Apple’s civil hacking lawsuit against software maker moves forward

Apple sued defendant NSO, accusing it of, among other things, violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). The case dealt with NSO’s creation and distribution of “Pegasus,” a piece of software Apple claimed was capable of covertly extracting information from virtually any mobile device.

Apple alleged NSO fabricated Apple IDs to gain access to Apple’s servers and launch attacks on consumer devices through an exploit known as “FORCEDENTRY.” Characterized as a “zero-click” attack, the exploit allowed NSO or its clients to infiltrate devices without the device owners’ knowledge or action. The repercussions for Apple were significant, as the company reportedly faced considerable expenses and damages in its efforts to counteract NSO’s activities. These efforts included the development and deployment of security measures and patches, as well as increased legal exposure.

Defendant moved to dismiss the claims. The court denied the motion.

In finding that Apple had properly pled the CFAA claim, the court noted that Apple’s allegations aligned with the anti-hacking intent of the CFAA. Despite NSO’s contention that the devices in question were not owned by Apple and thus not protected under the CFAA, the court observed that Apple’s claims extended to the exploitation of its own servers and services, fitting within the statute’s scope.

Apple Inc. v. NSO Group Technologies Ltd., 2024 WL 251448 (N.D. Cal. January 23, 2024)

Can one be liable for hacking by depositing fake checks into an ATM?

If a person uses an ATM to deposit fraudulent checks, is the person liable for computer fraud? A recent criminal case answers that question, at least as far as Virginia state law would address the situation.

Depositing checks

Defendant deposited four checks at an ATM. These checks were later identified as forgeries or linked to a closed account, leading to the bank losing around $937. Security footage confirmed defendant’s involvement. During subsequent police interrogation, defendant acknowledged depositing the checks but denied knowing the man on whose account they were drawn, or the checks’ origins. At trial, she claimed her stepfather had given them to her, and that she believed he had earned them from construction work. Her mother supported this claim. The man on whose account the checks were drawn denied writing the checks, suspecting they were stolen from his truck.

Convicted for computer fraud, but…

At trial, defendant was convicted of multiple offenses, including uttering forged checks, obtaining money by false pretenses, computer fraud (under Virginia Code § 18.2-152.3), and failure to appear, resulting in a lengthy prison sentence. On appeal, a three-judge panel reversed her conviction for computer fraud, finding the evidence insufficient to show that she acted “without authority” in using the ATM to deposit the checks.

The full appellate court agreed with the panel

The Commonwealth asked the court to reconsider the question en banc (i.e., with the full court rather than just the three-judge panel). The full court likewise determined that the conviction for computer fraud should be reversed.

The court held that the term “without authority” in the statute specifically pertained to the use of a computer or network, not necessarily the intent or outcome of such use. It concluded that defendant, as a bank customer, had the right to use the ATM. Her actions, albeit for fraudulent purposes, did not equate to using the ATM without authority. Accordingly, the court reversed her conviction for computer fraud, differentiating between the unlawful purpose of an action and the unauthorized use of a computer or network as defined by the statute.

Wallace v. Commonwealth, — S.E.2d —, 2024 WL 236297 (Ct. App. Va., January 23, 2024)

Court dismisses hacking claim in fraudulent refund case

Plaintiff is a lawyer who represented defendant in defendant’s divorce proceedings. During those proceedings, defendant terminated the representation and clawed back money he had paid plaintiff, which plaintiff claimed was properly paid. Plaintiff alleged this was a fraudulent act that resulted in a violation of the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.

Plaintiff sued under the CFAA. Defendant moved to dismiss the claim. The court granted the motion.

The CFAA is the federal “anti-hacking” statute. Among other things, it creates criminal and civil liability for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

The court held that plaintiff’s complaint did not plausibly allege facts showing that in his attempt to get the credit card company and bank to return the money he previously paid to plaintiff, defendant accessed a protected computer without authorization or while exceeding his authorized access in violation of the statute.

It found that plaintiff accused defendant of filing fraudulent complaints and refund requests with Chase Bank and American Express through their websites. But there were no allegations that he did anything other than access publicly available websites. In line with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), this did not constitute “access without authorization,” since no special permission was needed to access those areas. Using the language of hiQ, the court noted that publicly available webpages have “erected no gates to lift or lower in the first place.”

Even if defendant had used password-protected sections, the court found there were no assertions that defendant did so without authorization or exceeded his authorized access, such as using false credentials or accessing restricted information.

The court also examined plaintiff’s allegations that defendant violated AmEx’s terms of service by using the website for fraudulent purposes. It found that these allegations alone did not establish liability under the CFAA. Since there were no facts indicating that defendant’s actions were analogous to computer misconduct like “breaking and entering,” which the CFAA aims to combat, the court granted the motion to dismiss.

Watters v. Breja, 2024 WL 201356 (N.D. Cal. January 18, 2024)


Is it unlawful to access someone else’s Google Drive content that is not password protected?

Plaintiff set up a Google Drive so that he could collect photos and other content related to a local school board controversy. He thought it was private, but it was actually configured so that anyone using the URL could access the content. After the local controversy escalated, plaintiff’s son emailed some photos to an opponent, and one of those photos contained the Google Drive’s URL. That photo made its way into the hands of defendant, who, using the URL, allegedly reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.

