Category: Computer Crime

March 6, 2024 Computer Crime, Trade Secrets

Fifth Amendment did not save former employee from having to turn over his Gmail account

Gmail Fifth Amendment

Plaintiff biotech company sued a former employee for allegedly emailing proprietary information to his personal Gmail account and discussing employment with competitors. Plaintiff’s investigations revealed defendant had sent over a hundred emails with confidential data to his Gmail account, in violation of a confidentiality agreement defendant had signed when he was hired. Plaintiff sued defendant alleging misappropriation of trade secrets under both federal and state law. Plaintiff sought a temporary restraining order that required defendant to turn over his devices and online accounts for inspection. The court granted the motion.

Injunctive relief warranted

The court found that plaintiff had shown a reasonable probability of success in the litigation. It had successfully alleged ownership of trade secrets and had described specific instances (e.g., sending emails to a private Gmail account) that would be considered misappropriation.

Defendant could not be trusted

As for the likelihood of irreparable harm plaintiff would suffer if the injunction were not granted, the court considered plaintiff’s assertion that defendant “could not be trusted” based on his alleged conduct, and that plaintiff would suffer irreparable harm because of the continued presence of unsecured confidential information on defendant’s devices and accounts.

No Fifth Amendment Protection

Defendant argued under the “balancing of the equities” test that requiring him to turn over his devices and accounts would violate his Fifth Amendment rights against self-incrimination. The court rejected this argument, however, observing that in the course of plaintiff’s investigation of defendant’s conduct, defendant signed a document knowingly, intelligently and voluntarily, thereby admitting there was incriminating evidence to be found. Because of this, the court found defendant waived his Fifth Amendment rights.

 Injunction favored the public interest

The court also found that entry of the injunction requiring defendant to turn over the devices and accounts would benefit the public interest. It noted that there is a generalized public interest in upholding the inviolability of trade secrets and enforceability of confidentiality agreements. It mentioned the general interest in preserving Fifth Amendment rights but reiterated that in these circumstances, because of defendant’s waiver, the Fifth Amendment did not shield defendant.

Legend Biotech USA v. Liu, 2024 WL 919082 (D.N.J. March 4, 2024)

See also:

March 4, 2024 Computer Crime

Stealing data: Ninth Circuit examines whether cellular data can be subject to a conversion claim

data conversion

Plaintiffs sued Google alleging Google improperly used plaintiffs’ cellular data without consent, constituting conversion under California law. The lower court dismissed the case for failure to state a claim. Plaintiffs sought review with the Ninth Circuit. On appeal, the court reversed the lower court’s decision concerning the conversion claim, finding that cellular data is something that can be subject to conversion.

The court observed that a successful conversion plaintiff must plead and prove (1) ownership or rightful possession of property, (2) defendant’s use of the property in violation of plaintiff’s rights, and (3) resulting damages. The court found that plaintiffs satisfactorily established cellular data as a form of personal property subject to conversion, given its definable nature, potential for exclusive control, and plaintiffs’ legitimate expectations based on their data plans.

Moreover, the court concluded that plaintiffs’ allegations against Google meet the criteria for conversion, demonstrating unauthorized use of their cellular data that went against their property interests and resulted in quantifiable damages. By equating Google’s actions to a “forced sale” of plaintiffs’ data, the court underscored the tangible impact of intangible property loss.

Taylor v. Google, 2024 WL 837044 (9th Cir. February 28, 2024)

See also:

February 6, 2024 Computer Crime

Apple’s civil hacking lawsuit against software maker moves forward

apple hacking

Apple sued defendant NSO, accusing it of, among other things, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”), The case dealt with NSO’s creation and distribution of “Pegasus,” a piece of software Apple claimed was capable of covertly extracting information from virtually any mobile device.

Apple alleged NSO fabricated Apple IDs to gain access to Apple’s servers and launch attacks on consumer devices through a method known as “FORCEDENTRY.” This exploit, characterized as a “zero-click” attack, allowed NSO or its clients to infiltrate devices without the device owners’ knowledge or action. The repercussions for Apple were significant, as the company reportedly faced considerable expenses and damages in its efforts to counteract NSO’s activities. These efforts included the development and deployment of security measures and patches, as well as increased legal exposure.

Defendant moved to dismiss the claims. The court denied the motion.

