantive information conveyed to the recipient, then by definition it is “content.”

The different ways that an address can be used means, as Professor Orin Ken-puts it, that “the line between contents and metadata is not abstract but contextual with respect to each communication.”38 Thus, there'is no general answer to the question of whether locational information is content. Rather, a “content” inquiry is a case-specific one turning on the role the location identifier played in the “intercepted” communication.

Here, the complaint does not make clear whether the tracked URLs were acquired by the defendants from communications in which those URLs played a routing function. This is not, however, fatal to the plaintiffs’ claim.

In a declassified opinion analyzing whether there was statutory authority for a National Security Agency surveillance program, the Foreign Intelligence Surveillance Court observed that the government possessed trap and trace authority over “dialing, routing, addressing, and signaling information .■.. provided, however, that such information shall not include the contents of any information.”39 The Surveillance Court read this to mean that, for purposes of federal surveillance law, information may well serve both a routing function and a content function. Noting the breadth of the statutory descriptions of routing information and “content,” the Surveillance Court concluded that routing information and “content” are not mutually exclusive categories, but rather ones that Congress expressly contemplated to be occasionally coextensive.40 Proceeding to identify exemplary areas where routing information and “content” overlap, the Surveillance Court pointed, “in particular,” to URL queries that involve reproduction of a search phrase entered by a user into a search engine.41 Quoting the District of Massachusetts, the Surveillance Court explained that, “if a user runs a search using an [i]nternet search engine, the ‘search phrase would appear in the URL after the first forward slash’ as part of the addressing information, but would also reveal contents, ie., the “ ‘substance’ ” and “meaning” of the communication ... that the user is conducting a search for information on a particular topic.’ ”42 For an example from another context, the court pointed to post-cut-through digits in the phone context “as dialing information, some of which also constitutes contents.”43

*138The decision of the Surveillance Court is instructive in several ways relevant to our analysis here. The first of these is that, to the extent that the statutory definitions and conceptual categories of content and routing information overlap, Congress expressly contemplated the possibility of such an overlap. For the reasons stated by the Surveillance Court, we are persuaded that, under the surveillance laws, “dialing, routing, addressing, and signaling information” may also be “content.”

Second, the Surveillance Court takes the position that queried URLs can be content as well as routing information, for instance in the case of URLs that reproduce search engine inquiries. Though some district courts have held that a URL is never content, the Surveillance Court decision is part of a growing chorus that some, if not most, queried URLs do contain content. In In re Zynga Privacy Litigation, the Ninth Circuit took the position that queried URLs are content if, but only if, they reproduce words from a search engine query.44 In United States v. Forrester, meanwhile, a different panel of the Ninth Circuit noted that warrantless capture of URLs generally “might be more constitutionally problematic” than warrantless capture of IP addresses.45 The Forrester court explained that “[a] URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person’s [ijnternet activity.”46 Akin to Forrester is the stance taken by the House Judiciary Committee in its PATRIOT Act report, which stated that a pen register order “could not be used to collect information other than ‘dialing, routing, addressing, and signaling’ information, such as the portion of a URL (Uniform Resource Locator) specifying Web seárch terms or the name of a requested file or article.” 47 Though none of these authorities offer detailed reasoning on why they draw the “content” line where they do, what they have in common is that they assess whether a URL involves “contents” based on how much information would be revealed by disclosure of the URL.

Third, the Surveillance Court’s example of post-cut-through digits in the telephone context — i.e.. numbers dialed from a telephone after a call is already setup or “cut-through” — hints at a different reason why queried URLs might be considered content. A number of courts apart from the Surveillance Court — most prominently the. D.C. Circuit — have found such digits to comprise communications content beyond *139the permissible scope of a pen register.48 URL queries bear functional analogues to this process, in that different portions of a queried URL may serve to convey different messages to different audiences. For instance, the domain name portion of the URL — everything before the “.com” — instructs a centralized web server to direct the user to a particular website, but post-domain name portions of the URL are designed to communicate to the visited website which webpage content to send the user.49

As stated above, we agree with the Surveillance Court that routing information and content are not mutually exclusive categories. And between the information revealed by highly detailed URLs and their functional parallels to post-cut-through digits, we are persuaded that — at a minimum — some queried URLs qualify as content.50 Indeed, the defendants’ counsel acknowledged as much at argument.51 Because the complaint pleads a broad scheme in which the defendants generally acquired and tracked the plaintiffs’ internet usage, we are satisfied that this scheme, if it operated as alleged, involved the collection of at least some “content” within the meaning of the Wiretap Act.52

*1402. Section 2511(2)(d)

According to the defendants, even if we find that the plaintiffs adequately plead the acquisition of “content,” we may affirm nevertheless under § 2511(2)(d). Section 2511(2)(d) sets forth that “[i]t shall not be unlawful ... for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication ... unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The defendants contend that they were the intended recipients of — and thus “parties” to — any electronic transmissions that they acquired and tracked, and that, as they committed no secondary criminal or tortious act, their conduct cannot have been unlawful under the statute.

a. How the Information at Issue Was Acquired

Before we can assess whether the defendants were “parties” to the electronic transmissions at issue, we must first identify what, exactly, are the transmissions at issue.

In the portion of the complaint devoted to the plaintiffs’ Wiretap Act claim, the complaint states that “the [defendants’ third-party web tracking permitted them to record information that [c]lass [m]embers exchanged with first-party websites ... which [the defendants intercepted while not a party to those communications (hence third-party tracking)[J”53 It continues to plead that “the defendants’ third-party tracking intercepted the class members’ communications while they were in transit from the class members’ computing devices to the web servers of the first-party websites the class members used their browsers to visit.”54

The highly specific allegations contained in the body of the complaint, however, give no credence to the complaint’s later allegations that the defendants acquired their internet history information from transmissions between the plaintiffs’ browsers and first-party websites. With respect to the mechanics of the defendants’ acquisition of web browsing information, the interior of the complaint says that, “[u]pon receiving a [ ]GET[ ] request from a user seeking to display a particular webpage, the server for that webpage will subsequently respond to the browser, instructing the browser to send a []GET[] request to the third-party company charged with serving the advertisements for that particular webpage.”55 As to Google specifically, the complaint likewise pleads that “the server hosting the publisher’s web-page ... instructs the user’s web browser to send a GET request to Google to display the relevant advertising information for the space on the page for which Google has agreed to sell display advertisements.” 56

If users’ browsers directly communicate with the defendants about the webpages they are visiting — as the complaint pleads with particularity — then there is no need for the defendants to acquire that information from transmissions to which they are *141not a party. After all, the defendants would have the information at issue anyway. Underscoring that there are direct transmissions between the plaintiffs and the defendants, the complaint notes that the defendants place cookies on web browsers “in the process of injecting the advertisements,”57 which are “serve[d] ... directly from the third-party company’s servers, rather than going through the individual website’s server.”58

The complaint’s descriptions of how tracking is accomplished, meanwhile, further supports that thé information was captured from the plaintiffs’ GET requests to the defendants. According to the complaint:

The information is sent to the companies and associated with unique cookies— that is how the tracking takes place. The cookie lets the tracker associate the web activity with a unique person using a unique browser on a device. Once the third-party cookie is placed in the browser, the next time the user goes to a webpage with the same [defendant's advertisements, a copy of that request can be associated with the unique third-party cookie previously placed. Thus the tracker can track the behavior of the user[.]”59

If the information at issue is sent to the defendants in the ordinary course, then this description of the cookies makes sense. This is because in such a scenario the defendants need only associate information to track it, which can be successfully accomplished by affixing an identifier to that information. This is precisely how the complaint describes the defendants’ cookies’ function. With respect to Google, the complaint pleads installation of Goo-gle’s “id” cookie, “which is a unique and consistent identifier given to each user by Google for its use in tracking persons across the entire spectrum of websites on which Google places ... cookies.”60 Goo-gle allegedly uses this cookie to “identif[y] users,” such that “the .placement of the third-party cookies, placed by circumventing Plaintiffs’ and Class Members’ privacy settings, allows this identification to take place.”61 Likewise, as to two of the other defendants, the complaint says that “[t]he spokesman [for Vibrant] admitted Vibrant used the trick ‘for unique user identification,’ ”62 and that “Media’s ‘id’ cookie is just that — an ‘ID’ or ‘identification’ cookie.” 63

Just as the operative allegations in the complaint tend to support the inference that the cookies enabled the defendants to identify, and thus associate, information that the plaintiffs sent directly to them in the ordinary course, the operative allegations tend to negate any inference to the contrary. This is because, if the information at issue was not sent to the defendants in the ordinary course, mere identification cookies would not be sufficient for the defendants’ scheme. To accomplish their tracking in that instance, the defendants would have needed not an associative device, but one capable of capturing communications sent by the plaintiffs and intended for -first-party websites, and then transmitting them to the defendants.64 *142There is no pleading of any such device, nor is that function the ordinary function of a tracking cookie. As stated" above, in discussing the function of the defendants’ cookies, the complaint describes them as having an associative function only.65

In view of our common sense reading of the operative allegations of the complaint, we note the factual position that the defendants advanced at argument: “The cookie doesn’t acquire anything ... The cookie doesn’t look for anything. It just sits on the browser and gets sent along with information that would otherwise be sent.”66 The information at issue would be sent anyway because “the user’s web browser send[s] a GET request to Google to display the relevant advertising information for the space on the page for which Google has agreed to sell display advertisements.” 67 We note also that, at argument, the plaintiffs’ counsel was directly asked on six separate occasions to clarify what transmissions they believed were improperly acquired and/or how the defendants’ cookies functioned.68 The plaintiffs’ counsel did not provide a direct response on any of these occasions.

