dissenting:
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.
The first time this case came before us we examined whether Nosal’s former colleagues acted “without authorization, or exceeded] authorized access” when they downloaded information from Searcher while still employed at Korn/Ferry and shared it with Nosal in violation of the firm’s policies. United States v. Nosal (Nosal I), 676 F.3d 854, 864 (9th Cir.2012) (en banc). We said “no,” rejecting the approach of a few other circuits which had interpreted the CFAA looking “only at the culpable behavior of the defendants before them, and failing] to consider the effect on millions of ordinary citizens.” Id. at 862. In doing so, we stated that they turned the CFAA into a “sweeping Internet-policing mandate,” instead of maintaining its “focus on hacking.” Id. at 858. We emphatically refused to turn violations of use restrictions imposed by employers or websites into crimes under the CFAA, declining to put so many citizens “at the mercy of [their] local prosecutor.” Id. at 862. Since then, both circuits to rule on the point have agreed with our interpretation. See United States v. Valle, 807 F.3d 508, 526-28 (2d Cir.2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 204 (4th Cir.2012).
Today, addressing only slightly different conduct, the majority repudiates important *889parts of Nosal I, jeopardizing most password sharing. It loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.
At issue are three incidents of password sharing. On these occasions while FH was still employed at Korn/Ferry, she gave her password to Jacobson or Christian, who had left the company. Her former colleagues then used her password to download information from Searcher. FH was authorized to access Searcher, but she did not download the information herself because it was easier to let Jacobson or Christian do it than to have them explain to her how to find it. It would not have been a violation of the CFAA if they had simply given FH step-by-step directions, which she then followed. Thus the question is whether because Jacobson and Christian instead used FH’s password with her permission, they are criminally liable for access “without authorization” under the Act.1
The majority finds the answer is “yes,” but in doing so commits the same error as the circuits whose views we rejected in Nosal I. My colleagues claim that they do not have to address the effect of their decision on the wider population because Nosal’s infelicitous conduct “bears little resemblance” to everyday password sharing. Notably this is the exact argument the dissent made in Nosal I: “This case has nothing to do with playing sudoku, checking email, [or] fibbing on dating sites.'... The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases.” 676 F.3d at 864, 866 (Silverman, J., dissenting) (internal quotation and citation omitted).
We, of course, rejected the dissent’s argument in Nosal I. We did so because we recognized that the government’s theory made all violations of use restrictions criminal under the CFAA, whether the violation was innocuous, like checking your personal email at work, or more objectionable like that at issue here.. Because the statute was susceptible to a narrower interpretation, we rejected the government’s broader reading under which “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” Id. at 859. The same is true here. The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.
Therefore, despite the majority’s attempt to construe Nosal I as only applicable to “exceeds authorized access,” the case’s central lesson that the CFAA should not be interpreted to criminalize the ordinary conduct of millions of citizens applies equally strongly here. Accordingly, I would hold that consensual password sharing is not the kind of “hacking” covered by the CFAA. That is the case whether or not the voluntary password sharing is with a former employee and whether or not the former employee’s own password had expired or been terminated.
I.
“Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking,” Nosal I, 676 F.3d at 858. United States v. Morris, the first appellate case under the CFAA, illustrates *890the core type of conduct criminalized by the Act. 928 F.2d 504 (2d Cir. 1991). There a student created a worm which guessed passwords and exploited bugs in computer programs to access military and university computers, eventually causing them to crash. The Second Circuit found that the student had accessed those computers “without authorization” in violation of the Act. Id. at 506, 509-511.
“Without authorization” is used in a number of places throughout the CFAA, but is not defined in the Act. The phrase appears in two subsections relevant to this case: § 1030(a)(2)(C) and (a)(4). Subsection (a)(2)(C) criminalizes “intentionally accessing] a computer without authorization or - exceeding] authorized access, and thereby obtaining] ... information from any protected computer.” This is the “broadest provision” of the CFAA. Nosal 1. 676 F.3d at 859. Subsection (a)(4) in essence increases the penalty for violating (a)(2)(C) if the perpetrator also acts “with intent to defraud,” and “obtains anything of value.”2 Nosal was charged and convicted under (a)(4).
