This appeal presents two narrow issues of statutory construction concerning a provision Congress recently adopted to strengthen protection against computer crimes. Section 2(d) of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. Section 1030(a)(5)(A) (1988), punishes anyone who intentionally accesses without authorization a category of computers known as "[f]ederal interest computers" and damages or prevents authorized use of information in such computers, causing loss of $1,000 or more. The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of "access without authorization."
These questions are raised on an appeal by Robert Tappan Morris from the May 16, 1990, judgment of the District Court for the Northern District of New York (Howard G. Munson, Judge) convicting him, after a jury trial, of violating 18 U.S.C. Section 1030(a)(5)(A). Morris released into Internet, a national computer network, a computer program known as a "worm" that spread and multiplied, eventually causing computers at various educational institutions and military sites to "crash" or cease functioning.
We conclude that section 1030(a)(5)(A) does not require the Government to demonstrate that the defendant intentionally prevented authorized use and thereby caused loss. We also find that there was sufficient evidence for the jury to conclude that Morris acted "without authorization" within the meaning of section 1030(a)(5)(A). We therefore affirm.
In the fall of 1988, Morris was a first-year graduate student in Cornell University's computer science Ph.D. program. Through undergraduate work at Harvard and in various jobs he had acquired significant computer experience and expertise. When Morris entered Cornell, he was given an account on the computer at the Computer Science Division. This account gave him explicit authorization to use computers at Cornell. Morris engaged in various discussions with fellow graduate students about the security of computer networks and his ability to penetrate it.
In October 1988, Morris began work on a computer program, later known as the Internet "worm" or "virus." The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers. Morris designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. Morris released the worm into Internet, which is a group of national networks that connect university, governmental, and military computers around the country. The network permits communication and transfer of information between computers on the network.
Morris sought to program the Internet worm to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read, so that other programmers would not be able to "kill" the worm easily. Morris also wanted to ensure that the worm did not copy itself onto a computer that already had a copy. Multiple copies of the worm on a computer would make the worm easier to detect and would bog down the system and ultimately cause the computer to crash. Therefore, Morris designed the worm to "ask" each computer whether it already had a copy of the worm. If it responded "no," then the worm would copy onto the computer; if it responded "yes," the worm would not duplicate. However, Morris was concerned that other programmers could kill the worm by programming their own computers to falsely respond "yes" to the question. To circumvent this protection, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two. This would have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of reinfection.
Morris identified four ways in which the worm could break into computers on the network: (1) through a "hole" or "bug" (an error) in SEND MAIL, a computer program that transfers and receives electronic mail on a computer; (2) through a bug in the "finger demon" program, a program that permits a person to obtain limited information about the users of another computer; (3) through the "trusted hosts" feature, which permits a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and (4) through a program of password guessing, whereby various combinations of letters are tried out in rapid sequence in the hope that one will be an authorized user's password, which is entered to permit whatever level of activity that user is authorized to perform.
On November 2, 1988, Morris released the worm from a computer at the Massachusetts Institute of Technology. MIT was selected to disguise the fact that the worm came from Morris at Cornell. Morris soon discovered that the worm was replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at numerous installations, including leading universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.
Morris was found guilty, following a jury trial, of violating 18 U.S.C. Section 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.
I. The intent requirement in section 1030(a)(5)(A)
Section 1030(a)(5)(A), covers anyone who (5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby (A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; ... [emphasis added].
The District Court concluded that the intent requirement applied only to the accessing and not to the resulting damage. Judge Munson found recourse to legislative history unnecessary because he considered the statute clear and unambiguous. However, the Court observed that the legislative history supported its reading of section 1030(a)(5)(A).
Morris argues that the Government had to prove not only that he intended the unauthorized access of a federal interest computer, but also that he intended to prevent others from using it, and thus cause a loss. The adverb "intentionally," he contends, modifies both verb phrases of the section. The Government urges that since punctuation sets the "accesses" phrase off from the subsequent "damages" phrase, the provision unambiguously shows that "intentionally" modifies only "accesses." Absent textual ambiguity, the Government asserts that recourse to legislative history is not appropriate. See Burlington N.R. Co. v. Oklahoma Tax Comm'n, 481 U.S. 454, 461, 107 S.Ct. 1855, 1859, 95 L.Ed.2d 404 (1987); Consumer Product Safety Comm'n v. GTE Sylvania, Inc., 447 U.S. 102, 108, 100 S.Ct. 2051, 2056, 64 L.Ed.2d 766 (1980); United States v. Holroyd, 732 F.2d 1122, 1125 (2d Cir. 1984).
With some statutes, punctuation has been relied upon to indicate that a phrase set off by commas is independent of the language that followed. See United States v. Ron Pair Enterprises, Inc., 489 U.S. 235, 241, 109 S.Ct. 1026, 1030, 103 L.Ed.2d 290 (1989) (interpreting the Bankruptcy Code). However, we have been advised that punctuation is not necessarily decisive in construing statutes, see Costanzo v. Tillinghast, 287 U.S. 341, 344, 53 S.Ct. 152, 153, 77 L.Ed. 350 (1932), and with many statutes, a mental state adverb adjacent to initial words has been applied to phrases or clauses appearing later in the statute without regard to the punctuation or structure of the statute. See Liparota v. United States, 471 U.S. 419, 426-29, 105 S.Ct. 2084, 2088-90, 85 L.Ed.2d 434 (1985) (interpreting food stamps provision); United States v. Nofziger, 878 F.2d 442, 446-50 (D.C.Cir.) (interpreting government "revolving door" statute), cert. denied, --- U.S. ----, 110 S.Ct. 564, 107 L.Ed.2d 559 (1989); United States v. Johnson & Towers, Inc., 741 F.2d 662, 667-69 (3d Cir. 1984) (interpreting the conservation act), cert. denied, 469 U.S. 1208, 105 S.Ct. 1171, 84 L.Ed.2d 321 (1985). In the present case, we do not believe the comma after "authorization" renders the text so clear as to preclude review of the legislative history.
The first federal statute dealing with computer crimes was passed in 1984, Pub.L. No. 98-473 (codified at 18 U.S.C. Section 1030 (Supp. II 1984)). The specific provision under which Morris was convicted was added in 1986, Pub.L. No. 99-474, along with some other changes. The 1986 amendments made several changes relevant to our analysis.
