SUPREME COURT OF THE UNITED STATES

ORDER GRANTING WRIT OF CERTIORARI

DENNIS CRANE, Petitioner, v. UNITED STATES OF AMERICA, Respondent.

No. 10-1010 NOTICE IS HEREBY GIVEN THAT the petition for writ of certiorari by petitioner in the above named action is granted; the questions being limited to: Issue One: Unauthorized Access Whether the use of a "scraper" program that generates URLs and automatically downloads email addresses displayed on a publicly accessible website, in violation of the website's terms of use, constitutes "unauthorized access" within the meaning of the Computer Fraud and Abuse Act (CFAA). Issue Two: Warrantless Search of a Wireless Network Whether police officers' use of a "Shadow" device to locate an unsecured wireless network and the officers' subsequent opening of a shared folder within that network constitutes a search within the meaning of the Fourth Amendment. Cert. Granted 10/14/2013

Decision Below: United States v. Crane, 912 F.3d 1130 (12th Cir. 2013)

UNITED STATES COURT OF APPEALS FOR THE TWELFTH CIRCUIT

DENNIS CRANE, Appellant, v. UNITED STATES, Appellee.

Appeal from the United States District Court For the District of Ohiowa

Argued: December 15, 2012

Decided: April 8, 2013

Before RUTT, MILDEW & HADDOCK Circuit Judges.

RUTT, J.: FACTS AND PROCEDURAL HISTORY CommCorps Network and Tablet Devices

CommCorp is a major telecommunications corporation. CommCorp operates a nationwide mobile telephone network. Through partnerships with several technology corporations, CommCorp markets and sells a variety of cell phones, smartphones, and tablet devices that operate exclusively on CommCorps network. Each device that operates on CommCorps network has an individualized identification code consisting of several letters and numbers. The identification number is included in the paperwork accompanying each device when sold and is 2

also electronically stored within each device. A user can find his or her devices identification number by viewing the devices settings. CommCorp also operates a website and encourages its customers to register on this website so that they may access billing data, software updates, and other services. To register, users must enter their name, address, email address, and the identification code for their device. Users then choose a password for their account. After registering with CommCorp, users can enter their email address and password on CommCorps website and access their accounts. In 2011, CommCorp began marketing a tablet device to its users. Users can use the device to access the internet via CommCorps mobile telephone network or through wireless networks. To make account access easier for CommCorp customers, when users open CommCorps website using a tablet device, their email address automatically appears on the webpage so they can access their accounts simply by entering their passwords. CommCorp achieves this result by directing tablet users to specific web addresses (known as Uniform Resource Locators, or URLs) that correspond to their tablets identification number when users access the website from their tablets. At each of these URLs, the users email address is already entered into the page. To illustrate: CommCorps default login page has the URL, http://www.commcorp.com/login. When a preregistered tablet user accesses CommCorps website from his or her tablet, however, the user is automatically directed to a URL, for example: http://www.commcorp.com/login/user/openpage?ICCID=XXXXXXXXXXXXXXXXX XXX, where the string of Xs represents the users 20-digit tablet identification number. Under this URL, a tablet user1 will see CommCorps login page with his or her email address already entered into the page. CommCorps website terms of service prohibit website users from accessing web pages associated with devices they do not own. The terms of service specifically state that website users may not use their browsers2 to enter device identification numbers that correspond to
1 A computer user who attempts to access this URL will not be able to access an account login page for a tablet because the user agent string of a computer communicates to the website that the person attempting to access the page is a computer user and not a tablet user. A user agent string communicates with servers and identifies the operating system that is running a users web browser. 2 Web browsers are software applications that typically include address bars into which users may enter URLs for purposes of accessing the webpages associated with those URLs.

devices that the users do not own. The terms of service also prohibit users from copying email addresses from CommCorps login pages. These terms of service can be located by scrolling to the bottom of any page on CommCorps website, including the login page, and clicking on a Terms of Service link, which takes users to another webpage with a secondary list of various terms of service document links for users, businesses, and CommCorp employees. CommCorps terms of service are detailed, and each list of terms amounts to approximately ten pages of text if printed.