Our definition of “without authorization” in this case will apply not only to (a)(4), but also to (a)(2)(C) and the rest of the Act. In Nosal I, the government contended that “exceeds authorization” could be interpreted more narrowly in (a)(2)(C) than in (a)(4), but we concluded: “This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the ‘standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning.’ ” 676 F.3d at 859 (quoting Power ex Corp. v. Reliant Energy Servs., Inc., 551 U.S. 224, 232, 127 S.Ct. 2411, 168 L.Ed.2d 112 (2007)). That holds here. Indeed, the government so concedes.
It is thus necessary to consider the potential breadth of subsection (a)(2)(C) if we construe “without authorization” with less than the utmost care. Subsection (a)(2)(C) criminalizes nearly all intentional access of a “protected computer” without authorization.3 A “ ‘protected computer’ is defined as a computer affected by or involved in interstate commerce — effectively all computers with Internet access.” See Nosal I, 676 F.3d at 859. This means that nearly all desktops, laptops, servers, smart-phones, as well as any “iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device,” including even some thermostats qualify as “protected.” Id. at 861. Thus § 1030(a)(2)(C) covers untold millions of Americans’ interactions with these objects every day. Crucially, violating (a)(2)(C) does not require “any culpable intent.” Id. Therefore if we interpret “without authorization” in a way that in-*891eludes common practices like password sharing, millions of our citizens would become potential federal criminals overnight.
II.
The majority is wrong to conclude that a person necessarily accesses a computer account “without authorization” if he does so without the permission of the system owner.4 Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner’s access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank’s password sharing prohibition. There are other examples that readily come to mind, such as logging onto a computer on behalf of a colleague who is out of the office, in violation of a corporate computer access policy, to send him a document he needs right away. “Facebook makes it a violation of the terms of service to let anyone log into your account,” we noted in Nosal I, but “it’s very common for people to let close friends and relatives check their email or access their online accounts.” 676 F.3d at 861 (citing Face-book Statement of Rights and Responsibilities § 4.8).5
Was access in these examples authorized? Most people would say “yes.” Although the system owners’ policies prohibit password sharing, a legitimate account holder “authorized” the access. Thus, the best reading of “without authorization” in the CFAA is a narrow one: a person accesses an account “without authorization” if he does so without having the permission of either the system owner or a legitimate account holder.
This narrower reading is more consistent with the purpose of the CFAA.. The CFAA is essentially an anti-hacking statute, and Congress intended it as such. Nosal I, 676 F.3d at 858. Under the preferable construction, the statute would cover only those whom we would colloquially think of as hackers: individuals who steal or guess passwords or otherwise force their way into computers without the consent of an authorized user, not persons who are given the right of access by those who themselves possess that right. There is no doubt that a typical hacker accesses an account “without authorization”: the hacker gains' access without permission' — • either from the system owner or a legitimate account holder. As the 1984 House Report on the CFAA explained, “it is noteworthy that Section 1030 deals with an unauthorized access concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering.’ ” H.R. Rep. 98-894, 20, 1984 U.S.C.C.A.N. 3689, 3706. We would not convict a man for breaking and entering if he had been invited in by a houseguest, even if the homeowner objected. Neither should we convict a man under the CFAA for accessing a computer account with a shared password with the consent of the password holder.
Nosal’s conduct was, of course, unscrupulous. Nevertheless, as the Second Circuit found in interpreting the CFAA, *892“whatever the apparent merits of imposing criminal liability may seem to be in this case, we must construe the statute knowing that our interpretation of [authorization] will govern many other situations.” Valle, 807 F.3d at 528. The construction that we adopt in Nosal’s case will apply with equal force to all others, and the reading of “without authorization” we adopt for subsection (a)(4) will apply with equal force to subsection (a)(2)(C). I would, therefore, hold that however reprehensible Nosal’s conduct may have been, he did not violate the CFAA.
III.
The majority insists that the text of the statute requires its broad construction, but that is simply not so. Citing our decision in Brekka, the majority defines “authorization” as “permission or power granted by an authority.” After appealing to “ordinary meaning,” “common sense meaning,” and multiple dictionaries to corroborate this definition, the majority asserts that the term is “not ambiguous.”