First, the 1986 amendments changed the scienter requirement in section 1030(a)(2) from "knowingly" to "intentionally." SeePub.L. No. 99-474, section 2(a)(1). The subsection now covers anyone who (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). According to the Senate Judiciary Committee, Congress changed the mental state requirement in section 1030(a)(2) for two reasons. Congress sought only to proscribe intentional acts of unauthorized access, not "mistaken, inadvertent, or careless" acts of unauthorized access. S.Rep. No. 99-432, 99th Cong., 2d Sess. 5 (1986), reprinted in 1986 U.S. Code Cong. & Admin. News 2479, 2483 [hereinafter Senate Report].
Also, Congress expressed concern that the "knowingly" standard "might be inappropriate for cases involving computer technology." Id. The concern was that a scienter requirement of "knowingly" might encompass the acts of an individual "who inadvertently 'stumble[d] into' someone else's computer file or computer data," especially where such individual was authorized to use a particular computer. Id. at 6, 1986 U.S.Code Cong. & Admin.News at 2483. The Senate Report concluded that "[t]he substitution of an 'intentional' standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another." Id., U.S.Code Cong. & Admin.News at 2484. Congress retained the "knowingly" standard in other subsections of section 1030. See 18 U.S.C. Section 1030(a)(1), (a)(4).
This use of a mens rea standard to make sure that inadvertent accessing was not covered is also emphasized in the Senate Report's discussion of section 1030(a)(3) and section 1030(a)(5), under which Morris was convicted. Both subsections were designed to target "outsiders," individuals without authorization to access any federal interest computer. Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. The rationale for the mens rea requirement suggests that it modifies only the "accesses" phrase, which was the focus of Congress's concern in strengthening the scienter requirement.
The other relevant change in the 1986 amendments was the introduction of subsection (a)(5) to replace its earlier version, subsection (a)(3) of the 1984 act, 18 U.S.C. Section 1030(a)(3) (Supp. II 1984). The predecessor subsection covered anyone who knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend, and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer, if such computer is operated for or on behalf of the Government of United States and such conduct affects such operation. The 1986 version changed the mental state requirement from "knowingly" to "intentionally," and did not repeat it after the "accesses" phrase, as had the 1984 version. By contrast, other subsections of section 1030 have retained "dual intent" language, placing the scienter requirement at the beginning of both the "accesses" phrase and the "damages" phrase. See, e.g., 18 U.S.C. Section 1030(a)(1).
Morris notes the careful attention that Congress gave to selecting the scienter requirement for current subsections (a)(2) and (a)(5). Then, relying primarily on comments in the Senate and House reports, Morris argues that the "intentionally" requirement of section 1030(a)(5)(A) describes both the conduct of accessing and damaging. As he notes, the Senate Report said that "[t]he new subsection 1030(a)(5) to be created by the bill is designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another." Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. The House Judiciary Committee stated that "the bill proposes a new section (18 U.S.C. 1030(a)(5)) which can be characterized as a 'malicious damage' felony violation involving a Federal interest computer. We have included an 'intentional' standard for this felony and coverage is extended only to outside trespassers with a $1,000 threshold damage level." H.R.Rep. No. 99-612, 99th Cong.2d Sess. at 7 (1986). A member of the Judiciary Committee also referred to the section 1030(a)(5) offense as a "malicious damage" felony during the floor debate. 132 Cong.Rec. H3275, 3276 (daily ed. June 3, 1986) (remarks of Rep. Hughes).
The Government's argument that the scienter requirement in section 1030(a)(5)(A) applies only to the "accesses" phrase is premised primarily upon the difference between subsection (a)(5)(A) and its predecessor in the 1984 statute. The decision to state the scienter requirement only once in subsection (a)(5)(A), along with the decision to change it from "knowingly" to "intentionally," are claimed to evince a clear intent upon the part of Congress to apply the scienter requirement only to the "accesses" phrase, though making that requirement more difficult to satisfy. This reading would carry out the Congressional objective of protecting the individual who "inadvertently 'stumble[s] into' someone else's computer file." Senate Report at 6, U.S. Code Cong. & Admin. News at 2483.
The Government also suggests that the fact that other subsections of section 1030 continue to repeat the scienter requirement before both phrases of a subsection is evidence that Congress selectively decided within the various subsections of section 1030 where the scienter requirement was and was not intended to apply. Morris responds with a plausible explanation as to why certain other provisions of section 1030 retain dual intent language. Those subsections use two different mens rea standards; therefore it is necessary to refer to the scienter requirement twice in the subsection. For example, section 1030(a)(1) covers anyone who (1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data ... with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation.
Since Congress sought in subsection (a)(1) to have the "knowingly" standard govern the "accesses" phrase and the "with intent" standard govern the "results" phrase, it was necessary to state the scienter requirement at the beginning of both phrases. By contrast, Morris argues, where Congress stated the scienter requirement only once, at the beginning of the "accesses" phrase, it was intended to cover both the "accesses" phrase and the phrase that followed it.
There is a problem, however, with applying Morris's explanation to section 1030(a)(5)(A). As noted earlier, the predecessor of subsection (a)(5)(A) explicitly placed the same mental state requirement before both the "accesses" phrase and the "damages" phrase. In relevant part, that predecessor in the 1984 statute covered anyone who "knowingly accesses a computer without authorization, ... and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer...." 18 U.S.C. Section 1030(a)(3) (Supp. II 1984) (emphasis added). This earlier provision demonstrates that Congress has on occasion chosen to repeat the same scienter standard in the "accesses" phrase and the subsequent phrase of a subsection of the Computer Fraud Statute. More pertinently, it shows that the 1986 amendments adding subsection (a)(5)(A) placed the scienter requirement adjacent only to the "accesses" phrase in contrast to a predecessor provision that had placed the same standard before both that phrase and the subsequent phrase.
Despite some isolated language in the legislative history that arguably suggests a scienter component for the "damages" phrase of section 1030(a)(5)(A), the wording, structure, and purpose of the subsection, examined in comparison with its departure from the format of its predecessor provision persuade us that the "intentionally" standard applies only to the "accesses" phrase of section 1030(a)(5)(A), and not to its "damages" phrase.
II. The unauthorized access requirement in section 1030(a)(5)(A)
Section 1030(a)(5)(A) penalizes the conduct of an individual who "intentionally accesses a Federal interest computer without authorization." Morris contends that his conduct constituted, at most, "exceeding authorized access" rather than the "unauthorized access" that the subsection punishes. Morris argues that there was insufficient evidence to convict him of "unauthorized access," and that even if the evidence sufficed, he was entitled to have the jury instructed on his "theory of defense."
