by Rachel Sang*


The Com­put­er Fraud and Abuse Act (“CFAA”) impos­es lia­bil­i­ty on any­one who access­es a com­put­er “with­out autho­riza­tion” or who “exceeds autho­rized access.”1 Those who vio­late the CFAA can incur both civ­il and crim­i­nal lia­bil­i­ty. While the mean­ing of “with­out autho­riza­tion” is not con­tro­ver­sial, what it means to “exceed autho­rized access” has been a point of con­tention among cir­cuit courts.2 The term “exceeds autho­rized access” (the “Access Pro­vi­sion”) appears in the CFAA in sec­tion 1030(a)(2), where the statute pro­hibits “inten­tion­al­ly access[ing] a com­put­er with­out autho­riza­tion or exceed[ing] autho­rized access . . . .”3 The Access Pro­vi­sion is also includ­ed in sec­tion 1030(a)(4), where it pro­hibits “know­ing­ly and with intent to defraud, access[ing] a pro­tect­ed com­put­er with­out autho­riza­tion, or exceed[ing] autho­rized access, and by means of such con­duct fur­thers [an] intend­ed fraud . . . .”4 Sec­tion 1030(e)(6) goes on to define the Access Provision:

The term “exceeds autho­rized access” means to access a com­put­er with autho­riza­tion and to use such access to obtain or alter infor­ma­tion in the com­put­er that the access­er [sic] is not enti­tled so to obtain or alter.5

Before the Supreme Court had inter­pret­ed the mean­ing of the Access Pro­vi­sion, cir­cuit courts inter­pret­ed the pro­vi­sion and its accom­pa­ny­ing def­i­n­i­tion in two main ways. On one side, some cir­cuit courts con­strued the phrase nar­row­ly: that the Access Pro­vi­sion only applied to peo­ple who accessed a part of a com­put­er that they were nev­er autho­rized to access.6 On the oth­er hand, oth­er cir­cuit courts inter­pret­ed the Access Pro­vi­sion more broad­ly to pro­scribe sit­u­a­tions in which a per­son was autho­rized to access cer­tain infor­ma­tion but then used that infor­ma­tion for an improp­er pur­pose.7 The main dif­fer­ence between the two inter­pre­ta­tions is that a broad interpretation—one that pro­scribes the mis­use of com­put­er access—embraces the view that an individual’s right to access a com­put­er is an enti­tle­ment that can be lim­it­ed by the man­ner in which they access that infor­ma­tion, includ­ing how they ulti­mate­ly use it; where­as a nar­row inter­pre­ta­tion views enti­tle­ment to access as a bina­ry mat­ter that does not impli­cate an analy­sis of autho­rized use or purpose.

Pri­or to the Supreme Court’s deci­sion in Van Buren, cir­cuit courts relied on tex­tu­al evi­dence, extra­tex­tu­al evi­dence, and canons of statu­to­ry con­struc­tion to deter­mine their inter­pre­ta­tion. As the Court acknowl­edged in Van Buren, a broad­er inter­pre­ta­tion of the Access Pro­vi­sion has far-reach­ing con­se­quences, because it cre­ates crim­i­nal lia­bil­i­ty for any mis­use of com­put­er access—including seem­ing­ly innocu­ous and com­mon activ­i­ties such as check­ing one’s per­son­al email on an employ­er-owned com­put­er.8 Ulti­mate­ly, this Con­tri­bu­tion argues that the nar­row inter­pre­ta­tion adopt­ed by the Supreme Court in the Van Buren deci­sion was the cor­rect inter­pre­ta­tion from a pol­i­cy per­spec­tive and that canons of statu­to­ry inter­pre­ta­tion also bet­ter sup­port the majority’s conclusion.

