Tag: cfaa (page 3 of 4)

Lack of unauthorized access kills Computer Fraud and Abuse Act claim

Oce North America, Inc. v. MCS Services, Inc., No. 10-984, 2010 WL 3703277 (D.Md. September 16, 2010)

Plaintiff makes sophisticated commercial grade printers. It also produces complex software that is used to diagnose problems with the printers and to set the functionality of the machines.

A field engineer who used to work for plaintiff allegedly copied some of the software onto his laptop when he worked for plaintiff. Later he went to work for one of the defendant companies, a competitor to plaintiff that also services plaintiff’s machines. Other employees of the defendant allegedly used copies of the software to do their work for defendant.

Plaintiff sued for, among other things, violation of the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to protected computers. Defendants moved to dismiss. The court granted the motion.

The court held that plaintiff failed to allege that the field engineer’s access to the computer containing the software was unauthorized, because he accessed it and copied it to his laptop while he still worked for plaintiff. And that access was authorized.

As for the other defendants, the court held that the defendant company’s access to the software on the various laptops was not unauthorized. The critical point in this portion of the CFAA analysis was on whether access to the actual computer (not access to the software) was unauthorized. The defendant employees allowed access to the laptops onto which the diagnostic software was allegedly installed. So the CFAA claim failed on this basis.

Computer Fraud and Abuse Act, the Stored Communications Act, and unauthorized access

Monson v. The Whitby School, Inc., No. 09-1096, 2010 WL 3023873 (D.Conn. August 2, 2010)

Plaintiff Monson sued her former employer (a private school) for sex discrimination and related claims. The school filed counterclaims against Monson for, among other things, violation of (1) the Computer Fraud and Abuse Act (CFAA) and (2) the Stored Communications Act (SCA).

The counterclaims were based on allegations that Monson gained unauthorized access to the school’s email server to unlawfully view and delete email messages contained in the email accounts of other school employees. Upon learning of her impending termination, the school alleged, Monson used this unauthorized access to delete more than 1,500 email messages. Further, the school alleged that after Monson was terminated, she intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.

Monson moved to dismiss the counterclaims. The court denied the motion.

CFAA claim

Monson argued that the school had not adequately pled that her actions — accessing and deleting data and software — were unauthorized. The court rejected this argument, finding that while it may be implausible (a la Twombly and Iqbal) that Monson wasn’t authorized to access her own email account, there was no reason to find it implausible she was not authorized to access the email accounts of others.

SCA claim

The court dismissed the SCA claim for essentially the same reason. Monson had argued that the school’s “formulaic” statement that she had accessed the stored electronic communications were not pled with enough detail to state a claim. The court found that the allegations were sufficient.

Photo courtesy of Flickr user croncast under this Creative Commons license.

Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.

Email snooping can be intrusion upon seclusion

Analysis could also affect liability of enterprises using cloud computing technologies.

Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)

Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.

Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.

The defendant IT professional moved to dismiss the intrusion upon seclusion claim under Fed. R. Civ. P. 12(b)(6)(for failure to state a claim upon which relief can be granted). The court denied the motion.

The court looked to the case of Busse v. Motorola, Inc., 813 N.E.2d 1013 (Ill.App. 1st. Dist. 2004) for the elements of the tort of intrusion upon seclusion. These elements are:

  • defendant committed an unauthorized prying into the plaintiff’s seclusion;
  • the intrusion would be highly offensive to the reasonable person;
  • the matter intruded upon was private; and
  • the intrusion caused the plaintiff to suffer.

The defendant presented three arguments as to why the claim should fail, but the court rejected each of these. First, the defendant argued that the facts allegedly intruded upon were not inherently private facts such as plaintiff’s financial, medical or sexual life, or otherwise of an intimate personal nature. Whether the emails were actually private, the court held, was a matter of fact that could not be determined at the motion to dismiss stage. Plaintiff’s claim that emails from her constituents were private was not unreasonable.

The defendant next argued that Steinbach had not kept the facts in the email messages private. But the court soundly rejected this argument, stating that the defendant failed to explain how Steinbach displayed anything openly. Plaintiff asserted that she had an expectation of privacy in her email, and defendant cited no authority to the contrary.

Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication services intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.

The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer – as provider of the system – could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.

