1

642 F.3d 781 United States Court of Appeals,

Ninth Circuit.

UNITED STATES of America, Plaintiff–Appellant, v.

David NOSAL, Defendant–Appellee.

No. 10–10038. | Argued and Submitted Feb. 14, 2011. | Filed April 28, 2011.

* * *

TROTT, Circuit Judge:

The United States appeals from the district court’s dismissal of several counts of an indictment charging David Nosal with, inter alia, numerous violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. Subsection (a)(4), the subsection under which Nosal was charged, subjects to punishment anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” Id. § 1030(a)(4). The indictment alleges that Nosal’s co-conspirators exceeded their authorized access to their employer’s computer system in violation of § 1030(a)(4) by obtaining information from the computer system for the purpose of defrauding their employer and helping Nosal set up a competing business. The district court relied on our decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009), in determining that an employee does not exceed authorized access to a computer by accessing information unless the employee has no authority to access the information under any circumstances—in other words, an employer’s restrictions on the use of the computer or of the information stored on that computer are irrelevant to determining whether an employee has exceeded his or her authorization. The government contends, on the other hand, that Brekka counsels in favor of its interpretation of the statute—that an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information. We have jurisdiction under 18 U.S.C. § 3731, and we agree with the government. Although we are mindful of the concerns raised by defense counsel regarding the criminalization of violations of an employer’s computer use policy, we are persuaded that the specific intent and causation requirements of § 1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal—but innocuous—reasons. We therefore reverse and remand to the district court with instructions to reinstate Counts 2, 4, 5, 6, and 7.

2

I

BACKGROUND

For purposes of our review, the indictment’s allegations must be taken as true. United States v. Fiander, 547 F.3d 1036, 1041 n. 3 (9th Cir.2008).

A

THE ALLEGATIONS AGAINST NOSAL

From approximately April 1996 to October 2004, Nosal worked as an executive for Korn/Ferry International (“Korn/Ferry”), an executive search firm. When Nosal left Korn/Ferry in October 2004, he signed a Separation and General Release Agreement and an Independent Contractor Agreement. Pursuant to these contracts, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with Korn/Ferry for one year. In return, Korn/Ferry agreed to pay Nosal two lump-sum payments in addition to twelve monthly payments of $25,000. *783 Shortly after leaving his employment, Nosal engaged three Korn/Ferry employees to help him start a competing business. The indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the “Searcher” database—a “highly confidential and proprietary database of executives and companies”—which was considered by Korn/Ferry “to be one of the most comprehensive databases of executive candidates in the world.” Paragraphs 9–11 of the indictment describe Korn/Ferry’s efforts to keep its database secure:

9. Korn/Ferry undertook considerable measures to maintain the confidentiality of the information contained in the Searcher database. These measures included controlling electronic access to the Searcher database and controlling physical access to the computer servers that contained the database. Korn/Ferry employees received unique usernames and created passwords for use on the company’s computer systems, including for use in accessing the Searcher database. These usernames and passwords were intended to be used by the Korn/Ferry employee only.

10. Korn/Ferry required all of its employees ... to enter into agreements that both explained the proprietary nature of the information disclosed or made available to Korn/Ferry employees (including the information contained in the Searcher database) and restricted the use and disclosure of all such information, except for legitimate

3

Korn/Ferry business....

11. Among other additional measures, Korn/Ferry also declared the confidentiality of the information in the Searcher database by placing the phrase “Korn/Ferry Proprietary and Confidential” on every Custom Report generated from the Searcher database. Further, when an individual logged into the Korn/Ferry computer system, that computer system displayed the following notification, in sum and substance:

This computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution....

(emphasis added) (third alteration in original).

B

DISTRICT COURT PROCEEDINGS

On June 26, 2008, the government filed a twenty-count superseding indictment against Nosal and one of his accomplices. Counts 2 through 9 of the indictment allege that the Korn/Ferry employees who conspired with Nosal—and Nosal himself as an aider and abettor—violated § 1030(a)(4). Nosal filed a motion to dismiss the indictment. He argued “that the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements.” In other words, the Korn/Ferry employees could not have acted “without authorization,” nor could they have “exceed[ed] authorized access,” because they had permission to access the computer and its information under certain circumstances.

* * * Because the conspirators had authority to obtain information from the Searcher database for legitimate Korn/Ferry business purposes, the district court held that they did not exceed their authorized access by doing so, even if they acted with a fraudulent intent. The government appealed.

II

4

STANDARD OF REVIEW

We review de novo a district court’s dismissal of an indictment, or of certain counts of that indictment, based on the district court’s interpretation of a federal statute. United States v. Boren, 278 F.3d 911, 913 (9th Cir.2002).

III

DISCUSSION

We are not faced in this appeal with an argument that Nosal’s accomplices accessed the Searcher database “without authorization.” The question we must answer here is whether those accomplices could have exceeded their authorized access by accessing information that they were entitled to access only under limited circumstances. We hold that an employee “exceeds authorized access” under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.

A

THE STATUTORY LANGUAGE

“The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.” Brekka, 581 F.3d at 1131. We begin our task of deciphering the meaning of this federal statute, as always, with its plain language.

* * * Although the statute does not define the phrase “without authorization,” it does state that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis added). The government contends that Nosal’s interpretation of “exceeds authorized access” would render superfluous the word “so” in the statutory definition. We agree. “So” in this context means “in a manner or way that is indicated or suggested.” Webster’s Third New Int’l Dictionary 2159 (Philip Babcock Gove, ed.2002). Thus, an employee exceeds authorized access under § 1030(e)(6) when the employee uses that authorized access “to obtain or alter information in the computer that the accesser is *786 not entitled [in that manner] to obtain or alter.” We decline to render meaningless a word duly enacted by Congress. See Corley v. United States, 556 U.S. 303, 129 S.Ct. 1558, 1566, 173 L.Ed.2d

5

443 (2009) (“[O]ne of the most basic interpretive canons [is] that a statute should be construed so that effect is given to all its provisions, so that no part will be inoperative or superfluous, void or insignificant.” (internal quotation marks and alteration omitted)). Because the statute refers to an accesser who is not entitled to access information in a certain manner, whether someone has exceeded authorized access must be defined by those access limitations. The plain language of the statute supports the government’s interpretation.

B

LVRC HOLDINGS LLC V. BREKKA

We must now address Nosal’s argument that Brekka requires us to decide this appeal in his favor notwithstanding the plain meaning of the phrase “exceeds authorized access.” [In LVRC Holdings LLC v. Brekka, the Ninth Circuit rejected CFAA liability for an employee who misappropriated proprietary information. The basis for Brekka is deeply ambiguous, so I have not assigned the opinion. This panel construes Brekka narrowly, as holding only: 1) an employer must affirmatively set the scope of authorization (rejecting the Citrin agency interpretation), and 2) if an employee has some authorized access, there can be no “without authorization” liability (much like Pulte Homes). The panel does not address a footnote in Brekka that also rejected “exceeding authorization” liability.]

* * * Our decision today that an employer’s use restrictions define whether an employee “exceeds authorized access” is simply an application of Brekka ‘s reasoning. As we held in that case, “[i]t is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’ ” Id. at 1133. Based on the “ ‘ordinary, contemporary, [and] common meaning’ ” of the word “authorization,” id. at 1132 (quoting Perrin v. United States, 444 U.S. 37, 42, 100 S.Ct. 311, 62 L.Ed.2d 199 (1979)), we held that “an employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it,” id. at 1133. Therefore, the only logical interpretation of “exceeds authorized access” is that the employer has placed limitations on the employee’s “permission to use” the computer and the employee has violated—or “exceeded”—those limitations. We do face a substantial factual distinction in this case: the existence of access restrictions instituted by the employer. The employee in Brekka had unfettered access to the company computer—“LVRC and Brekka did not have a written employment agreement, nor did LVRC promulgate employee guidelines that would prohibit employees from emailing LVRC documents to personal computers.” Id. at 1129.

6

Therefore, Brekka did not exceed his authorized access any more than he acted without authorization: he was entitled to obtain the information because he had not acted in a way that violated any access restrictions. By contrast, Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular. By using their authorized access to defraud Korn/Ferry in violation of Korn/Ferry’s access restrictions, Nosal’s accomplices certainly had fair warning that they were subjecting themselves to criminal liability. For this reason, we conclude that the rule of lenity, *788 which applied with particular force in interpreting the phrase “without authorization,” does not support ignoring the statutory language and the core rationale of Brekka. Nosal’s argument that the government’s “Orwellian” interpretation would improperly criminalize certain actions depending only on the vagaries and whims of the employer is foreclosed by Brekka, which held unequivocally that under § 1030 the employer determines whether an employee is authorized. Id. at 1133, 1135. Therefore, as long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that.

* * *

D

INTENT AND CAUSATION

We do not dismiss lightly Nosal’s argument that our decision will make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email accounts or to check the latest college basketball scores. But subsection (a)(4) does not criminalize the mere violation of an employer’s use restrictions. Rather, an employee violates this subsection if the employee (1) violates an employer’s restriction on computer access, (2) with an intent to defraud, and (3) by that action “furthers the intended fraud and obtains anything of value.” 18 U.S.C. § 1030(a)(4) (emphasis added). The requirements *789 of a fraudulent intent and of an action that furthers the intended fraud distinguish this case from the Orwellian situation that Nosal seeks to invoke. Simply using a work computer in a manner that violates an employer’s use restrictions, without more, is not a crime under § 1030(a)(4).

IV

CONCLUSION

Brekka held that a person accesses a computer without authorization “when the person

7

has not received permission to use the computer for any purpose.” 581 F.3d at 1135. Today, we clarify that under the CFAA, an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer. We reaffirm our previous conclusion that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed [ed] authorized access.’ ” Id. at 1133 (alteration in original). Therefore, we REVERSE the district court’s decision and REMAND with instructions to reinstate Counts 2 and 4–7 of the superseding indictment.

CAMPBELL, District Judge, dissenting: [Judge Campbell concludes that the majority’s view is inconsistent with Brekka and renders CFAA void for vagueness.]

1

676 F.3d 854 United States Court of Appeals,

Ninth Circuit.

UNITED STATES of America, Plaintiff–Appellant, v.

David NOSAL, Defendant–Appellee.

No. 10–10038. | Argued and Submitted Dec. 15, 2011. | Filed April 10, 2012.

* * *

KOZINSKI, Chief Judge:

Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

FACTS

[Omitted, see the panel opinion. There is no dispute about the relevant facts.]