The majority is wrong. The majority’s (somewhat circular) dictionary definition of “authorization” — “permission conferred by an authority” — hardly clarifies the meaning of the text. While the majority reads the statute to criminalize access by those without “permission conferred by” the system owner, it is also proper (and in fact preferable) to read the text to criminalize access only by those without “permission conferred by” either a legitimate account holder or the system owner. The question that matters is not what authorization is but who is entitled to give it. As one scholar noted, “there are two parties that have plausible claims to [give] authorization: the owner/operator of the computer, and the legitimate computer account holder.” Orin S. Kerr, Computer Crime Law 48 (3d ed. 2013). Under a proper construction of the statute, either one can give authorization.
The cases the majority cites to support its contention that the statute’s text requires a broad construction merely repeat dictionary definitions of “without authorization.” Those cases do nothing to support the majority’s position that authorization can be given only by the system owner. The Fourth Circuit, quoting the Oxford English Dictionary, found that “based on the ordinary, contemporary, common meaning of ‘authorization,’ ” an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval.” WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir.2012). The Sixth Circuit, also quoting the Oxford English Dictionary, explained that “[t]he plain meaning of ‘authorization’ is ‘[t]he conferment of legality’ ” and concluded that “a defendant who accesses a computer “without authorization’ does so without sanction or permission.” Pulte Homes, Inc. V. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 303-04 (6th Cir.2011). In both of these cases, the important question in Nosal’s case — authorization from whom — went unanswered. The Second Circuit consulted the Random House Dictionary instead and concluded that the “common usage of ‘authorization’ suggests that one ‘accesses a computer without authorization’ if he accesses a computer without permission to do so at all.” Valle, 807 F.3d 508, 524 (2nd Cir.2015) (emphasis added). With that, I agree. Contrary to the majority’s suggestion, none of the cases on which it relies holds that the requisite permission must come from the system owner and not a legitimate account holder.6
*893At worst, the text of the statute is ambiguous as to who may give authorization. The First Circuit concluded that the meaning of the term “without authorization” in the CFAA “has proven to be elusive,” EF Cultural Travel EV v. Explorica, Inc., 274 F.3d 577, 582 n. 10 (1st Cir.2001), and an unambiguous definition eludes the majority even now. In that circumstance, the rule of lenity requires us to adopt the narrower construction — exactly the construction that is appropriate in light of the CFAA’s anti-hacking purpose and concern for the statute’s effect on the innocent behavior of millions of citizens. The text provides no refuge for the majority.
As the Supreme Court has repeatedly held, “where there is ambiguity in a criminal statute, doubts are resolved in favor of the defendant.” United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971); see also United States v. Santos, 553 U.S. 507, 514, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008) (“The rule of lenity requires ambiguous criminal laws to be interpreted in favor of the defendants subjected to them.”). If a “choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) (quoting United States v. Universal C.I.T. Credit Corp., 344 U.S. 218, 221-22, 73 S.Ct. 227, 97 L.Ed. 260 (1952)) (internal quotation marks omitted). We are therefore bound to adopt the construction of CFAA that criminalizes access only by those without permission from either an account holder or the system owner. See also, e.g., Nosal I, 676 F.3d at 863 (applying the rule of lenity to the CFAA); Valle, 807 F.3d at 527 (same); Miller, 687 F.3d at 204 (same).
The “venerable” rule of lenity ensures that individuals are on notice when they act. Santos, 553 U.S. at 514, 128 S.Ct. 2020. It “vindicates the fundamental principle that no citizen should be held accountable for a violation of a statute whose commands are uncertain.... ” Id. We must, therefore, read the CFAA not just in the harsh light of the courtroom but also from the perspective of its potential violators.7 In the everyday situation that should concern us all, a friend or colleague accessing an account with a shared password would most certainly believe — and with good reason — that his access had been “authorized” by the account holder who shared his password with him. Such a person, accessing an account with the express authorization of its holder, would believe that he was acting not just lawfully but *894ethically.8 “It’s very common for people to let close Mends and relatives check then-email or access their online accounts,” we said in Nosal I. “Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.” 676 F.3d at 861. The majority’s construction thus conflicts with the natural interpretation its freshly minted CFAA violators would have given to “without authorization.” That alone should defeat the majority’s conclusion.