We assess the sufficiency of the evidence under the traditional standard. Morris was authorized to use computers at Cornell, Harvard, and Berkeley, all of which were on INTERNET. As a result, Morris was authorized to communicate with other computers on the network to send electronic mail (SEND MAIL), and to find out certain information about the users of other computers (finger demon). The question is whether Morris's transmission of his worm constituted exceeding authorized access or accessing without authorization.
The Senate Report stated that section 1030(a)(5)(A), like the new section 1030(a)(3), would "be aimed at 'outsiders,' i.e., those lacking authorization to access any Federal interest computer." Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. But the Report also stated, in concluding its discussion on the scope of section 1030(a)(3), that it applies "where the offender is completely outside the Government, ... or where the offender's act of trespass is interdepartmental in nature." Id. at 8, U.S.Code Cong. & Admin.News at 2486 (emphasis added).
Morris relies on the first quoted portion to argue that his actions can be characterized only as exceeding authorized access, since he had authorized access to a federal interest computer. However, the second quoted portion reveals that Congress was not drawing a bright line between those who have some access to any federal interest computer and those who have none. Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers. See, e.g., id. (stating that a Labor Department employee who uses Labor's computers to access without authorization an FBI computer can be criminally prosecuted).
The evidence permitted the jury to conclude that Morris's use of the SEND MAIL and finger demon features constituted access without authorization. While a case might arise where the use of SEND MAIL or finger demon falls within a nebulous area in which the line between accessing without authorization and exceeding authorized access may not be clear, Morris's conduct here falls well within the area of unauthorized access. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.
Moreover, the jury verdict need not be upheld solely on Morris's use of SEND MAIL and finger demon. As the District Court noted, in denying Morris' motion for acquittal, although the evidence may have shown that defendant's initial insertion of the worm simply exceeded his authorized access, the evidence also demonstrated that the worm was designed to spread to other computers at which he had no account and no authority, express or implied, to unleash the worm program. Moreover, there was also evidence that the worm was designed to gain access to computers at which he had no account by guessing their passwords. Accordingly, the evidence did support the jury's conclusion that defendant accessed without authority as opposed to merely exceeding the scope of his authority. In light of the reasonable conclusions that the jury could draw from Morris's use of SEND MAIL and finger demon, and from his use of the trusted hosts feature and password guessing, his challenge to the sufficiency of the evidence fails.
Morris endeavors to bolster his sufficiency argument by contending that his conduct was not punishable under subsection (a)(5) but was punishable under subsection (a)(3). That concession belies the validity of his claim that he only exceeded authorization rather than made unauthorized access. Neither subsection (a)(3) nor (a)(5) punishes conduct that exceeds authorization. Both punish a person who "accesses" "without authorization" certain computers. Subsection (a)(3) covers the computers of a department or agency of the United States; subsection (a)(5) more broadly covers any federal interest computers, defined to include, among other computers, those used exclusively by the United States, 18 U.S.C. Section 1030(e)(2)(A), and adds the element of causing damage or loss of use of a value of $1,000 or more. If Morris violated subsection (a)(3), as he concedes, then his conduct in inserting the worm into the Internet must have constituted "unauthorized access" under subsection (a)(5) to the computers of the federal departments the worm reached, for example, those of NASA and military bases.
To extricate himself from the consequence of conceding that he made "unauthorized access" within the meaning of subsection (a)(3), Morris subtly shifts his argument and contends that he is not within the reach of subsection (a)(5) at all. He argues that subsection (a)(5) covers only those who, unlike himself, lack access to any federal interest computer. It is true that a primary concern of Congress in drafting subsection (a)(5) was to reach those unauthorized to access any federal interest computer. The Senate Report stated, "[T]his subsection [(a)(5)] will be aimed at 'outsiders,' i.e., those lacking authorization to access any Federal interest computer." Senate Report at 10, U.S. Code Cong. & Admin. News at 2488. But the fact that the subsection is "aimed" at such "outsiders" does not mean that its coverage is limited to them. Congress understandably thought that the group most likely to damage federal interest computers would be those who lack authorization to use any of them. But it surely did not mean to insulate from liability the person authorized to use computers at the State Department who causes damage to computers at the Defense Department. Congress created the misdemeanor offense of subsection (a)(3) to punish intentional trespasses into computers for which one lacks authorized access; it added the felony offense of subsection (a)(5) to punish such a trespasser who also causes damage or loss in excess of $1,000, not only to computers of the United States but to any computer within the definition of federal interest computers. With both provisions, Congress was punishing those, like Morris, who, with access to some computers that enable them to communicate on a network linking other computers, gain access to other computers to which they lack authorization and either trespass, in violation of subsection (a)(3), or cause damage or loss of $1,000 or more, in violation of subsection (a)(5).
Morris also contends that the District Court should have instructed the jury on his theory that he was only exceeding authorized access. The District Court decided that it was unnecessary to provide the jury with a definition of "authorization." We agree. Since the word is of common usage, without any technical or ambiguous meaning, the Court was not obliged to instruct the jury on its meaning. See, e.g., United States v. Chenault, 844 F.2d 1124, 1131 (5th Cir. 1988) ("A trial court need not define specific statutory terms unless they are outside the common understanding of a juror or are so technical or specific as to require a definition.").
An instruction on "exceeding authorized access" would have risked misleading the jury into thinking that Morris could not be convicted if some of his conduct could be viewed as falling within this description. Yet, even if that phrase might have applied to some of his conduct, he could nonetheless be found liable for doing what the statute prohibited, gaining access where he was unauthorized and causing loss.
Additionally, the District Court properly refused to charge the jury with Morris's proposed jury instruction on access without authorization. That instruction stated, "To establish the element of lack of authorization, the government must prove beyond a reasonable doubt that Mr. Morris was an 'outsider,' that is, that he was not authorized to access any Federal interest computer in any manner." As the analysis of the legislative history reveals, Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses.
For the foregoing reasons, the judgment of the District Court is affirmed.
International Airport Centers, L.L.C. v. Citrin
440 F.3d 418( 2006)
POSNER, Circuit Judge.
This appeal from the dismissal of the plaintiffs' suit for failure to state a claim mainly requires us to interpret the word “transmission” in a key provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The complaint alleges the following facts, which for purposes of deciding the appeal we must take as true. The defendant, Citrin, was employed by the plaintiffs-affiliated companies engaged in the real estate business that we'll treat as one to simplify the opinion, and call “IAC”-to identify properties that IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets.
Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop to IAC, he deleted all the data in it-not only the data that he had collected but also data that would have revealed to IAC improper conduct in which he had engaged before he decided to quit. Ordinarily, pressing the “delete” key on a computer (or using a mouse click to delete) does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands. Such “deleted” files are easily recoverable. But Citrin loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery. Thomas J. Fitzgerald, “Deleted But Not Gone: Programs Help Protect Confidential Data by Making Disks and Drives Unreadable,” New York Times (national ed.), Nov. 3, 2005, p. C9. IAC had no copies of the files that Citrin erased.
The provision of the Computer Fraud and Abuse Act on which IAC relies provides that whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [a defined term that includes the laptop that Citrin used],” violates the Act. 18 U.S.C. § 1030(a)(5)(A)(i). Citrin argues that merely erasing a file from a computer is not a “transmission.” Pressing a delete or erase key in fact transmits a command, but it might be stretching the statute too far (especially since it provides criminal as well as civil sanctions for its violation) to consider any typing on a computer keyboard to be a form of “transmission” just because it transmits a command to the computer.
There is more here, however: the transmission of the secure-erasure program to the computer. We do not know whether the program was downloaded from the Internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire. Oddly, the complaint doesn't say; maybe IAC doesn't know-maybe all it knows is that when it got the computer back, the files in it had been erased. But we don't see what difference the precise mode of transmission can make. In either the Internet download or the disk insertion, a program intended to cause damage (not to the physical computer, of course, but to its files-but “damage” includes “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8)) is transmitted to the computer electronically. The only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer. The difference vanishes if the disk drive into which the disk is inserted is an external drive, connected to the computer by a wire, just as the computer is connected to the Internet by a telephone cable or a broadband cable or wirelessly.
There is the following contextual difference between the two modes of transmission, however: transmission via disk requires that the malefactor have physical access to the computer. By using the Internet, Citrin might have erased the laptop's files from afar by transmitting a virus. Such long-distance attacks can be more difficult to detect and thus to deter or punish than ones that can have been made only by someone with physical access, usually an employee. The inside attack, however, while easier to detect may also be easier to accomplish. Congress was concerned with both types of attack: attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer's data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii) (emphasis added), it can't make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.
Citrin violated that subsection too. For his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee. United States v. Galindo, 871 F.2d 99, 101 (9th Cir.1989); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124-25 (W.D.Wash.2000); see Restatement (Second) of Agency §§ 112, 387 (1958).
Muddying the picture some, the Computer Fraud and Abuse Act distinguishes between “without authorization” and “exceeding authorized access,” 18 U.S.C. §§ 1030(a)(1), (2), (4), and, while making both punishable, defines the latter as “access[ing] a computer with authorization and ... us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). That might seem the more apt description of what Citrin did.
The difference between “without authorization” and “exceeding authorized access” is paper thin, see Pacific Aerospace & Electronics, Inc. v. Taylor, 295 F.Supp.2d 1188, 1196-97 (E.D.Wash.2003), but not quite invisible. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir.2001), for example, the former employee of a travel agent, in violation of his confidentiality agreement with his former employer, used confidential information that he had obtained as an employee to create a program that enabled his new travel company to obtain information from his former employer's website that he could not have obtained as efficiently without the use of that confidential information. The website was open to the public, so he was authorized to use it, but he exceeded his authorization by using confidential information to obtain better access than other members of the public.
Our case is different. Citrin's breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC's agent-he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship. “Violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship.” State v. DiGiulio, 172 Ariz. 156, 835 P.2d 488, 492 (App.1992). “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.” Id.; Restatement, supra, § 112; see also Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., supra, 119 F.Supp.2d at 1123, 1125; cf. Phansalkar v. Andersen Weinroth & Co., 344 F.3d 184, 201-02 (2d Cir.2003) (per curiam); Restatement, supra, § 409(1) and comment b and illustration 2.
Citrin points out that his employment contract authorized him to “return or destroy ” data in the laptop when he ceased being employed by IAC (emphasis added). But it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have-if only to nail Citrin for misconduct. The purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted. More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company's employ-the provision authorizing him to return or destroy data in the laptop was limited to “Confidential” information. There may be a dispute over whether the incriminating files that Citrin destroyed contained “confidential” data, but that issue cannot be resolved on this appeal.
The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC's federal claim.
REVERSED AND REMANDED.
Edwards v. The First American Corporation
610 F.3d 514 (2010)
GRABER, Circuit Judge:
Plaintiff Denise P. Edwards filed a complaint against Defendants The First American Corporation (“First American”) and its wholly owned subsidiary, First American Title Insurance Company (“First American Title”) (collectively, “Defendants”). The complaint alleged a violation of the Real Estate Settlement Procedures Act of 1974 (“RESPA”), 12 U.S.C. § 2607. According to Plaintiff, First American improperly paid millions of dollars to individual title companies and in exchange those title companies entered into exclusive referral agreements with First American. Plaintiff moved for class certification, and certain discovery, which the district court denied. Plaintiff's appeal from those rulings is addressed separately in a memorandum disposition filed this date. At the same time as Plaintiff filed her motions, Defendants moved to dismiss the complaint for lack of standing. The district court denied the motion, and Defendants brought this appeal. We have jurisdiction pursuant to 28 U.S.C. § 1292(b). See also 28 U.S.C. § 1292(e); Fed.R.Civ.P. 23(f). For the reasons that follow, we affirm.
First American is a publicly traded holding company that owns, in addition to First American Title, several other companies in the field of real estate-related information services. First American Title is a title insurance underwriter that issues title insurance policies to real estate owners and lenders in 47 states and the District of Columbia. Defendants assert that First American has an ownership interest in a small proportion of the thousands of title insurance agencies that are authorized to sell First American Title policies. Plaintiff contends that, in exchange for First American's purchase of a minority interest, many of these title agencies enter into “exclusive” agency agreements with First American Title, pursuant to which the agencies agreed to sell First American Title's title insurance policies generally. Defendants assert that few First American Title “exclusive” agency agreements are completely exclusive. Plaintiff claims that these agreements are actually exclusive and thus illegal under the anti-kickback provisions of RESPA.