DISCUSSION

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain *857 data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed [ ] authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor. The government argues that the statutory text can support only the latter interpretation of “exceeds authorized access.” In its opening brief, it focuses on the word “entitled” in the phrase an “accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis

2

added). Pointing to one dictionary definition of “entitle” as “to furnish with a right,” Webster’s New Riverside University Dictionary 435, the government argues that Korn/Ferry’s computer use policy gives employees certain rights, and when the employees violated that policy, they “exceed[ed] authorized access.” But “entitled” in the statutory text refers to how an accesser “obtain[s] or alter[s]” the information, whereas the computer use policy uses “entitled” to limit how the information is used after it is obtained. This is a poor fit with the statutory language. An equally or more sensible reading of “entitled” is as a synonym for “authorized.”2 So read, “exceeds authorized access” would refer to data or files on a computer that one is not authorized to access. In its reply brief and at oral argument, the government focuses on the word “so” in the same phrase. See 18 U.S.C. § 1030(e)(6) (“accesser is not entitled so to obtain or alter” (emphasis added)). The government reads “so” to mean “in that manner,” which it claims must refer to use restrictions. In the government’s view, reading the definition narrowly would render “so” superfluous. The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.3 Under the presumption that Congress acts interstitially, we construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so. See Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) (“[U]nless Congress conveys its purpose clearly, it will not be deemed to have significantly changed the federal-state balance in the prosecution of crimes.” (internal quotation marks omitted)). *858 In any event, the government’s “so” argument doesn’t work because the word has meaning even if it doesn’t refer to use restrictions. Suppose an employer keeps certain information in a separate database that can be viewed on a computer screen, but not copied or downloaded. If an employee circumvents the security measures, copies the information to a thumb drive and walks out of the building with it in his pocket, he would then have obtained access to information in the computer that he is not “entitled so to obtain.” Or, let’s say an employee is given full access to the information, provided he logs in with his username and password. In an effort to cover his tracks, he uses another employee’s login to copy information from the database. Once again, this would be an employee who is authorized to access the information but does so in a manner he was not authorized “so to obtain.” Of course, this all assumes that “so” must have a substantive meaning to make sense of the statute. But Congress could just as well have included “so” as a connector or for emphasis.4 While the CFAA is susceptible to the government’s broad interpretation, we find Nosal’s

3

narrower one more plausible. Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, “[i]n intentionally trespassing into someone else’s computer files, the offender obtains at the very least information as to how to break into that computer system.” S.Rep. No. 99–432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.). The government agrees that the CFAA was concerned with hacking, which is why it also prohibits accessing a computer “without authorization.” According to the government, that prohibition applies to hackers, so the “exceeds authorized access” prohibition must apply to people who are authorized to use the computer, but do so for an unauthorized purpose. But it is possible to read both prohibitions as applying to hackers: “[W]ithout authorization” would apply to outside hackers (individuals who have no authorized access to the computer at all) and “exceeds authorized access” would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA’s focus on hacking rather than turning it into a sweeping Internet-policing mandate.5 *859 The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer. The government argues that defendants here did have notice that their conduct was wrongful by the fraud and materiality requirements in subsection 1030(a)(4), which punishes whoever:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1–year period.

18 U.S.C. § 1030(a)(4). But “exceeds authorized access” is used elsewhere in the CFAA as a basis for criminal culpability without intent to defraud. Subsection 1030(a)(2)(C) requires only that the person who “exceeds authorized access” have “obtain[ed] ... information from any protected computer.” Because “protected computer” is defined as a computer affected by or involved in interstate commerce—effectively all computers with Internet access—the government’s interpretation of “exceeds authorized access” makes every violation of a private computer use policy a federal crime. See id. § 1030(e)(2)(B).

4

The government argues that our ruling today would construe “exceeds authorized access” only in subsection 1030(a)(4), and we could give the phrase a narrower meaning when we construe other subsections. This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the “standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning.” Powerex Corp. v. Reliant Energy Servs., Inc., 551 U.S. 224, 232, 127 S.Ct. 2411, 168 L.Ed.2d 112 (2007). The phrase appears five times in the first seven subsections of the statute, including subsection 1030(a)(2)(C). See 18 U.S.C. § 1030(a)(1), (2), (4) and (7). Giving a different interpretation to each is impossible because Congress provided a single definition of “exceeds authorized access” for all iterations of the statutory phrase. See id. § 1030(e)(6). Congress obviously meant “exceeds authorized access” to have the same meaning throughout section 1030. We must therefore consider how the interpretation we adopt will operate wherever in that section the phrase appears. In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government’s proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct. *860 Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.6 Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.7 Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private polices that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to

5

trigger criminal liability? Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars. The effect this broad construction of the CFAA has on workplace conduct pales by *861 comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, Blu–Ray player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody’s Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT.com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.8 For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007—March 1, 2012, § 2.3, http://www.google. com/intl/en/policies/terms/archive/20070416 (“You may not use the Services and may not accept the Terms if ... you are not of legal age to form a binding contract with Google....”) (last visited Mar. 4, 2012).9 Adopting the government’s interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms (“You will not share your password, ... let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so. Or consider the numerous dating websites whose terms of use prohibit inaccurate or misleading information. See, e.g., eHarmony Terms of Service § 2(I), http://www.eharmony.com/about/terms (“You will not provide inaccurate, misleading or false information to eHarmony or to any other user.”) (last visited Mar. 4, 2012). Or eBay and Craigslist, where it’s a violation of the terms of use to post items in an *862

6

inappropriate category. See, e.g., eBay User Agreement, http://pages.ebay.com/help/policies/user-agreement.html (“While using eBay sites, services and tools, you will not: post content or items in an inappropriate category or areas on our sites and services ....”) (last visited Mar. 4, 2012). Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as “tall, dark and handsome,” when you’re actually short and homely, will earn you a handsome orange jumpsuit. Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms (“YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.”) (last visited Mar. 4, 2012). Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever. The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, 559 U.S. 460, 130 S.Ct. 1577, 1591, 176 L.Ed.2d 435 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17–year–old boy and cyber-bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D.Cal.2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after. In United States v. Kozminski, 487 U.S. 931, 108 S.Ct. 2751, 101 L.Ed.2d 788 (1988), the Supreme Court refused to adopt the government’s broad interpretation of a statute because it would “criminalize a broad range of day-to-day activity.” Id. at 949, 108 S.Ct. at 2763. Applying the rule of lenity, the Court warned that the broader statutory interpretation would “delegate to prosecutors and juries the inherently legislative task of determining what type of ... activities are so morally reprehensible that they should be punished as crimes” and would “subject individuals to the risk of arbitrary or discriminatory prosecution and conviction.” Id. By giving that much power to prosecutors, we’re inviting discriminatory and arbitrary enforcement. We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty

7

of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir.2010); United States v. John, 597 F.3d 263 (5th Cir.2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of “exceeds authorized access.” They therefore failed to apply the long-standing principle that we must *863 construe ambiguous criminal statutes narrowly so as to avoid “making criminal law in Congress’s stead.” United States v. Santos, 553 U.S. 507, 514, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008). We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion. These courts recognize that the plain language of the CFAA “target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.” Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz.2008) (internal quotation marks omitted); see also Orbit One Commc’ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 385 (S.D.N.Y.2010) (“The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper ‘access’ of computer information. It does not prohibit misuse or misappropriation.”); Diamond Power Int’l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D.Ga.2007) (“[A] violation for ‘exceeding authorized access’ occurs where initial access is permitted but the access of certain information is not permitted.”); Int’l Ass’n of Machinists & Aerospace Workers v. Werner–Masuda, 390 F.Supp.2d 479, 499 (D.Md.2005) (“[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.”).

CONCLUSION

We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires “penal laws ... to be construed strictly.” United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95, 5 L.Ed. 37 (1820). “[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones, 529 U.S. at 858, 120 S.Ct. at 1912 (internal quotation marks and citation omitted). The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. “[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the

8

community, legislatures and not courts should define criminal activity.” United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971). “If there is any doubt about whether Congress intended [the CFAA] to prohibit the conduct in which [Nosal] engaged, then ‘we must choose the interpretation least likely to impose penalties unintended by Congress.’ ” United States v. Cabaccang, 332 F.3d 622, 635 n. 22 (9th Cir.2003) (quoting United States v. Arzate–Nunez, 18 F.3d 730, 736 (9th Cir.1994)). This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. See supra note 3. Therefore, we hold that *864 “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use. Because Nosal’s accomplices had permission to access the company database and obtain the information contained within, the government’s charges fail to meet the element of “without authorization, or exceeds authorized access” under 18 U.S.C. § 1030(a)(4). Accordingly, we affirm the judgment of the district court dismissing counts 2 and 4–7 for failure to state an offense. The government may, of course, prosecute Nosal on the remaining counts of the indictment. AFFIRMED.

SILVERMAN, Circuit Judge, with whom TALLMAN, Circuit Judge concurs, dissenting: This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts. The indictment here charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by an executive search firm that employed them; that they did so with the intent to defraud; and further, that they stole the victim’s valuable proprietary information by means of that fraudulent conduct in order to profit from using it. In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men—far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy. The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does.

* * *

9

A bank teller is entitled to access a bank’s money for legitimate banking purposes, but not to take the bank’s money for himself. A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled—he would “exceed his authority”—to take the vehicle to Mexico on a drug run. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. This is no doubt why the statute covers not only “unauthorized access,” but also “exceed[ing] authorized access.” The statute contemplates both means of committing the theft. The majority holds that a person “exceeds authorized access” only when that person has permission to access a computer generally, but is completely prohibited from accessing a different portion of the computer (or different information on the computer). The majority’s interpretation conflicts with the plain language of the statute. Furthermore, none of the circuits that have analyzed the meaning of “exceeds authorized access” as used in the Computer Fraud and Abuse Act read the statute the way the majority does. Both the Fifth and Eleventh Circuits have explicitly held that employees who knowingly violate clear company computer restrictions agreements “exceed authorized access” under the CFAA.

* * * The indictment here alleges that Nosal and his coconspirators knowingly exceeded the authority that they had to access their employer’s computer, and that they did so with the intent to defraud and to steal trade secrets and proprietary information from the company’s database for Nosal’s competing business. It is alleged that at the time the employee coconspirators accessed the database they knew they only were allowed to use the database for a legitimate business purpose because the co-conspirators allegedly signed an agreement which restricted the use and disclosure of information on the database except for legitimate Korn/Ferry business. Moreover, it is alleged that before using a unique username and password to log on to the Korn/Ferry computer and database, the employees were notified that the information stored on those computers were the property of Korn/Ferry and that to access the information without relevant authority could lead to disciplinary action and criminal prosecution. Therefore, it is alleged, that when Nosal’s co-conspirators accessed the database to obtain Korn/Ferry’s secret source lists, names, and contact information with the intent to defraud Korn/Ferry by setting up a competing company to take business away using the stolen data, they “exceed[ed their] authorized access” to a computer with an intent to defraud Korn/Ferry and therefore violated 18 U.S.C. § 1030(a)(4). If true, these allegations adequately state a crime under a commonsense reading of this particular subsection. Furthermore, it does not advance the ball to consider, as the majority does, the parade of

10

horribles that might occur under different subsections of the CFAA, such as subsection (a)(2)(C), which does not have the scienter or specific intent to defraud requirements that subsection (a)(4) has. Maldonado v. Morales, 556 F.3d 1037, 1044 (9th Cir.2009) (“The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases, but to adjudicate live cases or controversies.”) (citation and internal quotation marks omitted). Other sections of the CFAA may or may not be unconstitutionally vague or pose other problems. We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals. I express no opinion on the validity or application of other subsections of 18 U.S.C. § 1030, other than § 1030(a)(4), and with all due respect, neither should the majority. The majority’s opinion is driven out of a well meaning but ultimately misguided concern that if employment agreements or internet terms of service violations could subject someone to criminal liability, all internet users will suddenly become criminals overnight. I fail to see how anyone can seriously conclude that reading ESPN.com in contravention of office policy could come within the ambit of 18 U.S.C. § 1030(a)(4), a statute explicitly requiring an intent to defraud, the obtaining of *867 something of value by means of that fraud, while doing so “knowingly.” And even if an imaginative judge can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, ... that is what an as-applied challenge is for. Meantime, back to this case, 18 U.S.C. § 1030(a)(4) clearly is aimed at, and limited to, knowing and intentional fraud. Because the indictment adequately states the elements of a valid crime, the district court erred in dismissing the charges. I respectfully dissent.

