dissenting:
Because I believe that construing “exceeds authorized access” to include “violating an employer’s computer access restrictions — including use restrictions” does not further Congress’s stated purpose in enacting the CFAA, and in fact renders one of the statute’s provisions unconstitutionally vague, I must respectfully dissent.
The majority focuses on the intent requirement of 18 U.S.C. § 1030(a)(4) to explain why its interpretation of “exceeds authorized access” does not “make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email accounts or to check the latest college basketball scores.” The majority notes:
[S]ubsection (a)(4) does not criminalize the mere violation of an employer’s use restrictions. Rather, an employee violates this subsection if the employee (1) violates an employer’s restriction on computer access, (2) with an intent to defraud, and (3) by that action “furthers the intended fraud and obtains anything of value.” 18 U.S.C. § 1030(a)(4) (emphasis added). The requirements of a fraudulent intent and of an action that furthers the intended fraud distinguish this case from the Orwellian situation that Nosal seeks to invoke. Simply using a work computer in a manner that violates an employer’s use restrictions, without more, is not a crime under § 1030(a)(4).
But it is a firm rule of statutory construction that “identical words used in different parts of the same statute are generally presumed to have the same meaning.” IBP, Inc. v. Alvarez, 546 U.S. 21, 34, 126 S.Ct. 514, 163 L.Ed.2d 288 (2005). “Exceeds authorized access” appears in other provisions of the statute, including the much broader § 1030(a)(2)(C), which has no intent requirement.
Under § 1030(a)(2)(C), a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer,” is guilty of a crime, where a “protected computer” includes any computer connected to the internet, see 18 U.S.C. § 1030(e)(2)(B) (“[T]he term ‘pro*790tected computer’ means a computer ... which is used in or affecting interstate or foreign commerce or communication.... ”).
Accordingly, under the majority’s interpretation, any person who obtains information from any computer connected to the internet, in violation of her employer’s computer use restrictions, is guilty of a federal crime under § 1030(a)(2)(C). For example, Mr. Nosal’s employer, Korn/Ferry, prohibited use of its proprietary database except for legitimate Korn/Ferry business. Under the majority’s interpretation, had Mr. Nosal ever viewed any information in that database out of curiosity instead of for legitimate Korn/Ferry business, he would be guilty of a federal crime.1
Definiteness
“[T]he void-for-vagueness doctrine requires that a penal statute define the criminal offense with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement.” Kolender v. Lawson, 461 U.S. 352, 357, 103 S.Ct. 1855, 75 L.Ed.2d 903 (1983). A statute imposing criminal liability according to the terms of employers’ computer access restrictions would not give fair notice of what conduct is prohibited, because employers’ computer access restrictions are not necessarily drafted with the definiteness or precision that would be required for a criminal statute.2,3
Arbitrary Enforcement
If every employee who used a computer for personal reasons and in violation of her employer’s computer use policy were guilty of a federal crime, the CFAA would lend itself to arbitrary enforcement, rendering it unconstitutionally vague.
In United States v. Drew, 259 F.R.D. 449 (C.D.Cal.2009), the question before the district court was “whether an intentional breach of an Internet website’s terms of service, without more, is sufficient to constitute a misdemeanor violation of the CFAA; and, if so, would the statute, as so interpreted, survive constitutional challenges on the grounds of vagueness and related doctrines.” Drew, 259 F.R.D. at 451.
In holding that the government’s interpretation of the CFAA would render § 1030(a)(2)(C) unconstitutionally vague, the court explained that:
if every [breach of an Internet website’s terms of service] does qualify [as a violation of the CFAA], then there is absolutely no limitation or criteria as to which of the breaches should merit crim*791inal prosecution. All manner of situations will be covered.... All can be prosecuted. Given the ‘standardless sweep’ that results, federal law enforcement entities would be improperly free to ‘pursue their personal predilections.’
Drew, 259 F.R.D. at 467 (quoting Kolender v. Lawson, 461 U.S. 352, 358, 103 S.Ct. 1855, 75 L.Ed.2d 903 (1983)).
The majority’s reading of § 1030(a)(4) similarly renders § 1030(a)(2)(C) unconstitutionally vague.
Statutory Construction
It is a cardinal principle of statutory construction that an Act of Congress should be construed, where “fairly possible,” in a manner that does not result in its invalidity. Zadvydas v. Davis, 533 U.S. 678, 689, 121 S.Ct. 2491, 150 L.Ed.2d 653 (2001). Here, where “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” 18 U.S.C. § 1030(e)(6), “exceeds authorized access” could be interpreted as the majority has interpreted it, rendering § 1030(a)(2)(C) of the statute unconstitutionally vague.
Or, the “so” on which the majority’s interpretation hinges could have been added for emphasis alone, as was undoubtedly the case in another provision of the same statute. See 18 U.S.C. § 1030(a)(1) (proscribing theft of government secrets by someone “with reason to believe that such information so obtained could be used to the injury of the United States” (emphasis added)). This latter interpretation is consistent with this court’s interpretation of the same phrase in Brekka: “[A] person who ‘exceeds authorized access,’ ... has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009).
Because Congress enacted the CFAA to curb computer hacking, see S.Rep. No. 99-432 at 2-3 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480-2481, the latter interpretation is not only “fairly possible,” but in fact conforms more closely to what Congress intended. When the CFAA was enacted, “computer crime” was considered a new type of crime that existing criminal laws were insufficient to address. See S.Rep. No. 99-432 at 2 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2479. For example, exceeding one’s authorized access to a computer by hacking into a drive that one is never authorized to access would be a “computer crime,” which Congress intended to proscribe. On the other hand, under the majority’s interpretation of “exceeds authorized access,” the CFAA would proscribe fraud (a standalone crime) that happens to be effectuated through the use of a computer and in violation of a computer use policy. This was not Congress’s intent.
For the reasons stated above, I respectfully dissent.
. Further, Breklca's holding is rendered meaningless by the majority's holding, because, to invoke the federal criminal law, employers merely need to include in their computer access restrictions that an employee's authorization to access a computer ends when he breaches his duly of loyalty.
. By essentially incorporating privately drafted computer access restrictions into a criminal statute, the majority's construction binds Congress to the language of those restrictions.
. In addition, computer use policies can be altered without notice. Under the majority's interpretation of "exceeds authorization,” an employee would have an affirmative obligation to stay current on her employer’s computer use policy to know what conduct could be criminally punished. Implicitly addressing this issue, the majority builds in a necessary safeguard: Although it is the employer who determines whether an employee is "authorized” or "exceeds authorization,” the employee must "ha[ve] knowledge” of the employer’s limitations in order to exceed authorized access. This knowledge requirement is not found in the statute, and only becomes necessary upon adopting the majority’s interpretation of "exceeds authorization.”