Impostor bids in online auction sufficient allegation of interrupted service under CFAA

Yoder v. Equipmentfacts, 2011 WL 2433504 (N.D.Ohio June 14, 2011)

[This is a post by Jackson Cooper. Jackson graduated from DePaul University College of Law in May 2011 with a certificate in intellectual property and information technology law. Jackson also recently passed the Kentucky bar exam and will begin practicing soon. You can find him online at jacksonccooper.com or follow him on Twitter at @jacksoncooper.]

The plaintiffs here were an auction company and a firm employed to assist them with running a private online auction.  They sued the defendant, a firm previously employed by the auction company to assist them with running online auctions.  The plaintiffs  alleged violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, stemming from the defendant’s unauthorized access to a private auction conducted by the plaintiffs after the defendant’s relationship with the auction company was terminated.  According to the plaintiffs, the defendant made unauthorized access to the auction system using an administrative user name and password to post negative comments, and later impersonated a customer in order to place fraudulent bids as that customer.  The plaintiffs further alleged that the defendant, posing as a customer, won auctions for over one million dollars of equipment and failed to pay on those winning bids.

The defendant asked the court to dismiss the CFAA claim, challenging the plaintiffs’ pleadings on the issue of “loss” as defined by the CFAA. The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Plaintiffs alleged lost commission resulting from the defendant’s fraudulent bids and resulting failed auctions.  Defendant claimed that the small scale sabotage as at issue here did not satisfy the “interruption of service” requirement, and therefore could not support the claimed violation of the CFAA.

The court, noting the lack of a definition of “interruption of service” in the statute and the lack of case law dealing with disruptions of this type, treated the issue as one of first impression.  The court concluded that the disruption alleged here was sufficient to support the “interruption of service” requirement in the CFAA.

The court found that the defendant’s alleged “intentional disruption of even a portion of the online auction” constituted an interruption of the service of the site. Although the auction system was not taken offline by defendant’s alleged activities, the court found that thwarting individual transactions and the resulting denial of service to plaintiffs and their customers was an interruption as envisioned by the statute.

NLRB’s Facebook firing decision had little to do with Facebook

Hispanics United of Buffalo, Case No. 3-CA-27872 (NLRB, September 2, 2011)

Folks are talking about the decision handed down by an Adminstrative Law Judge (ALJ) at the National Labor Relations Board (NLRB) last week, finding that a nonprofit employer violated federal law by terminating five employees over a Facebook status update and comments thereto. It is an inherently intriguing case because, as Eric Meyer points out, this is the first time the NLRB has actually issued a ruling that employees were wrongfully fired over Facebook content.

But if you read the decision [PDF], you will see that the NLRB’s decision does not turn on the fact that the communications among the terminated employees took place on Facebook. I am no expert in NLRB matters, but from what I can tell, the ALJ’s analysis is a straightforward look at whether the posting and comments were “concerted activity” which is protected by the National Labor Relations Act.

Here’s a skeletal outline of the analysis:

  • It is an unfair labor practice for employers to, among other things, restrain employees from engaging in “concerted activities for the purpose of . . . mutual aid or protection.”
  • “Concerted activities” are those engaged in with or on the authority of other employees, not solely by one employee alone, though a single employee’s activities to enlist the support of other employees is protected.
  • For there to be a violation, an empolyer must know that the activities were concerted.

In this case, the ALJ found that the terminated employees, by communicating on Facebook, were taking a first step towards taking group action to defend themselves against the accusations they could reasonably believe [another employee] was going to make to management.” The termination prevented them from taking further group action, and the fact that they were fired as a batch tended to show that the employer knew the activity was concerted. So this was thus an unfair labor practice.

If anything, the fact that the communications were on Facebook — during non-work hours and on the employees’ own computers — fortified the claim that the termination was improper. An employer can argue that employee misconduct during the course of otherwise protected activity can be “so opprobrius as to lose protection.” Among the factors the NLRB is to consider in this “opprobriousness” test is the place of the discussion. The communications on Facebook, although maybe not good for the employer’s PR, were separate from work hours and facilities, so as to help disqualify them from being “misconduct.”