According to Plaintiff's allegations, she was affected by one such exclusive agency agreement between First American and Tower City. In 1998, First American paid Tower City $2 million in cash and securities. According to Plaintiff's allegations, in exchange, First American received a 17.5% minority interest in Tower City, and Tower City entered into a “Captive Title Insurance Agreement” that required it to refer all future title insurance business “exclusively” to First American Title. Plaintiff further alleges that Tower City had agreements with and regularly referred business to at least three other title insurers prior to 1998, but then began referring customers exclusively to First American after they entered into the Captive Title Insurance Agreement.
Plaintiff, a resident of Cleveland, Ohio, bought a home in Cleveland in September 2006. Tower City was the settlement agent and conducted the closing at its office in Highland Heights, Ohio. At or before settlement, Plaintiff received a “HUD–1 Settlement Statement” showing, on line 1108, that she would pay $455.43 and the seller would pay $273.42 for title insurance. Plaintiff claims that her title insurance was referred to First American pursuant to an exclusive agency agreement, which Plaintiff alleges was illegal under RESPA.
Plaintiff filed a complaint in district court. Defendants responded by filing a motion to dismiss for lack of subject matter jurisdiction. Specifically, Defendants claimed that Plaintiff lacked both Article III standing and statutory standing under RESPA. The district court denied Defendants' motion, holding that RESPA gave Plaintiff certain rights, the violation of which conferred standing. We review de novo. Mortensen v. County of Sacramento, 368 F.3d 1082, 1086 (9th Cir.2004).
There are three requirements for Article III standing—injury, causation, and redressability. Fulfillment Servs. Inc. v. UPS, 528 F.3d 614, 618 (9th Cir.2008). The parties disagree about the injury component only. Defendants argue that Plaintiff has not suffered a concrete injury in fact because she has not alleged that the charge for title insurance was higher than it would have been without the exclusivity agreement. Plaintiff does not and cannot make this allegation because Ohio law mandates that all title insurers charge the same price. Ohio Rev.Code Ann. §§ 3935.04, 3935.07 (West 2010). Nonetheless, Plaintiff counters that the damages provision in RESPA gives rise to a statutory cause of action whether or not an overcharge occurred. We agree with Plaintiff.
“The injury required by Article III can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.’ ” Fulfillment Servs., 528 F.3d at 618–19 (quoting Warth v. Seldin, 422 U.S. 490, 500, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975)). “Essentially, the standing question in such cases is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief.” Warth, 422 U.S. at 500, 95 S.Ct. 2197. Thus, we must look to the text of RESPA to determine whether it prohibited Defendants' conduct; if it did, then Plaintiff has demonstrated an injury sufficient to satisfy Article III.
It is well settled in this court that “statutory interpretation begins with the plain language of the statute.” United States v. Chaney, 581 F.3d 1123, 1126 (9th Cir.2009) (brackets and internal quotation marks omitted). “The preeminent canon of statutory interpretation requires us to presume that the legislature says in a statute what it means and means in a statute what it says there. Thus, our inquiry begins with the statutory text, and ends there as well if the text is unambiguous.” Satterfield v. Simon & Schuster, Inc., 569 F.3d 946, 951 (9th Cir.2009) (brackets and internal quotation marks omitted).
RESPA prohibits the payment of “any fee, kickback, or thing of value” in exchange for business referrals and also forbids that a “portion, split, or percentage of any charge made or received for the rendering of a real estate settlement service” be paid for services that are not actually rendered to the customer. 12 U.S.C. § 2607(a), (b). Whenever a violation of these prohibitions occurs, the statute provides that the defendants are liable to the “person or persons charged for the settlement service involved in the violation in an amount equal to three times the amount of any charge paid for such settlement service.” Id. § 2607(d)(2) (emphasis added).
These RESPA provisions are clear. A person who is charged for a settlement service involved in a violation is entitled to three times the amount of any charge paid. The use of the term “any” demonstrates that charges are neither restricted to a particular type of charge, such as an overcharge, nor limited to a specific part of the settlement service. Further, the term “overcharge” does not exist anywhere within the text of the statute.
Because the statutory text does not limit liability to instances in which a plaintiff is overcharged, we hold that Plaintiff has established an injury sufficient to satisfy Article III. The legislative history of RESPA supports our holding. As first enacted in 1974, RESPA entitled purchasers to damages “in an amount equal to three times the value or amount of the fee or thing of value” that changed hands. Pub.L. No. 93–533, § 8(D)(2), 88 Stat. 1724 (1974) (amended 1983). This provision failed to account for “controlled business arrangements” like the alleged agreement between Tower City and First American Title, whereby an entity could provide a referral without the direct payment of a referral fee. A 1982 House Committee Report noted that these practices could result in harm beyond an increase in the cost of settlement services:
[T]he advice of the person making the referral may lose its impartiality and may not be based on his professional evaluation of the quality of service provided if the referror or his associates have a financial interest in the company being recommended. [Because the settlement industry] almost exclusively rel[ies] on referrals ... the growth of controlled business arrangements effectively reduce[s] the kind of healthy competition generated by independent settlement service providers.
H.R.Rep. No. 97–532, at 52 (1982).
Acting on this concern, Congress exempted controlled business arrangements from liability only in limited circumstances, 12 U.S.C. § 2607(c)(4), and eliminated the “thing of value” phrasing in the damages provision, replacing it with “any charge paid” for the settlement service, id. § 2607(d)(2). Calculating the penalty with reference to the entire amount of the settlement service appears to address instances in which no direct referral fee has been paid. Indeed, these no-fee situations were the impetus behind Congress' enactment of the 1983 amendment. See H.R.Rep. No. 98–123, at 77 (1983) (expecting that RESPA violators “involved in controlled business arrangements ... shall be ... liable ... in the amount of three times the amount of the charge paid for the settlement service”).
Because RESPA gives Plaintiff a statutory cause of action, we hold that Plaintiff has standing to pursue her claims against Defendants. Our holding places us in agreement with two of our sister circuits. In Carter v. Welles–Bowen Realty, Inc., 553 F.3d 979, 989 (6th Cir.2009), the Sixth Circuit held that a plaintiff has standing to sue a settlement service provider under RESPA, even if that plaintiff was not overcharged for settlement services. The court came to that conclusion after looking at the text of RESPA and then examining its legislative history and the overall intent of RESPA. Id. at 986–88. The Third Circuit held similarly in Alston v. Countrywide Financial Corp., 585 F.3d 753, 755 (3d Cir.2009), stating that Congress created a private right of action without requiring an overcharge allegation.
AFFIRMED in part; REVERSED in part and REMANDED. The parties shall bear their own costs on appeal.