The Defendants Use of a Scraper Program on Companys Website

Defendants roommate, Mortimer Burns, purchased a CommCorp Tablet. Burns went to CommCorps website to register his tablet with his CommCorp account that he had previously established when he bought a CommCorp Smartphone. After registering his tablet, Burns found that if he accessed CommCorps website using the tablet, his email address would automatically appear requiring him to only enter his password in order to access his account. Burns told Defendant that CommCorps website automatically generated his email address. Defendant thought that this could be a potential security breach for CommCorp and decided to investigate further. When Defendant used his computer to enter the URL associated with Burns login page, Defendant found that he could not access Burns login page. Figuring that this had something to do with the user agent string, Defendant modified his computers user agent so that his web browser would identify his computer as a tablet device when accessing the Internet. After modifying this computer in this manner, Defendant discovered that he could access a login page with Burns email address already entered on the page by replicating the URL associated with Burns login page. Defendant noticed that a portion of the URL was identical to Burns tablet identification number and suspected that changing this portion of the URL could allow him to access other web pages with other users email addresses. Accordingly, Defendant developed a scraper program. This program, when activated, would repeatedly enter randomized CommCorp login URLs. The vast majority of these entries would not contain valid tablet identification numbers and would therefore fail to link to any valid webpages. When the entered URL would return a page with a users email address, the program 4

would copy the pre-entered email address and paste it into a spreadsheet. Defendant activated the scraper program and let it run for several days. When Defendant deactivated the program, he had collected over 150,000 email addresses. Among these email addresses were several addresses belonging to military personnel, government officials, and business executives. Defendant and Burns contacted several news websites, telling them about their discovery and use of the scraper program. When notifying these websites of what he had done, Defendant remarked that CommCorp users were vulnerable to the theft of their personal contact information. Defendant further explained that he had exploited that vulnerability and stolen that information. A popular technology blog, TechBlog, ended up reporting how CommCorp stored users email addresses and that these addresses could be accessed by simply entering a URL with a device identification number. TechBlog identified Defendant and Burns as the individuals who had called attention to the situation and reported that a scraper program had been developed that had downloaded the email addresses of thousands tablet users. TechBlog also displayed several redacted addresses of high profile tablet users that Defendant had downloaded. TechBlog did not report that Defendant had developed the scraper program and downloaded those email addresses.

The Police Officers Accessing of Defendants Wireless Network and Shared Folder

TechBlogs story led to an avalanche of negative publicity for CommCorp, with major newspapers labelling the scraper program as a major security breach. CommCorp contacted the Federal Bureau of Investigation (FBI) whose agents set out to determine who had developed the scraper program and downloaded the emails. Because TechBlog had mentioned Defendant and Burns, the FBI began to investigate them. Two agents, Boot and Block, drove to Defendants neighborhood and parked their vehicle at the side of the street, approximately 200 yards from Defendants house. Agent Boot had a Shadow, a handheld device that detects the presence of wireless networks. The Shadow is manufactured and sold to law enforcement by Dwayne Enterprises, a company that specializes in manufacturing police and military equipment. The Shadow is a standard piece of equipment in every police vehicle. It is not available for purchase by members 5

of the general public. The Shadow runs a scan for wireless networks within a 500 yard radius and displays the names and security status of each network that it detects. Moreover, the Shadow calculates the estimated distance of each wireless networks router by comparing the signal strength of each network signal with the type of signal detected. Agent Boot activated the Shadow and discovered a wireless network that was named after Defendant. Upon locating this network, Agent Block activated the laptop computer that the officers had in their car, which also detected the Defendant network. Agent Block noted that Defendants network was not password-protected, meaning that anybody with a laptop computer could access the network. Once Agent Block logged into this network, he discovered that he had access to a folder that was shared over that network. Agent Block accessed this folder and found evidence that identified the folder as belonging to Defendant. Agent Block also uncovered the spreadsheet with all of the email addresses that Defendants scraper program had downloaded. Once Agents Boot and Block viewed the spreadsheet, they obtained a warrant to search Defendants home to retrieve files, computers, and other electronic storage devices that were associated with Defendants access of CommCorps website. When they received the warrant, Agents Boot and Block entered Defendants home. They arrested Defendant, and seized a number of computers as well as physical documents. In an evidentiary hearing, Agent Boot testified that the Shadows ability to detect wireless networks, their names, and security statuses were functions that could be carried out by a laptop computer or Smartphone. Agent Boot testified that he was not aware of any Smartphone or laptop that could estimate the range of the router for each wireless network. Defendant was charged with violating the Computer Fraud and Abuse Act (CFAA). 18 U.S.C. 1030. The government argued that Defendant had accessed CommCorps webpages without authorization when he used the scraper program to enter and access the various URLs associated with tablets. The government further argued that defendant gained additional unauthorized access when he copied the email addresses using the scraper program. At trial, the government introduced the spreadsheet they had recovered from the shared network as well as several other files they had recovered from Defendants computer. The trial court denied Defendants Fourth Amendment motion to suppress the evidence and admitted the spreadsheet and other files.