Footnotes 3

Congress did just that in the federal trade secrets statute—18 U.S.C. § 1832—where it used the common law terms for misappropriation, including “with intent to convert,” “steals,” “appropriates” and “takes.” See 18 U.S.C. § 1832(a). The government also charged Nosal with violating 18 U.S.C. § 1832, and those charges remain pending.

4

The government fails to acknowledge that its own construction of “exceeds authorized access” suffers from the same flaw of superfluity by rendering an entire element of subsection 1030(a)(4) meaningless. Subsection 1030(a)(4) requires a person to (1) knowingly and (2) with intent to defraud (3) access a protected computer (4) without authorization or exceeding authorized access (5) in order to further the intended fraud. See 18 U.S.C. § 1030(a)(4). Using a computer to defraud the company necessarily contravenes company policy. Therefore, if someone accesses a computer with intent to defraud—satisfying elements (2) and (3)—he would invariably satisfy (4) under the government’s definition.

11

6

Enforcement of the CFAA against minor workplace dalliances is not chimerical. Employers have invoked the CFAA against employees in civil cases. In a recent Florida case, after an employee sued her employer for wrongful termination, the company counterclaimed that plaintiff violated section 1030(a)(2)(C) by making personal use of the Internet at work—checking Facebook and sending personal email—in violation of company policy. See Lee v. PMSI, Inc., No. 8:10–cv–2904–T–23TBM, 2011 WL 1742028 (M.D.Fla. May 6, 2011). The district court dismissed the counterclaim, but it could not have done so if “exceeds authorized access” included violations of private computer use policies.

7

This concern persists even if intent to defraud is required. Suppose an employee spends six hours tending his FarmVille stable on his work computer. The employee has full access to his computer and the Internet, but the company has a policy that work computers may be used only for business purposes. The employer should be able to fire the employee, but that’s quite different from having him arrested as a federal criminal. Yet, under the government’s construction of the statute, the employee “exceeds authorized access” by using the computer for non-work activities. Given that the employee deprives his company of six hours of work a day, an aggressive prosecutor might claim that he’s defrauding the company, and thereby violating section 1030(a)(4).

8

See, e.g., Craigslist Terms of Use (http://www.craigslist. org/about/terms.of.use), eBay User Agreement (http://pages.ebay. com/help/policies/user-agreement.html?rt=nc), eHarmony Terms of Service (http://www.eharmony.com/about/terms), Facebook Statement of Rights and Responsibilities (http://www.facebook.com/#!/legal/terms), Google Terms of Service (http://www.google.com/intl/en/policies/terms/), Hulu Terms of Use (http://www.hulu.com/terms), IMDb Conditions of Use (http://www.imdb. com/help/show_article?conditions), JDate Terms and Conditions of Service (http://www.jdate.com/Applications/Article/ArticleView.aspx?Category ID=1948&ArticleID=6498&HideNav=True#service), LinkedIn User Agreement (http://www.linkedin.com/static?key=user_agreement), Match.com Terms of Use Agreement (http://www.match.com/registration/membagr.aspx?lid=4), MySpace.com Terms of Use Agreement (http://www.myspace.com/Help/Terms?pm_ cmp=ed_footer), Netflix Terms of Use (https://signup.netflix.com/TermsOf Use), Pandora Terms of Use (http://www.pandora.com/legal), Spotify Terms and Conditions of Use (http://www.spotify.com/us/legal/end-user-agreement/), Twitter Terms of Service (http://twitter.com/tos), Wikimedia Terms of Use (http://wikimediafoundation.org/wiki/Terms_of_use) and YouTube Terms of Service (http://www.youtube.com/t/terms).

9

A number of other well-known websites, including Netflix, eBay, Twitter and Amazon, have this age restriction.

12

1

930 F.Supp.2d 1051 United States District Court,

N.D. California.

UNITED STATES of America, Plaintiff, v.

David NOSAL, Defendant.

No. CR–08–0237 EMC. | March 12, 2013.

ORDER DENYING DEFENDANT’S MOTION TO DISMISS

(Docket Nos. 274, 276)

EDWARD M. CHEN, District Judge.

* * *

III. DISCUSSION

* * *

D. Application to Remaining CFAA Counts

1. Defendant’s Definition of Hacking Defendant now argues that the Ninth Circuit’s opinion in Nosal limits the applicability of the CFAA to not just unauthorized access but to hacking crimes where the defendant circumvented technological barriers to access a computer. Thus, Defendant argues, the remaining CFAA claims must be dismissed because they do not include allegations that Defendant or his co-conspirators circumvented any technological access barriers. The Ninth Circuit acknowledged that the CFAA was passed “primarily to address the growing problem of computer hacking.” Id. at 858. The court further rejected the government’s argument that accessing a computer “without authorization” was intended to refer to hackers, while accessing a computer in a way that “exceeds authorized access” necessarily refers to authorized users who access a computer for an unauthorized purpose. . . . The court noted that the Defendant’s “narrower interpretation [of the CFAA] is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere.” Id. at 863. The court did not, however, explicitly hold that the CFAA is limited to hacking crimes, or

2

discuss the implications of so limiting the statute. . . . Nowhere does the court’s opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4). Instead, Nosal holds only that it is not a violation of the CFAA to access a computer with permission, but with the intent to use the information gained thereby in violation of a use agreement. 676 F.3d at 863–64. The court did not address limits on liability under the CFAA based on the manner in which access is limited, whether by technological barrier or otherwise. Id. Thus, Defendant’s interpretation is not a fair reading of Nosal on this front is simply incorrect. Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA, and its use of the phase *1061 “circumvention of technological access barriers” was an aside that does not appear to have been intended as having some precise definitional force.

* * *

IV. CONCLUSION

For the foregoing reasons, Defendant’s motion to dismiss the third, eighth, and ninth counts of the first superseding indictment is DENIED. This order disposes of Docket Nos. 274 and 276. IT IS SO ORDERED.

1

687 F.3d 199 United States Court of Appeals,

Fourth Circuit.

WEC CAROLINA ENERGY SOLUTIONS LLC, Plaintiff–Appellant, v.

Willie MILLER, a/k/a Mike; Emily Kelley; Arc Energy Services Incorporated, Defendants–Appellees.

No. 11–1201. | Argued: April 2, 2012. | Decided: July 26, 2012.

* * *

FLOYD, Circuit Judge:

In April 2010, Mike Miller resigned from his position as Project Director for WEC Carolina Energy Solutions, Inc. (WEC). Twenty days later, he made a presentation to a potential WEC customer on behalf of WEC’s competitor, Arc Energy Services, Inc. (Arc). The customer ultimately chose to do business with Arc. WEC contends that before resigning, Miller, acting at Arc’s direction, downloaded WEC’s proprietary information and used it in making the presentation. Thus, it sued Miller, his assistant Emily Kelley, and Arc for, among other things, violating the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The district court dismissed WEC’s CFAA claim, holding that the CFAA provides no relief for Appellees’ alleged conduct. We agree and therefore affirm.

I.

* * *

B.

WEC and Arc are competitors, providing specialized welding and related services *202 to the power generation industry. Both companies are incorporated in South Carolina and maintain their principal places of business in York County, South Carolina. Prior to April 30, 2010, WEC employed Mike Miller as a Project Director and Emily Kelley as his assistant. Both individuals now work for Arc. When Miller worked for WEC, the company provided him with a laptop computer and cell phone, and authorized his access to the company’s intranet and computer servers. According to WEC’s complaint, “Miller had access to numerous confidential and trade secret documents stored on ... computer servers, including pricing terms, pending projects[,] and the technical capabilities of WEC.” To protect its confidential information

2

and trade secrets, WEC instituted policies that prohibited using the information without authorization or downloading it to a personal computer. These policies did not restrict Miller’s authorization to access the information, however. On April 30, 2010, Miller resigned from WEC. WEC alleges that prior to resigning, Miller, at Arc’s direction, “either by himself or by his assistant, Kelley, downloaded a substantial number of WEC’s confidential documents” and emailed them to his personal e-mail address. WEC also alleges that Miller and Kelley downloaded confidential information to a personal computer. Twenty days after leaving WEC, Miller reportedly used the downloaded information to make a presentation on behalf of Arc to a potential WEC customer. The customer ultimately awarded two projects to Arc. WEC contends that as a result of Miller’s and Kelley’s actions, it “has suffered and will continue to suffer impairment to the integrity of its data, programs, systems or information, including economic damages, and loss aggregating substantially more than $5,000 during a one-year period.” In October 2010, WEC sued Miller, Kelley, and Arc, alleging nine state-law causes of action and a violation of the CFAA. Regarding its CFAA claim, WEC averred that Miller and Kelley violated the Act because “[u]nder WEC’s policies they were not permitted to download confidential and proprietary information to a personal computer.” Thus, by doing so, they “breache[d] their fiduciary duties to WEC” and via that breach, they either (1) lost all authorization to access the confidential information or (2) exceeded their authorization. WEC sought to hold Arc liable because it claimed that Miller and Kelley undertook this conduct as Arc’s agents. Appellees moved for dismissal pursuant to Federal Rule of Civil Procedure 12(b)(6), and the district court held that WEC failed to state a claim for which the CFAA provided relief:

[I]n this case, WEC’s company policies regulated use of information not access to that information. Thus, even if Miller and Kelley’s purpose in accessing the information was contrary to company policies regulating use, it would not establish a violation of company policies relevant to access and, consequently, would not support liability under the CFAA.

WEC Carolina Energy Solutions, LLC v. Miller, No. 0:10–cv–2775–CMC, 2011 WL 379458, at *5 (D.S.C. Feb. 3, 2011). Thus, it dismissed the CFAA claim and declined to exercise jurisdiction over the remaining state-law claims.

II.

We review de novo a district court’s dismissal pursuant to Rule 12(b)(6), accepting as

3

true all factual allegations contained in the complaint.

A.

WEC alleges that Appellees violated § 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C), each of which require that a party either access a computer “without authorization” or “exceed[ ] authorized access.” The district court held that Appellees’ alleged conduct—the violation of policies regarding the use and downloading of confidential information—did not contravene any of these provisions. Accordingly, the crux of the issue presented here is the scope of “without authorization” and “exceeds authorized access.” We particularly examine whether these terms extend to violations of policies regarding the use of a computer or information on a computer to which a defendant otherwise has access. Before delving into statutory analysis, however, we briefly review the perspectives of our sister circuits. In short, two schools of thought exist. The first, promulgated by the Seventh Circuit and advanced by WEC here, holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. See Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006). Thus, for example, the Seventh Circuit held that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. Id. at 419–21. It reasoned that his “breach of his duty of loyalty terminated his agency relationship ... and with it his authority to access the laptop, because the only basis of his authority had been that relationship.” Id. at 420–21. The second, articulated by the Ninth Circuit and followed by the district court here, interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. See United States v. Nosal, 676 F.3d 854, 863 (9th Cir.2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134–35 (9th Cir.2009). Thus, in Nosal, the Ninth Circuit, sitting en banc, held that the defendant’s co-conspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. Nosal, 676 F.3d at 856, 864. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded. Id. at 863–64. As we explain below, we agree with this latter view.

B.