Worse, however, the majority’s construction would base criminal liability on system owners’ access policies. That is exactly what we rejected in Nosal I. See 676 F.3d at 860. Precisely because it is unacceptable in our legal system to impose criminal liability on actions that are not proscribed “plainly and unmistakably,” Bass, 404 U.S. at 348-49, 92 S.Ct. 515, it is also unacceptable to base “criminal liability on violations of private computer use policies.” Nosal I, 676 F.3d at 860. Not only are those policies “lengthy, opaque, subject to change and seldom read,” id. at 860, they are also private — by definition not addressed and perhaps not even accessible to shared password recipients who are not official users themselves. Just as the rule of lenity ensures that Congress, not the judiciary, creates federal crimes, Bass, 404 U.S. at 348, 92 S.Ct. 515, the rule also ensures that the clear (and public) words of Congress — not the obscure policies of system owners — delimit their scope.
If this were a civil statute, it might be possible to agree with the majority, but it is not. The plain fact is that the Act unquestionably supports a narrower interpretation than the majority would afford it. Moreover, the CFAA is not the only criminal law that governs computer crime. All fifty states have enacted laws prohibiting computer trespassing. A conclusion that Nosal’s actions do not run afoul of the CFAA need not mean that Nosal is free from criminal liability, and adopting the proper construction of the statute need not thwart society’s ability to deter computer crime and punish computer criminals— even the “industrious hackers” and “bank robbers” that so alarm the majority.9
IV.
In construing any statute, we must be wary of the risks of “selective or arbitrary enforcement.” United States v. Kozminski, 487 U.S. 931, 952, 108 S.Ct. 2751, 101 L.Ed.2d 788 (1988). The majority’s construction of the CFAA threatens exactly that. It criminalizes a broad category of common actions that nobody would expect *895tó be federal crimes. Looking at the fallout from the majority opinion, it is clear that the decision will have “far-reaching effects unintended by Congress.” See Miller, 687 F.3d at 206 (rejecting a broad interpretation of the CFAA producing such unintended effects).
Simply put, the majority opinion contains no limiting principle.10 Although the majority disavows the effects of its decision aside from dealing with former employees, it may not by fíat order that the reasoning of its decision stop, like politics used to, “at the water’s edge.” The statute says nothing about employment. Similarly, Nosal I discussed use restrictions, whether imposed by an employer or a third-party website, all in the same way. It did not even hint that employment was somehow special.11 676 F.3d at 860-61.
It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told1 customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.12 It is not “advisory” to ask why the majority’s opinion does not criminalize this under § 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.
Even if the majority opinion could be limited solely to employment, the consequences would be equally untoward. Very often password sharing between a current and past employee serves the interest of the employer, even if the current employee is technically forbidden by a corporate policy from sharing his password. For example, if a current Korn/Ferry employee were looking for a source list for a pitch meeting which his former colleague had created before retirement, he might contact him to ask where the file had been saved. The former employee might say “it’s too complicated to explain where it is; send me your password and I’ll find it for you.” When the current employee complied *896and the former employee located the file, both would become federal criminals under the majority’s opinion. I am confident that such innocuous password sharing among current and former employees is more frequent than the improper password sharing at issue here. Both employees and Congress would be quite surprised to find that the innocent password sharing constitutes criminal conduct under the CFAA.13
Brekka, cited repeatedly in the majority opinion, did not threaten to criminalize the everyday conduct of millions of citizens. Nor does that case foreclose the preferable construction of the statute. Brekka primarily addressed the question of whether an employee’s violation of the duty of loyalty could itself render his access unauthorized. 581 F.3d at 1134-35. Although we found that authorization in that case depended “on actions taken by the employer,” that was to distinguish it from plaintiffs claim that authorization “turns on whether the defendant breached a state law duty of loyalty to an employer.” Id. Brekka’s alleged use of an expired log-in presented a very different situation. Brekka had no possible source of authorization, and acted without having permission from either an authorized user or the system owner. We therefore had no cause to consider whether authorization from a current employee for the use of his password (i.e. password sharing) would constitute “authorization” under the Act. Moreover, it is far less common for people to use an expired or rescinded log-in innocuously than to share passwords contrary to the rules promulgated by employers or website operators. Thus, unlike this case, Brekka did not place ordinary citizens in jeopardy for their everyday conduct. That difference alone is dispositive in light of Nosal I.
In sum, § 1030(a)(2)(C) covers so large a swath of our daily lives that the majority’s construction will “criminalize a broad range of day-to-day activity.” Kozminski, 487 U.S. at 949, 108 S.Ct. 2751. Such “[ujbiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Nosal I, 676 F.3d at 861.
V.