Defendant was convicted and sentenced to a prison term of ten years. He appeals, arguing that the trial courts interpretation of the CFAA was erroneous and that his actions had not constituted unauthorized access. Moreover, Defendant contends that the FBI agents violated his Fourth Amendment rights when they accessed his wireless network and shared folder.

DISCUSSION

Defendant Violated the CFAA

Defendant argues that his actions did not constitute unauthorized access under the meaning of the CFAA. Defendant claims that the trial courts determination that his conduct was unauthorized is erroneous and that the courts decision should be reversed. The CFAA is codified at 18 U.S.C. 1030. Defendant was convicted under 18 U.S.C. 1030(a)(2)(C). Under this provision, anybody who intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer shall be punished in accordance with subdivision (c) of the CFAA. 18 U.S.C. 1030(a). The trial court ruled that CommCorps website is a computer within the meaning of the CFAA because it fits the definition of a data storage facility that is used in conjunction with computers. 18 U.S.C. 1030(e)(1). Moreover, CommCorps website is a protected computer within the meaning of the CFAA because it is used in interstate commerce. 18 U.S.C. 1030(e)(2)(B). Defendant does not challenge this on appeal. Defendant challenges the trial courts conclusion that he accessed CommCorps website without authorization. Defendant argues that all the scraper program did was enter URLs that any member of the public could type into a web browser. Defendant argues further that any member of the public, upon entering a URL, could copy the email that would appear on the website. Because the scraper program merely duplicated activities that any member of the public could undertake, the program did not access the website without authorization. The trial court disagreed with Defendants interpretation of the CFAA and held that Defendants access of CommCorps website was unauthorized because Defendants access deviated from the intended use of CommCorps website and because Defendant violated the websites terms of service.

We begin our inquiry into whether Defendants access was unauthorized by looking to the text of the CFAA. The CFAA does not explicitly define what how an individual may access a website without authorization. The CFAA does define how defendants may exceed authorized access under 18 U.S.C. 1030(e)(6):

[T]he term exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. This portion of the CFAA does not define what unauthorized access entails, nor does it specifically describe the point where authorized access crosses the line and exceeds authorization in violation of the statute. In the absence of explicit definitions, we must look to the common, contemporary meaning of the terms in the statute. Authorization is defined as permission or power granted by an authority. LVRC Holdings, LLC. v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (citing Random House Unabridged Dictionary, 139 (2001)) (internal quotations omitted). Defendants use of the scraper program to access web pages associated with different CommCorp customers and Defendants copying of customer email addresses from these pages was unauthorized access under the CFAA. Defendants scraper program gained unauthorized access because it deviated from the intended use of CommCorps website. United States v. Phillips, 477 F.3d 215, 218-20 (5th Cir. 2007); see also United States v. Morris, 928 F.2d 504, 506, 510 (2d Cir. 1991) (defendants use of an early version of email to send a computer virus constituted unauthorized access within the meaning of the CFAA because defendants use of email deviated from the intended function of the feature). CommCorps website was designed to make it easier for CommCorp tablet users to access their CommCorp accounts. The website was designed so that tablet users would automatically be directed to a web page with their email address entered. The only other way to access these personalized pages would be to type out the websites URLsa tedious bit of guesswork that would require users to type in URLs and hope that they would happen across a URL contained an appropriate, 20-digit number that matched a CommCorp tablet. Defendants tactic of using the scraper program was similar to that of the defendant in Phillips, who developed a program thatby repeatedly entering nine-digit numbers intended to replicate social security numberswould gain access to websites. Phillips, supra, 477 F.3d at 218. Like the 8

Phillips defendants program, here, Defendants program used a similar brute force technique of repeatedly guessing the URLs for CommCorps users web pages until the program happened to enter a URL that matched an existing page. See id. (describing how a brute force attack on a web page works). Because Defendant accessed CommCorps website in a manner that CommCorp did not intend, his access was unauthorized. Furthermore, Defendants access was far afield from what CommCorp intended because Defendant had to actively deceive CommCorps website by changing his user agent string to identify his computer as a tablet. This deception not only deviated from the websites intended use, but used deceptive practices to circumvent the websites barriers to access. Our approach is consistent with existing precedent. In EF Cultural Travel BV v. Explorica, Inc., Explorica developed a scraper program that accessed the website of the plaintiff, EF Cultural Travel (EF), a competing travel agency. 274 F.3d 577, 579 (1st Cir. 2001). The program entered URLs for EFs webpages, tailoring the URLs it searched to match codes provided by former EF employees. Id. These codes also appeared to users in publicly visible URLs as users accessed EFs website and Exploricas scraper program simply duplicated these URLs and downloaded information from the webpages that were generated. Id. at 579, 582-83. The First Circuit held that the trial court was not mistaken to find that Exploricas scraper program was unauthorized access under the meaning of the CFAA. Id. at 584-85. Here, like the defendant in Explorica, Defendants scraper program accessed URLs and copied information from CommCorps webpages. Like the URLs in Explorica, the URLs Defendant accessed were also publicly accessible. Defendant developed a scraper program to access CommCorps website in a manner similar to the program used by the Explorica defendant, using the programs ability to quickly enter URLs so that Defendant could eventually find those pages that corresponded to tablet users. Accordingly, Defendants access to CommCorps website was unauthorized. The Dissent contends that CommCorp implicitly authorized access to people like Defendant because any computer user could enter URLs, view, and copy the email addresses on CommCorps website. This framing of the issue underemphasizes the lengths through which Defendant needed to go to enter the proper URLs. Defendant relied upon a program that repeatedly entered URLsmany of which were invaliduntil, through the brute force of repeated attempts, he happened to come up with one including a series of numbers and letters 9