As with any issue of statutory interpretation, we focus on the plain language of the

4

statute, seeking “first and foremost ... to implement congressional intent.” United States v. Abdelshafi, 592 F.3d 602, 607 (4th Cir.2010) (quoting United States v. Passaro, 577 F.3d 207, 213 (4th Cir.2009)) (internal quotation marks omitted). Thus, “ ‘we give the terms [of the statute] their ordinary, contemporary, common meaning, absent an indication [that] Congress intended’ the statute’s language ‘to bear some different import.’ ” Id. (quoting *204 Stephens ex rel. R.E. v. Astrue, 565 F.3d 131, 137 (4th Cir.2009)). Where, as here, our analysis involves a statute whose provisions have both civil and criminal application, our task merits special attention because our interpretation applies uniformly in both contexts. See Leocal v. Ashcroft, 543 U.S. 1, 11 n. 8, 125 S.Ct. 377, 160 L.Ed.2d 271 (2004). Thus, we follow “the canon of strict construction of criminal statutes, or rule of lenity.” United States v. Lanier, 520 U.S. 259, 266, 117 S.Ct. 1219, 137 L.Ed.2d 432 (1997). In other words, in the interest of providing fair warning “of what the law intends to do if a certain line is passed,” Babbitt v. Sweet Home Chapter of Communities for a Great Or., 515 U.S. 687, 704 n. 18, 115 S.Ct. 2407, 132 L.Ed.2d 597 (1995) (quoting United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971)) (internal quotation marks omitted), we will construe this criminal statute strictly and avoid interpretations not “clearly warranted by the text,” Crandon v. United States, 494 U.S. 152, 160, 110 S.Ct. 997, 108 L.Ed.2d 132 (1990).

1.

The CFAA is concerned with the unauthorized access of protected computers. Thus, we note at the outset that “access” means “[t]o obtain, acquire,” or “[t]o gain admission to.” Oxford English Dictionary (3d ed.2011; online version 2012). Moreover, per the CFAA, a “computer” is a high-speed processing device “and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” § 1030(e)(1). A computer becomes a “protected computer” when it “is used in or affecting interstate or foreign commerce.” § 1030(e)(2). With respect to the phrase, “without authorization,” the CFAA does not define “authorization.” Nevertheless, the Oxford English Dictionary defines “authorization” as “formal warrant, or sanction.” Oxford English Dictionary (2d ed.1989; online version 2012). Regarding the phrase “exceeds authorized access,” the CFAA defines it as follows: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). Recognizing that the distinction between these terms is arguably minute, see Citrin, 440 F.3d at 420, we nevertheless conclude based on the “ordinary, contemporary, common meaning,” see Perrin v. United States, 444 U.S. 37, 42, 100 S.Ct. 311, 62 L.Ed.2d 199 (1979), of “authorization,” that an employee is authorized to access a computer when his

5

employer approves or sanctions his admission to that computer. Thus, he accesses a computer “without authorization” when he gains admission to a computer without approval. See Brekka, 581 F.3d at 1133. Similarly, we conclude that an employee “exceeds authorized access” when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access. See id. Notably, neither of these definitions extends to the improper use of information validly accessed.

2.

WEC presses instead an ostensibly plain-language interpretation articulated in the Nosal panel decision, which was subsequently *205 reversed en banc. See United States v. Nosal, 642 F.3d 781 (9th Cir.2011), rev’d en banc, 676 F.3d 854 (9th Cir.2012). In that decision, the panel fixated on the word “so” in the definition of “exceeds authorized access.” See id. at 785. The panel declared that, in context, this conjunction means “in a manner or way that is indicated or suggested.” Id. (quoting Webster’s Third New Int’l Dictionary 2159 (Philip Babcock Gove ed., 2002)) (internal quotation marks omitted). Thus, it found that an employee “exceed[s] [his] authorized access” if he uses such access “to obtain or alter information [on] the computer that [he] is not entitled [in that manner] to obtain or alter.” Id. at 785–86. (third alteration in original) (quoting § 1030(e)(6)) (internal quotation marks omitted). Armed with this interpretation, the court held that the defendant’s co-conspirators “exceed[ed] their authorized access” because although they had permission to access the proprietary information that they transferred to the defendant, they violated the company’s policy regarding the use and disclosure of that information. See id. at 787–89. The court reasoned that the co-conspirators’ violation of the use and disclosure policy constituted access “in a manner” to which they were not entitled. Thus, they violated the CFAA. See id. As an initial manner, we believe the Nosal panel’s conclusion is a non sequitur. To us, defining “so” as “in that manner” only elucidates our earlier conclusion that “exceeds authorized access” refers to obtaining or altering information beyond the limits of the employee’s authorized access. It does not address the use of information after access. Indeed, the Ninth Circuit indicated as much in its en banc reversal, when it declined to hold that the interpretation of “so” as “in that manner” necessarily means employees can be liable for use-policy violations. See 676 F.3d at 857. Instead, the court offered hypotheticals illustrating how the panel’s interpretation of “so” referred to the means of obtaining information, not the use of information. See id. For example, if an employee who has access to view information, but not to download it, disregards company policy by “cop[ying] the information to a thumb drive and walk[ing] out of the building with it,” he obtains information “in a manner” that lacks authorization. Id. at 858. Similarly, if an employee has complete access to information with his own username and password, but accesses information using another employee’s username and password, he also obtains information “in a manner” that is not authorized. Id. In contrast, however, where such an

6

employee uses his own username and password to access the information and then puts it to an impermissible use, his “manner” of access remains valid. Thus, in the Ninth Circuit’s view, and ours, interpreting “so” as “in that manner” fails to mandate CFAA liability for the improper use of information that is accessed with authorization. Nevertheless, because WEC alleges that Miller and Kelley obtained information by downloading it to a personal computer in violation of company policy, we go a step further. Although we believe that interpreting “so” as “in that manner” fails to subject an employee to liability for violating a use policy, we nonetheless decline to adopt the Nosal panel’s interpretation of the conjunction. The interpretation is certainly plausible, but it is not “clearly warranted by the text.” Crandon, 494 U.S. at 160, 110 S.Ct. 997. Indeed, Congress may have intended “so” to mean “in that manner,” but it “could just as well have included ‘so’ as a connector or for emphasis.” Nosal, 676 F.3d at 858. Thus, faced with the option of two interpretations, we yield to the rule of lenity and *206 choose the more obliging route. “[W]hen [a] choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” United States v. Universal C.I.T. Credit Corp., 344 U.S. 218, 221–22, 73 S.Ct. 227, 97 L.Ed. 260 (1952); see also Nosal, 676 F.3d at 863. Here, Congress has not clearly criminalized obtaining or altering information “in a manner” that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter. And lest we appear to be needlessly splitting hairs, we maintain that the Nosal panel’s interpretation would indeed be a harsher approach. For example, such an interpretation would impute liability to an employee who with commendable intentions disregards his employer’s policy against downloading information to a personal computer so that he can work at home and make headway in meeting his employer’s goals. Such an employee has authorization to obtain and alter the information that he downloaded. Moreover, he has no intent to defraud his employer. But under the Nosal panel’s approach, because he obtained information “in a manner” that was not authorized (i.e., by downloading it to a personal computer), he nevertheless would be liable under the CFAA. See § 1030(a)(2)(C). Believing that Congress did not clearly intend to criminalize such behavior, we decline to interpret “so” as “in that manner.” In so doing, we adopt a narrow reading of the terms “without authorization” and “exceeds authorized access” and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.

3.

In adopting these definitions, we reject any interpretation that grounds CFAA liability on

7

a cessation-of-agency theory. The deficiency of a rule that revokes authorization when an employee uses his access for a purpose contrary to the employer’s interests is apparent: Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems. We recognize that the Seventh Circuit applied its reasoning to egregious behavior that clearly violated the duty of loyalty. See Citrin, 440 F.3d at 419. Nevertheless, we believe that the theory has far-reaching effects unintended by Congress. See Nosal, 676 F.3d at 862 (noting that the Seventh Circuit “looked only at the culpable behavior of the defendant[ ] before [it], and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access’ ”); cf. Restatement (Third) of Agency § 8.01 (2012) (“An agent has a fiduciary duty to act loyally for the principal’s benefit in all matters connected with the agency relationship.”). Although an employer might choose to rescind an employee’s authorization for violating a use policy, we do not think Congress intended an immediate end to the agency relationship and, moreover, the imposition of criminal penalties for such a frolic.

III.

WEC founds its CFAA claim on Miller’s and Kelley’s violations of its policies “prohibiting *207 the use of any confidential information and trade secrets unless authorized” and prohibiting the “download[ing] [of] confidential and proprietary information to a personal computer.” Notably, however, WEC fails to allege that Miller and Kelley accessed a computer or information on a computer without authorization. Indeed, WEC’s complaint belies such a conclusion because it states that Miller “had access to WEC’s intranet and computer servers” and “to numerous confidential and trade secret documents stored on these computer servers, including pricing, terms, pending projects [,] and the technical capabilities of WEC.” Thus, we agree with the district court that although Miller and Kelley may have misappropriated information, they did not access a computer without authorization or exceed their authorized access. See 18 U.S.C. § 1030(a)(2)(C), (a)(4), (a)(5)(B)-(C). Moreover, because Miller’s and Kelley’s conduct failed to violate the CFAA, Arc cannot be liable under the statute for any role that it played in encouraging such conduct. Accordingly, we hold that WEC failed to state a claim for which the CFAA can grant relief, see Fed.R.Civ.P. 12(b)(6), and we affirm the district court’s dismissal of the claim.

IV.

Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy. See Nosal, 676 F.3d

8

at 863. (“We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.”). Providing such recourse not only is unnecessary, given that other legal remedies exist for these grievances, but also is violative of the Supreme Court’s counsel to construe criminal statutes strictly. Lanier, 520 U.S. at 266, 117 S.Ct. 1219. Thus, we reject an interpretation of the CFAA that imposes liability on employees who violate a use policy, choosing instead to limit such liability to individuals who access computers without authorization or who obtain or alter information beyond the bounds of their authorized access. AFFIRMED

1

597 F.3d 263 United States Court of Appeals,

Fifth Circuit.

UNITED STATES of America, Plaintiff–Appellee, v.

Dimetriace Eva–Lavon JOHN, Defendant–Appellant.

No. 08–10459. | Feb. 9, 2010.

* * *

OWEN, Circuit Judge:

Dimetriace Eva–Lavon John was found guilty by a jury on all counts of a seven-count indictment arising out of her involvement in a scheme to incur fraudulent charges on accounts held by various Citigroup customers. John challenges her convictions and sentence in this appeal. We affirm the convictions but vacate her sentence and remand for further proceedings.

I Dimetriace Eva–Lavon John was employed as an account manager at Citigroup for approximately three years. By virtue of her position, she had access to Citigroup’s internal computer system and customer account information contained in it. In September 2005, John provided Leland Riley, her half-brother, with customer account information enabling Riley and other confederates to incur fraudulent charges. John accessed and printed information pertaining to at least seventy-six corporate customer accounts and provided it to Riley. The information was in the form of either scanned images of checks written by the account holders or printouts of computer screens containing detailed account information. Before he was apprehended, Riley and cohorts used information John had provided to incur fraudulent charges on four different accounts.

* * *

II

* * * Whether John’s convictions on Counts 6 and 7 may be sustained depends on the proper

2

interpretation of “exceeds authorized access” as used in § 1030(a)(2) and defined in § 1030(e)(6).

* * * John argues that she was authorized to use Citigroup’s computers and to view and print information regarding accounts in the course of her official duties. The evidence, she contends, reflects only that she was not permitted to use the information to which she had access to perpetrate a fraud, she could make changes to account information only in compliance with a customer’s request, and she was not permitted to take material she printed regarding accounts from her office building. She asserts that her mental state or motive at the time she accessed or printed account information cannot determine whether she violated 18 U.S.C. § 1030(a)(2). Specifically, she argues that the statute does not prohibit unlawful use of material that she was authorized to access through authorized use of a computer. The statute only prohibits using authorized access to obtain information that she is not entitled to obtain or alter information that she is not entitled to alter, John contends.

