Click fraud might violate CFAA

Click fraud is a problem in online advertising and in situations where companies and advertisers use publishers to promote their content. A federal court in Delaware recently addressed this problem. 

Plaintiff job search engine sued one of its former “publishing partners” and its owners. Defendants sent out email messages with links to job search results. Plaintiff paid defendants on a “pay-per-click” basis – a certain amount each time someone clicked on one of the links.

The Alleged Click Fraud

Eventually plaintiff noted that “conversions” were low from defendants’ activities. That means there were a lot of clicks on links but not many actual job applicants. Plaintiff began to suspect defendants were artificially inflating the number of clicks – that is, committing click fraud. The contract between plaintiff and defendants prohibited this conduct.

After investigating, plaintiff learned one of its employees was allegedly working with defendants to engage in the click fraud scheme. Plaintiff sued defendants, asserting a number of claims, including one under the federal Computer Fraud and Abuse Act, 18 USC 1030 (“CFAA”).

Defendants moved to dismiss. The court denied the motion.

CFAA and Click Fraud

The CFAA imposes liability when a plaintiff pleads and proves that a defendant:

  • has accessed a protected computer (defined in the statute);
  • did so without authorization or by exceeding such authorization as was granted;
  • has done so knowingly and with intent to defraud; and
  • as a result has furthered the intended fraud and obtained anything of value.

Defendant argued that CFAA liability should not apply because there were no allegations of “hacking” in this case. The court rejected that argument.

The court looked to the case of CollegeSource, Inc. v. AcademyOne, Inc., 597 F. App’x 116 (3d Cir. 2015) to hold that if a defendant accesses the plaintiff’s computers and uses information in violation of a contractual agreement with the plaintiff, that could be enough to impose CFAA liability. And the court believed that is essentially what is alleged to have happened in this case: that defendants violated the terms of contractual agreements with plaintiff by causing illegitimate clicks to be directed to plaintiff’s computer servers.

Juju, Inc. v. Native Media, LLC, 2020 WL 3208800 (D. Del., June 15, 2020)

See also: Facebook hacking that causes emotional distress – does the CFAA provide recovery?

Scroll to top