that matched a CommCorp tablet. This is analogous to repeated attempts to enter a password on a restricted webpagealso something that any member of the public can do, and that even critics of our approach would agree is unauthorized. See Orin S. Kerr, Cybercrimes Scope: Interpreting Access and Authorization in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1644-45 (2003) (describing a code-based definition of authorized access where users access computers without authorization by circumventing passwords); see also Morris, supra, 928 F.2d at 510 (holding that the password guessing feature of a computer worm constitutes access without authorization). Even if we chose not to find that Defendant gained unauthorized access by deviating from the intended use of CommCorps website, the websites terms of service provide us with an independent avenue of affirming the trial courts judgment. Because the Defendants scraper program violated the terms of service for CommCorps website, Defendants use of the program was unauthorized access under the CFAA. See America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444, 450 (E.D. Va. 1998); see also United States v. Rodriguez, 628 F.3d 1258, 1260, 1263 (10th Cir. 2010) (Social Security Administration employee gained unauthorized access to database by violating Administration policy against accessing the database for non-business reasons); America Online v. National Health Care Discount, Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa, 2001) (defendants access was unauthorized because defendant violated terms of service). This pattern is also consistent with decisions in the context of employee access to employer computers. See e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (Social Security Administration employees access of office records for personal reasons was unauthorized under the CFAA because it was contrary to Administration policy). In its terms of service, CommCorp clearly prohibited Defendants activity. The CFAA does not define authorization, and in the absence of a statutory definition, we look to the factual circumstances of this case to determine if CommCorp limited the ability of any of its users to access its website. CommCorps terms of service fill the gap that the CFAA leads open. The terms of service systematically describe what users on the website cannot do and clearly restrict CommCorp users from viewing and copying information from pages that are not associated with their own tablets. While users need to take some active measures to view the terms of service, every page on CommCorps website includes a clear link to these terms,

10

rendering implausible the claim that users cannot be reasonably expected to know the terms of service. In the absence of a statutory definition of unauthorized access, website terms of service may be the next best place to look for meaning. Each site provides its own terms of service and these terms are tailored to meet the needs of any individual or company with an online presence. The terms of service are generally accessible to every user of each webpage who clicks on the link to the terms. Terms of service provide a means to clearly define whether users access is unauthorized under the meaning of the CFAA. We believe that our interpretation of the CFAA effectively protects website owners and users. As the facts of this case reveal, an increasing quantity of personal information is stored in online repositories and technology-savvy individuals are always developing novel, intricate methods to access this information. Defining authorization by referencing the expectations of those who run websites is the most effective way to ensure that malicious hackers are held responsible even if their methods are new and creative.

The FBI Did Not Violate the Fourth Amendment by Accessing Defendants Wireless Network and Shared Folder

Defendant argues that Agents Boot and Blocks actions of accessing his wireless network and shared folder constituted searches within the meaning of the Fourth Amendment. Because the agents undertook these actions without a warrant, Defendant contends that his Fourth Amendment rights were violated and that the evidence obtained from the shared folder should have been excluded.3 The Fourth Amendment prohibits unreasonable searches and seizures. U.S. CONST. amend. IV. To determine whether the conduct of the police constituted a search under the Fourth Amendment, we look to Katz v. United States, 389 U.S. 347 (1967). In Katz, the Supreme Court

At trial, the Government did not argue that the content of Defendants shared folder would have inevitably been discovered or could have been located as a result of an independent, lawful search that would have taken place without use of the information discovered in the shared folder. The Government has therefore waived the ability to argue on appeal that even if the search was unlawful, the evidence should not be excluded. Moreover, the government did not contend that there was any imminent risk of document destruction, thereby waiving the governments ability to argue that any probable cause justified a search in light of exigent circumstances. Contra Warden v. Hayden, 387 U.S. 294, 298-99 (1967).