Lost sales were not “loss” under the Computer Fraud and Abuse Act

CustomGuide v. CareerBuilder, LLC, 2011 WL 3809768 (N.D.Ill. August 24, 2011)

Plaintiff and defendant had discussed a licensing arrangement whereby defendant would provide certain of plaintiff’s materials online. The parties never entered into that agreement. But plaintiff claimed that defendant went ahead and accessed the materials stored on plaintiff’s computer system, and thereby caused plaintiff to miss out on certain sales in the business to business marketplace for the materials.

So plaintiff sued, alleging a variety of claims, including a claim under the Computer Fraud and Abuse Act. Defendant moved to dismiss. The court granted the motion.

The CFAA defines a “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).

The court looked to the case of Cassetica Software v. Computer Sciences Corp., 2009 WL 1703015, (N.D.Ill. June 18, 2009) which explained that “[w]ith respect to ‘loss’ under the CFAA, other courts have uniformly found that economic costs unrelated to computer systems do not fall within the statutory definition of the term.” Rather, the purported loss “must relate to the investigation or repair of a computer system following a violation that caused impairment or unavailability of data.” For these reasons, the court in Cassetica Software held that lost revenues that were not related to the impairment of a computer system were not recoverable under the CFAA.

In this case, the court found that plaintiff did not allege any facts connecting its purported “loss” to an interruption of service of its computer systems. Instead, the complaint described an economic loss of revenues related plaintiff’s making business to business sales. Because such economic losses do not fall within the definition of “loss” under the CFAA, the court tossed the CFAA claim.

Court won’t let marijuana activist change his legal name to njweedman.com

In re Robert Edward Forchion, Jr., 2011 WL 3834929, (Cal.App. 2 Dist. August 31, 2011)

A long time marijuana activist (who now self-identifies as a “marijuana capitalist”) asked a California court to legally change his name to match the domain name of his website — njweedman.com. The court denied the request.

The court gave three reasons why it would not allow the name change:

  • A name change would last indefinitely, but a domain name could expire or be lost. Therafter, people might be confused.
  • The name change would associate the petitioner’s legal name with a website that advocates illegal activities, and that should not be allowed.
  • The petitioner tried to change his name in New Jersey back in 2001 but failed. The California court, looking to principles of “comity,” went along with the New Jersey Court.

At least we know Sunshine Megatron is not as controversial.

Facebook user had standing to challenge subpoena seeking his profile information

Mancuso v. Florida Metropolitan University, Inc., 2011 WL 310726 (S.D. Fla. January 28, 2011 )

Plaintiff sued his former employer seeking back overtime wages. In preparing its defense of the case, the employer sent supboenas to Facebook and Myspace seeking information about plaintiff’s use of those platforms. (The employer probably wanted to subtract the amount of time plaintiff spent messing around online from his claim of back pay.) Plaintiff moved to quash the subpoenas, claiming that his accounts contained confidential and privileged information. The court denied the motion as to these social networking accounts, but did so kind of on a technicality. The subpoenas were issued out of federal district courts in California, and since this court (in Florida) did not have jurisdiction over the issuance of those subpoenas, it had to deny the motion to quash.

But there was some interesting discussion that took place in getting to this analysis that is worth noting. Generally, a party does not have standing to challenge a subpoena served on a non-party, unless that party has a personal right or privilege with respect to the subject matter of the materials subpoenaed. The employer argued that plaintiff did not have standing to challenge the subpoenas in the first place.

The court disagreed, looking to the case of Crispin v. Christian Audiger, Inc. 717 F.Supp.2d 965 (C.D. Cal. 2010), in which that court explained:

[A]n individual has a personal right in information in his or her profile and inbox on a social networking site and his or her webmail inbox in the same way that an individual has a personal right in employment and banking records. As with bank and employment records, this personal right is sufficient to confer standing to move to quash a subpoena seeking such information.