*****

The peti­tion­er in Van Buren was a police offi­cer who was charged with exceed­ing autho­rized access under the CFAA because he had used his access to a law enforce­ment data­base to run a license plate search in exchange for mon­ey.9 The ques­tion for the Supreme Court was whether Van Buren had indeed “exceed[ed] autho­rized access” as defined by the CFAA because he was autho­rized to access the data­base, but not for that ille­git­i­mate pur­pose. The major­i­ty opin­ion in Van Buren, writ­ten by Jus­tice Amy Coney Bar­rett, and the dis­sent, writ­ten by Jus­tice Clarence Thomas, dif­fered in their inter­pre­ta­tions of both the text of the CFAA and the statute’s leg­isla­tive history.

The tex­tu­al analy­sis of both opin­ions focused on the def­i­n­i­tion of “exceeds autho­rized access” as set forth in 18 U.S.C. § 1030(e)(6). The major­i­ty opin­ion focused on the word “so” in the phrase “infor­ma­tion in the com­put­er that the access­er [sic] is not enti­tled so to obtain or alter.”10 The major­i­ty endorsed the Fourth and Ninth Cir­cuits’ rea­son­ing that the word “so” oper­at­ed as a ref­er­ence to an ear­li­er part of the def­i­n­i­tion: the words “access a com­put­er with autho­riza­tion.”11 Under this inter­pre­ta­tion, the phrase “exceeds autho­rized access” sole­ly applies to “inside hackers”—i.e., peo­ple who were autho­rized to access a por­tion of a com­put­er or its files, but then accessed oth­er por­tions or files that they were not autho­rized to access.12 For exam­ple, an employ­ee would “exceed autho­rized access” by using a com­put­er (which they were allowed to use) to obtain infor­ma­tion in a par­tic­u­lar fold­er that they were not autho­rized to open. This “inside hack­er” inter­pre­ta­tion of the statute lim­its lia­bil­i­ty under the CFAA to the spe­cif­ic cir­cum­stance in which some­one does have autho­rized access to a com­put­er but is not autho­rized to obtain all infor­ma­tion con­tained with­in it. This inter­pre­ta­tion leads to a nar­row­er con­struc­tion of the statute, mean­ing that the CFAA would not apply to sit­u­a­tions in which a per­son improp­er­ly used infor­ma­tion that they were oth­er­wise autho­rized to access. It also avoids the con­cern of broad lia­bil­i­ty that would poten­tial­ly crim­i­nal­ize com­mon behav­ior, such as vio­lat­ing an employer’s com­put­er use pol­i­cy to check per­son­al websites.

Jus­tice Thomas’s dis­sent agreed that “so” oper­at­ed as a ref­er­ent to the “means iden­ti­fied ear­li­er in the def­i­n­i­tion,” mean­ing that sec­tion 1030(e)(6) applies when some­one obtains infor­ma­tion from a com­put­er and that per­son is not autho­rized to access the com­put­er.13 How­ev­er, the dis­sent diverged from the major­i­ty by focus­ing more heav­i­ly on the word “enti­tled” in the statute, stat­ing that: “A per­son is enti­tled to do some­thing only if he has a ‘right’ to do it.”14 Jus­tice Thomas argued that in order for enti­tle­ment to exist, the “con­di­tion prece­dent” of a prop­er or autho­rized pur­pose had to be sat­is­fied, regard­less of whether the user was autho­rized to access the com­put­er in gen­er­al.15 There­fore, if a per­son is for­bid­den from using infor­ma­tion for a par­tic­u­lar pur­pose but does so any­way, that behav­ior should fall with­in the scope of the CFAA. Under this inter­pre­ta­tion, the peti­tion­er in Van Buren—a police offi­cer who improp­er­ly used his access to a law enforce­ment data­base for per­son­al gain—would be liable under the CFAA, but so too could a com­mon mis­user of a work com­put­er who uses it to check their per­son­al email.