11

noted that the Fourth Amendment protects people, not places, rejecting the traditional approach of analyzing whether the governments search infringes on a constitutionally protected area. Katz v. United States, 389 U.S. 347, 350-51 (1967). This approach requires us to determine whether the government violated the defendants subjective expectation of privacy and whether society was prepared to recognize this expectation of privacy as reasonable. Id. at 361 (Harlan, J., concurring); see also Kyllo v. United States, 533 U.S. 27, 33 (2001). We need not delve into whether Defendant subjectively expected his files to be private when stored in the shared folder. Under the Katz approach, the government must violate both a subjective and objective expectation of privacy in order for a search to have occurred. Katz, supra, 389 U.S. at 350-51. We find that Defendant did not have an objectively reasonable expectation of privacy in his wireless network, nor in the folder he shared over his wireless network. This question presents an issue of first impression for this court: whether individuals who store information on a shared wireless network have a reasonable expectation of privacy in that information. While the particular technology involved in this case is new territory for this court, we find that existing Fourth Amendment case law is rife with analogous situations. The United States Supreme Court has repeatedly held that observations by the police that may be readily made by members of the public do not constitute Fourth Amendment searches. There is no Fourth Amendment search when police officers approach a home, knock on the door, and speak to the occupant. Kentucky v. King, 131 S. Ct. 1849, 1862 (2011). There is no Fourth Amendment search when police officers use a helicopter to observe a fenced-in yard. California v. Ciraolo, 476 U.S. 207, 213-14 (1986). The Court reached these holdings using a similar justification: members of the public would have been able to make observations similar to those made by the police. Under Katz, [w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. Katz, supra, 389 U.S., at 351. Here, even if Defendant expected that folders shared over his wireless network would remain private, this expectation of privacy was not reasonable. The wireless network emanated from Defendants home. This was not a situation where the police needed to use specialized techniques or equipment. See Florida v. Jardines, 133 S. Ct. 1409, 1416-18 (police use of drugsniffing dog at front door of home was a search under the Fourth Amendment); Kyllo v. United 12

States, 533 U.S. 27, 40 (police use of thermal imaging device that is not in general public use was a search under the Fourth Amendment). Anybody with a laptop or Smartphone could have determined that the network existed and accessed the shared folder over that network, meaning that Defendant could not have held a reasonable expectation of privacy in the network or in his folder on that network. See United States v. Borowy, 595 F.3d 1045, 1048 (9th Cir. 2010); United States v. Sayer, 2012 WL 2180577 No. 2:11cr113DBH at *2 (D. Me. 2012). The Dissent concludes that Agent Boots Shadow device is not available for use by the public because it had the unique capacity to estimate the distance of Defendants wireless router. This conclusion does not affect our resolution of this case, however, because Agents Boot and Block did not rely on this function to locate and access the incriminating evidence. While the Shadow device itself may be unavailable to the public, the functions it carried out that were relevant to the prosecution were actions that any member of the public in the vicinity of Defendants home could have taken with a publicly available laptop or Smartphone. Moreover, when Defendant placed documents in a folder that he effectively broadcasted to the public using his wireless network, he assumed the risk that a third party would come across this information and notify the authorities. The governments monitoring of this broadcasted information is therefore not a search because it falls under the third party doctrine. See Smith v. Maryland, 442 U.S. 735, 743-44 (1979) ([t]his Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties). We are certainly not the first court to apply the third party doctrine in the internet context. See, e.g., United States v. Forrester, 512 F.3d 500, 509-10 (9th Cir. 2008) (holding that to/from addresses on email are analogous to phone numbers traced by pen register and therefore fall under the third party doctrine). Moreover, we are not the first to find that a defendants submission of information over a wireless network assumes the risk that the police will gain access to that information. See United States v. Stanley, 2012 WL 5512987 No. 11272 at *12 (W.D. Penn. 2012). Even if Agents Boot and Blocks actions intruded into Defendants home, as the Dissent worries, Defendants voluntary relinquishment of his documents to members of the public distinguishes this case from the cases the Dissent cites. See Stanley, supra, 2012 WL 5512987 at *16.

13

Defendant voluntarily relinquished the content of his folder to the public and thereby assumed the risk that a member of the public would refer that content to law enforcement authorities. Accordingly, the wireless network and its content falls within the third party doctrine and Defendant could not have had a reasonable expectation of privacy in his wireless network and the folders shared over this network.

