United States v. Nosal

*856OPINION

Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

FACTS

David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information.1 The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. The CFAA counts charged Nosal with violations of 18 U.S.C. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in “exceeding their] authorized access” with intent to defraud.

Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access. The district court initially rejected Nosal’s argument, holding that when a person accesses a computer “knowingly and with the intent to defraud ... [it] renders the access unauthorized or in excess of authorization.” Shortly after-wards, however, we decided LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009), which construed narrowly the phrases “without authorization” and “exceeds authorized access” in the CFAA. Nosal filed a motion for reconsideration and a second motion to dismiss.

The district court reversed field and followed Brekka’s guidance that “[t]here is simply no way to read [the definition of ‘exceeds authorized access’] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate,” as “[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense.” Accordingly, the district court dismissed counts 2 and 4-7 for failure to state an offense. The government appeals. We have jurisdiction over this interlocutory appeal. 18 U.S.C. § 3731; United States v. Russell, 804 F.2d 571, 573 (9th Cir.1986). We review de novo. United States v. Boren, 278 F.3d 911, 913 (9th Cir.2002).

DISCUSSION

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain *857data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[ ] authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

The government argues that the statutory text can support only the latter interpretation of “exceeds authorized access.” In its opening brief, it focuses on the word “entitled” in the phrase an “aecesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis added). Pointing to one dictionary definition of “entitle” as “to furnish with a right,” Webster’s New Riverside University Dictionary 435, the government argues that Korn/Ferry’s computer use policy gives employees certain rights, and when the employees violated that policy, they “exceedfed] authorized access.” But “entitled” in the statutory text refers to how an aecesser “obtain[s] or alter[s]” the information, whereas the computer use policy uses “entitled” to limit how the information is used after it is obtained. This is a poor fit with the statutory language. An equally or more sensible reading of “entitled” is as a synonym for “authorized.”2 So read, “exceeds authorized access” would refer to data or files on a computer that one is not authorized to access.

In its reply brief and at oral argument, the government focuses on the word “so” in the same phrase. See 18 U.S.C. § 1030(e)(6) (“aecesser is not entitled so to obtain or alter” (emphasis added)). The government reads “so” to mean “in that manner,” which it claims must refer to use restrictions. In the government’s view, reading the definition narrowly would render “so” superfluous.

The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions— which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.3 Under the presumption that Congress acts interstitially, we construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so. See Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) (“[Ujnless Congress conveys its purpose clearly, it will not be deemed to have significantly changed the federal-state balance in the prosecution of crimes.” (internal quotation marks omitted)).

*858In any event, the government’s “so” argument doesn’t work because the word has meaning even if it doesn’t refer to use restrictions. Suppose an employer keeps certain information in a separate database that can be viewed on a computer screen, but not copied or downloaded. If an employee circumvents the security measures, copies the information to a thumb drive and walks out of the building with it in his pocket, he would then have obtained access to information in the computer that he is not “entitled so to obtain.” Or, let’s say an employee is given full access to the information, provided he logs in with his username and password. In an effort to cover his tracks, he uses another employee’s login to copy information from the database. Once again, this would be an employee who is authorized to access the information but does so in a manner he was not authorized “so to obtain.” Of course, this all assumes that “so” must have a substantive meaning to make sense of the statute. But Congress could just as well have included “so” as a connector or for emphasis.4

While the CFAA is susceptible to the government’s broad interpretation, we find Nosal’s narrower one more plausible. Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, “[i]n intentionally trespassing into someone else’s computer files, the offender obtains at the very least information as to how to break into that computer system.” S.Rep. No. 99-432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.). The government agrees that the CFAA was concerned with hacking, which is why it also prohibits accessing a computer “without authorization.” According to the government, that prohibition applies to hackers, so the “exceeds authorized access” prohibition must apply to people who are authorized to use the computer, but do so for an unauthorized purpose. But it is possible to read both prohibitions as applying to hackers: “[Wjithout authorization” would apply to outside hackers (individuals who have no authorized access to the computer at all) and “exceeds authorized access” would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA’s focus on hacking rather than turning it into a sweeping Internet-policing mandate.5

*859The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.

The government argues that defendants here did have notice that their conduct was wrongful by the fraud and materiality requirements in subsection 1030(a)(4), which punishes whoever:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

18 U.S.C. § 1030(a)(4). But “exceeds authorized access” is used elsewhere in the CFAA as a basis for criminal culpability without intent to defraud. Subsection 1030(a)(2)(C) requires only that the person who “exceeds authorized access” have “obtain[ed] ... information from any protected computer.” Because “protected computer” is defined as a computer affected by or involved in interstate commerce—effectively all computers with Internet access— the government’s interpretation of “exceeds authorized access” makes every violation of a private computer use policy a federal crime. See id. § 1030(e)(2)(B).