Beyond the inter­pre­ta­tion of the statute’s text, there are also dif­fer­ing views on how the leg­isla­tive his­to­ry of the CFAA fur­ther informs the scope of the statute. An ear­li­er ver­sion of the statute from 1984 includ­ed lan­guage that held liable a per­son who is autho­rized to access a com­put­er but who “uses the oppor­tu­ni­ty such access pro­vides for pur­pos­es to which such autho­riza­tion does not extend,” and then obtains or inter­feres with spec­i­fied kinds of sen­si­tive infor­ma­tion.16 When the statute was amend­ed in 1986, this pur­pose-ori­ent­ed lan­guage was replaced with the cur­rent def­i­n­i­tion, which does not include the word “pur­pose” and instead says “to use such access to obtain or alter infor­ma­tion in the com­put­er that the access­er [sic] is not enti­tled so to obtain or alter.”17 Some courts have inter­pret­ed the replace­ment of the word “pur­pose” with new lan­guage as evi­dence that Con­gress intend­ed to elim­i­nate the mis­use of infor­ma­tion as a stand­alone vio­la­tion of the CFAA.18 This rea­son­ing was then adopt­ed by the major­i­ty opin­ion in Van Buren.19

Con­verse­ly, Jus­tice Thomas’s dis­sent viewed the cur­rent word­ing of “enti­tle­ment” as even broad­er than the pre­vi­ous lan­guage, encom­pass­ing both improp­er use as well as improp­er access to a com­put­er based on time or loca­tion.20 Jus­tice Thomas argues that requir­ing a user to be “enti­tled” means that the improp­er use of infor­ma­tion, as well as oth­er kinds of unau­tho­rized behav­ior, would be a vio­la­tion of the CFAA.

*****

While both the major­i­ty opin­ion and dis­sent in Van Buren pro­vide con­vinc­ing dis­sec­tions of the text of the CFAA, the plain mean­ing of the phrase “enti­tled so to alter” remains elu­sive. It is not clear whether an “appro­pri­ate­ly informed”21 Eng­lish speak­er read­ing the statu­to­ry def­i­n­i­tion would inter­pret it as enti­tle­ment to access a com­put­er in gen­er­al, or enti­tle­ment to use one’s access for a par­tic­u­lar pur­pose. The fact that sev­er­al cir­cuit courts dis­agreed on the tex­tu­al inter­pre­ta­tion pri­or to Van Buren demon­strates that the text of the Access Pro­vi­sion is less than clear and is sus­cep­ti­ble to more than one rea­son­able inter­pre­ta­tion. As such, it is dif­fi­cult to say whether Jus­tice Barrett’s laser focus on the word “so” or Jus­tice Thomas’s con­strained inter­pre­ta­tion of “enti­tled” is a more “nat­ur­al” inter­pre­ta­tion of the lan­guage, giv­en that the word­ing of sec­tion 1030(e)(6) is itself quite unnat­ur­al and confusing.

There is no clear win­ner of the leg­isla­tive his­to­ry argu­ment, either. The major­i­ty opin­ion high­lights the fact that the word “pur­pose” was removed by the 1986 amend­ment, and it not­ed that “[w]hen Con­gress amends leg­is­la­tion, courts must pre­sume it intends the change to have real and sub­stan­tial effect.”22 This is a strong argu­ment in favor of elim­i­nat­ing improp­er use of access from the scope of the CFAA. Yet, the dissent’s argu­ment that the shift from “pur­pose” to gen­er­al “enti­tle­ment” expands rather than nar­rows the statute’s scope is per­haps equal­ly valid. Hypo­thet­i­cal­ly, an employ­ee could be autho­rized to access a data­base only dur­ing cer­tain hours or while in a loca­tion that has secure inter­net con­nec­tion, and per­haps Con­gress’ shift to the “enti­tle­ment” lan­guage was intend­ed encom­pass those types of restric­tions, as well.23

Because both the broad and nar­row inter­pre­ta­tion seem plau­si­ble based on the text and the leg­isla­tive his­to­ry, oth­er canons of con­struc­tion can be used to resolve the ambi­gu­i­ty: the rule of leni­ty and the canon of con­sti­tu­tion­al avoid­ance. The major­i­ty describes these argu­ments as “extra icing on a cake already frost­ed” since it argues that the “text, con­text, and struc­ture” already sup­port a nar­row­er read­ing.24 How­ev­er, set­ting aside the majority’s pref­er­ence for its own tex­tu­al read­ing of the statute, the rule of leni­ty and con­sti­tu­tion­al avoid­ance do become rel­e­vant when the statute and its his­to­ry leave it sus­cep­ti­ble to more than one rea­son­able inter­pre­ta­tion.25 Because there are valid argu­ments for both the broad and nar­row tex­tu­al inter­pre­ta­tion of the CFAA, the rule of leni­ty and canon of con­sti­tu­tion­al avoid­ance should not be rel­e­gat­ed to the redun­dant role of “icing on the already frost­ed cake.” Rather, these canons are cru­cial tools in choos­ing between two plau­si­ble read­ings of the statute, and they are the rea­son why the Van Buren majority’s ulti­mate conclusion—a nar­row read­ing of the CFAA—correctly prevailed.