CONCLUSION

For the foregoing reasons, we find the trial court did not err in its determination that Defendants access of CommCorps website was unauthorized under the CFAA. Moreover, we find that the trial court did not err in admitting evidence obtained through the use of the Shadow device. Accordingly, the judgment of the trial court is

AFFIRMED

It is so ordered.

HADDOCK, C.J. dissenting

Because the Majoritys interpretation of the CFAA is mistaken and overbroad, and because Agents Boot and Block carried out a search under the Fourth Amendment, I respectfully dissent.

Defendant Did Not Violate the CFAA

The Majority contends that the trial court was correct to conclude that the Defendants use of the scraper program constituted unauthorized access of CommCorps website under the meaning of the CFAA. The Majority reaches this conclusion in two distinct ways. The Majority first concludes that CommCorp did not intend for users to access and download information from its website with a scraper program, and that this unexpected access constituted unauthorized access. The Majority separately contends that a violation of website terms of service constitutes 14

unauthorized access. Both of these conclusions rely on a dangerously broad definition of the CFAA that would criminalize massive amounts of common, online activity. See Pulte Homes, Inc. v. Laborers Intl. Union of North America, 648 F.3d 295, 299, 304 (6th Cir. 2011) (defendants tactic of sending numerous, repeated emails to website to overload the websites computer capacity was not unauthorized under the CFAA because any member of the public could send emails to the website). The CFAA does not define when an individual accesses a protected computer without authorization. Accordingly, we must determine the meaning of this terminology by looking to the contemporary, common meaning of the words in the statute. LVRC Holdings, LLC. v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). Authorization is defined as permission or power granted by an authority. Id. at 1133 (citing Random House Unabridged Dictionary, 139 (2001)) (internal quotations omitted). When the language of a criminal statute is ambiguous, the rule of lenity requires courts to construe any ambiguity in favor of the defendant. LVRC Holdings, supra, 581 F.3d at 1134-35. The Majority concludes that Defendants scraper device went beyond the type of use CommCorp intended. Even if this were true, the Majoritys conclusion that such unintended use constitutes unauthorized access under the CFAA is both incorrect and dangerous. Here, Defendant accessed a series of websites that any member of the public could have accessed and copied information from these websitesjust as any member of the public could have. Because any member of the public could have accessed CommCorps website without needing to enter a password or overcome any barrier, CommCorp implicitly authorized members of the public to access the various websites where users email addresses were stored. See Pulte Homes, supra, 648 F.3d at 304. In Pulte Homes, the Sixth Circuit held that individuals have implied access to websites insofar as they may view content that is not password-protected and email that website without restriction. Id. Because any member of the public could have viewed the URLs that Defendant accessed, and because any member of the public could have copied the email information on these websites, Defendants scraper program was not unauthorized access. While Defendants scraper program may have operated on a scale far beyond the capacity of any individual user, the programs access to CommCorps website was only different in degree, not kind, from any individual users access of that site. CommCorps argument that scraper programs clearly violate the expected use of its website is unconvincing. Furthermore, as 15

a large public corporation with hundreds of thousands of customers, CommCorp should expect its websites to be accessed thousands of times each day. Here, Defendant visited CommCorps website thousands of times in a single day, a practice that, while unconventional, was no different from the day-to-day web traffic that CommCorp should have expected. Further, CommCorps subjective hopes and wishes that the public would not visit the website do not make an unexpected visitors access unauthorized. See EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). In EF, a company used a scraper program to send queries to a competitors website to collect pricing information. Id. at 63. In spite of the fact that the court recognized that EF would dislike the use of a scraper, the court held that the use of the scraper was not unauthorized access under the CFAA. Id. CommCorp doubtless hoped that the public at large would not access its users login URLs but premising criminal liability on an owners hopes would severely chill everyday internet users willingness to explore the worldwide web due to fear of potential litigation. It is no help to the Majority to argue that Defendants actions deceived the website into thinking that Defendant was using a tablet. While Defendants manipulation of his user agent string sent an altered operating system signal to websites, the end result of this manipulation was simply that websites would read Defendants computer as a tablet, rather than as a computer. Anybody in the public can send this message to websites by accessing them using a tablet, and Defendants alteration of his user agent string merely allowed his computer to do so as well. The Majority finally contends that because Defendants use of the scraper program violated CommCorps terms of service, Defendant accessed CommCorps website without authorization. The Majority contends that this case is similar to situations where employees violate company policies. See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (finding unauthorized access when employee violated company policies). The case before this Court does not involve the clear-cut situations the Majority references. Here, CommCorps terms of service were accessible only to those users who took the positive actions of scrolling to the bottom of the webpage and clicking on the Terms of Service link. Users then needed to click on the secondary CommCorp Website Terms of Service link. This link leads users to CommCorps terms of service for its website, a dense, tenpage document.