* * * The question before us is whether “authorized access” or “authorization” may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. We conclude that it may, at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime. To give but one example, an employer may “authorize” employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer’s business. An employee would “exceed [ ] authorized access” if he or she used that access to obtain or steal information as part of a criminal scheme. In United States v. Phillips, this court analyzed whether a criminal defendant had accessed university computers “without authorization” in violation of § 1030(a)(5)(A)(ii), as distinguished from “exceed[ing] authorized access,” and we recognized that “[c]ourts have ... typically analyzed the scope of a user’s authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.”6 We applied this “intended-use analysis” to conclude that a student who used his privilege of access to a university’s computer was not authorized to access parts of the system to which he had not been given a password. John’s situation differs from that of the student in Phillips because John was authorized to view and print all of the information that she accessed *272 and that she provided to Riley. However, John’s use of Citigroup’s computer system to perpetrate fraud was not an intended use of that system.

3

John’s use of Citigroup’s computer system to perpetrate a fraud was also contrary to Citigroup employee policies, of which she was aware. The First Circuit has held that an employment agreement can establish the parameters of “authorized” access. [The court discusses the facts and holding of EF I.] While we do not necessarily agree that violating a confidentiality agreement under circumstances such as those in EF Cultural Travel BV would give rise to criminal culpability, we do agree with the First Circuit that the concept of “exceeds authorized access” may include exceeding the purposes for which access is “authorized.” Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded. In other words, John’s access to Citigroup’s data was confined. She was not authorized to access that information for any and all purposes but for limited purposes. In the present case, the Government demonstrated at trial that Citigroup’s official policy, which was reiterated in training programs that John attended, prohibited misuse of the company’s internal computer systems and confidential customer information. Despite being aware of these policies, John accessed account information for individuals whose accounts she did not manage, removed this highly sensitive and confidential information from Citigroup premises, and ultimately used this information to perpetrate fraud on Citigroup and its customers. We recognize that the Ninth Circuit may have a different view of how “exceeds authorized access” should be construed. [The court discusses LVRC Holdings LLC v. Brekka, the predecessor to United States v. Nosal. In that case, the Ninth Circuit rejected CFAA civil liability in an instance of employee misconduct. It expressed concerns about broad and nonobvious criminal liability under CFAA, and it invoked the rule of lenity in reaching its holding.] There are no such concerns in the present case. An authorized computer user “has reason to know” that he or she is not authorized to access data or information in furtherance of a criminally fraudulent scheme. Moreover, the Ninth Circuit’s reasoning at least implies that when an employee knows that the purpose for which she is accessing information in a computer is both in violation of an employer’s policies and is part of an illegal scheme, it would be “proper” to conclude that such conduct “exceeds authorized access” within the meaning of § 1030(a)(2).

* * * We AFFIRM John’s convictions. For the reasons considered above, we VACATE John’s sentence and REMAND for further proceedings.

4

* * * [Dissent on John’s sentencing is omitted.]

1

Claim Loss Damage Allowed Disallowed Allowed Disallowed

Misappropriation of Commercial Information X1 X2 X3 X4 Deletion of Commercial Information X5 X6 X7 Misappropriation of Personal Information X8 X9

1 Fiber Systems Int’l, Inc. v. Roehrs, 470 F.3d 1150, 1158-59 (5th Cir. 2006) (sustaining jury finding of loss where claim was predicated on misappropriation of information); Multiven, Inc. v. Cisco Systems, Inc. 725 F. Supp. 2d 887, 894-95 (N.D. Cal. 2010); Motorola, Inc. v. Lemko Corp., 609 F. Supp. 2d 760, 768 (N.D. Ill. 2009); Patrick Patterson Custom Homes v. Bach, 586 F. Supp. 2d 1026, 1036 (N.D. Ill. 2008); I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc., 307 F. Supp. 2d 521, 526 (S.D.N.Y. 2004); C.H. Robinson Worldwide, Inc. v. Command Transp., LLC, No. 05 C 3401, 2005 WL 3077998, at *3 (N.D. Ill. Nov. 16, 2005). 2 Nexans Wires S.A. v. Sark-USA, Inc., 166 Fed. App’x 559, 562-63 (2d Cir. 2006); Alliantgroup, LP v. Feingold, 803 F. Supp. 2d 610, 629-30 (S.D. Tex. 2011); M-I LLC v. Stelly, 733 F. Supp. 2d 759, 779-780 (S.D. Tex. 2010); ReMedPar, Inc. v. AllParts Medical, LLC, 683 F. Supp. 2d 605, 613-15 (M.D. Tenn. 2010); Continental Group, Inc. v. KW Property Management, LLC, 622 F. Supp. 2d 1357, 1371 (2009); American Family Mutual Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 770-72 (N.D. Ohio 2008); Harley Automotive Group, Inc. v. AP Supply, Inc., No. 12-1110, 2013 WL 6801221, at *5-7 (D. Minn. Dec. 23, 2013); Capitol Audio Access, Inc. v. Umemoto, No. 2:13-cv-00134-GEB-EFB, 2013 WL 5425324, at *2-3 (E.D. Cal. Sept. 27, 2013); Doyle v. Taylor, No. CV-09-158-RHW, 2010 WL 2163521, at *2-4 (E.D. Wa. May 24, 2010); Advantage Ambulance Group, Inc. v. Lugo, No. 08-3300, 2009 WL 839085, at *4 (E.D. Pa. Mar. 30, 2009); Cohen v. Gulfstream Training Acad., Inc., No. 07-60331-CIV, 2008 WL 961472, at *4 (S.D. Fla. Apr. 9, 2008); L-3 Communications Westwood Corp. v. Robicharux, No. 06-0279, 2007 WL 756528, at *3-4 (E.D. La. Mar. 8, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV1580-ORL-31, 2006 WL 2683058, at *3 (M.D. Fla. Aug. 1, 2006); Resdev, LLC v. Lot Builders Ass’n, No. 04-Civ-1374, 2005 WL 1924743, at *5, (M.D. Fla. Aug. 10, 2005). 3 Multiven, Inc. v. Cisco Systems, Inc. 725 F. Supp. 2d 887, 894-95 (N.D. Cal. 2010); I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc., 307 F. Supp. 2d 521, 525 (S.D.N.Y. 2004); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1126-29 (W.D. Wash. 2000) (making an argument from legislative history). 4 Landmark Credit Union v. Doberstein, 746 F. Supp. 2d 993-94 (N.D. Ill. 2010); U.S. Gypsum Co. v. Lafarge North Am. Inc., 670 F. Supp. 2d 737, 743-44 (N.D. Ill. 2009); Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Int’l Inc. 616 F. Supp. 2d 805, 810-12 (N.D. Ill. 2009); Garelli Wong & Assoc., Inc. v. Nichols, 551 F. Supp. 2d 704, 709-12 (N.D. Ill. 2008); Capitol Audio Access, Inc. v. Umemoto, No. 2:13-cv-00134-GEB-EFB, 2013 WL 5425324, at *2-3 (E.D. Cal. Sept. 27, 2013); Mintel Int’l Group, Ltd. v. Neerghen, No. 08-cv-3939, 2010 WL 145786, at *9 (N.D. Ill. Jan. 12, 2010); Worldspan L.P. v. Orbitz LLC, No. 05-C-5386, 2006 WL 1069128, at *5 (N.D. Ill. Apr. 19, 2006); Resdev, LLC v. Lot Builders Ass’n, No. 04-Civ-1374, 2005 WL 1924743, at *5, (M.D. Fla. Aug. 10, 2005). 5 Lasco Foods, Inc. v. Hall & Shaw Sales, Mktg., & Consulting, LLC, 600 F. Supp. 2d 145, 1051-52 (E.D. Mo. 2009); B&B Microscopes v. Armogida, 532 F. Supp. 2d 744, 758-59 (W.D. Pa. 2007); Schaeffer v. Kessler, No. 12 Civ. 8576(PKC), 2013 WL 1155587, at *5-6 (S.D.N.Y. Mar. 20, 2013); Deloitte & Touche LLP v. Carlson, No. 11 C 327, 2011 WL 2923865, at *4-5 (N.D. Ill. 2011); Southeastern Mechanical Services v. Brody, No. 8:08-CV-1151-T-30EAJ, 2008 WL 4613046, at *13-15 (M.D. Fla. Oct. 15, 2008); Pharmerica, Inc. v. Arledge, No. 8:07-cv-486-T-26MAP, 2007 WL 865510, at *6-8 (M.D. Fla. Mar. 21, 2007). 6 Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 419 (7th Cir. 2006); Lasco Foods, Inc. v. Hall & Shaw Sales, Mktg., & Consulting, LLC, 600 F. Supp. 2d 145, 1051-53 (E.D. Mo. 2009). 7 Dana Ltd. v. American Axle & Mfg. Holdings, Inc., No. 1:10-CV-450, 2012 WL 2524008, at *5-6 (W.D. Mich. June 29, 2012) (rejecting file deletion alone as sufficient for damage, but suggesting permanent deletion of original files could be adequate); Cheney v. IPD Analytics, LLC, No. 08-23188-CIV, 2009 WL 1298405, at *5-7 (S.D. Fla. Apr. 16, 2009) (similar). 8 A number of opinions have rejected loss in the online advertising context. In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d. 497, 524-26 (S.D.N.Y. 2001); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *10 (N.D. Cal. Mar. 26, 2013); Del Vecchio v. Amazon.com, Inc., No. C11-366RSL, 2012 WL 1997697, at *3-6 (W.D. Wa. June 1, 2012); Bose v. Interclick, Inc., No. 10 Civ. 9183(DAB), 2011 WL 4343517, at *4-6 (S.D.N.Y. Aug. 17, 2011); LaCourt v. Specific Media, No. SACV 10-1256-GW(JCGx), 2011 WL 1661532, at

2

Spam X10 X11 Consumption of Computing Resources X12 X13 X14 Lost Revenue from Shared Access to a Paid Service

