California federal court finds no CFAA violation for disseminating software updates obtained from subscription to software support service, and requires fraud-based CFAA claims to be pled with particularity

Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012).

Oracle, a supplier of enterprise hardware and software systems, was dealt a setback in its efforts to combat software piracy using the Computer Fraud and Abuse Act (CFAA).  Oracle customers can buy an annual contract for technical support services including the ability to download software updates from Oracle’s support websites.  Access to Oracle’s support websites requires a login and password, which are provided to purchasers of the optional support service.   Under the Terms of Use for the support websites, only users who have a support agreement with Oracle are authorized to receive software updates.

DLT was a member of the Oracle Partner Network (OPN), a program for third-party companies interested in reselling Oracle hardware and software.  To facilitate their role as resellers, OPN members receive log-in credentials to access Oracle’s support websites.  Oracle alleged that DLT fraudulently used its access to obtain Oracle’s proprietary software patches and updates, which DLT then provided to its own customers.  Oracle further alleged that DLT gave its access credentials to Oracle’s websites to “unwitting third parties” (apparently including the Navy and FDA) who were unaware that DLT lacked authorization to do so.  Oracle sued DLT under numerous theories, including violations of the CFAA.

Certain CFAA claims alleged that DLT “exceed[ed] authorized access” in obtaining information from Oracle’s support systems.  The court agreed with DLT that dismissal of such claims was required under United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).  In Nosal, an en banc panel of the Ninth Circuit ruled that misuse or misappropriation of information to which one has authorized access does not violate CFAA provisions based on access to a computer “without authorization or exceeding authorized access.”  Oracle’s complaint alleged that DLT used its access credentials for an unauthorized purpose (although Oracle apparently tried to distinguish Nosal by re-characterizing the complaint in subsequent briefing as alleging that DLT accessed Oracle’s websites without authorization).  That’s precisely the kind of conduct that Nosal said was not actionable under the CFAA, the court ruled.  However, DLT could still be liable under the CFAA for trafficking passwords to Oracle’s support sites because such a claim is not based upon unauthorized access to a protected computer.

Oracle also ran into trouble with the requirement in Rule 9(b) of the Federal Rules of Civil Procedure that claims alleging fraud or mistake be pled with particularity.  One of Oracle’s CFAA claims alleged that DLT “knowingly and with intent to defraud . . . exceed[ed] authorized access, and by means of such conduct further[ed] the intended fraud . . . .”  18 U.S.C. § 1030(a)(4).  The court concluded that the claim was “grounded” or “sounded” in fraud and thus subject to Rule 9(b).  Oracle did not adequately detail its fraud to meet the Rule 9(b) pleading requirement.

The one bright spot for Oracle in the decision was the court’s rebuff of DLT’s argument that Oracle did not properly allege damages.  Oracle alleged that it incurred costs as a result of investigating and conducting a damage assessment in response to DLT’s actions, and the court found that enough to satisfy the damage requirement.  The court also rejected a similar argument that Oracle did not sustain damages in excess of $5,000.  That argument referred to the fraud-based CFAA violation, an element of which is that the fraud resulted in the defendant obtaining “anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]”  18 U.S.C. § 1030(a)(4) (emphasis added).  The $5,000 threshold is not meant to be a measure of damages, the court held.  Rather, the threshold refers to the value of the computer use relevant in determining whether a CFAA violation exists.  In any event, the court said, Oracle did allege that DLT obtained something of value, i.e., its software.

LegalTXTS Lesson:  If you’re in the Ninth Circuit, recovery under the CFAA for illicit use or dissemination of proprietary computer information is a challenge.  Liability for hacking into a computer system is well-established, see Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), and so is liability for giving away passwords to protected sites, as the Oracle decision teaches.  Asking permission to access your work computer “one last time” to delete personal files before switching jobs and then downloading a bunch of proprietary data also will get you in trouble (see Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012), and my post on it here).