16

CommCorps terms of service do not meaningfully protect its website. See Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 933 (E.D. Va. 2010). Unlike a signed confidentiality or employment agreement, CommCorps terms of service are effectively buried out of the sight of all but the most inquisitive users. While the Majority may be correct to conclude that website terms of service provide a clear guide to what CommCorp authorizes its users to do, the Majoritys decision embraces clarity at the expense of practicality. Realistically, no reasonable user could be expected to notice CommCorps terms of service. Id. at 932. Moreover, because website owners are entirely in control of their website terms of service, using these terms to define authorized and unauthorized access can lead to absurd results. See Orin S. Kerr, Cybercrimes Scope: Interpreting Access and Authorization in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1650-51 (2003) (a computer owner could set up a public web page, announce that no one is allowed to visit my web page, and then refer for prosecution anyone who clicks on the site out of curiosity). Because Defendants scraper program merely carried out actions that any member of the public could have taken, and because Defendant could not have been expected to notice CommCorps terms of service, Defendants use of the scraper program did not constitute unauthorized access under the meaning of the CFAA. Accordingly, Defendants conviction should be reversed.

The FBI Violated Defendants Fourth Amendment Rights by Trespassing on Defendants Home and by Infringing Upon His Reasonable Expectation of Privacy

The Majoritys exclusive focus on Katz all but ignores the property-based approach that the United States Supreme Court developed during its most recent terms. See Florida v. Jardines, 133 S. Ct. 1409 (2013); United States v. Jones, 132 S. Ct. 945 (2012). In these cases, the Supreme Court emphasized that intrusion onto an individuals property can constitute a search under the Fourth Amendment, whether or not the intrusion violates a reasonable expectation of privacy. Contrary to the Majoritys assertion, Katz did not reject an approach to Fourth Amendment analysis based in property law. See Jones, supra, 132 S. Ct. at 950-951. Rather, the Katz reasonable-expectation-of-privacy test has been added to, not substituted for, the 17

common-law trespassory test. Id. at 952 (emphasis in original). If police, while obtaining information about an individual, act in a manner that intrudes upon the home or that would constitute common-law trespass, that action is a search under the Fourth Amendment. Jardines, supra, 133 S. Ct. at 1415-16; Jones, supra, 132 S. Ct. at 949-51. With this framework in mind, the Fourth Amendment implications of Agents Boot and Blocks actions are clear. Agent Boots initial use of the Shadow device was a search within the meaning of the Fourth Amendment because this device revealed information about a device inside of Defendants home. This intrusion constitutes trespass to chattels, and is therefore a search under the Fourth Amendment. See id. (trespass to chattels is a search under the Fourth Amendment); Register.com, Inc. v. Verio, Inc., 126 F. Supp.2d 238, 249-50 (S.D.N.Y. 2000) (use of search robot to access an online database was sufficient to show likelihood of success in trespass to chattels claim); see also Ned Snow, Accessing the Internet Through the Neighbors Wireless Internet Connection: Physical Trespass in Virtual Reality, 84 NEB. L. REV. 1226 (2006) (arguing that access of wireless router constitutes trespass to chattels). Moreover, even if the Majority is convinced that the specifics of common law trespass could not have foreseen the development of wireless networks and the Shadow, the use of this device and the information it reveals about the interior of the home is intrusion that rises to the level of a Fourth Amendment search. See Jardines, supra, 133 S. Ct. at 1415-16. Agent Blocks further action of opening the shared folder revealed even more information than the initial search by the Shadow. Agent Block not only accessed the wireless network, but also manipulated information within this network, which further intruded into Defendants home and constituted an additional search. See id.; see also United States v. Ahrndt, 2013 WL 179326 No. 3:08CR00468KI at *6-8 (D. Or. 2013) (police officers directing private citizen to open a file shared over an unsecured wireless network constituted a search under the Fourth Amendment). The agents actions constituted searches within the meaning of the Fourth Amendment. Because these searches occurred without a warrant, they were unreasonable and the evidence that Agents Boot and Block retrieved from Defendants wireless network should have been excluded. This holding is warranted even if one concedes that Majoritys singular focus on Katz is the proper approach to this case. Agents Boot and Blocks actions used sensitive equipment that revealed information that Defendant had not sought to share with the public, and this infringed 18