The government argues that our ruling today would construe “exceeds authorized access” only in subsection 1030(a)(4), and we could give the phrase a narrower meaning when we construe other subsections. This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the “standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning.” Powerex Corp. v. Reliant Energy Servs., Inc., 551 U.S. 224, 232, 127 S.Ct. 2411, 168 L.Ed.2d 112 (2007). The phrase appears five times in the first seven subsections of the statute, including subsection 1030(a)(2)(C). See 18 U.S.C. § 1030(a)(1), (2), (4) and (7). Giving a different interpretation to each is impossible because Congress provided a single definition of “exceeds authorized access” for all iterations of the statutory phrase. See id. § 1030(e)(6). Congress obviously meant “exceeds authorized access” to have the same meaning throughout section 1030. We must therefore consider how the interpretation we adopt will operate wherever in that section the phrase appears.

In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government’s proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.

*860Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with Mends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.6 Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.7

Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private polices that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?

Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.

The effect this broad construction of the CFAA has on workplace conduct pales by *861comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody’s Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT. com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.8

For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007—March 1, 2012, § 2.3, http://www. google.com/intl/en/policies/terms/archive/ 20070416 (“You may not use the Services and may not accept the Terms if ... you are not of legal age to form a binding contract with Google____”) (last visited Mar. 4, 2012).9 Adopting the government’s interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http:// www.facebook.com/legal/terms (“You will not share your password, ... let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.

Or consider the numerous dating websites whose terms of use prohibit inaccurate or misleading information. See, e.g., eHarmony Terms of Service § 2(1), http:// www.eharmony.com/abouVterms (“You will not provide inaccurate, misleading or false information to eHarmony or to any other user.”) (last visited Mar. 4, 2012). Or eBay and Craigslist, where it’s a violation of the terms of use to post items in an *862inappropriate category. See, e.g., eBay User Agreement, http://pages.ebay.com/ help/policies/user-agreement.html (“While using eBay sites, services and tools, you will not: post content or items in an inappropriate category or areas on our sites and services ____”) (last visited Mar. 4, 2012). Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as “tall, dark and handsome,” when you’re actually short and homely, will earn you a handsome orange jumpsuit.

Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § l.B, http://www. youtube.com/t/terms (‘YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.”) (last visited Mar. 4, 2012). Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.

The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, - U.S. -, 130 S.Ct. 1577, 1591, 176 L.Ed.2d 435 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17-year-old boy and cyberbullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D.Cal.2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

In United States v. Kozminski, 487 U.S. 931, 108 S.Ct. 2751, 101 L.Ed.2d 788 (1988), the Supreme Court refused to adopt the government’s broad interpretation of a statute because it would “criminalize a broad range of day-to-day activity.” Id. at 949, 108 S.Ct. at 2763. Applying the rule of lenity, the Court warned that the broader statutory interpretation would “delegate to prosecutors and juries the inherently legislative task of determining what type of ... activities are so morally reprehensible that they should be punished as crimes” and would “subject individuals to the risk of arbitrary or discriminatory prosecution and conviction.” Id. By giving that much power to prosecutors, we’re inviting discriminatory and arbitrary enforcement.

We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir.2010); United States v. John, 597 F.3d 263 (5th Cir.2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of “exceeds authorized access.” They therefore failed to apply the long-standing principle that we must *863construe ambiguous criminal statutes narrowly so as to avoid “making criminal law in Congress’s stead.” United States v. Santos, 553 U.S. 507, 514, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008).

We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion. These courts recognize that the plain language of the CFAA “targetfs] the unauthorized procurement or alteration of information, not its misuse or misappropriation.” Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz.2008) (internal quotation marks omitted); see also Orbit One Commc’ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 385 (S.D.N.Y.2010) (“The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper ‘access’ of computer information. It does not prohibit misuse or misappropriation.”); Diamond Power Int’l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D.Ga.2007) (“[A] violation for ‘exceeding authorized access’ occurs where initial access is permitted but the access of certain information is not permitted.”); Int’l Ass’n of Machinists & Aerospace Workers v. Wemer-Masuda, 390 F.Supp.2d 479, 499 (D.Md. 2005) (“[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.”).

CONCLUSION

We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires “penal laws ... to be construed strictly.” United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95, 5 L.Ed. 37 (1820). “[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones, 529 U.S. at 858, 120 S.Ct. at 1912 (internal quotation marks and citation omitted).

The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. “[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity.” United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971). “If there is any doubt about whether Congress intended [the CFAA] to prohibit the conduct in which [Nosal] engaged, then ‘we must choose the interpretation least likely to impose penalties unintended by Congress.’ ” United States v. Cabaccang, 332 F.3d 622, 635 n. 22 (9th Cir.2003) (quoting United States v. Arzate-Nunez, 18 F.3d 730, 736 (9th Cir.1994)).

This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers— not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. See supra note 3. Therefore, we hold that *864“exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.

Because Nosal’s accomplices had permission to access the company database and obtain the information contained within, the government’s charges fail to meet the element of “without authorization, or exceeds authorized access” under 18 U.S.C. § 1030(a)(4). Accordingly, we affirm the judgment of the district court dismissing counts 2 and 4-7 for failure to state an offense. The government may, of course, prosecute Nosal on the remaining counts of the indictment.

AFFIRMED.