James R. Clapper, Jr., Director of National Intelligence v. Amnesty International USA
133 S.Ct. 1138 (2013)
Justice ALITO delivered the opinion of the Court.
Section 702 of the Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. § 1881a (2006 ed., Supp. V), allows the Attorney General and the Director of National Intelligence to acquire foreign intelligence information by jointly authorizing the surveillance of individuals who are not “United States persons” FN1 and are reasonably believed to be located outside the United States. Before doing so, the Attorney General and the Director of National Intelligence normally must obtain the Foreign Intelligence Surveillance Court's approval. Respondents are United States persons whose work, they allege, requires them to engage in sensitive international communications with individuals who they believe are likely targets of surveillance under § 1881a. Respondents seek a declaration that § 1881a is unconstitutional, as well as an injunction against § 1881a-authorized surveillance. The question before us is whether respondents have Article III standing to seek this prospective relief.
FN1. The term “United States person” includes citizens of the United States, aliens admitted for permanent residence, and certain associations and corporations. 50 U.S.C. § 1801(i); see § 1881(a).
Respondents assert that they can establish injury in fact because there is an objectively reasonable likelihood that their communications will be acquired under § 1881a at some point in the future. But respondents' theory of future injury is too speculative to satisfy the well-established requirement that threatened injury must be “certainly impending.” E.g., Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990). And even if respondents could demonstrate that the threatened injury is certainly impending, they still would not be able to establish that this injury is fairly traceable to § 1881a. As an alternative argument, respondents contend that they are suffering present injury because the risk of § 1881a-authorized surveillance already has forced them to take costly and burdensome measures to protect the confidentiality of their international communications. But respondents cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending. We therefore hold that respondents lack Article III standing.
In 1978, after years of debate, Congress enacted the Foreign Intelligence Surveillance Act (FISA) to authorize and regulate certain governmental electronic surveillance of communications for foreign intelligence purposes. See 92 Stat. 1783, 50 U.S.C. § 1801 et seq.; 1 D. Kris & J. Wilson, National Security Investigations & Prosecutions §§ 3.1, 3.7 (2d ed. 2012) (hereinafter Kris & Wilson). In enacting FISA, Congress legislated against the backdrop of our decision in United States v. United States Dist. Court for Eastern Dist. of Mich., 407 U.S. 297, 92 S.Ct. 2125, 32 L.Ed.2d 752 (1972) ( Keith ), in which we explained that the standards and procedures that law enforcement officials must follow when conducting “surveillance of ‘ordinary crime’ ” might not be required in the context of surveillance conducted for domestic national-security purposes. Id., at 322–323, 92 S.Ct. 2125. Although the Keith opinion expressly disclaimed any ruling “on the scope of the President's surveillance power with respect to the activities of foreign powers,” id., at 308, 92 S.Ct. 2125, it implicitly suggested that a special framework for foreign intelligence surveillance might be constitutionally permissible, see id., at 322–323, 92 S.Ct. 2125.
In constructing such a framework for foreign intelligence surveillance, Congress created two specialized courts. In FISA, Congress authorized judges of the Foreign Intelligence Surveillance Court (FISC) to approve electronic surveillance for foreign intelligence purposes if there is probable cause to believe that “the target of the electronic surveillance is a foreign power or an agent of a foreign power,” and that each of the specific “facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power.” § 105(a)(3), 92 Stat. 1790; see § 105(b)(1)(A), (b)(1)(B), ibid.; 1 Kris & Wilson § 7:2, at 194–195; id., § 16:2, at 528–529. Additionally, Congress vested the Foreign Intelligence Surveillance Court of Review with jurisdiction to review any denials by the FISC of applications for electronic surveillance. § 103(b), 92 Stat. 1788; 1 Kris & Wilson § 5:7, at 151–153.
In the wake of the September 11th attacks, President George W. Bush authorized the National Security Agency (NSA) to conduct warrantless wiretapping of telephone and e-mail communications where one party to the communication was located outside the United States and a participant in “the call was reasonably believed to be a member or agent of al Qaeda or an affiliated terrorist organization,” App. to Pet. for Cert. 403a. See id., at 263a–265a, 268a, 273a–279a, 292a–293a; American Civil Liberties Union v. NSA, 493 F.3d 644, 648 (C.A.6 2007) (ACLU ) (opinion of Batchelder, J.). In January 2007, the FISC issued orders authorizing the Government to target international communications into or out of the United States where there was probable cause to believe that one participant to the communication was a member or agent of al Qaeda or an associated terrorist organization. App. to Pet. for Cert. 312a, 398a, 405a. These FISC orders subjected any electronic surveillance that was then occurring under the NSA's program to the approval of the FISC. Id., at 405a; see id., at 312a, 404a. After a FISC Judge subsequently narrowed the FISC's authorization of such surveillance, however, the Executive asked Congress to amend FISA so that it would provide the intelligence community with additional authority to meet the challenges of modern technology and international terrorism. Id., at 315a–318a, 331a–333a, 398a; see id., at 262a, 277a–279a, 287a.
When Congress enacted the FISA Amendments Act of 2008 (FISA Amendments Act), 122 Stat. 2436, it left much of FISA intact, but it “established a new and independent source of intelligence collection authority, beyond that granted in traditional FISA.” 1 Kris & Wilson § 9:11, at 349–350. As relevant here, § 702 of FISA, 50 U.S.C. § 1881a (2006 ed., Supp. V), which was enacted as part of the FISA Amendments Act, supplements pre-existing FISA authority by creating a new framework under which the Government may seek the FISC's authorization of certain foreign intelligence surveillance targeting the communications of non-U.S. persons located abroad. Unlike traditional FISA surveillance, § 1881a does not require the Government to demonstrate probable cause that the target of the electronic surveillance is a foreign power or agent of a foreign power. Compare § 1805(a)(2)(A), (a)(2)(B), with § 1881a(d)(1), (i)(3)(A); 638 F.3d 118, 126 (C.A.2 2011); 1 Kris & Wilson § 16:16, at 584. And, unlike traditional FISA, § 1881a does not require the Government to specify the nature and location of each of the particular facilities or places at which the electronic surveillance will occur. Compare § 1805(a)(2)(B), (c)(1) (2006 ed. and Supp. V), with § 1881a(d)(1), (g)(4), (i)(3)(A); 638 F.3d, at 125–126; 1 Kris & Wilson § 16:16, at 585.FN2 FN2. Congress recently reauthorized the FISA Amendments Act for another five years. See 126 Stat. 1631.