At the Rule 12(b)(6) stage “we accept the pleader’s description of what happened to him or her along with any conclusions that can reasonably be drawn therefrom.”69 This standard permits the dismissal of a complaint “when [the] defendant’s plausible alternative explanation is so convincing that plaintiffs explanation is im plausible.”70 Here, the operative allegations of the complaint support only the conclusion that the defendants acquired the plaintiffs’ internet history information by way of GET requests that the plaintiffs sent directly to the defendants, and that the defendants deployed identifier cookies to make the information received from GET requests associable and thus tracka-ble. And though the portion of the complaint pertaining to the Wiretap Act contains statements to the contrary, we need not give legal effect to “conclusory allegations” that are contradicted by the pleader’s actual description of what happened.71

In short, our understanding of the plaintiffs’ allegations is that the defendants acquired the plaintiffs’ internet history information when, in the course of requesting webpage advertising content at the direction of the visited website, the plaintiffs’ browsers sent that information directly to the defendants’ servers.

b. Application of § 2511(2) (d)

Because the defendants were the intended recipients of the transmissions at issue — i.e. GET requests that the plaintiffs’ browsers sent directly to the defendants’ servers — we agree that § 2511(2)(d) means the defendants have done nothing unlawful *143under the Wiretap Act. Tautologically, a communication will always consist of at least two parties: the speaker and/or sender, and at least one intended recipient. As the intended recipient of a communication is necessarily one of its parties, and the defendants were the intended recipients of the GET requests they acquired here, the defendants were parties to the transmissions at issue in this case. And under § 2511(2)(d), it is not unlawful for a private person “to intercept a wire, oral, or electronic communication where such person is a party to the communication.”72

In their reply brief, the plaintiffs raise three objections in response to the argument that their Wiretap Act claim must fail because the defendants were the intended recipients of the relevant communications. None are persuasive.

First, the plaintiffs argue that we should not consider the defendants’ argument because the issue was not addressed by the District Court and because the defendants failed to raise the issue in the form of a cross-appeal. This is inapposite, for even if the defendants had never raised the issue at all, whether the plaintiffs have stated a claim is a matter of law to be determined from the face of their complaint. As always, we may affirm a district court’s judgment on grounds other than those considered by the district court itself.73

Second, the plaintiffs argue that the party exception should not apply for equitable reasons, in that the transmitted GET requests included cookie information that the communications included only because of the defendants’ surreptitious circumvention of the cookie blockers. The point here is that, though the plaintiffs sent the GET requests to the defendants voluntarily, they were induced to do so by deceit. Though we are no doubt troubled by the various deceits alleged in the complaint, we do not agree that a deceit upon the sender affects the presumptive non-liability of parties under § 2511(2)(d). “In the context of the statute, a party to the conversation is one who takes part in the conversation.”74 There is no statutory language indicating this excludes intended recipients who procured their entrance to a conversation through a fraud in the inducement, such as, here, by deceiving the plaintiffs’ browsers into thinking the cookie-setting entity was a first-party website.

It is not unimaginable that the Wiretap Act would give legal effect to the fraudulent participation of a party to a conversation.75 It is, after all, a wiretapping statute.76 Indeed, it appears the absence of an equitable exception to § 2511(2)(d) is no accident. In United States v. Pasha, the Seventh Circuit held that a police officer who impersonated the intended recipient of a phone call did not violate the Wiretap *144Act.77 And, as the Sixth Circuit has explained: We agree with the Sixth Circuit and the Fifth Circuit that, “[b]y citing Pasha, Congress strongly intimated that one who impersonates the intended receiver of a communication may still be a party to that communication for the purposes of the federal wiretap statute and that such conduct is not proscribed by the statute.”79 Likewise, we conclude it was by design that there is no statutory language by which the defendants’ various alleged deceits would vitiate their claims to. be parties to the relevant communications. The Wiretap Act is a wiretapping statute, and just because a scenario sounds in fraud or deceit does not mean it sounds in wiretapping.80

When amending the federal [W]iretap [A]ct in 1968 to its current state, Congress specifically mentioned Pasha in its discussions of the “party to the communication” provision. In discussing § 2511(2)(c), which is in pari materia with § 2511(2)(d) and differs from that provision only in that § 2511(2)(e) applies to persons acting under color of law, the Senate Judiciary Committee stated:

Paragraph 2(c) provides that it shall not be unlawful for a party to any wire or oral communication ... to intercept such communication. It largely reflects existing law. Where one of the parties consents, it is not unlawful.... “[P]arty” would mean the person actually participating in the communication. (United States v. Pasha, 332 F.2d 193 (7th Cir.1964)).78

Finally, the plaintiffs argue that § 2511(2)(d) should not apply because the defendants’ acquisition of the communications at issue was tortious under California law. The basis for this argument is that § 2511(2)(d) is inapplicable when the communication at issue is “intercepted for the purpose of committing any criminal or tor-*145tious act in violation of the Constitution or laws of the United States or of any State.” But the plaintiffs point to no legal authority providing that the exception to § 2511(2)(d) is triggered when, as here, the tortious conduct is the alleged wiretapping itself. By contrast, all authority of which we are aware indicates that the criminal or tortious acts contemplated by § 2511(2)(d) are acts secondary to the acquisition of the communication involving tortious or criminal use of the interception’s fruits.81

As the Second Circuit explained in Caro v. Weintraub, “to survive a motion to dismiss, a plaintiff must plead sufficient facts to support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording.”82 And though the plaintiffs may well plead facts that constitute violations of California laws related to intrusion upon seclusion, for purposes of the exception to § 2511(2)(d), “[i]nvasion of privacy through intrusion upon seclusion presents a problem ... — it is a tort that occurs through the act of interception itself.”83 As the plaintiffs plead no tortious or criminal use of the acquired internet histories, § 2511(2)(d) is not inapplicable on the basis of the criminal-tortious purpose exception.

Based on the facts alleged in the pleadings, the defendants were parties to any communications that they acquired, such that their conduct is within the § 2511(2)(d) exception.84 We will accordingly affirm the District Court’s dismissal of the plaintiffs’ Wiretap Act claim.

B. The Stored Communications Act

We next address the plaintiffs’ claim for violation of the Stored Communications Act, 18 U.S.C. § 2701. Enacted in 1986, the Stored Communications Act was born from congressional recognition that neither existing federal statutes nor the Fourth Amendment protected against potential intrusions on individual privacy arising from illicit access to “stored communications in remote computing operations and large data banks that stored emails.”85

To state a claim under the Stored Communications Act, a plaintiff must show that the defendant “(1) intentionally accesses without authorization a facility through which an electronic communication service *146is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”86

The District Court dismissed this claim on the basis of the Act’s requirement that the illicit access be with respect to “a facility through which an electronic communication service is provided.”87 As pled in the complaint, the illicit access at issue was to the plaintiffs’ personal web browsers. But according to the District Court, “an individual’s personal computing device is not a ‘facility through which an electronic communications service is provided.’ ”88 We agree, and we find persuasive the analysis of the Fifth Circuit in Garcia v. City of Laredo, which held that “a home computer of an end user is not protected by the [Act].”89

As noted by the Garcia court, though the Act does not define the term “facility,” the Act does define the term “electronic communication service,” which it defines as “any service which provides to users thereof the ability to send or receive wire or electronic communications.”90 This most naturally describes network service providers, and, indeed,- “[c]ourts have interpreted the statute to apply to providers of a communication service such as telephone companies, [i]nternet or e-mail service providers, and bulletin board services.”91 The Act also defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”92 Temporary storage incidental to transmission and storage for purposes of backup protection are not how personal computing devices keep communications, but how third party network service providers do — or at least did, in 1986.93

There is then the language of 18 U.S.C. § 2701(c)(1), which provides that the prohibitory language of the Act “does not apply with respect to conduct authorized ... by the person or entity providing a wire or electronic communication service.” This makes sense when talking about third-party access to network service providers’ own facilities. But were the prohibitory language understood to apply to facilities other than those of network service providers, the language of the exeep*147tion becomes problematic. As one district court has explained, “[i]t would certainly seem odd that the provider of a communication service could grant access to one’s home computer to third parties, but that would be the result of [the plaintiffs’] argument.” 94

The origin of the Stored Communications Act confirms that Congress crafted the statute to specifically protect information held by centralized communication providers. “ ‘Sen. Rep. No. 99-541 (1986)’s entire discussion of [the Stored Communications Act] deals only with facilities operated by electronic communications services such as “electronic bulletin boards” and “computer mail facilities],” and the risk that communications temporarily stored in these facilities could be accessed by hackers. It makes no mention of individual users’ computers....’”95

The plaintiffs take a different view, arguing that the plain language of the terms “facility” and “electronic communication service” are sufficiently flexible to encompass contemporary personal computing devices that are used to engage with telecommunications services. After all, when the Act was enacted, Black’s Law Dictionary defined “facilities” as “that which promotes the ease of any action, operations, transaction, or course of conduct.”96 And the plaintiffs here use their web browsers to access network services such as email and websurfing.

In considering the plaintiffs’ argument that we should give “facility” a broad, plain language meaning, we are reminded that “[a] fair reading of legislation demands a fair understanding of the legislative plan.”97 And we agree with the Fifth Circuit that the Act clearly shows a specific congressional intent to deal with the particular problem of private communications in network service providers’ possession. The textual cues surrounding the term “facility,” bolstered by the legislative history and enactment context of the Act, support the conclusion that “the words of the statute were carefully chosen: ‘[T]he statute envisions a provider (the [Internet Service Provider] or other network service provider) and a user (the individual with an account with the provider), with the user’s communication in the possession of the provider.’ ”98 And “[t]his is consistent with the [Act]’s purpose: home computers are already protected by the Fourth Amendment, so statutory protections are not needed.”99 In this context, “facility” is a term of art denoting where network service providers store private communications.