With regards to the rule of leni­ty, the Court has pre­vi­ous­ly estab­lished that “when [a] choice has to be made between two read­ings of what con­duct Con­gress has made a crime, it is appro­pri­ate, before we choose the harsh­er alter­na­tive, to require that Con­gress should have spo­ken in lan­guage that is clear and def­i­nite.”26 Because vio­la­tions of the CFAA can be charged as crimes, Con­gress must be “clear and def­i­nite” in defin­ing what exact­ly it means to “exceed autho­rized access.” How­ev­er, the rel­e­vant def­i­n­i­tion­al sec­tion of the statute lacks clar­i­ty. Since there are two rea­son­able alter­na­tive mean­ings to the Access Pro­vi­sion, the nar­row construction—which would crim­i­nal­ize few­er types of behavior—should be cho­sen. The rule of leni­ty there­fore weighs in favor of the “inside hack­er” the­o­ry of the statute that pro­scribes a nar­row­er sub­set of con­duct, instead of crim­i­nal­iz­ing any and all mis­use of com­put­er access, no mat­ter how insignificant.

A broad inter­pre­ta­tion of the Access Pro­vi­sion also impli­cates the canon of con­sti­tu­tion­al avoid­ance. As the Court stat­ed in Clark v. Mar­tinez, when there are “two plau­si­ble statu­to­ry con­struc­tions . . . . and one of them would raise a mul­ti­tude of con­sti­tu­tion­al prob­lems, the oth­er should pre­vail.”27 By read­ing the statute to cov­er any mis­use of com­put­er access, the actions of thou­sands (if not mil­lions) of Amer­i­cans would become vio­la­tions of the CFAA, with the poten­tial for crim­i­nal penal­ties. The Court in Kozmin­s­ki explained that when an unclear statute is inter­pret­ed broad­ly to cov­er a “broad range of day-to-day activ­i­ty,” var­i­ous con­sti­tu­tion­al issues arise because it would inevitably mean that not all vio­la­tions could be pros­e­cut­ed.28 One con­sti­tu­tion­al issue is that the statute then del­e­gates author­i­ty to deter­mine which actions are “moral­ly rep­re­hen­si­ble” enough to be pun­ished from the leg­is­la­ture to pros­e­cu­tors and juries, in con­tra­ven­tion of the pri­vate non­del­e­ga­tion doc­trine.29 A sec­ond con­sti­tu­tion­al issue impli­cat­ed by such a statute is that it would “sub­ject indi­vid­u­als to the risk of arbi­trary or dis­crim­i­na­to­ry pros­e­cu­tion and con­vic­tion.”30 This would ren­der the statute void for vague­ness.31 Because this type of crim­i­nal­iza­tion runs the risk of uncon­sti­tu­tion­al­i­ty on mul­ti­ple fronts, the canon of con­sti­tu­tion­al avoid­ance con­trols its inter­pre­ta­tion. Since the statute is equal­ly sus­cep­ti­ble to either inter­pre­ta­tion, the canon requires that the unclear lan­guage of the Access Pro­vi­sion be inter­pret­ed in a nar­row­er way to avoid these con­sti­tu­tion­al concerns.