In finding that Apple had properly pled the CFAA claim, the court noted that Apple’s allegations aligned with the anti-hacking intent of the CFAA. Despite NSO’s contention that the devices in question were not owned by Apple and thus not protected under the CFAA, the court observed that Apple’s claims extended to the exploitation of its own servers and services, fitting within the statute’s scope.

Apple Inc. v. NSO Group Technologies Ltd., 2024 WL 251448 (N.D. Cal. January 23, 2024)

 

January 27, 2024 Computer Crime

Can one be liable for hacking by depositing fake checks into an ATM?

ATM fraud

If a person uses an ATM to deposit fraudulent checks, is the person liable for computer fraud? A recent criminal case answers that question, at least as far as Virginia state law would address the situation.

Depositing checks

Defendant deposited four checks at an ATM. These checks were later identified as forgeries or linked to a closed account, leading to the bank losing around $937. Security footage confirmed defendant’s involvement. During subsequent police interrogation, defendant acknowledged depositing the checks but denied knowing the man on whose account they were drawn, or the checks’ origins. At trial, she claimed her stepfather had given them to her, and that she believed he had earned them from construction work. Her mother supported this claim. The man on whose account the checks were drawn denied writing the checks, suspecting they were stolen from his truck.

Convicted for computer fraud, but…

At trial, defendant was convicted of multiple offenses, including uttering forged checks, obtaining money by false pretenses, computer fraud (under Virginia Code § 18.2-152.3), and failure to appear, resulting in a lengthy prison sentence. On appeal, a three-judge panel reversed her conviction for computer fraud, finding the evidence insufficient to show that the she acted “without authority” in using the ATM do deposit the checks.

The appellate court saw it differently

The government asked the court to reconsider the question en banc (i.e., with the full court, not just the three judge panel). The full court likewise determined the conviction for computer fraud should be reversed.

The court held that the term “without authority” in the statute specifically pertained to the use of a computer or network, not necessarily the intent or outcome of such use. It concluded that defendant, as a bank customer, had the right to use the ATM. Her actions, albeit for fraudulent purposes, did not equate to using the ATM without authority. Accordingly, the court reversed her conviction for computer fraud, differentiating between the unlawful purpose of an action and the unauthorized use of a computer or network as defined by the statute.

Wallace v. Commonwealth, — S.E.2d —, 2024 WL 236297 (Ct. App. Va., January 23, 2024) [Link to Opinion]

See also:

January 20, 2024 Computer Crime

Court dismisses hacking claim in fraudulent refund case

hacking claim fraudulent

Plaintiff is a lawyer who represented defendant in defendant’s divorce proceedings. During those proceedings, defendant terminated the representation and clawed back money he had paid plaintiff, which plaintiff claimed was properly paid. Plaintiff alleged this was a fraudulent act that resulted in a violation of the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.

Plaintiff sued under the CFAA. Defendant moved to dismiss the claim. The court granted the motion.

The CFAA if the federal “anti-hacking” statute. It creates criminal and civil liability, among other things, for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

The court held that plaintiff’s complaint did not plausibly allege facts showing that in his attempt to get the credit card company and bank to return the money he previously paid to plaintiff, defendant accessed a protected computer without authorization or while exceeding his authorized access in violation of the statute.

If found that plaintiff accused defendant of filing fraudulent complaints and refund requests with Chase Bank and American Express through their websites. However, there were no allegations saying he did anything than access publicly available websites. In line with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), this did not constitute “access without authorization” since no special permission was needed to access these areas. Using the language of hiQ, it noted that publicly available webpages have “erected no gates to lift or lower in the first place”.

Even if defendant had used password-protected sections, the court found there were no assertions that defendant did so without authorization or exceeded his authorized access, such as using false credentials or accessing restricted information.

The court also examined plaintiff’s allegations that defendant violated AmEx’s terms of service by using the website for fraudulent purposes. It found that these allegations alone did not establish liability under the CFAA. Since there were no facts indicating that defendant’s actions were analogous to computer misconduct like “breaking and entering,” which the CFAA aims to combat, the court granted the motion to dismiss.

Watters v. Breja, 2024 WL 201356 (N.D. Cal. January 18, 2024)

See also:

 

July 25, 2023 Blockchain, Computer Crime

Hackers stole cryptocurrency but the insurance company did not have to pay

hackers cryptocurrency insurance

Insurance and loss

Plaintiffs had a homeowners insurance policy with defendant insurance company. The policy covered personal property owned or used by the plaintiffs with a maximum limit of $359,500 for direct physical loss due to certain perils, including theft. In June 2021, hackers accessed plaintiffs’ computer and stole crypto tokens from their crypto wallets on two blockchain networks, amounting to approximately $750,000. Plaintiffs reported the incident and filed an insurance claim with defendant. Defendant only paid $200 on the claim because of a special limit of liability found in the policy.