Other Courts of Appeals have understood the Act in a similar manner. In In re: Zynga Privacy Litigation, the Ninth Circuit explained that the Act “covers access to electronic information stored in third party computers.”100 So, too, the Eleventh Circuit in United States v. Steiger, which held that “the [Stored Communi*148cations Act] clearly applies, for example, to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system,” but that the Act “does not appear to apply to the [government’s] source’s hacking into [the plaintiffs personal] computer ... because there is no evidence that [the] computer maintained any ‘electronic communication service[.]’”101 The plaintiffs point to various district court decisions that have accepted that personal computers can be protected “facilities” under the Stored Communications Act.102 However, as another district court observes, these decisions “provide little analysis on this point of law, instead assuming [the plaintiffs’] position to be true due to lack of argument and then ultimately ruling on other grounds.”103 The plaintiffs point to no decision of any Court of Appeals holding that a personal computing device is protected by the Stored Communications Act.

In sum, the defendants’ alleged conduct implicates no protected “facility.” The District Court’s dismissal of the claim for violation of the Act will therefore be affirmed.

C. Computer Fraud and Abuse Act

The plaintiffs’ final federal claim is for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The Act creates a cause of action for persons “who suffer[] damage or loss” because, inter alia, a third party “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected comput-gj. ” 104

The District Court dismissed this claim for failing to meet the statutory requirement of “damage or loss.”105 Under the Act, “the term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information.” 106 Meanwhile, “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because óf interruption of service.” 107

On appeal, the plaintiffs contend that they have properly pled “loss” under the statute because they have alleged that their “impermissibly seized ' [personally [identifiable [information is both ‘currency’ and a marketable ‘commodity.’ ”108 By capturing and making economic use of such information, the plaintiffs say, the defendants have taken the value of such information for themselves, depriving the *149plaintiffs of their own ability to sell their internet usage information. Insofar as the plaintiffs have a right to capture that value for themselves, the plaintiffs contend that the defendants’ conduct has caused them harm.

The complaint plausibly alleges a market for internet history information such as that compiled by the defendants. Further, the defendants’ alleged practices make sense only if that information, tracked and associated, had value. However, when it comes to showing “loss,” the plaintiffs’ argument lacks traction. They allege no facts suggesting that they ever participated or intended to participate in the market they identify, or that the defendants prevented them from capturing the full value of their internet usage information for themselves. For example, they do not allege that they sought to monetize information about their internet usage, nor that they ever stored their information with a future sale in mind. Moreover, the plaintiffs do not allege that they incurred costs, lost opportunities to sell, or lost the value of their data as a result of their data having been collected by others. To connect their allegations to the statutory “loss” requirement, the plaintiffs’ briefing emphasizes that lost revenue may constitute “loss” as that term is defined in the Act.109 This is inapposite, however, in that the plaintiffs had no revenue.

We see no “damage” or “loss” in the pleadings. We will therefore affirm the District Court’s dismissal of the claim for violation of the Computer Fraud and Abuse Act.

IV. State Law Claims Against Google

We now turn to the five California state law claims brought against, Google only.

A. Freestanding Privacy Claims

We first consider, in tandem, the plaintiffs’ freestanding privacy claims under the California Constitution110 and California tort law.

“A privacy violation based on the common law tort of intrusion has two elements.”111 “First, the defendant must intentionally intrude into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy.”112 This means “the defendant must have ‘penetrated some zone of physical or sensory privacy ... ■ or obtained unwanted access to data’ by electronic or other covert means, in violation of the law or social norms.”113 Second, “the intrusion must occur in a manner highly offensive to a reasonable person.”114

“The right to privacy in the California Constitution sets standards similar to the common law tort of intrusion.”115 “First, [the plaintiff] must possess a legally protected privacy interest.... Second, *150the plaintiffs expectations of privacy must be reasonable.... Third, the plaintiff must show that the intrusion is so serious ‘in nature, scope, and actual or potential impact as to constitute an egregious breach of the social norms.’ ”116

When presented with parallel privacy claims under tort law and the California Constitution, the California Supreme Court has performed a dual inquiry “under the rubric of both ... tests.”117 This “considers] (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests.”118 In evaluating the offensiveness of an invasion, the court is to consider “pragmatic policy concerns” such that “no cause of action will lie for accidental, misguided, or excusable acts of overstepping upon legitimate privacy rights.”119

In dismissing the freestanding privacy claims, the District Court concluded that Google’s alleged practices “did not rise to the level of a serious invasion of privacy or an egregious breach of social norms.”120 Contending the District Court got it right, Google says the plaintiffs voluntarily sent Google all the internet usage information at issue.121 Moreover, Google argues, tracking cookies are routine.122 Pointing to cases describing cookies as, more or less, innocuous,123 Google offers that courts “routinely” find no actionable privacy invasion in cases involving tracking, collation, and disclosure of internet usage information.124 Google gives particular attention to Low v. Linkedln, where the Northern District of California explained that “[e]ven disclosure of personal information, including social security numbers, does not constitute an ‘egregious breach of the social norms’ to establish an invasion of privacy claim.”125

For purposes of California privacy law, Google’s emphasis on tracking and disclosure amounts to a smokescreen. What is notable about this case is how Google accomplished its tracking. Allegedly, this was by overriding the plaintiffs’ cookie blockers, while concurrently announcing in its Privacy Policy that internet users could “reset your browser to refuse all cookies.” 126 Google further assured Safari users specifically that their cookie blockers meant that using Google’s in-house prophylactic would be extraneous. Characterized by deceit and disregard, the alleged conduct raises different issues than tracking or disclosure alone.127

*151Directly pertinent to whether Google’s alleged practices implicated a protected privacy interest, California tort law treats as actionable an “unwanted access to data by electronic or other covert means, in violation of the law or social norms.”128 Moreover, the California Constitution protects an interest in “conducting personal activities without observation,” with the reasonableness of any given expectation “resting] on an examination of customs ... as well as the opportunity to be notified in advance and consent to the intrusion.”129 To Google’s point, a sophisticated internet user may well have known that, in browsing the internet, her URL information was sent to Google. But such a user would also reasonably expect that-her activated cookie blocker meant her URL queries would not be associated with each other due to cookies.130 As the activated cookie blocker equates, in our view, to an express, clearly communicated denial of consent for installation of cookies, we find Google “intru[ded] upon reasonable expectations of privacy.”131

As for whether the alleged conduct is “so serious in nature[ ] [and] scope ... as to constitute an egregious breach of the social norms,”132 Google not only contravened the cookie blockers&emdash;it held itself out as respecting the cookie blockers. Whether or not data-based targeting is the internet’s pole star, users are entitled to deny consent, and they are entitled to rely on the public promises of the companies they deal with. Furthermore, Google’s alleged conduct was broad, touching untold millions of internet users; it was surreptitious, surfacing only because of the independent research of Mayer and the Wall Street Journal; and it was of indefinite duration, with Google’s counsel conceding at argument that their tracking cookies have no natural lifespan. Particularly as concerns Google’s public statements regarding the Safari cookie blocker, we see no justification. Neither, apparently, do the elected branches, as California and federal executive agencies have themselves sought to penalize Google for the events alleged in the complaint.133 Based on the pled facts, a reasonable factfinder could indeed deem Google’s conduct “highly offensive” or “an egregious breach of social norms.”134

A reasonable jury could conclude that Google’s alleged practices constitute the serious invasion of privacy contemplated by California law. We will vacate the dismissal of the plaintiffs’ claims under the *152California Constitution and California tort law.

B. California Invasion of Privacy Act

We next consider the plaintiffs’ claim against Google for violation of the California Invasion of Privacy Act, Cal.Penal Code § 631(a). Like the federal Wiretap Act, § 631(a) “broadly prohibits the interception of wire communications and disclosure of the contents of such intercepted communications.”135 The California Supreme Court has explained that “Section 631 was aimed at one aspect of the privacy problem&emdash;eavesdropping, or the secret monitoring of conversations by third parties.”136

The District Court dismissed the § 631(a) claim for the same reasons that it dismissed the plaintiffs’ federal wiretapping claim. As discussed above, the pleadings demonstrate that Google was itself a party to all the electronic transmissions that are the bases of the plaintiffs’ wiretapping claims.137 Because § 631 is aimed only-at “eavesdropping, or the secret monitoring of conversations by third parties,” 138 we will affirm the dismissal of the California Invasion of Privacy Act claim for the same reasons we affirm the dismissal of the federal Wiretap Act claim.

C. Remaining State Law Claims

We will affirm the District Court’s dismissals of the remaining state law claims against Google.

The District Court dismissed the plaintiffs’ claim under the California Unfair Competition Law, Cal. Bus. & Prof.Code § 17200, on the basis that, under the statute, “private standing is limited to any ‘person who ... has lost money or property’ as a result of unfair competition.”139 Likewise, the District Court dismissed the plaintiffs’ claim under the California Comprehensive Computer Data Access and Fraud Act, CaLPenal Code § 502, on the basis of § 502’s requirement that a suit may only be brought by one who has “suffer[ed] damage or loss by reason of a violation.”140 As discussed above in connection with the Computer Fraud and Abuse Act, the complaint fails to show damage or actual loss. Accordingly, the dismissal of these claims was proper.

The California Consumers Legal Remedies Act, Cal. Civ.Code § 1770, proscribes various “unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or which results in the sale or lease of goods or *153services to any consumer.”141 On appeal, the plaintiffs argue that they plead a forced “sale” whereby they gave their trackable internet history information in exchange for advertisements delivered to their browsers (i.e., the “services”). The plaintiffs present no caselaw in support of their expansive construction of “sale.” And California federal courts have expressly rejected defining “sale” as to include “transactions” based on non-tangible forms of payment, including internet usage information specifically.142 Likewise, Black’s Law Dictionary defines a sale as a “transfer or property or title for a price,” requiring specifically “a price in money paid or promised.”143 We follow the view of the California federal courts, and see no “sale ... of services” in the allegations of the complaint. The dismissal of this claim was thus proper, too.

V. Conclusion

In light of the foregoing, we will dispose of the plaintiffs’ claims in the following manner.