X15 X16

Financial Fraud X17 X18 Assessment of Commercial Information X19 X20

*3-6 (C.D. Cal. Apr. 28, 2011). Courts have also rejected loss arising from personal email account breaches. Mintz v. Mark Bartelstein & Assoc. Inc., 906 F. Supp. 2d 1017, 1029-31 (C.D. Cal. 2012); Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914, 926-27 (W.D. Wisc. 2002); Gridiron Management Group LLC v. Allen Wranglers, No. 8:12CV3128, 2012 WL 5187839, at *10-11 (D. Ne. Oct. 18, 2012). 9 Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914, 926-27 (W.D. Wisc. 2002); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d. 497, 524-26 (S.D.N.Y. 2001); Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 1282980, at *10 (N.D. Cal. Mar. 26, 2013); LaCourt v. Specific Media, No. SACV 10-1256-GW(JCGx), 2011 WL 1661532, at *3-6 (C.D. Cal. Apr. 28, 2011). 10 America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444, 450-51 (E.D. Va. 1998); Hotmail Corp. v. Van$ Money Pie Inc., No. C 98-20064 JW, 1998 WL 388389, at *6 (N.D. Cal. Apr. 16, 1998). 11 Czech v. Wall Street on Demand, Inc., 674 F. Supp. 2d 1102, 1115-19 (D. Minn. 2009). 12 Del Vecchio v. Amazon.com, Inc., No. C11-366RSL, 2012 WL 1997697, at *5 (W.D. Wa. June 1, 2012) 13 Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 251-52 (S.D.N.Y. 2000); Hotmail Corp. v. Van$ Money Pie Inc., No. C 98-20064 JW, 1998 WL 388389, at *6 (N.D. Cal. Apr. 16, 1998). 14 In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1066-67 (N.D. Cal. 2012); Czech v. Wall Street on Demand, Inc., 674 F. Supp. 2d 1102, 1115-19 (D. Minn. 2009); Bose v. Interclick, Inc., No. 10 Civ. 9183(DAB), 2011 WL 4343517, at *4-6 (S.D.N.Y. Aug. 17, 2011). 15 Therapeutic Research Faculty v. NBTY, Inc., 488 F. Supp. 2d 991, 996-97 (E.D. Cal. 2007). 16 CoStar Realty Information, Inc. v. Field, 737 F. Supp. 2d 496, 512-15 (D. Md. 2010); AtPac, Inc. v. Aptitude Solutions, Inc., 730 F. Supp. 2d 1174 (E.D. Cal. 2010) (shared access used to migrate customer between software platforms). 17 Clinton Plumbing & Heating of Trenton, Inc. v. Ciaccio, No. 09-2751, 2010 WL 4224473, at *7 (E.D. Pa. Oct. 22, 2010). 18 Clinton Plumbing & Heating of Trenton, Inc. v. Ciaccio, No. 09-2751, 2010 WL 4224473, at *6 (E.D. Pa. Oct. 22, 2010). 19 Farmers Ins. Exchange v. Auto Club Group, 823 F. Supp. 2d 847, 855 (N.D. Ill. 2011); University Sports Publishing Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 387-88 (S.D.N.Y. 2010); Global Pol’y Partners, LLC v. Yessin, 686 F. Supp. 2d 642, 651-52 (E.D. Va. 2010); Penrose Computer Marketgroup, Inc. v. Camin, 682 F. Supp. 2d 202, 207-08 (N.D.N.Y. 2010); SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980-81 (N.D. Cal. 2008); Navistar, Inc. v. New Baltimore Garage, Inc., No. 11-cv-6269, 2012 WL 4338816, at *8 (N.D. Ill. Sept. 20, 2012); Lapp Insulators LLC v. Gemignani, No. 09-CV-0694A(Sr), 2011 WL 1198648, at *7-8 (W.D.N.Y. Mar. 9, 2011); AssociationVoice, Inc. v. AtHomeNet, Inc. No. 10-cv-00109-CMA-MEH, 2011 WL 63508, at *6-7 (D. Colo. Jan. 6, 2011); Integrated Waste Solutions, Inc. v. Goverdhanam, No. 10-2155, 2010 WL 4910176, at *9 (E.D. Pa. Nov. 30, 2010); Southeastern Mechanical Services v. Brody, No. 8:08-CV-1151-T-30EAJ, 2008 WL 4613046, at *13-15 (M.D. Fla. Oct. 15, 2008); Dudick ex rel. Susquehanna Precision, Inc. v. Vaccarro, No. 3:06-CV-2175, 2007 WL 1847435, at *6 (M.D. Pa. June 25, 2007); Pharmerica, Inc. v. Arledge, No. 8:07-cv-486-T-26MAP, 2007 WL 865510, at *6-8 (M.D. Fla. Mar. 21, 2007); P.C. Yonkers, Inc. v. Celebrations! the Party and Seasonal Superstore, No. 04-4554 (JAG), 2007 WL 708978, at *4-6 (D.N.J. Mar. 5, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV1580-ORL-31, 2006 WL 2683058, at *3 (M.D. Fla. Aug. 1, 2006). 20 Nexans Wires S.A. v. Sark-USA, Inc., 166 Fed. App’x 559, 63 (2d Cir. 2006); Von Holdt v. A-1 Tool Corp., 714 F. Supp. 2d 863, 875-76 (N.D. Ill. 2010); ReMedPar, Inc. v. AllParts Medical, LLC, 683 F. Supp. 2d 605, 613-15 (M.D. Tenn. 2010); Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Int’l Inc. 616 F. Supp. 2d 805, 811-12 (N.D. Ill. 2009); Harley Automotive Group, Inc. v. AP Supply, Inc., No. 12-1110, 2013 WL 6801221, at *5-7 (D. Minn. Dec. 23, 2013); Mintel Int’l Group, Ltd. v. Neerghen, No. 08-cv-3939, 2010 WL 145786, at *10 (N.D. Ill. Jan. 12, 2010); Cassetica Software, Inc. v. Computer Sciences Corp., No. 09-C-0003, 2009 WL 1703015, at *4 (N. D. Ill. June 18, 2009); Chas S. Winner, Inc. v. Polistina, No. 06-4865 (NLH), 2007 WL 1652292, at *4 (D.N.J. 2007).

3

Misappropriation Assessment of Personal Information Misappropriation

X21

Assessment of Financial Fraud X22 Assessment of Password Theft X23 Consumer Data Breach Notification X24 X25 Loss of Future Business Value from Commercial Information Misappropriation

X26 X27

Diminished Reputation from Commercial Information Misappropriation

X28 X29

Loss of Present or Future Business from Commercial Information Deletion

X30

Diminished Reputation from Commercial Information Deletion

X31

Attorneys’ Fees in Remedying Misconduct X32 Attorneys’ Fees in Litigating Misconduct X33

21 In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d. 497, 524-26 (S.D.N.Y. 2001) (noting that costs of response to personal information misappropriation could be recoverable, but are negligible in online advertising). 22 Patrick Patterson Custom Homes v. Bach, 586 F. Supp. 2d 1026, 1036 (N.D. Ill. 2008). 23 Kaufman v. Nest Seekers LLC, No. 05 CV 6782(GBD), 2006 WL 2807177, at *7-8 (S.D.N.Y. Sept. 26, 2006). 24 United States v. Phillips, 477 F.3d 215, 224-25 (5th Cir. 2007); NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1065-66 (S.D. Iowa 2009). 25 Farmers Ins. Exchange v. Auto Club Group, 823 F. Supp. 2d 847, 855-56 (N.D. Ill. 2011). 26 Creative Computing v. Getloaded.com LLC 385 F. 3d 930, 935 (9th Cir. 2004); Andritz, Inc. v. Southern Maintenance Contractor, LLC, 626 F. Supp. 2d 1264, 1266-67 (M.D. Ga. 2009). 27 Nexans Wires S.A. v. Sark-USA, Inc., 166 Fed. App’x 559, 562-63 (2d Cir. 2006); Farmers Ins. Exchange v. Auto Club Group, 823 F. Supp. 2d 847, 855-56 (N.D. Ill. 2011); ReMedPar, Inc. v. AllParts Medical, LLC, 683 F. Supp. 2d 605, 613-15 (M.D. Tenn. 2010); SKF USA, Inc. v. Bjerkness, 636 F. Supp. 2d 696, 720-22 (N.D. Ill. 2009); American Family Mutual Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 770-72 (N.D. Ohio 2008); Crown Coal & Coke Co. v. Compass Point Resources, LLC, No. 07-1208, 2009 WL 1806659, at *7-8 (W.D. Pa. June 23, 2009); ES & H, Inc. v. Allied Safety Consultants, Inc., No. 3:08-cv-323, 2009 WL 2996340, at *4 (E.D. Tenn. Sept. 16, 2007); Dudick ex rel. Susquehanna Precision, Inc. v. Vaccarro, No. 3:06-CV-2175, 2007 WL 1847435, at *6 (M.D. Pa. June 25, 2007). 28 Creative Computing v. Getloaded.com LLC 385 F. 3d 930, 935 (9th Cir. 2004). 29 Farmers Ins. Exchange v. Auto Club Group, 823 F. Supp. 2d 847, 855-56 (N.D. Ill. 2011); Civic Center Motors, Ltd. v. Mason Street Import Cars, Ltd., 387 F. Supp. 2d 378, 381-82 (S.D.N.Y. 2005); Dudick ex rel. Susquehanna Precision, Inc. v. Vaccarro, No. 3:06-CV-2175, 2007 WL 1847435, at *6 (M.D. Pa. 2007). 30 Hasan v. Foley & Lardner, LLP, No. 04 C 5690, 2007 WL 2225831, at *5-6 (N.D. Ill. July 26, 2007). 31 Hasan v. Foley & Lardner, LLP, No. 04 C 5690, 2007 WL 2225831, at *5-6 (N.D. Ill. July 26, 2007). 32 NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1065-66 (S.D. Iowa 2009). 33 Mintz v. Mark Bartelstein & Assoc. Inc., 906 F. Supp. 2d 1017, 1029-31 (C.D. Cal. 2012); NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1065-66 (S.D. Iowa 2009).

1

West’s Ann. Cal. Penal Code § 502

§ 502. Unauthorized access to computers, computer systems and computer data

(a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(b) For the purposes of this section, the following terms have the following meanings: [Definitions omitted.]

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

2

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain name of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages, and thereby damages or causes damage to a computer, computer system, or computer network.

(d) [Criminal penalties.]

(e) [Civil cause of action.]

* * *

(h)(1) Subdivision (c) does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment. For purposes of this section, a person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.

(2) Paragraph (3) of subdivision (c) does not apply to penalize any acts committed by a person acting outside of his or her lawful employment, provided that the employee’s activities do not cause an injury, as defined in paragraph (8) of subdivision (b), to the employer or another, or provided that the value of supplies or computer services, as defined in paragraph (4) of subdivision (b), which are used does not exceed an accumulated total of two hundred fifty dollars ($250).

(i) No activity exempted from prosecution under paragraph (2) of subdivision (h) which incidentally violates paragraph (2), (4), or (7) of subdivision (c) shall be prosecuted under those paragraphs.

* * *

1

2010 WL 3291750 Only the Westlaw citation is currently available.

United States District Court, N.D. California, San Jose Division.

FACEBOOK, INC., Plaintiff, v.

POWER VENTURES, INC., et al., Defendants. Power Ventures, Inc., et al., Counterclaimants,

v. Facebook, Inc., Counterdefendants.

No. C 08–05780 JW. | July 20, 2010.

* * *

JAMES WARE, District Judge.

I. INTRODUCTION

*1 Facebook, Inc. (“Plaintiff” or “Facebook”) brings this action against Power Ventures, Inc. (“Defendant” or “Power”) alleging, inter alia, violations of the California Comprehensive Computer Data Access and Fraud Act, Cal.Penal Code § 502 (“Section 502”). Facebook alleges that Power accessed the Facebook website in violation of Facebook’s Terms of Use, and when Facebook tried to stop Power’s unauthorized access, Power circumvented Facebook’s technical barriers. Power brings counterclaims against Facebook alleging, inter alia, violations of the Sherman Act, 15 U.S.C. § 2. [By way of factual background, Power offered a social network aggregation service. It would log into Facebook, Twitter, etc. on the user’s behalf and present a unified display of friends’ activity. Facebook objected, unsurprisingly, since Power supplanted Facebook’s interface (and advertising) with its own.]

