Unauthorized software downloads did not violate Computer Fraud and Abuse Act

June 23, 2009 | by Evan Brown | 1 Comment 

Cassetica Software made an application available for download on the web and entered into a license agreement for that application with Computer Sciences Corporation (CSC). Cassetica alleged that CSC continued to download the application after the license agreement expired.

download

So Cassetica sued in federal court, alleging a number of causes of action, including violations of the Computer Fraud and Abuse Act, 18 USC 1030 et seq. (CFAA). CSC moved to dismiss pursuant to FRCP 12(b)(6) for failure to state a claim. The court granted the motion, finding that Cassetica did not plead either damage or loss as required by the CFAA.

What the CFAA requires

Interpreting the CFAA differently that at least one other judge in the Northern District of Illinois has (cf. Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008)), Judge Kendall held that Cassetica was required to plead either damage or loss as such terms are defined in the CFAA. (In Garelli Wong, the court held that both damage and loss must be pled.)

Under the CFAA, “damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

Insufficient damage allegations

The bare allegations of damage in the complaint were not enough. The court found that Cassetica did not allege any facts that would plausibly suggest that the software downloads — authorized or not — caused a diminution in the computers or usability of [Cassetica's] computerized data.” The court went on to observe that “[c]ritically absent from the Complaint are allegations that CSC’s downloads resulted in lost data, the inability to offer downloads to its customers, or that the downloads affected the availability of the software.”

Insufficient loss allegations

Cassetica’s complaint also failed to plead loss. The allegations primarily dealt with the lost fees Cassetica would have received had the alleged unauthorized downloading not taken place. Because Cassetica did not allege that it lost revenues as a result of an interruption in service caused by CSC, its claim for lost revenue fell outside the CFAA’s definition of “loss.”

Download picture courtesy Flickr user soren_nb under this Creative Commons license.

Record companies win $1.92 million in case against individual file sharer

June 18, 2009 | by Evan Brown | 1 Comment 

There has only been one copyright infringement case filed against an individual accused of illegally sharing music files over the internet to actually go to trial. That’s the case of Capitol Records v. Jammie Thomas. In October 2007, a jury in the U.S. District Court for the District of Minnesota returned a verdict of $222,000 against Ms. Thomas. The court on its own motion vacated that judgment, and ordered a retrial. That retrial concluded on June 18, 2009, with a judgment of a whopping $1.92 million against Ms. Thomas.

Here is a growing collection of links on the topic:

Subscribe to RSS headline updates from:

 

 

Domain name not tangible property that could satisfy judgment

June 16, 2009 | by Evan Brown | 6 Comments 

Palacio del Mar Homeowners Assn., Inc. v. McMahon, — Cal.Rptr.3d —, 2009 WL 1668294 (Cal. App. 4 Dist. June 16, 2009)

A California state court entered a $40,000 judgment against defendant McMahon in favor of plaintiff homeowners association. The homeowners association tried to collect the money from McMahon, seeking a “turnover” of property McMahon owned. Among the items the homeowners association sought was the domain name ahrc.com, registered in the name of McMahon’s wife.

The trial court permitted the domain name to be turned over to the homeowners association to satisfy the judgment. McMahon sought review with the California Court of Appeal. That court reversed and vacated the turnover order.

The court gave several reasons for reversing the lower court. The most interesting reason, however, dealt with the very nature of domain names. The provision in California law allowing turnover of property limits itself to tangible property that can be “levied upon by taking it into custody.” Looking to the case of Network Solutions, Inc. v. Umbro International, Inc., 529 S.E.2d 80 (Va. 2000), the court held that a domain name registration is not property, but merely supplies the intangible contractual right to use a unique domain name for a specified period of time. Even if the registration were property, it was not something that could be taken into custody.

Scope of Electronic Communications Privacy Act may not be so narrow

June 15, 2009 | by Evan Brown | 2 Comments 

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (“ECPA”). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.

I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.