We will affirm the dismissal of the three federal law claims brought against all defendants. Because the defendants were parties to all electronic transmissions at issue in this case, and plaintiffs state no Wiretap. Act violation per 18 U.S.C. § 2511(2)(d). The alleged intrusion upon the plaintiffs’ personal computing devices does not implicate a “facility” protected by the Stored Communications Act. And the plaintiffs plead no cognizable losses as required by the Computer Fraud and Abuse Act.

We will vacate the District Court s dismissal of th'e plaintiffs’ freestanding privacy claims against Google under the California Constitution and California tort law. A reasonable factfinder could conclude that the means by which defendants allegedly accomplished their tracking, i.e., by way of a deceitful override of the plaintiffs’ cookie blockers, marks the serious invasion of privacy contemplated by California law. But we will affirm the dismissal of the remainder of the plaintiffs’ state law claims. The plaintiffs fail to plead a violation of the California Invasion of Privacy Act for the same reason that they fail to plead a violation of the federal Wiretap Act. Likewise, because they do not show loss, the plaintiffs fail to show violations of the California Unfair Competition Law or the California Comprehensive Computer Data Access and Fraud Act. Finally, the plaintiffs do not plead a “sale” as required by the California Consumers Legal Remedies Act.

J.P. Stadtmueller, U.S. District Judge *7841. INTRODUCTION

Defendant Marcus Hutchins is a hacker who received considerable attention for disabling a North Korean malware called WannaCry. He has a reputation as a "white hat" hacker, which implies a hacker who works for the benefit of the public. Hutchins has nevertheless been indicted for various crimes related to his activity with two forms of malware, "Kronos" and "UPAS Kit."

On March 30, 2018, Hutchins filed a motion to suppress the statement that he made to Federal Bureau of Investigation ("FBI") agents immediately following his arrest, as well as any evidence the government may have obtained as a result. (Docket # 55). On July 13, 2018, Hutchins also filed three motions to dismiss various counts in the superseding indictment. (Docket # 92, # 95, and # 96).1 Magistrate Judge Nancy Joseph issued a report and recommendation in which she recommended denying all motions. (Docket # 109). Hutchins timely objected, and each party has fully briefed the issues. The Court will address each of the motions below. In accord with Magistrate Joseph's analyses, all motions will be denied. The Court will overrule Hutchins's objections and adopt Magistrate Joseph's recommendation in large measure.

2. LEGAL STANDARD

When reviewing a magistrate's recommendation, this Court is obliged to analyze de novo "those portions of the report or specified proposed findings or recommendations to which objection is made." 28 U.S.C. § 636(b)(1)(C). The Court can "accept, reject, or modify, in whole or in part, the findings or recommendations made by the magistrate." Id. The Court's review encompasses both the magistrate's legal analysis and factual findings. Id. ; see also Fed. R. Crim. P. 59(b).

3. RELEVANT FACTS

Hutchins, a citizen of the United Kingdom, is a coder and hacker of considerable repute. He is most well-known for finding the kill-switch to a North Korean malware called WannaCry in May 2017. According to the superseding indictment, several years ago, Hutchins developed two types of malware, UPAS Kit and Kronos (a "banking trojan").

The superseding indictment alleges that Hutchins developed UPAS Kit and, in 2012, sold it to Individual A, who then sold it to an individual in the Eastern District of Wisconsin. At some point before July 2014, Hutchins allegedly developed Kronos and provided it to Individual A, intending for Individual A to advertise, promote, and sell it. Hutchins used a YouTube video to demonstrate how Kronos worked, and referred prospective customers to Individual A. In December 2014, Hutchins hacked and analyzed a malware that competed with Kronos, and published a blog post describing the competing malware's vulnerability. In February 2015, Hutchins allegedly updated the Kronos malware, and distributed it to Individual B, who was *785located in California and was known to be involved in cyber-based criminal activities.

On July 11, 2017, a grand jury indicted Hutchins on various counts related to his activity with the malware. He was charged with conspiracy, fraud, and unlawfully intercepting communications. (Docket # 1). On June 5, 2018, the government filed a superseding indictment with additional charges. (Docket # 86). In Count One, the superseding indictment charges Hutchins with conspiring to violate the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, and the Electronic Communications Privacy Act ("Wiretap Act"), 18 U.S.C. § 2510 et seq. , in violation of 18 U.S.C. § 371. Counts Two and Three charge Hutchins with disseminating, aiding, and abetting an attempt to advertise the malware, in violation of the Wiretap Act. Counts Four and Five charge Hutchins with aiding and abetting the distribution of the malware, in violation of the Wiretap Act. Count Six charges Hutchins with using, or getting others to use, the malware to intercept communications in violation of the Wiretap Act. Count Seven charges Hutchins with causing, aiding, and abetting the transmission of malware in violation of the CFAA. Count Eight charges Hutchins with aiding and abetting the intentional access and damage to protected computers for the purpose of private financial gain, in violation of the CFAA. Count Nine charges Hutchins with lying to the FBI about whether he knew that his computer code was part of Kronos, in violation of 18 U.S.C. § 1001(a)(2). Finally, Count Ten charges Hutchins with conspiring to commit fraud in connection with his malware activities, in violation of 18 U.S.C. §§ 1343, 1349.

In the summer of 2017, Hutchins spent a week in Las Vegas to attend "Defcon," which is a conference for hackers. On August 2, 2017, Hutchins was about to embark on his journey back to the U.K. Hutchins was waiting in a lounge at the Las Vegas airport when a federal agent and two Customs and Border Patrol ("CBP") officials approached him. Unbeknownst to him, FBI Special Agents Lee Chartier ("Chartier") and Jamie Butcher ("Butcher") had been monitoring Hutchins's whereabouts all morning, and had followed him to the airport, through security, and to his lounge. Although the FBI had originally planned to arrest Hutchins as he boarded the flight, they opted to arrest him earlier in order to ensure that he did not consume any alcoholic beverages that might affect his ability to answer questions in an interrogation. Indeed, Hutchins had spent much of the week partying, which included ingesting various intoxicating substances. He had had very little sleep the night before. There are no allegations, however, that Hutchins was intoxicated whilst at the airport-only exhausted and, it can be assumed, terribly hungover.

Thus, at approximately 1:17 p.m., Hutchins was approached in the airport lounge by two CBP officers and a plainclothes FBI agent, Chartier. These officials escorted Hutchins to a stairwell, whereupon he was handcuffed. Chartier informed Hutchins that he was under arrest pursuant to a federal warrant. The officials then led Hutchins to an interview room, where Butcher was waiting. The agents observed Hutchins to be alert, engaged, and not visibly intoxicated or disoriented. Hutchins verbally confirmed that he was able to answer questions and was not drunk. Hutchins received his Miranda rights orally. He was also given an advisement of rights form. He listened to his rights and signed the advisement form in the presence of both agents. There is a dispute as to what time he signed it, but the Court does not find this to be material for reasons that will be explained below.

*786Hutchins then proceeded to respond to the questions asked by the agents, and gave consent for them to search his phones, laptops, backpacks, and USB drives. He did not request a lawyer or invoke his right to remain silent, although he did ask "what this is all about." The agents told him they would explain eventually, but continued questioning him. In total, Hutchins was questioned for approximately 105 minutes. He was offered food, an opportunity to use the restroom, and-eventually-allowed to contact his mother. He was not shown a copy of the arrest warrant until over an hour into the interrogation.2

Hutchins showed every indication of being voluntarily cooperative with the agents, but was also clearly confused about the nature of the interrogation. The interrogation began with broad questions about his career and his online activities, but about ten minutes in, the questions focused on Hutchins's involvement with malware. Hutchins acknowledged that when he was younger, he had written some code that ultimately ended up in malware, but denied that he developed malware. About eleven minutes into the interrogation, after looking at a string of code, Hutchins asked if they were looking for the developer of Kronos. Hutchins stated that he did not develop Kronos, and he had "gotten out" of writing code for malware before he was eighteen. Thirteen minutes in, he said that he had feared that law enforcement authorities would come after him, instead of the actual developer, because pieces of his code appeared in Kronos. Thus, Hutchins was aware that the criminal investigation was, at least in part, about Kronos, and that he was implicated in the investigation, although he expressed confusion about why he was being detained throughout the interrogation. Almost eighty minutes into the recorded interrogation, the agents finally provided him with the warrant, and told him that it had "nothing to do with WannaCry." The interrogation continued for about twenty minutes after that. Throughout the remainder of the interrogation, Hutchins tried to be helpful but noted that he had been "out" of so-called "black hat" hacking for so long that he did not have any helpful connections.

Hutchins was taken to a jail, where he proceeded to make two phone calls, which were recorded. Prior to making the phone calls, Hutchins was informed that the phone calls were subject to monitoring and recording. In the calls, Hutchins also made incriminating statements.

4. ANALYSIS

4.1 Motion to Suppress

Hutchins seeks to suppress his post-arrest statements and any evidence that may have been obtained as a result of his statements. He argues that he did not waive his Miranda rights, (Docket # 55 at 6-9), and submits that the government has not met its burden in rebutting the presumption against waiver, (Docket # 111 at 13). Hutchins calls into question whether (1) he received notice of his rights at all; and (2) whether he was able to voluntarily waive his rights due to his intoxication, his *787limited understanding of the American criminal procedural system, and the deceptive nature of the interrogation.

It is axiomatic that law enforcement officers must inform suspects of their Miranda rights before a custodial interrogation. United States v. Thurman , 889 F.3d 356, 364 (7th Cir. 2018). "If the suspect invokes his rights, the officers must cease their questioning." Id. However, before officers must cease their questioning, the burden is on the suspect to assert his Miranda rights in a "clear and unambiguous" fashion. Id. (quoting United States v. Lee , 413 F.3d 622, 625 (7th Cir. 2005) ). Hutchins did not make any statements regarding his intent to invoke his Miranda rights; therefore, his rights were not invoked in a clear and unambiguous fashion. The interrogation properly proceeded.