Nosal’s case illustrates some of the special dangers inherent in criminal laws which are frequently violated in the commercial world, yet seldom enforced. To quote a recent comment by a justice of the Supreme Court with regard to a statute that similarly could be used to punish indiscriminately: “It puts at risk behavior that is common. That is a recipe for giving the Justice Department and prosecutors enormous power over [individuals].” Transcript of Oral Argument at 38, McDonnell v. United States, — U.S.-, 136 S.Ct. 891, 193 L.Ed.2d 784 (2016) (No. 15-474) (Breyer, J.). Indeed, as this opinion is being filed, the Supreme Court has issued its decision in McDonnell and reiterated that “we cannot construe a criminal statute on the assumption that the Government will use it responsibly.” McDonnell v. United States, 579 U.S.-, 136 S.Ct. 2355, 195 L.Ed.2d 639 (2016) (citation omitted). Here it is far worse. Broadly interpreted, the CFAA is a recipe for giving large corporations undue power over their rivals, their employees, and ordinary citizens, as well as affording such indiscriminate power to the Justice Department, should we have a president or attorney general who desires to do so.
*897Nosal was a senior member of Korn/Ferry and intended to start a competing business. He was also due a million dollars from Korn/Ferry if he abided by his departure agreement. When Korn/Fer-ry began its investigation of Nosal’s possible malfeasance, it brought on ex-FBI agents to search through Christian’s garbage and follow Jacobson around. It also hired a leading international corporate law firm consisting of over 600 lawyers, O’Mel-veny and Myers, which charged up to $1,100 per hour for the time of some its partners.14 One of O’Melveny’s lead attorneys had recently left the office of the United States Attorney who would prosecute any case against Nosal. She referred the case to her former colleagues personally. O’Melveny also told the prosecutor that the case was “time-sensitive” because Korn/Ferry would have to file its civil case shortly, but that it would provide the prosecutor with the facts necessary to “demonstrate the criminal culpability of those involved.” The law firm also provided the government with the liability theories it believed necessary to convict Nosal under the CFAA. Less than a month after O’Mel-veny approached the government, the FBI searched the residences of Jacobson, Christian, and the offices of Nosal’s new business. That same day Korn/Ferry filed its civil complaint. In total, Korn/Ferry sought almost a million' dollars in attorneys’ fees from Nosal to compensate it for the work O’Melveny did to “assist” with the criminal prosecution.
To be clear, I am not implying that there is any misconduct on the part of the prosecution in this case. Nevertheless, private assistance of such magnitude blurs the line between criminal and civil law. Courts have long held that “a private citizen lacks a judicially cognizable interest in the prosecution or nonprosecution of another.” Linda R.S. v. Richard D., 410 U.S. 614, 619, 93 S.Ct. 1146, 35 L.Ed.2d 536 (1973). Korn/Ferry and its counsel’s employment of their overwhelming resources to persuade prosecutors to bring charges against an economic competitor has unhealthy ramifications for the legal system. Civil suits ordinarily govern economic controversies. There, private parties may initiate any good-faith action at their own expense. In criminal cases, however, the prosecutor who “seeks truth and not victims, [and] who serves the law and not factional purposes” must decide which cases go forward and which do not. Robert H. Jackson, The Federal Prosecutor, Address Before Conference of U.S. Attorneys (April 1, 1940), in 24 J. Am. Judicature Soc’y 18, 20 (1940). These decisions are inevitably affected by a variety of factors including the severity of the crime and the amount of available resources that must be dedicated to a prosecution.
Prosecutors cannot help but be influenced by knowing that they can count on an interested private party to perform and finance much of the work required to convict a business rival. As the Supreme Court found recently: “Prosecutorial discretion involves carefully weighing the benefits of a prosecution against the evidence needed to convict, [and] the resources of the public fisc.” Bond v. United States, — U.S., 134 S.Ct. 2077, 2093, 189 L.Ed.2d 1 (2014).15 The balance weighs *898differently when a major international corporate firm will bear much of the cost which would otherwise have to be borne by the prosecutor’s office. Prosecutors will also be able to use the work product of the country’s finest and most highly paid corporate litigators, rather than investing its meager human resources in developing a complex commercial case different in kind from the cases it is ordinarily used to preparing.16 Undertaking such third-party financed cases which a United States attorney might not have prosecuted otherwise gives the appearance of well-financed business interests obtaining the services of the prosecutorial branch of government to accomplish their own private purposes, influencing the vast discretion vested in our prosecutors, and causing the enforcement of broad and ill-defined criminal laws seldom enforced except at the behest of those who can afford it. Moreover, to the extent that decisions to pursue such cases are influenced by such extraneous concerns, and prosecutorial discretion is tilted toward their enforcement, other criminal cases that might otherwise be chosen for prosecution may well be neglected and the criminal justice system itself become distorted.