Sand­vig v. Ses­sions pro­vides an exam­ple of how con­sti­tu­tion­al avoid­ance should be applied in the con­text of the CFAA.32 In this case, the dis­trict court eval­u­at­ed the argu­ments of researchers who sought to cre­ate fake pro­files, or “bots,” to assess whether web­sites were dis­crim­i­nat­ing on the basis of race, gen­der, or oth­er fac­tors.33 The researchers con­tend­ed that under a broad con­cep­tion of the CFAA, their work would be con­sid­ered a vio­la­tion of the statute because many web­sites’ Terms of Ser­vice pro­hib­it the use of fake pro­files or bots.34 The court decid­ed in favor of a nar­row­er “inside hack­er” inter­pre­ta­tion of the CFAA, mean­ing that sim­ply vio­lat­ing a website’s Terms of Ser­vice would not put those researchers at risk of lia­bil­i­ty under the CFAA.35 The court also con­ced­ed that a “broad­er read­ing is not entire­ly implau­si­ble.”36 How­ev­er, because there was more than one plau­si­ble mean­ing, the Sand­vig Court cor­rect­ly took the addi­tion­al step of apply­ing the canon of con­sti­tu­tion­al avoid­ance and inquired “whether one read­ing ‘presents sig­nif­i­cant risk that [con­sti­tu­tion­al pro­vi­sions] will be infringed.’”37

In its con­sti­tu­tion­al analy­sis, the Sand­vig Court cit­ed Kozmin­s­ki and not­ed that a pur­pose-based inter­pre­ta­tion would crim­i­nal­ize a “broad range of day-to-day activ­i­ty.”38 This would, in turn, “del­e­gate to pros­e­cu­tors and juries the inher­ent­ly leg­isla­tive task of deter­min­ing what type of . . . activ­i­ties are so moral­ly rep­re­hen­si­ble that they should be pun­ished as crimes.”39 Allow­ing pros­e­cu­tors and juries to make those deci­sions impli­cates the Fifth Amend­ment, as it would risk “arbi­trary or dis­crim­i­na­to­ry pros­e­cu­tion or con­vic­tion.”40 If the statute did pro­hib­it using com­put­er access for any unau­tho­rized pur­pose, it would be uncon­sti­tu­tion­al­ly vague because it does not spec­i­fy what kind of mis­use can and should be charged as a crime. Should the gov­ern­ment decline to charge the many peo­ple who like­ly check their per­son­al emails at work in vio­la­tion of their employ­ers’ poli­cies, but then bring charges against peo­ple who cre­ate research “bots” in vio­la­tion of a website’s Terms of Ser­vice? With­out leg­isla­tive direc­tion as to what types of use-based vio­la­tions are “rep­re­hen­si­ble enough,” there is too much dis­cre­tion in the hands of pros­e­cu­tors to make those moral decisions.

A con­cern with adopt­ing a nar­row inter­pre­ta­tion of the CFAA is that peo­ple like the offi­cer in Van Buren, who mis­use or mis­ap­pro­pri­ate their access to infor­ma­tion, will not face con­se­quences. How­ev­er, this con­cern is mit­i­gat­ed by the fact that oth­er areas of law pro­vide reme­dies for those aggriev­ed by peo­ple who mis­use their com­put­er access. For exam­ple, busi­ness­es can rely on con­tract law to pro­tect them when their employ­ees vio­late a term of their employ­ment.41 The gov­ern­ment can also bring enforce­ment actions against those who mis­use cer­tain types of infor­ma­tion under statutes such as the Health Insur­ance Porta­bil­i­ty and Account­abil­i­ty Act (HIPAA) and the Fam­i­ly Edu­ca­tion­al Rights and Pri­va­cy Act (FERPA).42 The fact that any mis­use of com­put­er infor­ma­tion is not, on its own, cov­ered by the CFAA does not nec­es­sar­i­ly mean that all such mis­con­duct will go unad­dressed. A lim­it­ed appli­ca­tion of the CFAA still allows for oth­er applic­a­ble law to pro­vide reme­dies, while also avoid­ing wide­spread crim­i­nal lia­bil­i­ty with­out the req­ui­site clar­i­ty from Congress.