However, "[e]ven if a suspect does not invoke his Miranda rights, his self-incriminating statements cannot be used against him in court unless the Government shows by a preponderance of the evidence that he voluntarily waived these rights." Thurman , 889 F.3d at 364 (citing Berghuis v. Thompkins , 560 U.S. 370, 382-84, 130 S.Ct. 2250, 176 L.Ed.2d 1098 (2010) ; United States v. Brown , 664 F.3d 1115, 1118 (7th Cir. 2011) ). Indeed, the Court must "indulge in every reasonable presumption against waiver." Brewer v. Williams , 430 U.S. 387, 404, 97 S.Ct. 1232, 51 L.Ed.2d 424 (1977). In order to rebut the presumption, the government must show that Hutchins's decision to give up his rights was "the product of a free and deliberate choice...made with a full awareness of both the nature of the right being abandoned and the consequences of the decision to abandon it." Berghuis , 560 U.S. at 382-83, 130 S.Ct. 2250 (internal quotations and citations omitted).

Voluntariness, or free and deliberate choice, is assessed in view of the totality of the circumstances. Brown , 664 F.3d at 1118. The Court will consider, among other things, a defendant's age, level of education, and prior experience with law enforcement, as well as the conditions of the interrogation itself and the attitude of the interrogating officials. Thurman , 889 F.3d at 364-65 ; Brown , 664 F.3d at 1118 ; United States v. Shabaz , 579 F.3d 815, 820 (7th Cir. 2009). "The law can presume that an individual who, with a full understanding of his or her rights, acts in a manner inconsistent with their exercise has made a deliberate choice to relinquish the protection those rights afford." Berghuis , 560 U.S. at 385, 130 S.Ct. 2250 ; Thurman , 889 F.3d at 364-65 (finding waiver despite refusal to sign a waiver form because the defendant understood his rights, the interrogation was "low key and informal," and defendant engaged in the interrogation); United States v. Smith , 218 F.3d 777, 781 (7th Cir. 2000) (finding waiver despite refusal to sign waiver form where a suspect "immediately began talking to the agents...[and] never requested an attorney and never asked that the questioning be stopped.").

4.1.1 Adequate Receipt of Miranda Rights

Hutchins argues that there is insufficient evidence that he received notice of his Miranda rights. This argument is a non-starter, in part because Hutchins acknowledges that he was read his rights. (Docket # 55 at 5-6) ("[T]here seems to be little doubt that the agents-in some unspecified fashion, at an uncertain time-advised Mr. Hutchins of his rights under Miranda ."). Hutchins makes much about the fact that there is no proof that he received his rights at the beginning of the interrogation, but he does not suggest when else they may have been given. Additionally, both agents have testified, under oath and in non-contradictory terms, that the rights were given at the beginning of *788the interrogation. Moreover, in the recorded portion of the interrogation, Butcher provided Hutchins with a consent form to search his computers and said, "because we're the government, there's a form for that, too," implying that Hutchins had previously received other consent forms. The Court sees no reasonable basis to conclude that Hutchins did not receive notice of his rights before the interrogation.

Additionally, it does not actually matter when Hutchins signed the advisement of rights form, so long as he was apprised of his Miranda rights prior to questioning. "[T]he rigidity of Miranda does not extend to the precise formulation of the warnings given a criminal defendant...[and] no talismanic incantation is required to satisfy its strictures." Duckworth v. Eagan , 492 U.S. 195, 202-03, 109 S.Ct. 2875, 106 L.Ed.2d 166 (1989) (quoting California v. Prysock , 453 U.S. 355, 359, 101 S.Ct. 2806, 69 L.Ed.2d 696 (1981) ) (internal quotation marks omitted). Courts merely look to whether the law enforcement officers "fully conveyed" the rights. Prysock , 453 U.S. at 361, 101 S.Ct. 2806 ; In re Terrorist Bombings of U.S. Embassies in E. Africa , 552 F.3d 177, 209 (2d Cir. 2008) (oral warnings sufficient to satisfy Miranda regardless of any alleged deficiencies in the advisement of rights form). In light of Hutchins's admission that he received his Miranda rights, and in light of the agents' corroborating testimony that this occurred before the interrogation, as well as the lack of any indication of when else he may have received them, the Court finds that Hutchins was sufficiently apprised of his rights before the interrogation.

4.1.2 Voluntariness of Waiver

The waiver of Hutchins's Miranda rights must have been "voluntary in the sense that it was the product of a free and deliberate choice rather than intimidation, coercion, or deception." Moran v. Burbine , 475 U.S. 412, 421, 106 S.Ct. 1135, 89 L.Ed.2d 410 (1986). Hutchins must also have waived his rights with "a full awareness of both the nature of the right being abandoned and the consequences of the decision to abandon it." Id. Hutchins argues he did not voluntarily waive his Miranda rights because he was intoxicated, unsure about American criminal procedure, and deceived by the questioning agents as to the nature of his arrest. These factors will be assessed in turn.

4.1.2.1 Intoxication

In assessing the validity of a Miranda waiver, courts may consider intoxication, lack of sleep, or other physical discomfort as they affect a defendant's susceptibility to coercion. See United States v. Brooks , 125 F.3d 484, 491 (7th Cir. 1997) (finding voluntary waiver despite the fact that defendant was high on crack, sleep deprived, and in pain). However, "intoxication...by itself-without some showing of coercion by the government-will not negate voluntariness." United States v. Chrismon , 965 F.2d 1465, 1469 (7th Cir. 1992) ; Andersen v. Thieret , 903 F.2d 526, 530-31 (7th Cir. 1990) (noting that impairment is unlikely where approximately 19 hours had elapsed between the defendant's last drink and his confession). Additionally, "mental state alone cannot make [a defendant's] confession involuntary...[I]t is relevant only to the extent it made him more susceptible to mentally coercive police tactics." Id. at 530 n.1 (citing Colorado v. Connelly , 479 U.S. 157, 163-67, 107 S.Ct. 515, 93 L.Ed.2d 473 (1986) ).

It is unlikely that Hutchins's alleged impairment significantly factored into his ability to give a voluntary waiver or made him more susceptible to deceptive interrogation tactics. The agents monitored *789Hutchins from the beginning of the day to ensure that he was sober when he was arrested. They ensured that he was in custody before he had the opportunity to drink at the airport. They walked him to two separate locations (first, the stairwell; second, the interview room) and engaged him in conversation, which gave them opportunity to evaluate whether Hutchins appeared to be somehow impaired by an intoxicant. Hutchins appeared to be alert, engaged, coordinated, and coherent. There is no evidence in the record to the contrary. There is also no evidence, nor does Hutchins claim, that he was under the influence of drugs that day-only that he was exhausted. But a terrible hangover alone does not, as a matter of law, render someone unable to exercise or waive their Miranda rights. This factor does not weigh in Hutchins's favor.

4.1.2.2 Intelligent Waiver

Hutchins next argues that he did not appreciate the nature of his Miranda rights, or the consequences of waiving them, because he was confused by the purpose of the interrogation, and believed, based on U.K. criminal procedure, that it would be helpful for him to speak in his defense. (Docket # 111 at 13).3

The Court takes judicial notice of the warning given to suspects upon arrest in the U.K., which advises: "You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in Court. Anything you do say may be given in evidence." Police and Criminal Evidence Act 1984 Code G 3.5, Revised Code of Practice for the Statutory Power of Arrest by Police Officers (revised July 2012), https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/117583/pace-code-g-2012.pdf. For comparison, an arrest warning in the United States reads to the effect of, "you have the right to remain silent, anything you say can and will be used against you in a court of law." See e.g., Miranda v. Arizona , 384 U.S. 436, 444, 86 S.Ct. 1602, 16 L.Ed.2d 694 (1966).

On its face, the U.K. warning appears to serve the same function as the U.S. warning, but there are important differences that theoretically would have affected whether Hutchins appreciated the consequence of giving up his right to remain silent. In the U.K., a defendant is told, "You do not have to say anything." There is neither right, nor waiver-the consequence stems, in fact, from not saying anything ("it may harm your defence if you do not mention when questioned..."). By contrast, in the U.S., a defendant is told "you have a right to remain silent," and the consequences of failing to remain silent are clear: "anything you say can and will be used against you ." The warnings-and their consequences-are substantively different, although their cadences are similar. It is conceivable that anyone-even a well-educated person-would find comfort in the broad similarities between the two, and believe that, wording aside, the substance is the same.

The Seventh Circuit has held that Miranda waivers are valid so long as the defendant has a general understanding of the nature of the right, and the consequences of waiver. See *790Collins v. Gaetz , 612 F.3d 574, 588 (7th Cir. 2010). In Gaetz , which evaluated a person of limited mental capacity's ability to waive his rights, the Court of Appeals referred to a "relatively low bar in proving an intelligent waiver," whereby a defendant need only comprehend the most basic concepts underlying Miranda . Id. Other circuits to consider this issue in the context of foreign citizens have invalidated a waiver only where the defendant's grasp on the interrogating language was so attenuated that he could not intelligently waive his rights. See United States v. Amano , 229 F.3d 801, 805 (9th Cir. 2000) (finding that a defendant's lack of contact with the U.S. criminal justice system and the Japanese consulate "did not render his waiver involuntary" in light of evidence that he understood English, was read his rights twice, and claimed to understand them); c.f. United States v. Garibay , 143 F.3d 534, 538-39 (9th Cir. 1998) (finding no valid waiver where the defendant was not fluent in English and had a low verbal IQ); United States v. Zaitar , 858 F.Supp.2d 103, 115-16 (D.D.C. 2012) (finding no valid waiver of counsel during an interview in Romania conducted in Portuguese by American officials, where the defendant, a native Lebanese speaker, responded affirmatively to all questions except the question regarding waiver of counsel, to which he replied, nonsensically, "I understand Portuguese.").