VI.
“There is no doubt that this case is distasteful; it may be far worse than that.” McDonnell v. United States, 579 U.S. -, 136 S.Ct. 2355, 195 L.Ed.2d 639 (2016). As the Supreme Court said in McDonnell, “our concern is not with tawdry tales of Ferraris, Rolexes, and ball gowns. It is instead with the broader legal implications of the Government’s boundless interpretation” of a federal statute. Here, our concern is not with tawdry tales of corporate thievery and executive searches gone wrong. “It is instead with the broader legal implications of the Government’s boundless interpretation” of the CFAA. Nosal may have incurred substantial civil liability, and may even be subject to criminal prosecution, but I do not believe he has violated the CFAA, properly construed.171 respectfully dissent.
. Nosal was charged as criminally culpable for Jacobson’s and Christian’s alleged violations under a theory of either aiding and abetting or conspiracy.
. The penalty for violating § 1030(a)(2)(C) may also be increased if the government proves an additional element under (c)(2)(B).
. Computer is defined under the Act as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” 18 U.S.C. § 1030(e)(1). See also United States v. Mitra, 405 F.3d 492 (7th Cir.2005) (finding a radio system is a computer); United States v. Kramer, 631 F.3d 900, 902 (8th Cir. 2011) (noting the Act's definition of a computer "is exceedingly broad,” and concluding an ordinary cell phone is a computer).
To violate § 1030(a)(2)(C) a person must also "obtain information,” but it is nearly impossible to access a computer without also obtaining information. As we noted in Nosal I, obtaining information includes looking up a weather report, reading the sports section online, etc. See also Sen. Rep. No. 104-357, at 7 (1996) (" ‘[0]btaining information’ includes merely reading it.”).
. The term "system owner” refers to the central authority governing user accounts, whether the owner of a single computer with one or several user accounts, a workplace network with dozens, or a social networking site, bank website, or the like, with millions of user accounts.
. For example, a recent survey showed that 46% of parents have the password to their children’s social networking site, despite the fact that the largest site, Facebook, forbids password sharing. See USC Annenberg School Center for the Digital Future, 2013 Digital Future Report 135 (2013), http://www. digitalcenter.org/wp-contenVuploads/2013/06/ 2013-Report.pdf.
. The Tenth Circuit case the majority cites, United States v. Willis, 476 F.3d 1121 (10th *893Cir.2007), has nothing to do with the meaning of "without authorization.” In fact, Willis did "not contest that he provided ... unauthorized access” to the website at issue. "He merely argue[d] that he had no intent to defraud in so doing ...” Id. at 1126.
. Moskal v. United States, 498 U.S. 103, 111 S.Ct. 461, 112 L.Ed.2d 449 (1990), relied on by the majority for the claim that "the rule of lenity is not triggered [simply] because it is 'possible to articulate’ a narrower construction of the statute,” is fully consistent with my reading. Here, the narrower reading rises above the possible and even the plausible: it is the natural reading from the perspective of a number of the law’s potential violators. Moreover, because the narrower interpretation better harmonizes with the anti-hacking purpose of the CFAA, the ambiguity here is exactly the kind Moskal said does trigger the rule of lenity: "reasonable doubt persists about [the] statute’s intended scope even after resort to ‘the language and structure, legislative history, and motivating policies’ of the statute.” Moskal v. United States, 498 U.S. 103, 108, 111 S.Ct. 461, 112 L.Ed.2d 449 (1990) (citing Bifulco v. United States, 447 U.S. 381, 387, 100 S.Ct. 2247, 65 L.Ed.2d 205 (1980)).
. It is evident that Nosal is not such a person. This case, however, differs from Bush v. Gore, 531 U.S. 98, 121 S.Ct. 525, 148 L.Ed.2d 388 (2000). It is not "a ticket for one train only.” Linda Greenhouse, Thinking About The Supreme Court After Bush v. Gore, 35 Ind. L. Rev. 435, 436 (2002). The majority's opinion criminalizes the conduct of all the friends and colleagues mentioned above.