Email ribbon photo courtesy Flickr user Mzelle Biscotte under this Creative Commons License

What the Lori Drew acquittal should mean for service providers

You know the story of Lori Drew — the mom from Missouri who was accused of setting up a bogus MySpace profile impersonating an adolescent boy. Lori acted as this fake “Josh” to stir up romantic feelings in young Megan Meier who, after being dumped by “Josh,” took her own life.

A terrible thing of course. And someone needed blaming. So federal prosecutors chose to go after Lori Drew. The jury convicted her of violating the Computer Fraud and Abuse Act (the federal anti-hacking statute), but today the judge acquitted her. Seems like a good decision, as the theory on which the prosecution based its case — that Lori violated the site’s terms of service by saying she was someone other than she is and thereby exceeded her authority — was shaky at best. The big problem with that theory was that such a reading would make most of us criminals. I’m sure you don’t mean to tell me you’ve never signed up for an online service using something other than your real name or accurate contact information.

Most smart people can agree that the Computer Fraud and Abuse Act was not the right way to punish this “crime.” Various states have enacted legislation to handle cyberbullying and are already prosecuting people in state court. But the problem is not going to go away. People will still do foolish things on the internet.

And to the extent that foolishness is criminal, the individual should pay a criminal price. The individual.

Using the Computer Fraud and Abuse Act to go after this conduct put the contractual relationship between the end user and the provider (i.e., Lori Drew and MySpace) under the microscope where it did not belong. The court and jury had to scrutinize that contractual relationship and the resulting authority (or lack thereof). They had to do that because there was no other way the government was going to win a CFAA prosecution otherwise.

Focusing on that relationship in this context did not make sense. MySpace didn’t have anything to do with this other than being a passive intermediary. Why should the inquiry at trial have gone to those kinds of questions? Why should the intermediary have been bothered? It shouldn’t have.

The bad act was (I guess we have to again say “allegedly was” now that she’s been acquitted) between Lori Drew and Megan Meier. That’s the space where the factual focus and legal analysis belonged. Not in the legal relationship between Lori Drew and MySpace.

Now that we have a sensible legal outcome in this case, hopefully prosecutors will take some more principled approaches and leave the intermediaries out of it.

Unauthorized software downloads did not violate Computer Fraud and Abuse Act

Cassetica Software, Inc. v. Computer Sciences Corp, 2009 WL 1703015 (N.D.Ill. 2009)

Cassetica Software made an application available for download on the web and entered into a license agreement for that application with Computer Sciences Corporation (CSC). Cassetica alleged that CSC continued to download the application after the license agreement expired.

download

So Cassetica sued in federal court, alleging a number of causes of action, including violations of the Computer Fraud and Abuse Act, 18 USC 1030 et seq. (CFAA). CSC moved to dismiss pursuant to FRCP 12(b)(6) for failure to state a claim. The court granted the motion, finding that Cassetica did not plead either damage or loss as required by the CFAA.

What the CFAA requires

Interpreting the CFAA differently that at least one other judge in the Northern District of Illinois has (cf. Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008)), Judge Kendall held that Cassetica was required to plead either damage or loss as such terms are defined in the CFAA. (In Garelli Wong, the court held that both damage and loss must be pled.)

Under the CFAA, “damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

Insufficient damage allegations

The bare allegations of damage in the complaint were not enough. The court found that Cassetica did not allege any facts that would plausibly suggest that the software downloads — authorized or not — caused a diminution in the computers or usability of [Cassetica’s] computerized data.” The court went on to observe that “[c]ritically absent from the Complaint are allegations that CSC’s downloads resulted in lost data, the inability to offer downloads to its customers, or that the downloads affected the availability of the software.”

Insufficient loss allegations

Cassetica’s complaint also failed to plead loss. The allegations primarily dealt with the lost fees Cassetica would have received had the alleged unauthorized downloading not taken place. Because Cassetica did not allege that it lost revenues as a result of an interruption in service caused by CSC, its claim for lost revenue fell outside the CFAA’s definition of “loss.”

Download picture courtesy Flickr user soren_nb under this Creative Commons license.

No CFAA claim where no impairment of system or data

Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2008)

When defendants Pettit and Harper worked for plaintiff Andritz, Inc., they had company-issued laptops with which they accessed proprietary information. After defendants resigned, they allegedly took that proprietary information and gave it to defendant-competitor SMC.