Hutchins is a well-educated English-speaker from a common law country. Although there is no language barrier, he claims that he did not understand the consequences of waiving his Miranda rights in light of the subtle, but substantive, differences between U.S. and U.K. arrest procedure. The Court is inclined to agree that these differences, though small, are elemental enough that they may have affected Hutchins's understanding of the basic concepts underlying Miranda (i.e., whether it would be helpful for him to speak). However, in light of Hutchins's mental acuity, the Court cannot find that his waiver was unintelligent. This factor does not weigh heavily in his favor.

4.1.2.3 Deception

In order to establish that his statement was the product of deception, Hutchins bears the burden of showing by "clear and convincing evidence that that the agents affirmatively mislead him as to the true nature of their investigation." United States. v. Serlin , 707 F.2d 953, 956 (7th Cir. 1983). "Defendant must also prove that the misinformation was material in his decision to speak with the agents." Id. "Simple failure to inform defendant that he was the subject of the investigation, or that the investigation was criminal in nature, does not amount to affirmative deceit unless defendant inquired about the nature of the investigation and the agents' failure to respond was intended to mislead." Id. The fact that an agent makes misrepresentations to a defendant, while relevant, is "insufficient...to make [an] otherwise voluntary confession inadmissible." Frazier v. Cupp , 394 U.S. 731, 739, 89 S.Ct. 1420, 22 L.Ed.2d 684 (1969) ; but see United States v. Giddins , 858 F.3d 870, 885 (4th Cir. 2017) (finding that a defendant's will was "overborne or his capacity for self-determination critically impaired" where he voluntarily went to the police station under the pretense of retrieving an impounded car, was repeatedly told that he was not under arrest or investigation, but was interrogated anyway).

In Serlin , a defendant was questioned by the IRS regarding a criminal investigation, but did not realize that he was the target of the investigation. 707 F.2d at 957. The agents initially told him they were investigating his business partners, but several minutes into the interview, warned the defendant not to make incriminating statements. Id. The defendant continued to speak. Id. The Seventh Circuit determined *791that the defendant's statements "were not the product of affirmative deceit," in large part because the statements that the agents made were true-the agents were, in fact, investigating the defendant's business partners as well. Id. Moreover, the agents warned the defendant not to incriminate himself, and then specifically asked about his own failure to file taxes. Id. On those facts, the Seventh Circuit determined that "even the most unsuspecting taxpayer [would be alerted that he] was, at least partly, the focus of the search." Id.

In this case, Hutchins received his Miranda rights and understood that he was under arrest for alleged criminal activity, and the investigation related, at least in some way, to Kronos. However, Hutchins's recent triumph with WannaCry had vaulted him into the public eye as a "white hat" hacker. Thus, Hutchins could have been reasonably confused about the FBI's interest in him. In assessing whether he voluntarily waived his rights, some consideration must be given to the fact that white hat hacking is a complex and relatively novel field that can toe an already blurry line vis-à-vis online criminal activity. The agents did not tell Hutchins why he was under arrest, and did nothing to explain the nature of the charges against him until the end of his interrogation. Hutchins, who had no cause for concern regarding his role in WannaCry, and who had distanced himself from nefarious internet activity, cooperated. The interrogation ended twenty minutes after he was presented with the warrant, though he continued to consent to searches and answer questions after he understood the charges against him.

This case differs from Serlin in one salient way: Hutchins had already been indicted on a host of specific charges. Thus, the aim of the agents' questioning was not to cobble together enough information to establish probable cause for arrest, as it was in Serlin . Rather, the purpose of the interrogation was to continue collecting enough evidence to establish guilt beyond a reasonable doubt. The stakes were dramatically higher, and Hutchins's privilege against self-incrimination all the more precious. The government argues that this fact cuts against Hutchins-that is, he understood that the "nature" of the investigation was criminal, and should have known not to make incriminating statements. However, this ignores the context of Hutchins's work as a hacker. Hutchins had recently dealt with matters of international concern, and reasonably believed that it was in his best interest to answer their questions. At one point in the interrogation, he made a comment that showed that he did not realize he had even been indicted. There is no reason why the government could not have told him exactly why he was arrested, as he requested, and as was required of them by Federal Rule of Criminal Procedure 4(c), unless they were concerned that he would not be cooperative with them. There is certainly an element of deception to this set of events that the Court does not endorse.

On the other hand, the scope of the agents' questions should have put Hutchins on notice of the nature of the investigation. The agents did not try to "hide the ball," so to speak, about their interest in Kronos, and asked him about it early and often in the interrogation. And although the agents acted very familiarly with Hutchins, which may have put him at false ease, Chartier did remind him that he was in trouble. The Court is concerned by the abject failure of the agents to abide by the Federal Rules of Criminal Procedure 4(c), but their obvious interest in Kronos-including providing Hutchins with a string of code related to Kronos-leads the Court to conclude that there is not clear and convincing evidence that they acted with intent to deceive. Moreover, the fact that *792Hutchins continued to answer questions and consented to the search after he knew the substance of the indictment indicates that the deception was not material to his statements-that is, it seems that he would have attempted to be helpful even if he had seen the warrant.4

4.1.2.4 Totality of the Circumstances

Under the totality of the circumstances-considering Hutchins's exhausted state, his unfamiliarity with the American criminal procedure system, his high level of intelligence, and the lack of material deception, there is an insufficient basis for the Court to find that Hutchins's statements were involuntary. It is wholly improper that he was not provided with a warrant immediately upon arrest. But in light of the record of the post-arrest interrogation, the government has met its burden in proving that the waiver was voluntary. Thurman , 889 F.3d at 364.

4.2 Motion to Dismiss

Hutchins advances several motions to dismiss, all of which must be denied for the reasons given below. A motion to dismiss is proper where an indictment fails to state an offense. Fed. R. Crim. P. 12(b)(3)(B)(v). The indictment must contain a "plain, concise, and definite written statement of the essential facts constituting the offense charged." Fed. R. Crim. P. 7(c)(1). An indictment meets this rule's criteria if it "(1) states all the elements of the crime charged; (2) adequately informs the defendant of the nature of the charges so that he may prepare a defense; and (3) allows the defendant to plead the judgment as a bar to any future prosecutions." United States v. White , 610 F.3d 956, 958 (7th Cir. 2010). A charge that traces the language of the statute will typically suffice if it contains enough facts to provide the defendant with an understanding of the conduct at issue. United States v. Vaughn , 722 F.3d 918, 925 (7th Cir. 2013). "[T]he presence or absence of any particular fact is not dispositive." Id. (quoting White , 610 F.3d at 958-59 ). "A motion to dismiss is not intended to be a 'summary trial of the evidence.' " United States v. Yasak , 884 F.2d 996, 1001 (7th Cir. 1989) (quoting United States v. Winer , 323 F.Supp. 604, 605 (E.D. Pa. 1971) ). The Court will not assess "the strength or weakness of the government's case" at this stage-rather, it will consider whether the government is theoretically able to prove its case. White , 610 F.3d at 958 ; United States v. Castor , 558 F.2d 379, 384-85 (7th Cir. 1977).

As Magistrate Joseph noted, the superseding indictment is facially sufficient *793because each charge in it lists the date of the alleged wrongful conduct, the elements of the crime charged, and the nature of the offense charged-including the software at issue-such that Hutchins would be protected from double jeopardy. See (Docket # 109 at 20). The Court also agrees with Magistrate Joseph's analysis of United States v. Risk , 843 F.2d 1059 (7th Cir. 1988), wherein the Seventh Circuit dismissed an indictment where the government provided a set of undisputed facts that did not constitute a violation of any statute. In Risk , the issue was not that the government failed to allege enough facts-it was that the facts the government itself alleged could not, as a matter of law, result in a violation of a statute. Id. at 1061. By contrast, here, the government has alleged that Hutchins engaged in behavior that violated various statutes, and the government has not provided a set of undisputed facts to the contrary.

Accordingly, the Court agrees with Magistrate Joseph's determination that the superseding indictment is sufficient. In the interest of thoroughness, Hutchins's specific arguments will be addressed below.

4.2.1 Counts One and Seven Allege "Damage" Under 18 U.S.C. § 1030

Counts One and Seven are brought under the CFAA and allege that Hutchins conspired and attempted to cause damage to protected computers. Specifically, Count One alleges that between "July 2012 and September 2015, in the state and Eastern District of Wisconsin," Hutchins "knowingly conspired and agreed with Individual A ... to:

(a) knowingly cause and aid and abet the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage without authorization , to 10 or more protected computers during a 1-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (c)(4)(A)(i)(VI) and 2." (Docket # 86 at 3) (emphasis added).

Relatedly, Count Seven alleges that:

"On or about June 11, 2015, in the state and Eastern District of Wisconsin and elsewhere, MARCUS HUTCHINS, aka 'Malwaretech,' aka 'irp@jabber.se,' knowingly caused and aided and abetted the transmission of a program, information, code and command and as a result of such conduct, attempted to cause damage without authorization , to 10 or more protected computers during a 1-year period. In violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (ii), (c)(4)(A)(i)(VI), 1030(b), and 2." (Docket # 86 at 12) (emphasis added).

Each count is facially sufficient because it traces the language of the statute, cites to the statute, and provides a date (and a location) for the alleged conduct. Vaughn , 722 F.3d at 925. Count One contains additional allegations, including that Hutchins developed UPAS Kit and provided it to Individual A, who sold it to an individual in the Eastern District of Wisconsin. (Docket # 86 at 4). The count goes on to allege that Hutchins developed Kronos intending for Individual A to advertise, promote, and sell it; used a YouTube video to demonstrate how Kronos worked; updated the Kronos malware; and evaluated competing malwares. Id. at 4-5. Finally, it alleges that Hutchins referred prospective customers to Individual A. Id. at 6.