When it comes to misuse or misappropriation of information that was obtained with authorized access, however, Nosal makes it pretty clear that’s not a violation of the CFAA.  The Oracle decision follows that rule.  Other circuits, like the Third Circuit, go the opposite direction, hence decisions like Synthes, Inc. v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), which held that it is a violation of the CFAA to induce employees of a competing company who have authorized access to the company’s computer system to download proprietary information and give it to you (see my post on it here).

AF Holdings, LLC owns the copyrights to various porn videos.  AF Holdings has filed numerous copyright infringement actions against individuals who download and share its videos illegally through BitTorrent, an online peer-to-peer sharing tool.  Besides targeting the individuals actively downloading and sharing files (whose identities are often unknown and who therefore end up being named as “Doe” defendants), AF Holdings goes after owners of the Internet connections used in the torrent activity (the “Network Defendants”).  AF Holdings sued the Network Defendants under a negligence theory.  AF Holdings alleged that the Network Defendants breached their duty to secure their Internet connections from third parties who use the connections for unlawful activity.  In a pair of similar lawsuits, the courts rejected AF Holdings’ negligence claims.  See AF Holdings, LLC v. John Doe and Josh Hatfield, 2012 WL 3835102 (N.D. Cal. Sept. 4, 2012); AF Holdings, LLC v. John Doe and John Botson, 2012 WL 4747170 (N.D. Cal. Oct. 3, 2012).

No legal duty to secure Internet connection to prevent copyright infringement

AF Holdings argued that the Network Defendants owed it a duty to secure their Internet connections to prevent infringement of AF Holdings’ copyrighted works.  The duty at issue was one of “non-feasance,” or the failure to take certain steps, as opposed to “misfeasance,” which involves activity putting the plaintiff in a worse position, such as exposing the plaintiff to risk of peril.  A duty arises in non-feasance situations when the plaintiff has a special relationship with the defendant.  Finding no special relationship between the Network Defendants and AF Holdings, the court concluded that the Network Defendants owed no legal duty to protect AF Holdings against copyright infringement.  The courts therefore dismissed the negligence claims.

Copyright Act preempts negligence claims

Part of the Network Defendants’ defense was that the negligence claims are preempted by the Copyright Act of 1976 because they seek protection for the same exclusive rights that the Act protects.  A state law claim is preempted by the Act when (1) the work at issue comes within the subject matter of copyright, and (2) the rights granted by state law are equivalent to the exclusive rights of copyright holders under section 106 of the Act.  The Network Defendants cleared the first test easily because AF Holdings’ videos clearly are protected by copyright.  In analyzing the second issue, most courts determine whether the state law claim contains an “extra element” that is different or in addition to a claim based on the Copyright Act.  The only “extra elements” in AF Holdings’ negligence claim were the elements of duty and breach of duty.  Since the Network Defendants had no duty to secure their Internet connections to prevent copyright infringement, the negligence claims had no extra elements to be saved from being preempted.  Essentially, AF Holdings repackaged its copyright infringement claim into a negligence claim.

CDA immunity applies

The Network Defendants also claimed immunity under the Communications Decency Act (“CDA”).  The court in the Hatfield case found it unnecessary to decide the issue given the dismissal of the negligence action on other grounds, but the court in the Botson case ruled that the defendant had immunity.  A defendant qualifies for CDA immunity if (1) it is the provider or user of an interactive computer service; (2) the cause of action treats the defendant as a publisher or speaker of information; and (3) the information at issue is provided by another information content provider.  Botson met these qualifications, the court found.  AF Holdings alleged that Botson was the provider of a computer service (i.e., the Internet connection) to pirate the videos.  AF Holdings also treated Botson as a copyright infringer or a participant in the infringement.  Finally, the information at issue (the videos) was provided by another content provider, namely the “Doe” defendant.

A round-up of recent developments in CFAA litigation is in order.  In the last three months, a series of cases has provided answers to important questions about the requirements for bringing a claim under the Computer Fraud and Abuse Act (CFAA).  The recent cases address three general questions:

1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

2. What computers are subject to the protections of the CFAA?

3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?