* * *

IV. DISCUSSION

* * *

B. Defendants’ Section 502 Liability Facebook contends that the undisputed facts prove that Defendants violated Section 502. (Facebook’s Motion for Judgment on the Pleadings at 1.) Facebook bases its Section 502 claim solely on facts that Defendants admit in their Amended Answer, which Facebook contends show beyond dispute that Power accessed the Facebook website in violation of

2

the Facebook terms of use, and that when Facebook tried to stop Power, Power worked around Facebook’s technical barriers. (Id.) Defendants respond, inter alia, that there is no evidence that Power ever accessed the Facebook website without the express permission of the user and rightful owner of the accessed data.11 On May 5, 2010, the Court granted the Electronic Frontier Foundation’s (“EFF”) Motion to File Amicus Curiae in support of Defendants’ Motion. EFF contends that in order to avoid constitutional vagueness concerns, the Court must construe the statutory phrase “without permission” narrowly to exclude access to a website or computer network that merely violates a term of use. Allowing criminal liability based only on violation of contractual terms of service, EFF contends, would grant the website or network administrator essentially unlimited authority to define the scope of criminality and potentially expose millions of average internet users to criminal sanctions without any meaningful notice. (Id.) *6 The Court finds that all of the subsections of Section 502(c) that potentially apply in this case require that the defendant’s actions be taken “without permission.” See Cal.Penal Code § 502(c)(2), (3), (7). However, the statute does not expressly define the term “without permission.” In interpreting any statutory language, the court looks first to the words of the statute. Lamie v. U.S. Trustee, 540 U.S. 526, 534, 124 S.Ct. 1023, 157 L.Ed.2d 1024 (2004). If the language is unambiguous, the statute should be interpreted according to the plain meaning of the text. Id. at 534. The structure and purpose of a statute can provide guidance in determining the plain meaning of its provisions. K–Mart Corp. v. Cartier, Inc., 486 U.S. 281, 291, 108 S.Ct. 1811, 100 L.Ed.2d 313 (1988). Statutory language is ambiguous if it is capable of being understood in two or more possible senses or ways. Chickasaw Nation v. United States, 534 U.S. 84, 90, 122 S.Ct. 528, 151 L.Ed.2d 474 (2001). If a statutory provision is ambiguous, the court turns to the legislative history for guidance. SEC v. McCarthy, 322 F.3d 650, 655 (9th Cir.2003). Here, the Court first looks to the plain language of the statute. However, the term “without permission” can be understood in multiple ways, especially with regard to whether access is without permission simply as a result of violating the terms of use. Thus, the Court must consider legislative intent and constitutional concerns to determine whether the conduct at issue here falls within the scope of the statute. See F.C.C. v. Fox Television Stations, Inc., ––– U.S. ––––, ––––, 129 S.Ct. 1800, 1811, 173 L.Ed.2d 738 (2009) (noting that “the canon of constitutional avoidance in an interpretive tool, counseling that ambiguous statutory language be construed to avoid serious constitutional doubts”).

1. Plain Language of the Statute Here, Facebook does not allege that Power has altered, deleted, damaged, or destroyed any data, computer, computer system, or computer network, so the subsections that

3

require that type of action are not applicable. However, the Court finds that . . . [subsections 502(c)(2), (c)(3), and (c)(7)] do not require destruction of data, and thus may apply here . . . . To support its claim that Defendants violated these provisions, Facebook relies solely on facts that Defendants admitted in their Amended Answer. Specifically, Facebook points to Defendants’ admissions that: (1) “Power permits users to enter their account information to access the Facebook site through Power.com;” (2) “Defendants developed computer software and other automated devices and programs to access and obtain information from the Facebook website for aggregating services;” (3) Facebook communicated to Vachani its claims that “Power.com’s access of Facebook’s website and servers was unauthorized and violated Facebook’s rights, including Facebook’s trademark, copyrights, and business expectations with its users;” (4) “Facebook implemented technical measures to block users from accessing Facebook through Power.com;” and (5) “Power provided users with tools necessary to access Facebook through Power.com.” Since all three of the subsections at issue here require that Defendants’ acts with respect to the computer or computer network be taken without permission, the Court analyzes that requirement first. *7 Defendants and EFF contend that Power’s actions could not have been without permission because Power only accessed the Facebook website with the permission of a Facebook account holder and at that account holder’s behest. (See Defendants’ Opposition re Summary Judgment at 11; Amicus Brief at 11.) Facebook, on the other hand, contends that regardless of whatever permission an individual Facebook user may have given to Power to access a particular Facebook account, Power’s actions clearly violated the website’s terms of use, which state that a Facebook user may not “collect users’ content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without [Facebook’s] permission.” Since Power admits that it utilized “automated devices” to gain access to the Facebook website, the Court finds that it is beyond dispute that Power’s activities violated an express term of the Facebook terms of use.20 The issue then becomes whether an access or use that involves a violation of the terms of use is “without permission” within the meaning of the statute. In the modern context, in which millions of average internet users access websites every day without ever reading, much less understanding, those websites’ terms of use, this is far from an easy or straightforward question. Without clear guidance from the statutory language itself, the Court turns to case law, legislative intent, and the canon of constitutional avoidance to assist in interpreting the statute, and then analyzes whether the acts at issue here were indeed taken without permission.

2. Caselaw Since the California Supreme Court has not directly addressed the question of whether

4

the violation of a term of use constitutes access or use without permission pursuant to Section 502, the Court looks to analogous state appellate court cases and federal court cases from this district for guidance as to the statute’s proper construction. The Court also considers cases interpreting the Computer Fraud and Abuse Act (“CFAA”), the federal corollary to Section 502, in evaluating how broad an application Section 502 should properly be given. EFF relies on two state appellate cases for the proposition that Section 502 should not apply to persons who have permission to access a computer or computer system, but who use that access in a manner that violates the rules applicable to that system. Chrisman v. City of Los Angeles, 155 Cal.App.4th 29, 32, 65 Cal.Rptr.3d 701 (Cal.Ct.App.2007); Mahru v. Superior Court, 191 Cal.App.3d 545, 549, 237 Cal.Rptr. 298 (Cal.Ct.App.1987). In Chrisman, the court found that a police officer did not violate Section 502 when, while on duty, the officer “accessed the Department computer system [ ] for non-duty-related activities.” 155 Cal.App.4th at 32, 65 Cal.Rptr.3d 701. The court found that at essence, Section 502 is an anti-hacking statute, and “[o]ne cannot reasonably describe appellant’s improper computer inquiries about celebrities, friends, and others as hacking.” Id . at 35, 65 Cal.Rptr.3d 701. The officer’s “computer queries seeking information that the department’s computer system was designed to provide to officers was misconduct if he had no legitimate purpose for that information, but it was not hacking the computer’s ‘logical, arithmetical, or memory function resources,’ as [the officer] was entitled to access those resources.” Id. While Chrisman does not address the specific issue before the Court here, and focuses on the statutory definition of “access” rather than “without permission,” the Court finds that the case helps to clarify that using a computer network for the purpose that it was designed to serve, even if in a manner that is otherwise improper, is not the kind of behavior that the legislature sought to prohibit when it enacted Section 502. *8 In Mahru, the court found that the director and part owner of a data-processing firm was not liable under Section 502 when he instructed the company’s chief computer operator to make specified changes in the names of two files in a former customer’s computer program in retaliation for that customer terminating its contract with the company. 191 Cal.App.3d at 547–48, 237 Cal.Rptr. 298. These changes had the effect of preventing the former customer’s employees from being able to run their computer programs without the assistance of an expert computer software technician. Id. In finding that Section 502 had not been violated by the company’s actions, the court stated:

The Legislature could not have meant, by enacting section 502, to bring the Penal Code into the computer age by making annoying or spiteful acts criminal offenses whenever a computer is used to accomplish them. Individuals and organizations use computers for typing and other routine tasks in the conduct of their affairs, and sometimes in the course of these affairs they do vexing, annoying, and injurious things. Such

5

acts cannot all be criminal.

Id. at 549, 237 Cal.Rptr. 298. However, the court in Mahru based its finding of no liability in part on documentary evidence establishing that the company, and not the former customer, owned the computer hardware and software, which explains why the company’s manipulation of files stored on that computer hardware was merely vexatious and not unlawful hacking. The Court finds that Mahru is not applicable to the circumstances here, where it is undisputed that Power accessed data stored on Facebook’s server.

* * * Finally, in Facebook, Inc. v. ConnectU LLC, Judge Seeborg found that a competing social networking site violated Section 502 when it accessed the Facebook website to collect “millions” of email addresses of Facebook users, and then used those email addresses to solicit business for itself. 489 F.Supp.2d 1087, 1089 (N.D.Cal.2007). In that case, Judge Seeborg found unavailing ConnectU’s contention that it did not act without permission because it only “accessed information on the Facebook website that ordinarily would be accessible only to registered users by using log-in information voluntarily supplied by registered users.” Id . at 1090–91. Judge Seeborg found that ConnectU was subject to Facebook’s terms of use and rejected ConnectU’s contention that “a private party cannot define what is or what is not a criminal offense by unilateral imposition of terms and conditions of use.” Id. at 1091. The court held that “[t]he fact that private parties are free to set the conditions on which they will grant such permission does not mean that private parties are defining what is criminal and what is not.” Id. *9 The Court finds that of the cases discussed so far, the holding in ConnectU is most applicable to the present case. However, the Court respectfully disagrees with ConnectU in one key respect. Contrary to the holding of ConnectU, the Court finds that allowing violations of terms of use to fall within the ambit of the statutory term “without permission” does essentially place in private hands unbridled discretion to determine the scope of criminal liability recognized under the statute. If the issue of permission to access or use a website depends on adhering to unilaterally imposed contractual terms, the website or computer system administrator has the power to determine which actions may expose a user to criminal liability. This raises constitutional concerns that will be addressed below. Although cases interpreting the scope of liability under the CFAA do not govern the Court’s analysis of the scope of liability under Section 502, CFAA cases can be instructive. EFF points to several CFAA cases for the proposition that the CFAA prohibits trespass and theft, not mere violations of terms of use.

* * *

6

In general, the Court finds that the more recent CFAA cases militate for an interpretation of Section 502 that does not premise permission to access or use a computer or computer network on a violation of terms of use. However, since none of the cases discussed provides a definitive definition of without permission under Section 502, the Court now looks to the legislative purpose of the statute to the extent that it can be discerned.

3. Legislative Purpose *10 Section 502 includes the following statement of statutory purpose: [The Court reproduces § 502(a).] Facebook contends that this language evidences legislative intent to address conduct beyond “straightforward hacking and tampering.” (Facebook’s Reply re Summary Judgment at 2.) Specifically, Facebook contends that the legislature’s use of the phrases “protection ... from ... unauthorized access” and “protection of the integrity of all types and forms of computers, computer systems, and computer data” demonstrates a far-reaching legislative purpose to protect the entire commercial computer infrastructure from trespass. (Id. at 2–3.) The Court declines to give the statute’s statement of legislative intent the sweeping meaning that Facebook ascribes to it. Section 502(a) speaks in general terms of a “proliferation of computer crime and other forms of unauthorized access to computers,” but does not offer any further guidance as to what specific acts would constitute such crime or unauthorized access. It is far from clear what conduct the legislature believed posed a threat to the integrity of computers and computer systems, or if the legislature could even fathom the shape that those threats would take more than twenty years after the statute was first enacted. Thus, the Court does not assign any weight to the statute’s statement of legislative intent in construing the liability provisions of Section 502.

