Apple’s civil hacking lawsuit against software maker moves forward

Apple sued defendant NSO, accusing it of, among other things, violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). The case dealt with NSO’s creation and distribution of “Pegasus,” a piece of software Apple claimed was capable of covertly extracting information from virtually any mobile device.

Apple alleged NSO fabricated Apple IDs to gain access to Apple’s servers and launch attacks on consumer devices through a method known as “FORCEDENTRY.” This exploit, characterized as a “zero-click” attack, allowed NSO or its clients to infiltrate devices without the device owners’ knowledge or action. The repercussions for Apple were significant, as the company reportedly faced considerable expenses and damages in its efforts to counteract NSO’s activities. These efforts included the development and deployment of security measures and patches, as well as increased legal exposure.

Defendant moved to dismiss the claims. The court denied the motion.

In finding that Apple had properly pled the CFAA claim, the court noted that Apple’s allegations aligned with the anti-hacking intent of the CFAA. Despite NSO’s contention that the devices in question were not owned by Apple and thus not protected under the CFAA, the court observed that Apple’s claims extended to the exploitation of its own servers and services, fitting within the statute’s scope.

Apple Inc. v. NSO Group Technologies Ltd., 2024 WL 251448 (N.D. Cal. January 23, 2024)

Can one be liable for hacking by depositing fake checks into an ATM?

If a person uses an ATM to deposit fraudulent checks, is the person liable for computer fraud? A recent criminal case answers that question, at least as far as Virginia state law would address the situation.

Depositing checks

Defendant deposited four checks at an ATM. These checks were later identified as forgeries or linked to a closed account, leading to the bank losing around $937. Security footage confirmed defendant’s involvement. During subsequent police interrogation, defendant acknowledged depositing the checks but denied knowing the man on whose account they were drawn, or the checks’ origins. At trial, she claimed her stepfather had given them to her, and that she believed he had earned them from construction work. Her mother supported this claim. The man on whose account the checks were drawn denied writing the checks, suspecting they were stolen from his truck.

Convicted for computer fraud, but…

At trial, defendant was convicted of multiple offenses, including uttering forged checks, obtaining money by false pretenses, computer fraud (under Virginia Code § 18.2-152.3), and failure to appear, resulting in a lengthy prison sentence. On appeal, a three-judge panel reversed her conviction for computer fraud, finding the evidence insufficient to show that she acted “without authority” in using the ATM to deposit the checks.

The appellate court saw it differently

The government asked the court to reconsider the question en banc (i.e., with the full court, not just the three-judge panel). The full court likewise determined the conviction for computer fraud should be reversed.

The court held that the term “without authority” in the statute specifically pertained to the use of a computer or network, not necessarily the intent or outcome of such use. It concluded that defendant, as a bank customer, had the right to use the ATM. Her actions, albeit for fraudulent purposes, did not equate to using the ATM without authority. Accordingly, the court reversed her conviction for computer fraud, differentiating between the unlawful purpose of an action and the unauthorized use of a computer or network as defined by the statute.

Wallace v. Commonwealth, — S.E.2d —, 2024 WL 236297 (Ct. App. Va., January 23, 2024)

Court dismisses hacking claim in fraudulent refund case

Plaintiff is a lawyer who represented defendant in defendant’s divorce proceedings. During those proceedings, defendant terminated the representation and clawed back money he had paid plaintiff, which plaintiff claimed was properly paid. Plaintiff alleged this was a fraudulent act that resulted in a violation of the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.

Plaintiff sued under the CFAA. Defendant moved to dismiss the claim. The court granted the motion.

The CFAA is the federal “anti-hacking” statute. Among other things, it creates criminal and civil liability for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

The court held that plaintiff’s complaint did not plausibly allege facts showing that in his attempt to get the credit card company and bank to return the money he previously paid to plaintiff, defendant accessed a protected computer without authorization or while exceeding his authorized access in violation of the statute.