Thinking that to be a pretty insufficient payment for such a dramatic loss, plaintiffs sued, alleging breach of contract and unreasonable denial of coverage under a Minnesota statute. Defendant moved for judgment on the pleadings. (“Judgment on the pleadings” in US federal court refers to a ruling made by the court based solely on the parties’ written pleadings and documents, without the need for a trial, when there are no genuine issues of material fact in dispute.) The court granted the motion.

Not direct and physical

Defendant had argued that the theft of digital assets (crypto tokens) did not constitute a “direct physical loss” under the policy, and thus, the claim was not covered. The court analyzed the language of the insurance policy, stating that “direct physical loss” required a distinct, demonstrable, and physical alteration to the covered property. Since crypto tokens are purely digital and lack physicality, according to the court, they do not meet the requirements for “direct physical loss” under Minnesota law.

Plaintiffs claimed that the policy’s language was ambiguous, but the court rejected this argument, applying the ordinary meaning of “direct physical loss” as required by Minnesota law.

The court also addressed plaintiffs’ statutory claim for bad-faith denial of coverage under Minnesota Statute § 604.18. To succeed in this claim, plaintiffs needed to prove that defendant lacked a reasonable basis for denying coverage and acted in reckless disregard of this fact. But since defendant did not breach the policy, the court found that the bad-faith claim failed as well.

Rosenberg v. Homesite Insurance Agency, Inc., 2023 WL 4686412 (D. Minn., July 21, 2023)

From the archives: 

Exploiting blockchain software defect supports unjust enrichment claim

June 18, 2022 Computer Crime

Is it unlawful to access someone else’s Google Drive content that is not password protected?

Plaintiff set up a Google Drive so that he could collect photos and other content related to a local school board controversy. He thought it was private, but it was actually configured so that anyone using the URL could access the content. After the local controversy escalated, plaintiff’s son emailed some photos to an opponent, and one of those photos contained the Google Drive’s URL. That photo made its way into the hands of defendant, who, using the URL, allegedly reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.

Google Drive CFAA

So plaintiff sued under the Computer Fraud and Abuse Act, 18 U.S.C. §1030, (the “CFAA”). Defendant moved to dismiss, arguing, among other things, that plaintiff had failed to adequately plead that defendant’s access to the Google Drive was without authorization.

Defendant had argued that her access using the URL could not be considered unauthorized under the CFAA, in accordance with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022). In that case, the Ninth Circuit reasoned that “the prohibition on unauthorized access is properly understood to apply only to private information – information delineated as private through use of a permission requirement of some sort.” Thus, for a website to fall under CFAA protections, it must have erected “limitations on access.” And if “anyone with a browser” could access the website, it had no limitations on access.

In this case, defendant merely used her web browser and the URL she obtained to access plaintiff’s Google Drive. The portion of the Google Drive was not password protected. And plaintiff had – though inadvertently – enabled the setting that allowed anyone with the URL to access the drive’s contents.

But in the court’s view, the Google Drive nonetheless had limitations that made defendant’s access unauthorized. The court differentiated the situation from one in which just “anyone with a web browser” might access the content, for example, via a web search. One needed to enter a 68-character URL to access the content. And the content was not indexed by any search engines. So the Google Drive was not “per se” public. And defendant’s access – as plaintiff had pled it – was not authorized.

Greenburg v. Wray, 2022 WL 2176499 (D. Ariz., June 16, 2022)

See also:

January 20, 2022 Computer Crime, Privacy

Is Indiana’s revenge porn law constitutional?

revenge porn constitutional
Stained glass window at Pokagon State Park in Angola, Indiana, near where the underlying events in this case took place.

 

In 2019, Indiana joined a number of other states and enacted a statute that makes it a crime for a person to distribute an “intimate image” when he or she knows or reasonably should know that an individual depicted in the image does not consent to the distribution. In March 2020, defendant sent a video of himself receiving oral sex to his ex-girlfriend via Snapchat. After being charged under the statute, defendant moved to dismiss, arguing in part that the statute violates both the Indiana and U.S. constitutions. The trial court agreed and dismissed the case. But the state appealed to the Indiana Supreme Court.