*****

Because large swaths of com­mon­place behav­ior would become crim­i­nal­ized under a broad inter­pre­ta­tion of the CFAA’s Access Pro­vi­sion, the Supreme Court made the cor­rect pol­i­cy deci­sion in Van Buren to con­strue the statute nar­row­ly. While reach­ing the cor­rect deci­sion, the major­i­ty under­val­ued inter­pre­tive tools, name­ly the rule of leni­ty and canon of con­sti­tu­tion­al avoid­ance, that could have fur­ther sup­port­ed its ulti­mate deci­sion. Although the major­i­ty opin­ion viewed the word­ing and leg­isla­tive his­to­ry of the CFAA as defin­i­tive­ly in favor of a nar­row inter­pre­ta­tion, the plain mean­ing of the statute is not as clear-cut as the major­i­ty char­ac­ter­ized it. Jus­tice Barrett’s por­tray­al of the rule of leni­ty and canon of con­sti­tu­tion­al avoid­ance as “icing on a cake already frost­ed” lessens the cred­i­bil­i­ty of the Court’s analy­sis of the statute.43 Nev­er­the­less, a thor­ough analy­sis of those canons still sup­ports the majority’s ulti­mate con­clu­sion: a nar­row, more lim­it­ed appli­ca­tion of the CFAA that does not crim­i­nal­ize any and all mis­use of com­put­er access.


* Rachel Sang is a J.D. Can­di­date (2022) at New York Uni­ver­si­ty School of Law. This piece is a com­men­tary on the prob­lem at the 2021 Cyber­se­cu­ri­ty Moot Court Com­pe­ti­tion host­ed by UCLA School of Law. The ques­tion pre­sent­ed was whether a per­son is liable under Com­put­er Fraud and Abuse Act for using their com­put­er access for an improp­er pur­pose. This Con­tri­bu­tion is an analy­sis of the Supreme Court deci­sion that recent­ly resolved the cir­cuit split on the issue in June 2021.

1. 18 U.S.C. § 1030(a)(1), (2), (4).

2. See infra notes 6 and 7.

3. 18 U.S.C. § 1030(a)(2).

4. Id. § 1030(a)(4).

5. Id. § 1030(e)(6).

6. See, e.g., WEC Car­oli­na Ener­gy Sols. LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) (hold­ing that one “exceeds autho­rized access” when a per­son “access­es a com­put­er with­out per­mis­sion or obtains or alters infor­ma­tion on a com­put­er beyond that which he is autho­rized to access”); Unit­ed States v. Nos­al, 676 F.3d 854, 858 (9th Cir. 2012) (find­ing a nar­row­er inter­pre­ta­tion of the Access Pro­vi­sion to be “more plau­si­ble”); Unit­ed States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015) (refus­ing to extend the Access Pro­vi­sion to mis­ap­pro­pri­a­tion of infor­ma­tion on grounds of lenity).

7. See, e.g., Unit­ed States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (find­ing that a for­mer bank employ­ee who used her access to obtain sen­si­tive and con­fi­den­tial infor­ma­tion of bank con­sumers “exceed­ed autho­rized access” because “she was not autho­rized to access that infor­ma­tion for any and all pur­pos­es but for lim­it­ed pur­pos­es”), abro­gat­ed by Van Buren v. Unit­ed States, 141 S. Ct. 1648 (2021); Unit­ed States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (affirm­ing the con­vic­tion of a for­mer employ­ee of the Social Secu­ri­ty Admin­is­tra­tion who vio­lat­ed the CFAA by using his access to per­son­al iden­ti­fy­ing infor­ma­tion for non­busi­ness pur­pos­es), abro­gat­ed by Van Buren v. Unit­ed States, 141 S. Ct. 1648 (2021); Int’l Air­port Ctrs., LLC v. Cit­rin, 440 F.3d 418, 420 (7th Cir. 2006) (find­ing that an employ­ee could have vio­lat­ed the CFAA by eras­ing all data on a com­put­er lent to him by the employ­er when he did so for an unau­tho­rized pur­pose), abro­gat­ed by Van Buren v. Unit­ed States, 141 S. Ct. 1648 (2021); EF Cul­tur­al Trav­el BV v. Explor­i­ca, Inc., 274 F.3d 577, 583 (1st Cir. 2001) (includ­ing improp­er use of access in the mean­ing of the CFAA and stat­ing that “use—and, indeed, abuse—of pro­pri­etary infor­ma­tion . . . goes beyond any autho­rized use of [the plaintiff’s] web­site”), abro­gat­ed by Van Buren v. Unit­ed States, 141 S. Ct. 1648 (2021).