It found that plaintiff accused defendant of filing fraudulent complaints and refund requests with Chase Bank and American Express through their websites. However, there were no allegations that he did anything other than access publicly available websites. In line with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), this did not constitute “access without authorization,” since no special permission was needed to access these areas. Using the language of hiQ, the court noted that publicly available webpages have “erected no gates to lift or lower in the first place.”

Even if defendant had used password-protected sections, the court found there were no assertions that defendant did so without authorization or exceeded his authorized access, such as using false credentials or accessing restricted information.

The court also examined plaintiff’s allegations that defendant violated AmEx’s terms of service by using the website for fraudulent purposes. It found that these allegations alone did not establish liability under the CFAA. Since there were no facts indicating that defendant’s actions were analogous to computer misconduct like “breaking and entering,” which the CFAA aims to combat, the court granted the motion to dismiss.

Watters v. Breja, 2024 WL 201356 (N.D. Cal. January 18, 2024)

Microsoft Edge privacy case dismissed for lack of standing

A legal dispute involving Microsoft recently concluded with the dismissal of a class-action lawsuit. Plaintiffs had accused Microsoft of unauthorized data collection through its Edge browser, alleging violation of privacy laws. The court, however, ruled in favor of Microsoft, citing the plaintiffs’ lack of standing under Article III of the Constitution.

The Allegations Against Microsoft

The lawsuit centered on the claim that Microsoft Edge intercepted and sent private user data, including activities in “private” browsing mode, to Microsoft-controlled servers. This data, linked to unique user identifiers, allegedly allowed Microsoft to track users’ internet habits. Plaintiffs argued this was done without consent, breaching the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and various state laws, and claimed economic injury due to these practices.

Microsoft’s Challenge and the Court’s Decision

Microsoft moved to dismiss the lawsuit, arguing plaintiffs lacked the necessary standing under Article III of the U.S. Constitution. The court agreed, determining the plaintiffs did not meet the required standing criteria.

The core issue was whether the plaintiffs had standing, a fundamental requirement for a case to be heard in a federal court. The Constitution requires an actual “case or controversy” for federal courts’ involvement. The court examined whether plaintiffs demonstrated (1) an injury in fact, (2) causation, and (3) a potential remedy through court action.

The 2021 Supreme Court ruling in TransUnion LLC v. Ramirez was key to the outcome in this case. This ruling stressed that not every violation of a statutory right leads to a concrete harm that warrants a federal lawsuit. This court, agreeing with Microsoft, found that the data identified in the complaint was not traditionally considered private. It determined that the collection of browsing data did not closely relate to a harm traditionally actionable in court. The court pointed out that data like browsing history and keystrokes do not carry a reasonable expectation of privacy.

Final Outcome

So the court found that the plaintiffs failed to allege a concrete privacy injury that would fulfill the requirements for Article III standing. The dismissal of this lawsuit highlights the complex challenges in digital privacy litigation and the difficulty plaintiffs face in proving standing in privacy-related legal actions.

Saeedy v. Microsoft Corporation, 2023 WL 8828852 (W.D. Washington, December 21, 2023)

See also: Reading a non-friend’s comment on Facebook wall was not a privacy invasion

Is it unlawful to access someone else’s Google Drive content that is not password protected?

Plaintiff set up a Google Drive so that he could collect photos and other content related to a local school board controversy. He thought it was private, but it was actually configured so that anyone using the URL could access the content. After the local controversy escalated, plaintiff’s son emailed some photos to an opponent, and one of those photos contained the Google Drive’s URL. That photo made its way into the hands of defendant, who, using the URL, allegedly reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.

So plaintiff sued under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). Defendant moved to dismiss, arguing, among other things, that plaintiff had failed to adequately plead that defendant’s access to the Google Drive was without authorization.

Defendant had argued that her access using the URL could not be considered unauthorized under the CFAA, in accordance with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022). In that case, the Ninth Circuit reasoned that “the prohibition on unauthorized access is properly understood to apply only to private information – information delineated as private through use of a permission requirement of some sort.” Thus, for a website to fall under CFAA protections, it must have erected “limitations on access.” And if “anyone with a browser” could access the website, it had no limitations on access.