Hutchins argues that the facts as alleged are insufficient to state an offense. He submits that Counts One and Seven "fail[ ] to allege any facts that would show that Mr. Hutchins had any intent to cause 'damage' to a protected computer" because the superseding indictment does not allege *794that the malware at issue "damage[s]" computers. (Docket # 95 at 1 and # 111 at 28). The CFAA defines damage as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). The superseding indictment states that UPAS Kit is a "malware" that allows for "unauthorized exfiltration," and Kronos is a "malware" that "recorded and exfiltrated" various data. (Docket # 86 at 2). Hutchins suggests that "exfiltrate" means "making a copy of the data and taking it away," (Docket # 95 at 5), which is not "damage" under the CFAA.

The Seventh Circuit has held that "damage encompasses clearly destructive behavior such as using a virus or worm or deleting data...[b]ut it may also include less obviously invasive conduct, such as flooding an email account." Fidlar Tech. v. LPS Real Estate Data Solutions, Inc. , 810 F.3d 1075, 1084-85 (7th Cir. 2016) (quotations omitted) (finding that a claim involving a web-harvester was "trespassory in nature" but "mere access" did not amount to damage under the CFAA). The word "exfiltrate" has several definitions, one of which is: "to steal (sensitive data) from a computer (as with a flash drive)." Exfiltrate, Merriam-Webster Dictionary Online , https://www.merriam-webster.com/dictionary/exfiltrate (accessed Jan. 19, 2019). When a person "steals (sensitive data)," as a matter of logic, they "impair[ ]...the integrity...of [the] data [or]...system." 18 U.S.C. § 1030(e)(8). This is more than merely accessing data. C.f. Landmark Credit Union v. Doberstein , 746 F.Supp.2d 990, 993-94 (E.D. Wis. 2010) (finding no damage where former employee accessed and disclosed client list by emailing it to herself). The superseding indictment also describes the software at issue as "malware" or "malicious computer code intended to damage a computer." (Docket # 86 at 2). These terms are sufficient to allege intent to cause damage. The burden will be on the government to prove this at trial.

4.2.2 Counts One Through Six Refer to a "Device" Under 18 U.S.C. § 2510(5)

Counts One through Six are brought under the Wiretap Act, which criminalizes activity involving "any device or apparatus which can be used to intercept a wire, oral, or electronic communication." 18 U.S.C. § 2510(5). Hutchins argues that software such as Kronos and UPAS Kit should not be considered "devices" for the purposes of the Wiretap Act because software is not an "electronic, mechanical, or other device" under Section 2510(5). Hutchins relies on United States v. Szymuszkiewicz , in which the Court of Appeals assumed that "devices" referred to computers and servers that carried out a program, rather than the program itself. 622 F.3d 701, 707 (7th Cir. 2010) (discussing a Microsoft Outlook "rule" for email forwarding). In Szymuszkiewicz , the Court of Appeals considered whether "the 'device' used to intercept a communication must differ from the device the intended audience uses to receive the message," and determined that it did not. Id. The opinion did not consider whether a program or a piece of software could be considered a "device." Hutchins also relies on Potter v. Havlicek for the proposition that a software "alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so." 2008 WL 2556723, at *8, 2008 U.S. Dist. LEXIS 122211, at *23-24 (S.D. Ohio June 23, 2008). The Havlicek court did not cite any cases directly in support of its conclusion, and this Court finds its definitional logic faulty: computers, alone, also cannot be used to intercept communications. They require some software or program installed in order to have this capability.

*795The majority of courts to consider this issue have entertained the notion that software may be considered a device for the purposes of the Wiretap Act. See Luis v. Zang , 833 F.3d 619, 630 (6th Cir. 2016) (accepting that a software could be a "device" for the purpose of the Wiretap Act); In re Carrier IQ, Inc. , 78 F.Supp.3d 1051, 1087 (N.D. Cal. 2015) (concluding that a software was an "electronic, mechanical or other device"); Klumb v. Goan , 884 F.Supp.2d 644, 661-62 (E.D. Ten. 2012) (analyzing spyware software as a device under Wiretap Act); Rene v. G.F. Fishers, Inc. , 817 F.Supp.2d 1090, 1094 (S.D. Ind. 2011) (holding that keystrokes are not electronic communications for the purpose of the Wiretap Act, but accepting the notion that software could be a device); Shefts v. Petrakis , 2012 WL 4049484, at *8-9 (C.D. Ill. 2012) (analyzing software as a device under the Wiretap Act); see also United States v. Barrington , 648 F.3d 1178, 1203 (11th Cir. 2011) (accepting that a keylogger software could be considered a scanning receiver, or a device, under 18 U.S.C. § 1029(e)(8) ).

The Court is in accord with the majority of courts to consider this issue. The Court also agrees with the government's position that Section 2510(5)'s reference to "mechanism," which is commonly defined as a "process, technique, or system for achieving a result" seems to encompass software. Mechanism, Merriam-Webster Dictionary , https://www.merriam-webster.com/dictionary/mechanism (accessed Jan. 22, 2019); see also United States v. Mitra , 405 F.3d 492, 495 (7th Cir. 2005) (acknowledging that general technology statute should be read broadly in order to accommodate new developments).

4.2.3 Counts One, Four Through Eight, and Ten Allege Intent and Causation

Hutchins argues that the superseding indictment does not allege the necessary intent and causation elements in Counts One, Four through Eight, and Ten. The aforementioned counts each contain an intent element in connection with allegedly distributing malware for illegal purposes. Hutchins argues that the superseding indictment fails to specifically allege that he "intended any specific result to occur" as a result of his activities, and therefore, the superseding indictment does not state offenses. (Docket # 95 at 12).

These are arguments that go to the merits of the case, i.e., whether Hutchins had the requisite intent to commit the crimes charged. As discussed above, the superseding indictment is facially valid, and Hutchins does not contend that these specific counts lack all elements of the crimes charged, fail to inform him of the nature of the offenses, or are so insufficiently pled that he would be prevented from asserting any judgment as a bar to future prosecutions of the same offense. Vaughn , 722 F.3d at 925. The superseding indictment does not need to establish intent-it merely needs to allege it, which it does by listing the elements of the crimes charged. As the magistrate noted, Hutchins "tries to impose a standard for civil pleading on a criminal indictment." (Docket # 109 at 26). Therefore, this motion to dismiss will be denied.

4.2.4 Counts Two and Three are not Multiplicitous

Hutchins contends that Counts Two and Three are multiplicitous and submits that Count Three should be dismissed. (Docket # 95 at 9-11). Count Two charges Hutchins with a violation of 18 U.S.C. § 2512(1)(c)(i), Count Three charges Hutchins with a violation of 18 U.S.C § 2512(1)(c)(ii). "If one element is required to prove the offense in one count which is not required to prove the offense in the second count, there is no multiplicity."

*796United States v. Conley , 291 F.3d 464, 470 (7th Cir. 2002) (citing United States v. Briscoe , 896 F.2d 1476, 1522 (7th Cir. 1990) (quoting United States v. Marquardt , 786 F.2d 771, 778 (7th Cir. 1986) ) (internal citations and quotations omitted) ). Put another way, the Court must determine whether each count requires proof of a fact that the other does not.

The relevant portions of the statute make it unlawful for a person to intentionally:

"(c) place[ ] in any newspaper, magazine, handbill, or other publication or disseminate[ ] by electronic means any advertisement of-

(i) any electronic, mechanical, or other device knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or

(ii) any other electronic, mechanical, or other device, where such advertisement promotes the use of such device for the purpose of the surreptitious interception of wire, oral, or electronic communications." 18 U.S.C. § 2512(1)(c)(i),(ii).

In other words, Count Two, Section 2512(1)(c)(i), requires that Hutchins (1) made an advertisement with (2) knowledge or reason to know that the device's primary design was for surreptitiously infiltrating communication. There is no element requiring that Hutchins promoted the device as one that could be used for the surreptitious interception of communication, only that he knew its primary design was that.

By contrast, Count Three, Section 2512(1)(c)(ii), requires that Hutchins (1) made an advertisement with (2) the claim or promotion that a device could be used for the surreptitious interception of communication. Count Three does not require that Hutchins knew or had reason to know that its primary design was surreptitious interception of communication, as Count Two requires, only that he promoted it for that purpose.

Each count contains an element required to prove the offense that is not required in the other count, and the counts require proof of different facts. There is no multiplicity.

4.2.5 Count Seven does not Contain a Grand Jury Defect

As discussed above, Count Seven alleges violations of the CFAA, which criminalizes actions intended to damage protected computers. 18 U.S.C. § 1030(a)(5)(A) applies to one who "intentionally causes damage without authorization." Count Seven charges Hutchins with "attempt[ing] to cause damage without authorization." (Docket # 86 at 12). To prove an attempt to violate Section 1030(a)(5)(A), the government must prove that (1) Hutchins knowingly took a substantial step toward committing a violation of Section 1030(a)(5)(A) and (2) that he did so with the intent to violate § 1030(a)(5)(A). Seventh Circuit Pattern Jury Instruction 4.09 (2012) (emphasis added). It is fairly well settled that allegations of "attempt" necessarily encompasses the intent element. United States v. Resendiz-Ponce , 549 U.S. 102, 107, 127 S.Ct. 782, 166 L.Ed.2d 591 (2007) (holding that "the word 'attempt' as used in common parlance connote[s] action rather than mere intent, but more importantly, as used in the law for centuries, it encompasses both the overt act and intent elements.") (emphasis added). The indictment must "set forth all the elements necessary to constitute the offense intended to be punished" and allow defendant to "pin[ ] down the specific conduct at issue." United States v. Smith , 230 F.3d 300, 305 (7th Cir. 2000) (internal citations omitted). However, the absence of any particular fact is not necessarily dispositive, *797and indictments are reviewed "on a practical basis and in their entirety, rather than in a hypertechnical manner." Id. (quotations and citations omitted); see also (Docket # 109 at 29).

Hutchins argues that he cannot be charged with attempt to aid and abet an attempt to violate the CFAA because Count Seven is pled "without reference to the intentional causing of damage," as stated in the statute. (Docket # 92 at 5). The superseding indictment alleges that Hutchins attempted to cause damage, which encompasses the intent element. Whether the government can actually prove this at trial is a question for another time.