4. Rule of Lenity EFF contends that interpreting Section 502 broadly to allow liability where the absence of permission is based only on the violation of a contractual term of use or failure to fully comply with a cease and desist letter would render the statute unconstitutionally vague, stripping the statute of adequate notice to citizens of what conduct is criminally prohibited. (Amicus Brief at 24–28.) EFF further contends that giving the statute the broad application that Facebook seeks could expose large numbers of average internet users to criminal liability for engaging in routine web-surfing and emailing activity. (Id.) *11 “It is a fundamental tenet of due process that ‘[n]o one may be required at peril of

7

life, liberty or property to speculate as to the meaning of penal statutes.” Lanzetta v. New Jersey, 306 U.S. 451, 453, 59 S.Ct. 618, 83 L.Ed. 888 (1993). Thus, a criminal statute is invalid if it “fails to give a person of ordinary intelligence fair notice that his contemplated conduct is forbidden.” United States v. Harriss, 347 U.S. 612, 74 S.Ct. 808, 98 L.Ed. 989 (1954). Where a statute has both criminal and noncriminal applications, courts must interpret the statute consistently in both contexts. Leocal v. Ashcroft, 543 U.S. 1, 11 n. 8, 125 S.Ct. 377, 160 L.Ed.2d 271 (2004). In the Ninth Circuit, “[t]o survive vagueness review, a statute must ‘(1) define the offense with sufficient definiteness that ordinary people can understand what conduct is prohibited; and (2) establish standards to permit police to enforce the law in a non-arbitrary, non-discriminatory manner.’ ” United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir.2007). The Court finds that interpreting the statutory phrase “without permission” in a manner that imposes liability for a violation of a term of use or receipt of a cease and desist letter would create a constitutionally untenable situation in which criminal penalties could be meted out on the basis of violating vague or ambiguous terms of use. In the words of one commentator, “By granting the computer owner essentially unlimited authority to define authorization, the contract standard delegates the scope of criminality to every computer owner.”21 Users of computer and internet services cannot have adequate notice of what actions will or will not expose them to criminal liability when a computer network or website administrator can unilaterally change the rules at any time and are under no obligation to make the terms of use specific or understandable to the general public. Thus, in order to avoid rendering the statute constitutionally infirm, the Court finds that a user of internet services does not access or use a computer, computer network, or website without permission simply because that user violated a contractual term of use.22 If a violation of a term of use is by itself insufficient to support a finding that the user’s access was “without permission” in violation of Section 502, the issue becomes what type of action would be sufficient to support such a finding. The Court finds that a distinction can be made between access that violates a term of use and access that circumvents technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.23 Limiting criminal liability to circumstances in which a user gains access to a computer, computer network, or website to which access was restricted through technological means eliminates any constitutional notice concerns, since a person applying the technical skill necessary to overcome such a barrier will almost always understand that any access gained through such action is unauthorized. Thus, the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502. *12 Applying this construction of the statute here, the Court finds that Power did not act “without permission” within the meaning of Section 502 when Facebook account holders

8

utilized the Power website to access and manipulate their user content on the Facebook website, even if such action violated Facebook’s Terms of Use. However, to the extent that Facebook can prove that in doing so, Power circumvented Facebook’s technical barriers, Power may be held liable for violation of Section 502. Here, Facebook relies solely on the pleadings for its Motion. In their Answer, Defendants do not directly admit that the tools Power provided to its users were designed to circumvent the technical barriers that Facebook put in place to block Power’s access to the Facebook website. Thus, the Court finds that there is a genuine issue of material fact as to whether Power’s access or use of the Facebook website was “without permission” within the meaning of Section 502. EFF contends that even if Power evaded the technical barriers that Facebook implemented to deny it access, Power’s conduct does not fall within the scope of Section 502 liability. (Amicus Brief at 19–28.) More specifically, EFF contends that it would be inconsistent to allow liability for ignoring or bypassing technical barriers whose sole purpose is to enforce contractual limits on access while denying liability for violating those same contractual limits when technological means of restricting access are not employed. (Id. at 19.) Thus, according to EFF, Power’s efforts to circumvent Facebook’s IP-blocking efforts did not violate Section 502 because Facebook was merely attempting to enforce its Terms of Use by other means.24 (Id. at 23–24.) The Court finds EFF’s contentions unpersuasive in this regard. EFF has not pointed to any meaningful distinction between IP address blocking and any other conceivable technical barrier that would adequately justify not finding Section 502 liability in one instance while finding it in the other. Moreover, the owners’ underlying purpose or motivation for implementing technical barriers, whether to enforce terms of use or otherwise, is not a relevant consideration when determining the appropriate scope of liability for accessing a computer or network without authorization. There can be no ambiguity or mistake as to whether access has been authorized when one encounters a technical block, and thus there is no potential failure of notice to the computer user as to what conduct may be subject to criminal liability, as when a violation of terms of use is the sole basis for liability.25 Accordingly, the Court DENIES Facebook’s Motion for Judgment on the Pleadings, and DENIES the parties’ Cross–Motions for Summary Judgment as to Facebook’s Section 502 cause of action.

* * *

Footnotes 20

This, of course, assumes that Power was in fact subject to the Facebook terms of use, an issue which was not briefed by either party. However, the terms of use state, “By

9

accessing or using our web site ..., you (the ‘User’) signify that you have read, understand and agree to be bound by these Terms of Use ..., whether or not you are a registered member of Facebook.” (FAC, Ex. A.) Thus, in the act of accessing or using the Facebook website alone, Power acceded to the Terms of Use and became bound by them.

21

Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1650–51 (2003).

22

This is not to say that such a user would not be subject to a claim for breach of contract. Where a user violates a computer or website’s terms of use, the owner of that computer or website may also take steps to remove the violating user’s access privileges.

23

See generally Kerr, supra note 20.

24

The Court notes that although both parties discuss IP address blocking as the form of technological barrier that Facebook utilized to deny Power access, Facebook’s use of IP-blocking and Power’s efforts to avoid those blocks have not been established as undisputed facts in this case. However, for purposes of this Motion, the Court finds that the specific form of the technological barrier at issue or means of circumventing that barrier are not relevant. Rather, the issue before the Court is whether there are undisputed facts to establish that such avoidance of technological barriers occurred in the first instance.

25

As Facebook contends in its Amicus Reply, the Court finds that evidence of Power’s efforts to circumvent Facebook’s technical barrier is also relevant to show the necessary mental state for Section 502 liability. (Amicus Reply at 10–11.) Since the facts relating to such circumvention efforts are still in dispute, the Court finds that there is also a genuine issue of material fact as to whether Defendants possessed the requisite mental state.

1

2013 WL 5582866 United States District Court, D. Delaware.

In re Google Inc. Cookie Placement Consumer Privacy Litigation

MDL Civ. No. 12–2358–SLR | Filed October 9, 2013

ROBlNSON, District Judge

I. INTRODUCTION *1 On December 19, 2012, four named plaintiffs (“plaintiffs”) filed a consolidated amended complaint (“CAC”) in this multidistrict consolidated litigation against Google Inc. (“Google”), Vibrant Media, Inc. (“Vibrant”), Media Innovation Group LLC (“Media”), and WPP, plc (“WPP”), (collectively “defendants”), as well as PointRoll, Inc. (D.I.46) On July 23, 2013, plaintiffs settled with PointRoll, Inc. (D.I.109) Plaintiffs allege that defendants “tricked” their Apple Safari (“Safari”) and/or Internet Explorer (“IE”) browsers into accepting cookies, which then allowed defendants to display targeted advertising.

* * *

II. BACKGROUND

* * *

B. Factual Background Internet “cookies” are used to track an individual’s activities and communications on a particular website and across the internet. Cookies are used in internet advertising to store website preferences, retain the contents of shopping carts between visits, and keep browsers logged into social networking services and webmail as individuals surf the internet. “First-party cookies” are set by the website the user is visiting at the time the cookie is set. “Third-party cookies” are placed on a user’s device by a website other than the site the user is visiting at the time the cookie is set. (D.I. 46 at ¶¶ 38–39, 45–46) “[T]hird-party cookies are used by advertising companies to help create detailed profiles on individuals, including, but not limited to an individual’s unique ID number, IP address, browser, screen resolution, and a history of all websites visited within the ad network by recording every communication request by that browser to sites that are participating in the ad network, including all search terms the user has entered. The information is sent to the companies and associated with unique cookies—that is how the tracking takes place.” (Id. at ¶ 46) *2 “Every document has a unique ‘URL’ (Universal Resource Locator) that identifies its physical location in the Internet’s infrastructure.” (D.I. 46 at ¶ 10 n.1) When a user

2

requests a website, “the user’s Safari browser starts by sending a GET request to the server which hosts the publisher’s webpage,” to retrieve the data for display on the user’s monitor. (Id. at ¶ 85) Many websites will leave part of their webpage blank for third-party companies to insert advertisements. Upon receiving a GET request from a user seeking to display a particular webpage, the server for that webpage will respond to the browser, instructing the browser to send a GET request to the third-party company charged with serving the advertisements for that particular webpage. The third party receives the GET request and a copy of the user’s request to the first-party website and responds by sending the advertisement to the user’s browser which displays it on the user’s device. (Id. at ¶ 41) Defendants used coding in advertisements to circumvent Apple’s Safari browser’s default blocker and deceive the IE browser into accepting third-party cookies. (D.I. 46 at ¶¶ 68–190) Google stopped only when caught and began removing the illicit cookies. (Id. at ¶ 119) If users are logged-in to a Google account, Google is then able “to synchronize the ads with the particular user’s personalized information,” allowing for targeted advertising. (Id. at ¶ 89) This information includes the information provided by the user, defined by Google to include “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google,” as well as address information and browsing history information. (Id. at ¶ 98) One of the third-party cookies set by defendants assigned a unique ID to the user’s computing device which allowed defendants to associate future information received to the unique ID. (Id. at ¶¶ 78, 95, 150, 153–54)

* * *

IV. MOTION TO DISMISS

* * * F. The California Computer Crime Law *9 The California Computer Crime Law (“CCL”) prohibits “tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” Cal. Pen. Code § 502(a). Only someone “who suffers damage or loss by reason of a violation” may bring a civil action under the law. Id. § 502(e). Each subsection of the CCL asserted by plaintiffs, with the exception of § 502(c)(8), requires a showing that Google acted “without permission.” Id. § 502(c)(1, 2, 6, 7). Courts have interpreted acting “without permission” under § 502 as “accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers.” Facebook, Inc. v. Power Ventures, Inc., No. C08–05780, 2010 WL 3291750, at *11 (N.D.Cal. July 20, 2010); In re Facebook Privacy Litig., 791 F.Supp.2d 705, 715–16

3

(N.D.Cal.2011). Section 502(c)(8) creates liability for any person who “knowingly introduces any computer contaminant into any computer, computer system, or computer network.” Cal. Penal Code § 502(c)(8). As discussed [above], plaintiffs have not sufficiently alleged damage or loss. Further, plaintiffs fail to sufficiently meet the “without permission” element of § 502. In this regard, plaintiffs allege that Safari’s default settings provide an exception to the third-party cookie blocking for situations where a user submits a form to the third-party’s website servers. Google exploited this exception by adding coding to ads, such that Safari believed the exception to be satisfied and that the user had submitted a form to Google. In doing so, Google exploited a standard Safari browser function. Although Google’s actions may be objectionable, Google did not access plaintiffs’ browsers by “overcom[ing] technical or code-based barriers.” Nor did Google introduce a “contaminant” to “usurp the normal operation” of plaintiffs’ browsers. The method of Google’s exploitation of a normal function of plaintiffs’ browsers is not in dispute and does not meet the requirements of the statute; therefore, Google’s motion to dismiss this count is granted.

* * *

V. CONCLUSION For the above reasons, defendants’ motions to dismiss are granted. Google’s request for judicial notice (D.I.58) is denied as moot as the court did not rely on the referenced documents.

* * *