What part of the Indiana constitution applied?

The court’s analysis under the Indiana constitution is particularly interesting. Indiana’s constitutional protection in this area reads quite a bit differently than the language of the First Amendment.

Article 1, Section 9 of the Indiana constitution reads as follows:

No law shall be passed, restraining the free interchange of thought and opinion, or restricting the right to speak, write, or print, freely, on any subject whatever: but for the abuse of that right, every person shall be responsible.

The court first had to evaluate whether videos – and in particular the video at issue – were covered by the applicable Indiana constitutional provision. “Our encounters with Article 1, Section 9 have always involved words, thus invoking the ‘right to speak’ clause.” The court held that the video content was protected under the “free interchange” clause of the state’s constitution. “We understand the free interchange clause to encompass the communication of any thought or opinion, on any topic, through ‘every conceivable mode of expression.’” And the court quickly ascertained that being prosecuted for the distribution of the video was a “direct and substantial burden” on defendant’s right to self-expression.

Abuse of rights?

But defendant’s expressive activity in this case – though within his right to free interchange as expressed in the constitution – was an abuse of that right. Looking through the lens of the natural rights philosophy that informed the drafting of the Indiana constitution, the court cited to previous authority (Whittington v. State, 669 N.E.2d 1363 (Ind. 1996)) that explained how “individuals possess ‘inalienable’ freedom to do as they will, but they have collectively delegated to government a quantum of that freedom in order to advance everyone’s ‘peace, safety, and well-being.'” Thus, the court observed that the purpose of state power is “to foster an atmosphere in which individuals can fully enjoy that measure of freedom they have not delegated to government.”

Citing to State v. Gerhardt, 145 Ind. 439 (Ind. 1896), the court evaluated how “[t]he State may exercise its police power to promote the health, safety, comfort, morals, and welfare of the public.” And citing to other authority, the court noted that “courts defer to legislative decisions about when to exercise the police power and typically require only that they be rational.” So the question became whether – approached from the standpoint of rationality – the statute’s restriction on the right to self-expression was appropriate to promote the health, safety, comfort, morals and welfare of the public.

Rationality favored public protection

“Under our rationality inquiry, we have no trouble concluding the impingement created by the statute is vastly outweighed by the public health, welfare, and safety served.” In reaching this conclusion, the court examined, among other things, the tremendous harms of revenge porn – including its connection to domestic violence and psychological injury. Accordingly, the court found the statute did not violate the Indiana constitution.

The court also found that the statute did not violate the First Amendment of the U.S. Constitution. It held that the statute is content-based and therefore subject to strict scrutiny. Even under this standard, the court found that it served a compelling government interest, and was narrowly tailored to achieve that compelling interest.

State v. Katz, 2022 WL 152487 (Ind., January 18, 2022)

See also:

January 12, 2022 Computer Crime, Section 230

Omegle protected by Section 230 against claims for child pornography, sex trafficking and related claims

Section 230 sex trafficking

Omegle is a notorious website where you can be randomly placed in a chat room (using video, audio and text) with strangers on the internet. Back in March 2020, 11-year-old C.H. was using Omegle and got paired with a pedophile who intimidated her into disrobing on camera while he captured video. When C.H.’s parents found out, they sued Omegle alleging a number of theories:

  • possession of child pornography in violation of 18 U.S.C. § 2252A;
  • violation of the Federal Trafficking Victims Protection Act, 18 U.S.C. §§ 1591 and 1595;
  • violation of the Video Privacy Protection Act, 18 U.S.C. § 2710;
  • intrusion upon seclusion;
  • negligence;
  • intentional infliction of emotional distress;
  • ratification/vicarious liability; and
  • public nuisance

The court granted Omegle’s motion to dismiss all eight claims, holding that each of the claims was barred by the immunity provided under 47 U.S.C. § 230. Citing to Doe v. Reddit, Inc., 2021 WL 5860904 (C.D. Cal. Oct. 7, 2021) and Roca Labs, Inc. v. Consumer Op. Corp., 140 F. Supp. 3d 1311 (M.D. Fla. 2015), the court observed that a defendant seeking to enjoy the immunity provided by Section 230 must establish that: (1) defendant is a service provider or user of an interactive computer service; (2) the causes of action treat defendant as a publisher or speaker of information; and (3) a different information content provider provided the information.