4.2.6 Extraterritorial Challenges

Hutchins argues that Counts Two and Three, which arise under the Wiretap Act, are an improper exercise of extraterritoriality because they do not charge domestic conduct. (Docket # 96 at 6). He further argues that Congress did not intend for the Wiretap Act, 18 U.S.C. § 1343, or 18 U.S.C. § 1001 to have extraterritorial application, "so the government must allege domestic violations of those statutes to state viable claims."Id. at 8.

The Court generally agrees with the magistrate's finding that the superseding indictment alleges domestic violations of all statutes, and therefore there is no extraterritoriality issue at hand. For example, the superseding indictment alleges that the criminal conduct in question occurred in the Eastern District of Wisconsin. (Docket # 86). Specifically, it alleges that Hutchins developed UPAS Kit and provided it to Individual A, who subsequently sold it to someone in the Eastern District of Wisconsin. Id. at 4. The superseding indictment further alleges that Hutchins developed Kronos and provided it to Individuals A and B, the former of whom advertised, marketed, and sold Kronos in the Eastern District of Wisconsin. Id. at 4-6. It also alleges that Hutchens used a YouTube video to promote the sale of Kronos, and referred interested purchasers of Kronos to Individual A. Id. at 4, 6. As Magistrate Joseph and this Court have repeatedly stated, "whether the government will be able to prove that is a question for another day." (Docket # 109 at 31). However, as stated, the charges sufficiently allege activity in the United States, specifically in the Eastern District of Wisconsin. There is no extraterritorial activity at issue.

However, because there is confusion about the proper standard to apply in the extraterritorial analysis, the Court takes this opportunity to clarify the issue in case it should arise in the future. There is a presumption against applying statutes extraterritorially because "Congress generally legislates with domestic concerns in mind." Small v. United States , 544 U.S. 385, 388, 125 S.Ct. 1752, 161 L.Ed.2d 651 (2005) (quotations and citations omitted). This broad presumption applies in all cases, "preserving a stable background against which Congress can legislate with predictable effects." Morrison v. Nat'l Australia Bank Ltd. , 561 U.S. 247, 261, 130 S.Ct. 2869, 177 L.Ed.2d 535 (2010). "[G]eneral reference to foreign commerce in the definition of 'interstate commerce' does not defeat the presumption against extraterritoriality." Id. at 263, 130 S.Ct. 2869. Although Congress does not need to explicitly state a rule of extraterritoriality and "context can be consulted," there must be an "affirmative indication" of Congress's extraterritorial intent. Id. at 265, 130 S.Ct. 2869.

Thus, the first step in any inquiry-civil or criminal-is "whether the presumption against extraterritoriality has been rebutted-that is, whether the statute gives a clear, affirmative indication that it applies extraterritorially."

*798RJR Nabisco, Inc. v. European Cmty. , --- U.S. ----, 136 S.Ct. 2090, 2101, 195 L.Ed.2d 476 (2016) (discussing RICO statute's extraterritorial hold). If there is no clear, affirmative indication of extraterritorial application, courts are instructed to consider

whether the case involves a domestic application of the statute...by looking to the statute's focus. If the conduct relevant to the statute's focus occurred in the United States, then the case involves a permissible domestic application even if other conduct occurred abroad; but if the conduct relevant to the focus occurred in a foreign country, then the case involves an impermissible extraterritorial application regardless of any other conduct that occurred in U.S. territory. Id. (quotation marks omitted).

In other words, if there is no clear Congressional intent for extraterritoriality, the Court must determine (1) the statute's focus and (2) whether the conduct relevant to the focus occurred in the United States. Id.

The government and the magistrate rely on United States v. Bowman , 260 U.S. 94, 98-99, 43 S.Ct. 39, 67 L.Ed. 149 (1922) and United States v. Leija-Sanchez , 602 F.3d 797, 799 (7th Cir. 2010) (" Leija-Sanchez I ") to stand for the broad proposition that the presumption against extraterritoriality does not apply to criminal cases. In light of Morrison and RJR Nabisco , this is not the correct standard. However, neither case has been overruled-and, indeed, there is no conflict with their holdings.

In Bowman, the Supreme Court held that a criminal fraud statute applied to certain extraterritorial conduct at sea and in foreign ports after finding that Congress must have intended it to apply to at-sea vessels and foreign ports. 260 U.S. at 102, 43 S.Ct. 39. Although the statute did not explicitly say that it applied extraterritorially, the Supreme Court determined that Congress's intent for extraterritorial application could be inferred from the function of the statute and from other sections in the statute's chapter, which was titled, "Offenses against the Operation of Government." Id. at 98-99, 43 S.Ct. 39 ; see also ; RJR Nabisco , 136 S.Ct. at 2102 ("an express statement of extraterritoriality is not essential."). Thus, the Bowman opinion shows the Supreme Court's determination that there was a "clear, affirmative indication" that the statute applied extraterritorially. See Morrison , 561 U.S. at 265, 130 S.Ct. 2869 ; RJR Nabisco , 136 S.Ct. at 2101.

In 2016, the Seventh Circuit upheld its decision in Leija-Sanchez I , which found that a criminal RICO statute applied extraterritorially to individuals who murdered a Mexican man in Mexico. United States v. Leija-Sanchez , 820 F.3d 899, 900 (7th Cir. 2016) ( Leija-Sanchez II ). Ten days after the Seventh Circuit denied rehearing in Leija-Sanchez II , the Supreme Court issued RJR Nabisco, which noted that "[t]he unique structure makes RICO the rare statute that clearly evidences extraterritorial effect despite lacking an express statement of extraterritoriality." RJR Nabisco , 136 S.Ct. at 2103. In the Leija-Sanchez cases, the murder was arranged and paid for in the United States in order to protect a criminal organization based in the United States, whose focus was defrauding the United States government. See Leija-Sanchez II, 820 F.3d at 901. The Court will not take it upon itself to re-write the Seventh Circuit's analysis in light of RJR Nabisco , but merely observes that it is possible to reconcile Leija-Sanchez I & II with the rule in RJR Nabisco .

Therefore, the proper rule to apply is that of RJR Nabisco : if Congress has not evinced an affirmative intent to apply the statute extraterritorially, the Court must assess the focus of the statute, and determine whether the conduct relevant to the *799focus occurred in the United States. Under RJR Nabisco , some conduct could occur outside of the United States as long as the conduct relevant to the focus of the statute occurred inside the United States. However, as stated above, the conduct that the superseding indictment alleges took place in the United States. Therefore, the Court need not evaluate Sections 2512, 1343, or 1001 for extraterritorial application.

4.2.7 Counts One Through Eight and Ten do not Violate Due Process

Hutchins argues that there is an insufficient nexus between his conduct and the United States, which violates his Due Process rights. Generally, a defendant must have adequate contacts with the United States in order to support United States jurisdiction. See In re Hijazi , 589 F.3d 401, 412 (7th Cir. 2009) ; Restatement (Third) of Foreign Relations Law §§ 402, 403 (1987) ; see also United States v. Yousef , 750 F.3d 254, 262 (2d Cir. 2014) ("The due process requirement that a territorial nexus underlie the extraterritorial application of a criminal statute... protects criminal defendants from prosecutions that are arbitrary or fundamentally unfair.") (citations and quotations omitted).

As the magistrate noted, the government's superseding indictment states the approximate date and location for each charge, and briefly describes the allegedly unlawful conduct that occurred in the United States. To the extent that the government prosecutes Hutchins's activities within the United States-specifically, the Eastern District of Wisconsin-the Court finds that there is adequate nexus as alleged in the superseding indictment. For example, if, as it is alleged, Hutchins promoted his malware to individuals in the Eastern District of Wisconsin, then he could reasonably foresee being haled before this Court for trial on that issue. See United States v. Perlaza , 439 F.3d 1149, 1168 (9th Cir. 2006) ("The nexus requirement is a judicial gloss applied to ensure that a defendant is not improperly haled before a court for trial.") (citations and quotations omitted). Whether Hutchins actually did any of the alleged conduct is a question for the jury.

4.2.8 The Superseding Indictment Properly Alleges Count Nine

Count Nine charges Hutchins with lying to the FBI in violation of 18 U.S.C. § 1001(a)(2). (Docket # 86 at 14). The crux of Hutchins's argument here is that Count Nine should be dismissed if Counts One through Eight and Ten are dismissed, because the FBI "had no power to exercise authority against Mr. Hutchins." (Docket # 105 at 17) (citations and quotations omitted). Because none of the charges above are dismissed, the Court finds that the FBI was properly within its jurisdiction to investigate these claims. Therefore, the charge that Hutchins lied to the FBI must also go forward.

5. Conclusion

The Court lacks a sufficient basis to grant the motion to suppress or the motions to dismiss. Indeed, many of Hutchins's contentions are not properly resolved at the motion to dismiss stage. Therefore, the Court adopts the magistrate's recommendation to deny all motions.

Accordingly,

IT IS ORDERED that Marcus Hutchins's motion to suppress (Docket # 55) be and the same is hereby DENIED ;

IT IS FURTHER ORDERED that Marcus Hutchins's motion to dismiss (Docket # 56) be and the same is hereby DENIED as moot ;

IT IS FURTHER ORDERED that Marcus Hutchins's motions to dismiss (Docket # 92, # 95, and # 96) be and the same are hereby DENIED ;

*800IT IS FURTHER ORDERED that Marcus Hutchins's objections to Magistrate Judge Nancy Joseph's Report and Recommendation (Docket # 111) be and the same are hereby OVERRULED in accordance with the terms of this Order; and

IT IS FURTHER ORDERED that Magistrate Judge Nancy Joseph's Report and Recommendation (Docket # 109) be and the same is hereby ADOPTED in accordance with the terms of this Order.