In this case, defendant merely used her web browser and the URL she obtained to access plaintiff’s Google Drive. The relevant portion of the Google Drive was not password protected. And plaintiff had – though inadvertently – enabled the setting that allowed anyone with the URL to access the drive’s contents.

But in the court’s view, the Google Drive nonetheless had limitations that made defendant’s access unauthorized. The court differentiated the situation from one in which just “anyone with a web browser” might access the content, for example, via a web search. One needed to enter a 68-character URL to access the content. And the content was not indexed by any search engines. So the Google Drive was not “per se” public. And defendant’s access – as plaintiff had pled it – was not authorized.

Greenburg v. Wray, 2022 WL 2176499 (D. Ariz., June 16, 2022)

Court refuses to enjoin use of fake accounts to access DRM-protected information

Plaintiff manufacturer of medical equipment sued a company that services such equipment for hospitals and clinics. Plaintiff claimed, among other things, that defendant violated the Computer Fraud and Abuse Act and the anticircumvention provisions of the Digital Millennium Copyright Act by using fake accounts to access proprietary documents, information and software that plaintiff had protected with digital rights management (DRM) technology.

The court denied plaintiff’s motion for preliminary injunction – which sought to bar defendant from accessing the computer systems or circumventing the DRM. It held that plaintiff had not met an essential element required for injunctive relief, namely, that plaintiff would suffer irreparable harm if the injunction was not granted.

There were two main reasons for the court’s decision. First, the court found that the assertions of irreparable harm were mere conclusions not supported by concrete facts. Second, the court found that the obligations on the defendant imposed by the contracts it had with its hospital and clinic customers would constrain defendant from engaging in the harmful activity that plaintiff sought to stop. For example, plaintiff claimed that defendant would access patient data without authorization. But the court noted that defendant was bound by confidentiality agreements and the obligation to abide by applicable data protection law. And plaintiff was worried that continued unauthorized access would increase the chances that defendant would modify the equipment. But again, the court looked to the contracts between defendant and its customers, which obligated defendant to properly maintain the equipment (thus removing any incentive to do what plaintiff was seeking to prevent).

Philips North America LLC v. Advanced Imaging Services, Inc., 2021 WL 6052285 (E.D. Cal., December 21, 2021)

Can you violate the CFAA by deleting data on your own computer?

The Computer Fraud and Abuse Act (CFAA) has a provision that makes it unlawful to “knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” Can a person violate that provision of the CFAA by deleting data on his or her own computer? A recent federal case answered that question.

Plaintiff sued its former chief technology officer under the CFAA after it learned that the former executive wiped the hard drive of his personal laptop he had used for company business. Defendant moved to dismiss, arguing primarily that the purpose of the CFAA is to target hackers. And he argued that there is a circuit split over what it means for an employee to access a computer without authorization or in excess of authorization.

The court denied the motion to dismiss. It acknowledged there is a circuit split on what it means for an employee to access a computer without authorization or in excess of authorization. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) exemplify this split. But the court noted that this case did not present the question of authorization to access a computer. Instead, the relevant CFAA provision discusses unauthorized damage.

Looking at the plain language of the CFAA, the court found no basis to dismiss the complaint. So the court in effect said that a person can violate the CFAA by deleting data on his or her computer. The factual question of whether the particular defendant in this case did that will proceed to trial.

New Touch Digital Inc. v. Cabral, 2020 WL 5946067 (D.D.C. October 7, 2020)

See also: Damages available under Computer Fraud and Abuse Act, even though no “interruption of service”

About the author:

Evan Brown is a technology and intellectual property attorney in Chicago. This content originally appeared on evan.law.

Click fraud might violate CFAA

Click fraud is a problem in online advertising and in situations where companies and advertisers use publishers to promote their content. A federal court in Delaware recently addressed this problem.

Plaintiff job search engine sued one of its former “publishing partners” and its owners. Defendants sent out email messages with links to job search results. Plaintiff paid defendants on a “pay-per-click” basis – a certain amount each time someone clicked on one of the links.