Omegle met Section 230’s definition of “interactive computer service”

The court found Omegle to be an interactive computer service provider because there were no factual allegations suggesting that Omegle authored, published or generated its own information to warrant classifying it as an information content provider. Nor were there any factual allegations that Omegle materially contributed to the unlawfulness of the content at issue by developing or augmenting it. Omegle users were not required to provide or verify user information before being placed in a chatroom with another user. And some users, such as hackers and “cappers”, could circumvent other users’ anonymity using the data they themselves collected from those other users.

Plaintiffs’ claims sought to treat Omegle as a publisher or speaker of information

The court found that each of the claims for possession of child pornography, sex trafficking, violation of the Video Privacy Protection Act, intrusion upon seclusion and intentional infliction of emotional distress sought redress for damages caused by the unknown pedophile’s conduct. Specifically, in the court’s view, no well-pleaded facts suggested that Omegle had actual knowledge of the sex trafficking venture involving C.H. or that Omegle had an active participation in the venture. As for the claims of intentional infliction of emotional distress, ratification/vicarious liability and public nuisance, the court similarly concluded that plaintiffs’ theories of liability were rooted in Omegle’s creation and maintenance of the site. The court observed that plaintiffs’ claims recognized the distinction between Omegle as an interactive computer service provider and its users, but nonetheless treated Omegle as the publisher responsible for the conduct at issue. The court found this was corroborated by the “ratification/vicarious liability” claim, in which plaintiffs maintained that child sex trafficking was so pervasive on and known to Omegle that it should have been vicariously liable for the damages caused by such criminal activity. And, in the court’s view, through the negligence and public nuisance claims, plaintiffs alleged that Omegle knew or should have known about the dangers that the platform posed to minor children, and that Omegle failed to ensure that minor children did not fall prey to child predators that may use the website.

The information at issue was provided by a third party

On this third element, the court found that Omegle merely provided the forum where harmful conduct took place. The content giving rise to the harm – the video and the intimidation – were undertaken by the unknown pedophile, not Omegle.

Special note: Section 230 and the sex trafficking claim

Section 230 (e)(5) limits an interactive computer service provider’s immunity in certain circumstances involving claims of sex trafficking. In this case, however, like the court did in the case of Doe v. Kik Interactive, Inc., 482 F. Supp. 3d 1242 (S.D. Fla. 2020), the court held that Omegle’s Section 230 immunity remained intact, because the plaintiffs’ allegations were premised upon general, constructive knowledge of past sex trafficking incidents. The complaint failed to sufficiently allege Omegle’s actual knowledge or overt participation in the underlying incidents between C.H. and the unknown pedophile.

M.H. and J.H. v. Omegle.com, LLC, 2022 WL 93575 (M.D. Fla. January 10, 2022)

January 5, 2022 Computer Crime, Contracts

Court refuses to enjoin use of fake accounts to access DRM-protected information

Plaintiff manufacturer of medical equipment sued a company that services such equipment for hospitals and clinics. Plaintiff claimed, among other things, that defendant violated the Computer Fraud and Abuse Act and the anticircumvention provisions of the Digital Millennium Copyright Act by using fake accounts to access proprietary documents, information and software that plaintiff had protected with digital rights management (DRM) technology.

The court denied plaintiff’s motion for preliminary injunction – which sought to bar defendant from accessing the computer systems or circumventing the DRM. It held that plaintiff had not met an essential element required for injunctive relief, namely, that plaintiff would suffer irreparable harm if the injunction was not granted.

There were two main reasons for the court’s decision. First, the court found that the assertions of irreparable harm were mere conclusions not supported by concrete facts. Second, the court found that the obligations on the defendant imposed by the contracts it had with its hospital and clinic customers would constrain defendant from engaging in the harmful activity that plaintiff sought to stop. For example, plaintiff claimed that defendant would access patient data without authorization. But the court noted that defendant was bound by confidentiality agreements and the obligation to abide by applicable data protection law. And plaintiff was worried that continued unauthorized access would increase the chances that defendant would modify the equipment. But again, the court looked to the contracts between defendant and its customers, which obligated defendant to properly maintain the equipment (thus removing any incentive to do what plaintiff was seeking to prevent).

Philips North America LLC v. Advanced Imaging Services, Inc., 2021 WL 6052285 (E.D. Cal., December 21, 2021)

Scroll to top