This almost sounds like an individual has a privacy right in his or her social media information. But the p-word is absent from this analysis. So from this case we know there is a right to challenge subpoenas directed at intermediaries with information. We’re just not given much to go on as to why such a subpoena should be quashed.

Wikileaks, decentralized distribution, and the lack of meaningful remedies for unauthorized disclosure

Apart from the difficult question of liability — that is, whether Julian Assange should hang for his actions — the decentralized nature of the distribution methods of Wikileaks content gives us a meaningful opportunity to consider the remedies that should be imposed upon an actor like Wikileaks in those cases in which liability should attach. To do this we can set aside for the time being the more essential question of whether Wikileaks is good or bad. (I have come to think that question may be about as answerable as whether God exists or whether abortion is right.)

It is erroneous to think that Wikileaks should be less culpable merely because it does not have the capacity to be blocked. Wikileaks is not just a website with documents hosted on one server. More cleverly, Wikileaks made its content available via the Bittorrent protocol, which ensures that the information is as widely distributed as possible given today’s reasonably available technology. Attempts to completely block the content would be futile, because so many computers on the network that contain the distributed files (millions?) can work together to ensure that the content remains available.

By seeing to it that the content was available via Bittorrent, Wikileaks knowingly facilitated the decentralized distribution. To say that Wikileaks is not an evildoer because it is without power to undo the harm it caused is an exemplar of the principle behind the old saying that a defendant accused of killing his parents should not be shown leniency because he is now an orphan.

The real relevance of the decentralized distribution and unable-to-block-ness of Wikileaks lies in measuring the culpability for the original act of releasing the information. Here is the central thesis: to the extent generally available methods of information distribution like Bittorrent become further decentralized, the potential for that distribution to have effect becomes correspondingly greater.

Whether this correlation (i.e., greater effect potential in proportion to extent of decentralization) is good or bad depends on the nature of the information being distributed. Obviously, when the released information is harmful, the effect will be bad, and vice versa. A really, really decentralized release of information that, like Wikileaks content cannot be blocked, and which has a harmful effect from being disclosed, causes harm which truly is irreparable. Deleting, returning, or blocking further distribution of the information is impossible.

So what is to be done when harmful information is released in an ultra-distributed, unblockable way? Money damages will rarely do the trick. But what kind of equitable remedy will work? No type of injunction will have any effect in reducing the amount of information that has escaped into the wild, never to be redomesticated in even the slightest sense (since its perpetual propagation is assured through technologies like Bittorrent). How can we meaningfully deal with this problem uniquely occasioned by the digital age? What do you suggest?

Debt collector broke the law by using MySpace photo to intimidate consumer

Sohns v. Bramacint, 2010 WL 3926264 (D.Minn. October 1, 2010)

Plaintiff fell behind on her car payments. The lender turned the debt over to a collection agency that used technology and some remarkably poor judgment in an attempt to get paid.

The first bad decision was to use a caller-ID spoofer to make it look like the collection call was coming from plaintiff’s mother in law. The next not-smart use of technology was to access plaintiff’s MySpace page, learn that plaintiff had a daughter, and to use that fact to intimidate plaintiff. There was evidence in the record to suggest that the collection agency’s “investigator” said to plaintiff, after mentioning plaintiff’s “beautiful daughter,” something to the effect of “wouldn’t it be terrible if something happened to your kids while the sheriff’s department was taking you away?”

Plaintiff sued the debt collection agency under the Fair Debt Collection Practices Act. The FDCPA sets some restrictions on how debt collectors can go about their business. Plaintiff moved for summary judgment. The court granted the motion.

It held that the collection agency engaged in conduct the natural consequence of which was to harass, oppress, or abuse in connection with the collection of the debt; used false, deceptive, or misleading representations or means in connection with the collection of the debt; and used unfair or unconscionable means to collect or attempt to collect the debt.

Enhanced by Zemanta

Posts navigation

1 2 3 4 5 6