The present case involves a constitutional challenge to § 1881a. Surveillance under § 1881a is subject to statutory conditions, judicial authorization, congressional supervision, and compliance with the Fourth Amendment. Section 1881a provides that, upon the issuance of an order from the Foreign Intelligence Surveillance Court, “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year ..., the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” § 1881a(a). Surveillance under § 1881a may not be intentionally targeted at any person known to be in the United States or any U.S. person reasonably believed to be located abroad. § 1881a(b)(1)–(3); see also § 1801(i). Additionally, acquisitions under § 1881a must comport with the Fourth Amendment. § 1881a(b)(5). Moreover, surveillance under § 1881a is subject to congressional oversight and several types of Executive Branch review. See § 1881a(f)(2), (l ); Amnesty Int'l USA v. McConnell, 646 F.Supp.2d 633, 640–641 (S.D.N.Y.2009).
Section 1881a mandates that the Government obtain the Foreign Intelligence Surveillance Court's approval of “targeting” procedures, “minimization” procedures, and a governmental certification regarding proposed surveillance. § 1881a(a), (c)(1), (i)(2), (i)(3). Among other things, the Government's certification must attest that (1) procedures are in place “that have been approved, have been submitted for approval, or will be submitted with the certification for approval by the [FISC] that are reasonably designed” to ensure that an acquisition is “limited to targeting persons reasonably believed to be located outside” the United States; (2) minimization procedures adequately restrict the acquisition, retention, and dissemination of nonpublic information about unconsenting U.S. persons, as appropriate; (3) guidelines have been adopted to ensure compliance with targeting limits and the Fourth Amendment; and (4) the procedures and guidelines referred to above comport with the Fourth Amendment. § 1881a(g)(2); see § 1801(h).
The Foreign Intelligence Surveillance Court's role includes determining whether the Government's certification contains the required elements. Additionally, the Court assesses whether the targeting procedures are “reasonably designed” (1) to “ensure that an acquisition ... is limited to targeting persons reasonably believed to be located outside the United States” and (2) to “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known ... to be located in the United States.” § 1881a(i)(2)(B). The Court analyzes whether the minimization procedures “meet the definition of minimization procedures under section 1801(h) ..., as appropriate.” § 1881a(i)(2)(C). The Court also assesses whether the targeting and minimization procedures are consistent with the statute and the Fourth Amendment. See § 1881a(i)(3)(A).FN3 FN3. The dissent attempts to downplay the safeguards established by § 1881a. See post, at 1156 – 1157 (opinion of BREYER, J.). Notably, the dissent does not directly acknowledge that § 1881a surveillance must comport with the Fourth Amendment, see § 1881a(b)(5), and that the Foreign Intelligence Surveillance Court must assess whether targeting and minimization procedures are consistent with the Fourth Amendment, see § 1881a(i)(3)(A).
Respondents are attorneys and human rights, labor, legal, and media organizations whose work allegedly requires them to engage in sensitive and sometimes privileged telephone and e-mail communications with colleagues, clients, sources, and other individuals located abroad. Respondents believe that some of the people with whom they exchange foreign intelligence information are likely targets of surveillance under § 1881a. Specifically, respondents claim that they communicate by telephone and e-mail with people the Government “believes or believed to be associated with terrorist organizations,” “people located in geographic areas that are a special focus” of the Government's counterterrorism or diplomatic efforts, and activists who oppose governments that are supported by the United States Government. App. to Pet. for Cert. 399a.
Respondents claim that § 1881a compromises their ability to locate witnesses, cultivate sources, obtain information, and communicate confidential information to their clients. Respondents also assert that they “have ceased engaging” in certain telephone and e-mail conversations. Id., at 400a. According to respondents, the threat of surveillance will compel them to travel abroad in order to have in-person conversations. In addition, respondents declare that they have undertaken “costly and burdensome measures” to protect the confidentiality of sensitive communications. Ibid. C
On the day when the FISA Amendments Act was enacted, respondents filed this action seeking (1) a declaration that § 1881a, on its face, violates the Fourth Amendment, the First Amendment, Article III, and separation-of-powers principles and (2) a permanent injunction against the use of § 1881a. Respondents assert what they characterize as two separate theories of Article III standing. First, they claim that there is an objectively reasonable likelihood that their communications will be acquired under § 1881a at some point in the future, thus causing them injury. Second, respondents maintain that the risk of surveillance under § 1881a is so substantial that they have been forced to take costly and burdensome measures to protect the confidentiality of their international communications; in their view, the costs they have incurred constitute present injury that is fairly traceable to § 1881a.
After both parties moved for summary judgment, the District Court held that respondents do not have standing. McConnell, 646 F.Supp.2d, at 635. On appeal, however, a panel of the Second Circuit reversed. The panel agreed with respondents' argument that they have standing due to the objectively reasonable likelihood that their communications will be intercepted at some time in the future. 638 F.3d, at 133, 134, 139. In addition, the panel held that respondents have established that they are suffering “present injuries in fact—economic and professional harms—stemming from a reasonable fear of future harmful government conduct.” Id., at 138. The Second Circuit denied rehearing en banc by an equally divided vote. 667 F.3d 163 (2011).
Because of the importance of the issue and the novel view of standing adopted by the Court of Appeals, we granted certiorari, 566 U.S. ––––, 132 S.Ct. 2431, 182 L.Ed.2d 1061 (2012), and we now reverse.
Article III of the Constitution limits federal courts' jurisdiction to certain “Cases” and “Controversies.” As we have explained, “[n]o principle is more fundamental to the judiciary's proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies.” DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341, 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006) (internal quotation marks omitted); Raines v. Byrd, 521 U.S. 811, 818, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997) (internal quotation marks omitted); see, e.g.,Summers v. Earth Island Institute, 555 U.S. 488, 492–493, 129 S.Ct. 1142, 173 L.Ed.2d 1 (2009). “One element of the case-or-controversy requirement” is that plaintiffs “must establish that they have standing to sue.” Raines,supra, at 818, 117 S.Ct. 2312; see also Summers, supra, at 492–493, 129 S.Ct. 1142; DaimlerChrysler Corp.,supra, at 342, 126 S.Ct. 1854; Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992).