What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.”  Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases.  The recent cases are no exception.  The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.

Downloading Information From a Publicly Accessible Website

Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012).  The case involved two competing businesses that offered online access to college catalogs.  One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegeSource’s digital archive of the school’s course catalogs.  The link could be inserted into the school’s homepage.  If a person browsing on the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that he or she was leaving the school’s web domain.  Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.

The defendant (AcademyOne) maintained an online course description database.  To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet.  AcademyOne’s contractor obtained over 700 catalogs through CataLink.

The court was not persuaded by CollegeSource’s argument that AcademyOne accessed the CataLink service “without authorization” given that CataLink is available to anyone with an Internet connection.  The court also did not accept CollegeSource’s argument that AcademyOne exceeded its authorization to use CataLink because it violated the terms of use governing the CollegeSource website.  The terms of use were not binding on AcademyOne because the link to CataLink material appeared on the webpage of a school, and clicking on the link did not trigger a notice that the user was leaving the school website and being forwarded to the CataLink page.

Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information

Asking others to get you information that you’re not entitled to have will get you in trouble.  In Synthes, Inc. v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company.  Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.

Hacking Into an Employee’s Email Account

This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA.  The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account.  The wrongfulness of the act was undisputed.  The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).

What constitutes a “protected computer”?

Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions.  A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA.  A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….”  18 U.S.C. § 1030.

In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce.  If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.

What “losses” count toward meeting the standing requirement?

A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA.  18 U.S.C. § 1030(g).  One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000.  § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.

The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.”  To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in the CFAA violation.  Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation.  So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued.  The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed.  The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.

With regard to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act.  Losses stemming from multiple CFAA violations could be added together to meet the threshold $5,000 amount.

On September 5, the Federal Trade Commission published its first guide written specifically with mobile app developers in mind.  Entitled “Marketing Your Mobile App: Get It Right From the Start,” the guide is not legally binding, but it does set out guidelines to help mobile app developers comply with truth-in-advertising and privacy laws.  In particular, the guide lays out seven principles for complying with federal data privacy requirements under statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the Federal Trade Commission Act.  Click here for the press release and a link to the guide.

A civil CFAA claim for damages requires damage to computers, systems, or data

Schatzki v. Weiser Capital Mgmt, LLC, 2012 WL 2568973 (S.D.N.Y. July 3, 2012)

As I said in a previous post, we are seeing more activity dealing with the Computer Fraud and Abuse Act (CFAA).  The CFAA is both a criminal and civil statute.  The CFAA imposes criminal penalties on someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” or “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.”  A civil claim is available if, in addition to establishing the elements of a criminal violation, the plaintiff can show “damage or loss” as a result of the violation.  The damage or loss must be at least $5,000.00.

Schatzki is the latest case to read the terms “damage” and “loss” narrowly.  The defendants in the case allegedly obtained information from plaintiff’s computer systems without authorization and trafficked in computer passwords.  This access enabled the defendants to obtain valuable private and confidential information about the plaintiff’s clients, the plaintiffs said.  As a result, the plaintiffs had to hire consultants and incur legal fees.

The court said that the plaintiffs did not show the required “damage” or “loss,” and here’s why.  The plaintiffs failed to allege that the defendants’ access to the computer system damaged the data accessed or the system itself, or that the costs to recover the system/data exceeded $5,000.  The court also would not allow the plaintiffs to base their CFAA claim on other kinds of damages like lost profits, invasion of privacy, trespass to personal property, or misappropriation of confidential data.

LegalTXTS Lesson: Quantify your damages if you are bringing a civil claim under the CFAA.  Also, remember that the CFAA is more in the nature of an anti-hacking statute than an anti-misappropriation statute.  Attempts to seek damages under the CFAA on a theory that someone gained access to electronic information and used it for improper purposes might not go very far.