Andritz sued in federal court, alleging violation of the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss for failure to state a claim. The court granted the motion.

The CFAA claim failed because the plaintiff did not allege the type of “loss” or “damage” required to sustain such a claim. The loss that plaintiff alleged was that defendants took proprietary information and used it to poach customers.

But the CFAA requires there be an impairment of the computer system or data accessed. Because the plaintiff “still had access to the data just as it had before [d]efendants’ actions,” there was no violation of the CFAA.

Similar cases: Sam’s Wines & Liquors, Inc. v. Hartig and Garelli Wong & Assoc. v. Nichols.

Laptop photo courtesy Flickr user maveric2003 via this Creative Commons license.

No damage under Computer Fraud and Abuse Act for merely copying customer list

Sam’s Wines & Liquors, Inc. v. Hartig, 2008 WL 4394962 (N.D.Ill. September 24, 2008)

Hartig worked for Sam’s Wines & Liquors and had access to a password-protected customer list. Hartig left Sam’s in June 2005 and went to work for Plinio Group. Some two and a half years after leaving Sam’s, Hartig sent an email to customers appearing on Sam’s list, soliciting business for Plinio.

Sam’s claimed that Hartig used his password to access and copy the customer list prior to the time he resigned. So Sam’s sued Hartig for a number of things, including violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030 et seq. Hartig moved to dismiss the CFAA claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court granted the motion.

Hartig put forth three arguments why the CFAA claim should be thrown out. First, he argued that Sam’s had not and could not adequately allege that Hartig accessed a protected computer without authorization, or that he exceeded his authorized access. Second, he argued that Sam’s had not and could not allege that it suffered “damage” under the CFAA from Hartig’s conduct. Finally, he argued that Sam’s had not and could not allege that it suffered “loss” under the CFAA from Hartig’s conduct.

The court held that Sam’s adequately pled unauthorized access to a protected computer (applying the agency principles Judge Posner set forth in Intl. Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006)). It also held that the expenses Sam’s incurred in responding to Hartig’s alleged conduct were properly pled as “loss” under the CFAA. But the claim failed on the damage element: merely accessing the information and allegedly using it while working for a competitor was not “impairment to the integrity or availability of data, a program, a system, or information.”

See Garelli Wong & Assoc., Inc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008) for a similar analysis.

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

CFAA requires intent to cause harm, not merely intent to transmit

Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008)

The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq. creates civil liability for anyone who “knowingly causes the transmissions of a program, information, code, or command, and as a result of such conduct intentionally causes damage without authorization, to a protected computer.” Does this mean that the defendant has to intend to cause harm, or does it simply mean that the defendant merely intended to cause the transmission? The U.S. District Court for the District of New Jersey chose the former in the recent case of Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008).

Plaintiff Kalow got hooked on the defendant’s software, which converted and stored plaintiff’s data in a proprietary format. In March 2006 the software stopped working because of a purported “time bomb” that defendant included in the application. To get the program working again, Kalow had to upgrade at a cost of over $15,000.

Kalow sued, and claimed, among other things, violation of the Computer Fraud and Abuse Act. The defendant moved to dismiss, and the court granted the motion with leave to amend.

In its complaint, Kalow had alleged that the defendant “intentionally transmitted a software code” to Kalow’s computer system and that the “software code [that defendant] intentionally transmitted to these computer systems caused damage to them.” The court found that these allegations were insufficient, as Kalow had not actually averred that defendant intended to cause harm.

The court rejected Kalow’s reliance on the case of Shaw v. Toshiba America Information Systems, Inc., 91 F.Supp.2d 926 (E.D.Tex.1999), concluding that the plaintiffs therein not only pled that the defendants knowingly had transmitted code, but that the defendants “knew [it] would cause the loss and corruption of data….” The court similarly rejected Kalow’s reliance on North Texas Preventive Imaging, LLC v. Eisenberg, No. 96-0071, 1996 U.S. Dist. LEXIS 19990, observing that the 1994 amendments to the CFAA embodied Congress’s aim to emphasize harmful intent and resultant harm rather than just unauthorized access.

« Older posts Newer posts »

© 2020 internetcases

Theme by Anders NorenUp ↑