The law of Article III standing, which is built on separation-of-powers principles, serves to prevent the judicial process from being used to usurp the powers of the political branches. Summers, supra, at 492–493, 129 S.Ct. 1142; DaimlerChrysler Corp.,supra, at 341–342, 353, 126 S.Ct. 1854; Raines, supra, at 818–820, 117 S.Ct. 2312; Valley Forge Christian College v. Americans United for Separation of Church and State, Inc., 454 U.S. 464, 471–474, 102 S.Ct. 752, 70 L.Ed.2d 700 (1982); Schlesinger v. Reservists Comm. to Stop the War, 418 U.S. 208, 221–222, 94 S.Ct. 2925, 41 L.Ed.2d 706 (1974). In keeping with the purpose of this doctrine, “[o]ur standing inquiry has been especially rigorous when reaching the merits of the dispute would force us to decide whether an action taken by one of the other two branches of the Federal Government was unconstitutional.” Raines, supra, at 819–820, 117 S.Ct. 2312; see Valley Forge Christian College, supra, at 473–474, 102 S.Ct. 752; Schlesinger,supra, at 221–222, 94 S.Ct. 2925. “Relaxation of standing requirements is directly related to the expansion of judicial power,” United States v. Richardson, 418 U.S. 166, 188, 94 S.Ct. 2940, 41 L.Ed.2d 678 (1974) (Powell, J., concurring); see also Summers, supra, at 492–493, 129 S.Ct. 1142; Schlesinger, supra, at 222, 94 S.Ct. 2925, and we have often found a lack of standing in cases in which the Judiciary has been requested to review actions of the political branches in the fields of intelligence gathering and foreign affairs, see, e.g.,Richardson, supra, at 167–170, 94 S.Ct. 2940 (plaintiff lacked standing to challenge the constitutionality of a statute permitting the Central Intelligence Agency to account for its expenditures solely on the certificate of the CIA Director); Schlesinger, supra, at 209–211, 94 S.Ct. 2925 (plaintiffs lacked standing to challenge the Armed Forces Reserve membership of Members of Congress); Laird v. Tatum, 408 U.S. 1, 11–16, 92 S.Ct. 2318, 33 L.Ed.2d 154 (1972) (plaintiffs lacked standing to challenge an Army intelligence-gathering program).
To establish Article III standing, an injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Monsanto Co. v. Geertson Seed Farms, 561 U.S. ––––, ––––, 130 S.Ct. 2743, 2752, 177 L.Ed.2d 461 (2010); see also Summers,supra, at 493, 129 S.Ct. 1142; Defenders of Wildlife, 504 U.S., at 560–561, 112 S.Ct. 2130. “Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending.” Id., at 565, n. 2, 112 S.Ct. 2130 (internal quotation marks omitted). Thus, we have repeatedly reiterated that “threatened injury must be certainly impending to constitute injury in fact,” and that “[a]llegations of possible future injury” are not sufficient. Whitmore, 495 U.S., at 158, 110 S.Ct. 1717 (emphasis added; internal quotation marks omitted); see also Defenders of Wildlife,supra, at 565, n. 2, 567, n. 3, 112 S.Ct. 2130; see DaimlerChrysler Corp.,supra, at 345, 126 S.Ct. 1854; Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 190, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000); Babbitt v. Farm Workers, 442 U.S. 289, 298, 99 S.Ct. 2301, 60 L.Ed.2d 895 (1979).
Respondents assert that they can establish injury in fact that is fairly traceable to § 1881a because there is an objectively reasonable likelihood that their communications with their foreign contacts will be intercepted under § 1881a at some point in the future. This argument fails. As an initial matter, the Second Circuit's “objectively reasonable likelihood” standard is inconsistent with our requirement that “threatened injury must be certainly impending to constitute injury in fact.” Whitmore, supra, at 158, 110 S.Ct. 1717 (internal quotation marks omitted); see also DaimlerChrysler Corp., supra, at 345, 126 S.Ct. 1854; Laidlaw,supra, at 190, 120 S.Ct. 693; Defenders of Wildlife, supra, at 565, n. 2, 112 S.Ct. 2130; Babbitt, supra, at 298, 99 S.Ct. 2301. Furthermore, respondents' argument rests on their highly speculative fear that: (1) the Government will decide to target the communications of non-U.S. persons with whom they communicate; (2) in doing so, the Government will choose to invoke its authority under § 1881a rather than utilizing another method of surveillance; (3) the Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude that the Government's proposed surveillance procedures satisfy § 1881a's many safeguards and are consistent with the Fourth Amendment; (4) the Government will succeed in intercepting the communications of respondents' contacts; and (5) respondents will be parties to the particular communications that the Government intercepts. As discussed below, respondents' theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending. See Summers, supra, at 496, 129 S.Ct. 1142 (rejecting a standing theory premised on a speculative chain of possibilities); Whitmore,supra, at 157–160, 110 S.Ct. 1717 (same). Moreover, even if respondents could demonstrate injury in fact, the second link in the above-described chain of contingencies—which amounts to mere speculation about whether surveillance would be under § 1881a or some other authority—shows that respondents cannot satisfy the requirement that any injury in fact must be fairly traceable to § 1881a.
First, it is speculative whether the Government will imminently target communications to which respondents are parties. Section 1881a expressly provides that respondents, who are U.S. persons, cannot be targeted for surveillance under § 1881a. See § 1881a(b)(1)–(3); 667 F.3d, at 173 (Raggi, J., dissenting from denial of rehearing en banc). Accordingly, it is no surprise that respondents fail to offer any evidence that their communications have been monitored under § 1881a, a failure that substantially undermines their standing theory. See ACLU, 493 F.3d, at 655–656, 673–674 (opinion of Batchelder, J.) (concluding that plaintiffs who lacked evidence that their communications had been intercepted did not have standing to challenge alleged NSA surveillance). Indeed, respondents do not even allege that the Government has sought the FISC's approval for surveillance of their communications. Accordingly, respondents' theory necessarily rests on their assertion that the Government will target other individuals—namely, their foreign contacts.
Yet respondents have no actual knowledge of the Government's § 1881a targeting practices. Instead, respondents merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired under § 1881a. See 667 F.3d, at 185–187 (opinion of Raggi, J.). For example, journalist Christopher Hedges states: “I have no choice but to assume that any of my international communications may be subject to government surveillance, and I have to make decisions ... in light of that assumption.” App. to Pet. for Cert. 366a (emphasis added and deleted). Similarly, attorney Scott McKay asserts that, “[b]ecause of the [FISA Amendments Act], we now have to assume that every one of our international communications may be monitored by the government.” Id., at 375a (emphasis added); see also id., at 337a, 343a–344a, 350a, 356a. “The party invoking federal jurisdiction bears the burden of establishing” standing—and, at the