. In fact, the ubiquity of state regulation targeting computer trespassing counsels in favor of the narrower interpretation of the federal statute. "Congress has traditionally been reluctant to define as a federal crime conduct readily denounced as criminal by the States.” Bond v. United States,-U.S.-, 134 S.Ct. 2077, 2093, 189 L.Ed.2d 1 (2014) (quoting Bass, 404 U.S. at 349, 92 S.Ct. 515). As such, "we will not be quick to assume that Congress has meant to effect a significant change in the sensitive relation between federal and state criminal jurisdiction.” Id. at 2089. Because the states are already regulating such conduct, we deemed it appropriate in Nosal I to presume that "Congress act[ed] interstitially” in passing the CFAA. We therefore refused to adopt a broader interpretation of the Act in the absence of a clear indication from Congress that such a reading was warranted. 676 F.3d at 857. The same is as true of Nosal II as of Nosal I.
. The government has not offered a workable standard for distinguishing Nosal's case from innocuous password sharing either in the context of employment or outside of it. With respect to things like Facebook password sharing, for example, the government gamely states that in other "categories of computer users,” aside from employees, defendants might be able to claim password sharing gave them authorization even if it was against the policy of the website, but does not offer any line of its own or even a hint as to what in the statute permits such a distinction.
. The majority tries to dismiss Nosal I as irrelevant because in the end it only interprets "exceeds authorized access.” This is wrong for two reasons. First, while Nosal I’s holding applies directly only to "exceeds authorized access,” its discussion of password sharing affects the meaning of "without authorization” as well. This is because the "close friends [or] relatives” have no right to access Facebook’s or the email provider’s servers, unless the account holder's password sharing confers such authorization. Although in Nosal I we rejected the Seventh Circuit’s holding in Int’l Airport Centers, L.L.C. v. Citrin, that court correctly observed that the distinction between "exceeds authorized access” and "without authorization” is often “paper thin." 440 F.3d 418, 420 (7th Cir.2006); see also Miller, 687 F.3d at 204 (recognizing the "distinction between these terms is arguably minute”). Second, and more important, Nosal /'s central message that we must consider the effect of our decision on millions of ordinary citizens applies with equal force to "without authorization” and "exceeds authorized access.”
.To make the analogy exact, assume the wife had recently closed her account with the bank or withdrawn as a member of a joint-account with her husband and thus had her credentials rescinded.
. This example also demonstrates the problem with the majority's reliance on the fact that — like all former Korn/Ferry employees— Christian and Jacobson’s credentials had expired. The expiration of someone's credentials is not a reliable indicator of criminal culpability in a password sharing case.
. It was recently reported that more than a few corporate firms, including O’Melveny’s rival Gibson, Dunn and Crutcher, charge as much as $2,000 per hour for some partners’ time. Natalie Rodriguez, Meet the $2,000 An Hour Attorney, Law360, June 11, 2016, http:// www.law360.com/articles/80442 l/meet-the-2-000-an-hour-attorney.
. Indeed, the Court has recognized that limited government funds sometimes play an important part in restraining potential executive overreach. See Illinois v. Lidster, 540 U.S. *898419, 426, 124 S.Ct. 885, 157 L.Ed.2d 843 (2004) (finding that limited police resources would be a practical impediment to the "proliferation” of sobriety checkpoints); see also United States v. Jones,-U.S.-, 132 S.Ct. 945, 956, 181 L.Ed.2d 911 (2012) (Sotomayor, J., concurring) (arguing that technologies like GPS which loosen the check of limited enforcement budgets may necessitate greater judicial oversight).
. The fact that the interested party may be able to recover its attorneys’ fees if the prosecution is successful does not affect this analysis.
. Nosal argues that because the jury was instructed under Pinkerton, if the conspiracy count and substantive CFAA counts are vacated or reversed, so too must both the trade secrets counts. The government does not contest this assertion in its answering brief. I would therefore vacate the trade secrets counts. See United States v. Gamboa-Cardenas, 508 F.3d 491, 502 (9th Cir.2007) ("Appellees ... did not raise the ... argument in their briefs and thus they have waived it.”). For that reason I express no independent view on the trade secrets counts, although I have substantial concerns about the legality of the convictions on those counts as well.