8. Van Buren, 141 S. Ct. at 1662.

9. Id. at 1649.

10. 18 U.S.C. § 1030(e)(6) (empha­sis added).

11. Van Buren, 141 S. Ct. at 1655 (“Van Buren’s account of ‘so’—namely, that ‘so’ ref­er­ences the pre­vi­ous­ly stat­ed ‘man­ner or cir­cum­stance’ in the text of § 1030(e)(6) itself—is more plau­si­ble than the Gov­ern­men­t’s.”); see also Nos­al, 676 F.3d at 858 (dis­cussing ways that the word “so” could refer to unau­tho­rized access and not unau­tho­rized use); WEC Car­oli­na Ener­gy, 687 F.3d at 205 (agree­ing with the Ninth Circuit’s rea­son­ing that the word “‘so’ referred to the means of obtain­ing infor­ma­tion, not the use of information”).

12. See, e.g., Nos­al, 676 F.3d at 858 (find­ing that under the nar­row inter­pre­ta­tion, “‘with­out autho­riza­tion’ would apply to out­side hack­ers (indi­vid­u­als who have no autho­rized access to the com­put­er at all) and ‘exceeds autho­rized access’ would apply to inside hack­ers (indi­vid­u­als whose ini­tial access to a com­put­er is autho­rized but who access unau­tho­rized infor­ma­tion or files)”).

13. Van Buren, 141 S. Ct. at 1663 (Thomas, J., dissenting).

14. Id. (quot­ing Black­’s Law Dic­tio­nary 477 (5th ed. 1979)).

15. Id. at. 1664.

16. Com­pre­hen­sive Crime and Con­trol Act of 1984, Pub. L. No. 98–473, 98 Stat. 1837, 2190–91 (empha­sis added).

17. Com­put­er Fraud and Abuse Act of 1986, Pub. L. No. 99–474, 100 Stat. 1213, 1213–1215.

18. See, e.g., Sand­vig v. Ses­sions, 315 F. Supp. 3d 1, 25 (D.D.C. 2018) (“[I]t is notable that Con­gress did not sim­ply trans­pose the exist­ing, pur­pose-ori­ent­ed lan­guage into the def­i­n­i­tion section—which still would have sim­pli­fied the lan­guage of § 1030(a), as desired—but instead replaced it with new lan­guage that focus­es on autho­riza­tion to access par­tic­u­lar infor­ma­tion.”); Unit­ed States v. Nos­al, 676 F.3d at 858 n.5 (not­ing that the pur­pose-ori­ent­ed lan­guage from the 1984 ver­sion of the statute “was removed and replaced by the cur­rent phrase and def­i­n­i­tion,” and stat­ing that “[w]ere there any need to rely on leg­isla­tive his­to­ry, it would seem to sup­port” an inside-hack­er posi­tion rather than a pur­pose-based interpretation).

19. Van Buren, 141 S. Ct. at 1661 (“Con­gress’ choice to remove the statute’s ref­er­ence to pur­pose cuts against read­ing the statute to cap­ture that very con­cept.” (inter­nal quo­ta­tion marks omit­ted) (cita­tion omitted)).

20. Id. at 1668 (Thomas, J., dis­sent­ing) (“By replac­ing the specific,

lim­it­ed term ‘pur­pos­es’ with the broad­er, more gen­er­al phrase ‘not enti­tled,’ Con­gress gave force to . . . oth­er kinds of constraints.”).

21. See id. at 1657 (Bar­rett, J.) (quot­ing Caleb Nel­son, What is Tex­tu­al­ism?, 91 Va. L. Rev. 347, 354 (2005)) (argu­ing that a nar­row­er read­ing of the statute is con­sis­tent with the way an “appro­pri­ate­ly informed” speak­er of the lan­guage would under­stand the Access Provision).