on his reasonable expectation of privacy. See Jardines, supra, 133 S. Ct. at 1418-19 (Kagan, J. concurring). In addressing infrared scanning technology in Kyllo v. United States, the Supreme Court held that: Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a search and is presumptively unreasonable without a warrant. 533 U.S. 27, 40 (2001). Here, Agent Boot employed technology that was not in common use. The Shadow is not sold to members of the general public. Moreover, Agent Boot testified that the Shadow reveals not only the name and security status of wireless networks, but also calculates the distance of routers a function that publicly available devices do not perform. Accordingly, the Shadow fits directly into the category of devices that the Supreme Court described in Kyllo, and Agent Boots use of the Shadow constituted a search. See id. In light of Jardines, Jones, and Kyllo, the Majoritys final hope to salvage its ruling is its attempt to label Defendants shared folder as falling within the third party doctrine. Its attempt to do so stretches the doctrine beyond recognition. Unlike the defendants in Smith, Forrester, and Stanley, here, Defendant did not submit any information to a third party. Defendants wireless router was in his home and Defendant was not using another partys router, nor was he transferring any information to a website or phone service. The majority repeatedly employs the word share, in an apparent attempt to analogize this case with third party doctrine case law. Here there was no sharing in the common sense of the word defendant simply had a network that was not password protected, and had a folder that could be accessed using this network. There is no evidence of intent to transfer this information to any other party. Accordingly, this case does not fall within the third party doctrine, and Defendants expectation of privacy in his wireless network and folders on this network was reasonable. For these reasons, Agents Boot and Blocks actions were unreasonable searches under the Fourth Amendment and the spreadsheet and other files that these searches revealed should have been excluded by the trial court. Accordingly, Defendants conviction should be reversed.

19

Table of Authorities (Issue 1) Statutes 18 U.S.C. 1030 Cases EF Cultural Travel v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) United States v. Phillips, 477 F.3d 215 (5th Cir. 2007) United States v. Morris, 928 F.2d 504 (2d Cir. 1991) Cvent v. Eventbrite, 739 F.Supp. 2d 927 (E.D. Va. 2010) America Online v. National Health Care Discount, 174 F. Supp. 2d 890 (N.D. Iowa 2001) Davies v. Afilias Ltd., 293 F. Supp. 2d 1265 (M.D. Fla. 2003) America Online v. LCGM, 46 F. Supp.2d 444 (E.D. Va. 1998) United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) LVRC Holdings v. Brekka, 581 F.2d 1127 (9th Cir. 2009) Pulte Homes v. Laborers' International Union of North America, 648 F.3d 295 (6th Cir. 2011) Clarity Services v. Barney, 698 F. Supp. 2d 1309 (M.D. Fla. 2010) International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006) United States v. Mitra, 405 F.3d 492 (7th Cir. 2005) EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) Other Sources Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596 (2003) Password, MERRIAM WEBSTER, http://www.merriam-webster.com/dictionary/password.

20

Table of Authorities (Issue 2)

Constitutions U.S. CONST. amend. IV Cases United States v. Jones, 132 S. Ct. 945 (2012) Florida v. Jardines, 133 S. Ct. 1409 (2013) Katz v. United States, 389 U.S. 347 (1967) Kyllo v. United States, 533 U.S. 27 (2001) Kentucky v. King, 131 S. Ct. 1849 (2011) California v. Ciraolo, 476 U.S. 207 (1986) United States v. Knotts, 460 U.S. 276 (1983) United States v. Karo, 468 U.S. 705 (1984) Smith v. Maryland, 442 U.S. 735 (1979) United States v. Borowy, 595 F.3d 1045 (9th Cir. 2010) United States v. Forrester, 512 F.3d 500 (9th Cir. 2008) United States v. Broadhurst, 2012 WL 5985615 No. 3:11cr00121MO1 (D. Or. 2012) United States v. Stanley, 2012 WL 5512987 No. 11272 (W.D. Penn. 2012) United States v. Ahrndt, 2013 WL 179326 No. 3:08CR00468KI. (D. Or. 2013) United States v. Sayer, 2012 WL 2180577 No. 2:11cr113DBH. (D. Me. 2012) Intel Corp. v. Hamidi, 71 P.3d 296 (Cal. 1996) America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp.2d 1255 (N.D. Iowa 2000). Register.com, Inc. v. Verio, Inc., 126 F. Supp.2d 238 (S.D.N.Y. 2000). eBay, Inc. v. Bidders Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000)

Articles Orin S. Kerr, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 MICH. L. REV. 801 (2004) Ned Snow, Accessing the Internet Through the Neighbors Wireless Internet Connection: Physical Trespass in Virtual Reality, 84 NEB. L. REV. 1226 (2006) 21