Impostor bids in online auction sufficient allegation of interrupted service under CFAA

Yoder v. Equipmentfacts, 2011 WL 2433504 (N.D.Ohio June 14, 2011)

[This is a post by Jackson Cooper. Jackson graduated from DePaul University College of Law in May 2011 with a certificate in intellectual property and information technology law. Jackson also recently passed the Kentucky bar exam and will begin practicing soon. You can find him online at or follow him on Twitter at @jacksoncooper.]

The plaintiffs here were an auction company and a firm employed to assist them with running a private online auction. They sued the defendant, a firm previously employed by the auction company to assist them with running online auctions. The plaintiffs alleged violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, stemming from the defendant’s unauthorized access to a private auction conducted by the plaintiffs after the defendant’s relationship with the auction company was terminated. According to the plaintiffs, the defendant gained unauthorized access to the auction system using an administrative user name and password to post negative comments, and later impersonated a customer in order to place fraudulent bids as that customer. The plaintiffs further alleged that the defendant, posing as a customer, won auctions for over one million dollars of equipment and failed to pay on those winning bids.

The defendant asked the court to dismiss the CFAA claim, challenging the plaintiffs’ pleadings on the issue of “loss” as defined by the CFAA. The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Plaintiffs alleged lost commission resulting from the defendant’s fraudulent bids and resulting failed auctions. Defendant claimed that the small-scale sabotage at issue here did not satisfy the “interruption of service” requirement, and therefore could not support the claimed violation of the CFAA.

The court, noting the lack of a definition of “interruption of service” in the statute and the lack of case law dealing with disruptions of this type, treated the issue as one of first impression.  The court concluded that the disruption alleged here was sufficient to support the “interruption of service” requirement in the CFAA.

The court found that the defendant’s alleged “intentional disruption of even a portion of the online auction” constituted an interruption of the service of the site. Although the auction system was not taken offline by defendant’s alleged activities, the court found that thwarting individual transactions and the resulting denial of service to plaintiffs and their customers was an interruption as envisioned by the statute.

NLRB’s Facebook firing decision had little to do with Facebook

Hispanics United of Buffalo, Case No. 3-CA-27872 (NLRB, September 2, 2011)

Folks are talking about the decision handed down by an Administrative Law Judge (ALJ) at the National Labor Relations Board (NLRB) last week, finding that a nonprofit employer violated federal law by terminating five employees over a Facebook status update and comments thereto. It is an inherently intriguing case because, as Eric Meyer points out, this is the first time the NLRB has actually issued a ruling that employees were wrongfully fired over Facebook content.

But if you read the decision [PDF], you will see that the NLRB’s decision does not turn on the fact that the communications among the terminated employees took place on Facebook. I am no expert in NLRB matters, but from what I can tell, the ALJ’s analysis is a straightforward look at whether the posting and comments were “concerted activity” which is protected by the National Labor Relations Act.

Here’s a skeletal outline of the analysis:

  • It is an unfair labor practice for employers to, among other things, restrain employees from engaging in “concerted activities for the purpose of . . . mutual aid or protection.”
  • “Concerted activities” are those engaged in with or on the authority of other employees, not solely by one employee alone, though a single employee’s activities to enlist the support of other employees is protected.
  • For there to be a violation, an employer must know that the activities were concerted.

In this case, the ALJ found that the terminated employees, by communicating on Facebook, “were taking a first step towards taking group action to defend themselves against the accusations they could reasonably believe [another employee] was going to make to management.” The termination prevented them from taking further group action, and the fact that they were fired as a batch tended to show that the employer knew the activity was concerted. This was thus an unfair labor practice.

If anything, the fact that the communications were on Facebook — during non-work hours and on the employees’ own computers — fortified the claim that the termination was improper. An employer can argue that employee misconduct during the course of otherwise protected activity can be “so opprobrious as to lose protection.” Among the factors the NLRB is to consider in this “opprobriousness” test is the place of the discussion. The communications on Facebook, although maybe not good for the employer’s PR, were separate from work hours and facilities, so as to help disqualify them from being “misconduct.”

Wikileaks, decentralized distribution, and the lack of meaningful remedies for unauthorized disclosure

Apart from the difficult question of liability — that is, whether Julian Assange should hang for his actions — the decentralized nature of the distribution methods of Wikileaks content gives us a meaningful opportunity to consider the remedies that should be imposed upon an actor like Wikileaks in those cases in which liability should attach. To do this we can set aside for the time being the more essential question of whether Wikileaks is good or bad. (I have come to think that question may be about as answerable as whether God exists or whether abortion is right.)

It is erroneous to think that Wikileaks should be less culpable merely because it does not have the capacity to be blocked. Wikileaks is not just a website with documents hosted on one server. More cleverly, Wikileaks made its content available via the BitTorrent protocol, which ensures that the information is as widely distributed as possible given today’s reasonably available technology. Attempts to completely block the content would be futile, because so many computers on the network that contain the distributed files (millions?) can work together to ensure that the content remains available.

By seeing to it that the content was available via BitTorrent, Wikileaks knowingly facilitated the decentralized distribution. To say that Wikileaks is not an evildoer because it is without power to undo the harm it caused is an exemplar of the principle behind the old saying that a defendant accused of killing his parents should not be shown leniency because he is now an orphan.

The real relevance of the decentralized distribution and unable-to-block-ness of Wikileaks lies in measuring the culpability for the original act of releasing the information. Here is the central thesis: to the extent generally available methods of information distribution like BitTorrent become further decentralized, the potential for that distribution to have effect becomes correspondingly greater.

Whether this correlation (i.e., greater effect potential in proportion to extent of decentralization) is good or bad depends on the nature of the information being distributed. Obviously, when the released information is harmful, the effect will be bad, and vice versa. A really, really decentralized release of information that, like Wikileaks content, cannot be blocked, and which has a harmful effect from being disclosed, causes harm which truly is irreparable. Deleting, returning, or blocking further distribution of the information is impossible.

So what is to be done when harmful information is released in an ultra-distributed, unblockable way? Money damages will rarely do the trick. But what kind of equitable remedy will work? No type of injunction will have any effect in reducing the amount of information that has escaped into the wild, never to be redomesticated in even the slightest sense (since its perpetual propagation is assured through technologies like BitTorrent). How can we meaningfully deal with this problem uniquely occasioned by the digital age? What do you suggest?