22. Id. at 1660 (quot­ing Ross v. Blake, 578 U.S. 632, 641–42 (2016)).

23. Id. at 1666 (Thomas, J., dis­sent­ing) (pro­vid­ing a hypo­thet­i­cal in which an employ­ee is instruct­ed not to access a com­put­er while in a coun­try where the net­work con­nec­tion is not secure).

24. Id. at 1661 (Bar­rett, J.) (quot­ing Yates v. Unit­ed States, 574 U.S. 528, 557 (2015) (Kagan, J., dissenting)).

25.  See Unit­ed States v. Kozmin­s­ki, 487 U.S. 931, 952 (1988) (apply­ing the “time-hon­ored inter­pre­tive guide­line that uncer­tain­ty con­cern­ing the ambit of crim­i­nal statutes should be resolved in favor of leni­ty” (cita­tions omit­ted)); cf. Clark v. Mar­tinez, 543 U.S. 371, 385 (2005) (“The canon of con­sti­tu­tion­al avoid­ance comes into play only when, after the appli­ca­tion of ordi­nary tex­tu­al analy­sis, the statute is found to be sus­cep­ti­ble of more than one con­struc­tion; and the canon func­tions as a means of choos­ing between them.” (cita­tions omitted)).

26. Unit­ed States v. Uni­ver­sal C. I. T. Cred­it Corp., 344 U.S. 218, 221–22 (1952).

27. 543 U.S. at 380–81.

28. Kozmin­s­ki, 487 U.S. at 949.

29. Id.; see also Carter v. Carter Coal Co., 298 U.S. 238, 311 (1936) (explain­ing that a statute which con­fers leg­isla­tive author­i­ty to pri­vate par­ties is uncon­sti­tu­tion­al because it vio­lates the Due Process Clause of the Fifth Amendment).

30. Kozmin­s­ki, 487 U.S. 931 at 949.

31. John­son v. Unit­ed States, 576 U.S. 591, 595 (2015) (explain­ing that a statute vio­lates the Fifth Amend­ment and is uncon­sti­tu­tion­al­ly vague if it “fails to give ordi­nary peo­ple fair notice of the con­duct it pun­ish­es, or [is] so stan­dard­less that it invites arbi­trary enforcement”).

32. 315 F. Supp. 3d 1 (D.D.C. 2018).

33. Id. at 9.

34. Id. at 10.

35. Id. at 23–24.

36. Id. at 25.

37. Id. (quot­ing NLRB v. Catholic Bish­op of Chica­go, 440 U.S. 490, 502 (1979)).

38. Id. (quot­ing Unit­ed States v. Kozmin­s­ki, 487 U.S. 931, 949 (1988)).

39. Kozmin­s­ki, 487 U.S. at 949.

40. Sand­vig, 315 F. Supp. 3d at 25 (quot­ing Kozmin­s­ki, 487 U.S. at 949).

41. See WEC Car­oli­na Ener­gy Sols. LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (not­ing that imput­ing crim­i­nal lia­bil­i­ty to employ­ees who “dis­re­gard a use pol­i­cy” is “unnec­es­sary, giv­en that oth­er legal reme­dies exist for these griev­ances”); id. at n.4 (“[N]ine oth­er state-law caus­es of action poten­tial­ly pro­vide relief, includ­ing con­ver­sion, tor­tious inter­fer­ence with con­trac­tu­al rela­tions, civ­il con­spir­a­cy, and mis­ap­pro­pri­a­tion of trade secrets.”).

42. See, e.g., Health Insur­ance Porta­bil­i­ty and Account­abil­i­ty Act, 42 U.S.C. § 1320d‑6; Fam­i­ly Edu­ca­tion­al Rights and Pri­va­cy Act, 20 U.S.C. § 1232g.

43. Van Buren v. Unit­ed States, 141 S. Ct. at 1661 (quot­ing Yates v. Unit­ed States, 574 U.S. 528, 557 (2015) (Kagan, J., dissenting)).