The Alleged Click Fraud

Eventually plaintiff noted that “conversions” were low from defendants’ activities. That means there were a lot of clicks on links but not many actual job applicants. Plaintiff began to suspect defendants were artificially inflating the number of clicks – that is, committing click fraud. The contract between plaintiff and defendants prohibited this conduct.

After investigating, plaintiff learned one of its employees was allegedly working with defendants to engage in the click fraud scheme. Plaintiff sued defendants, asserting a number of claims, including one under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).

Defendants moved to dismiss. The court denied the motion.

CFAA and Click Fraud

The CFAA imposes liability when a plaintiff pleads and proves that a defendant:

  • has accessed a protected computer (defined in the statute);
  • did so without authorization or by exceeding such authorization as was granted;
  • has done so knowingly and with intent to defraud; and
  • as a result has furthered the intended fraud and obtained anything of value.

Defendants argued that CFAA liability should not apply because there were no allegations of “hacking” in this case. The court rejected that argument.

The court looked to the case of CollegeSource, Inc. v. AcademyOne, Inc., 597 F. App’x 116 (3d Cir. 2015) to hold that if a defendant accesses the plaintiff’s computers and uses information in violation of a contractual agreement with the plaintiff, that could be enough to impose CFAA liability. And the court believed that is essentially what is alleged to have happened in this case: that defendants violated the terms of contractual agreements with plaintiff by causing illegitimate clicks to be directed to plaintiff’s computer servers.

Juju, Inc. v. Native Media, LLC, 2020 WL 3208800 (D. Del., June 15, 2020)

See also: Facebook hacking that causes emotional distress – does the CFAA provide recovery?

Facebook hacking that causes emotional distress – does the CFAA provide recovery?

A recent federal case from Virginia provides information on the types of “losses” that are actionable under the federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”).

Underlying facts

Plaintiff worked as a campaign manager, communications director and private sector employee of a Virginia state legislator. While plaintiff was in the hospital, defendant allegedly, without authorization, accessed plaintiff’s Facebook, Gmail and Google Docs accounts, and tried to access her Wells Fargo online account.

Plaintiff’s lawsuit

Plaintiff sued, alleging a number of claims, among them a claim for violation of the CFAA. Defendant moved to dismiss. Although the court denied the motion to dismiss on other grounds, it held that plaintiff’s alleged emotional distress was not the type of “loss” that is actionable under the CFAA.

Loss under the CFAA

One can bring a civil action under the CFAA if the defendant’s alleged conduct involves certain factors. One of those factors, set out at 18 U.S.C. § 1030(c)(4)(A)(i)(II), provides recovery if there is “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals”.

Plaintiff alleged that defendant’s unauthorized access and attempted access to her accounts caused her to sustain a “loss” under this definition because it caused her to suffer emotional distress for which she needed to seek counseling.

The court disagreed with plaintiff’s assertions. Essentially, the court held, the modification or impairment of a plaintiff’s treatment must be based on an inability to access, or the use of, deleted or corrupted medical records. As an example (not in the court’s opinion, but offered by the author of this post), one might be able to state a claim if medical records were modified by a hacker to change prescription information. Further, the court held, to recover under the relevant provision of the CFAA, a defendant’s violation must modify or impair an individual’s medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care.

Hains v. Adams, 2019 WL 5929259 (E.D. Virginia, November 12, 2019)

Can a person bring a Computer Fraud and Abuse Act claim over unauthorized access to someone else’s computer?

Federal agents served a search warrant on plaintiff’s doctor’s office and thereby obtained access to plaintiff’s medical records, which were shared with a number of other parties involved in the criminal investigation of plaintiff’s doctor. Plaintiff sued under the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss that claim. The court granted the motion. The CFAA prohibits unauthorized access to a “protected computer”. In dismissing the case, the court found, among other things, that there were no specific allegations that defendants accessed plaintiff’s computer.

Micks-Harm v. Nichols, No. 18-12634, 2019 WL 4781342 (E.D. Michigan, September 30, 2019)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.