So plaintiff sued under the Computer Fraud and Abuse Act, 18 U.S.C. §1030, (the “CFAA”). Defendant moved to dismiss, arguing, among other things, that plaintiff had failed to adequately plead that defendant’s access to the Google Drive was without authorization.

Defendant had argued that her access using the URL could not be considered unauthorized under the CFAA, in accordance with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022). In that case, the Ninth Circuit reasoned that “the prohibition on unauthorized access is properly understood to apply only to private information – information delineated as private through use of a permission requirement of some sort.” Thus, for a website to fall under CFAA protections, it must have erected “limitations on access.” And if “anyone with a browser” could access the website, it had no limitations on access.

In this case, defendant merely used her web browser and the URL she had obtained to access plaintiff’s Google Drive. The drive was not password protected. And plaintiff had, though inadvertently, enabled the setting that allowed anyone with the URL to access the drive’s contents.

But in the court’s view, the Google Drive nonetheless had limitations on access that made defendant’s access unauthorized. The court distinguished the situation from one in which just “anyone with a web browser” might reach the content, for example via a web search. One needed to enter a 68-character URL to access the content, and the content was not indexed by any search engine. In effect, the long, unindexed URL functioned as the access limitation, even though anyone who obtained it could use it. So the Google Drive was not “per se” public, and defendant’s access, as plaintiff had pled it, was not authorized.

Greenburg v. Wray, 2022 WL 2176499 (D. Ariz., June 16, 2022)

Can you violate the CFAA by deleting data on your own computer?

The Computer Fraud and Abuse Act (CFAA) has a provision that makes it unlawful to “knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” Can a person violate that provision of the CFAA by deleting data on his or her own computer? A recent federal case answered that question.

Plaintiff sued its former chief technology officer under the CFAA after it learned that the former executive had wiped the hard drive of the personal laptop he had used for company business. Defendant moved to dismiss, arguing primarily that the purpose of the CFAA is to target hackers. He also argued that there is a circuit split over what it means for an employee to access a computer without authorization or in excess of authorization.

The court denied the motion to dismiss. It acknowledged there is a circuit split on what it means for an employee to access a computer without authorization or in excess of authorization. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) exemplify this split. But the court noted that this case did not present the question of authorization to access a computer. Instead, the relevant CFAA provision discusses unauthorized damage.

Looking at the plain language of the CFAA, the court found no basis to dismiss the complaint. So the court in effect said that a person can violate this provision of the CFAA by deleting data on his or her own computer. Whether the particular defendant in this case actually did so is a factual question to be resolved as the case proceeds.

New Touch Digital Inc. v. Cabral, 2020 WL 5946067 (D.D.C. October 7, 2020)

Damages available under Computer Fraud and Abuse Act, even though no “interruption of service”

About the author:

Evan Brown is a technology and intellectual property attorney in Chicago. This content originally appeared on evan.law.

Case shows the surprising narrowness of a key hacking statute definition

Plaintiff sued defendant for violation of the Computer Fraud and Abuse Act (“CFAA”). For almost 20 years, defendant had worked for a company that developed plaintiff’s proprietary software system. In this capacity, defendant had access to plaintiff’s customer database, accounting system and other confidential information. After leaving the work he was performing for plaintiff, defendant founded his own competing venture. 

Defendant moved to dismiss the CFAA claim. The court granted the motion to dismiss. The court held that defendant did not exceed the scope of his authorized access by accessing certain of plaintiff’s documents, files or drives for the benefit of his own venture. Citing United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the court observed that the Ninth Circuit has defined “exceeds authorized access” narrowly to include only someone who is authorized to access only certain data or files but accesses unauthorized data or files – or to put it simply: hacking. 

In this case, defendant was authorized to access plaintiff’s systems by virtue of the work he was hired to do in connection with plaintiff’s proprietary software systems. Plaintiff had attempted to draw a distinction between the work defendant was doing for his former employer and the actions he was undertaking to benefit his new venture (even though those actions were one and the same conduct). The court rejected this reasoning: “[E]ven if defendant accessed [plaintiff’s] information for the eventual benefit of [defendant’s new venture], that does not mean he could not have also accessed it for [his former employer’s] authorized purpose of building software.”

It is worth noting that the contours of “exceeding authorized access” under the CFAA give rise to a circuit split. It is fruitful to consider whether the outcome of this case may have been different, for example, in the Seventh Circuit, under the doctrines set out in Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006).

Regal West Corporation v. Nguyen, No. 19-5374, 2019 WL 4748393 (W.D. Wash. September 30, 2019)

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Facebook wins against alleged advertising fraudster

Defendant set up more than 70 bogus Facebook accounts and impersonated online advertising companies (including by sending Facebook falsified bank records) to obtain an advertising credit line from Facebook. He ran more than $340,000 worth of ads for which he never paid. Facebook sued, among other things, for breach of contract, fraud, and violation of the Computer Fraud and Abuse Act (CFAA). Despite the court giving defendant several opportunities to be heard, defendant failed to answer the claims and the court entered a default.

The court found that Facebook had successfully pled a CFAA claim. After Facebook implemented technological measures to block defendant’s access, and after it sent him two cease-and-desist letters, defendant continued to intentionally access Facebook’s “computers and servers to obtain account credentials, Facebook credit lines, Facebook ads, and other information.” The court entered an injunction against defendant accessing or using any Facebook website or service in the future, and set the matter over for Facebook to prove up its $340,000 in damages. It also notified the U.S. Attorney’s Office.

Facebook, Inc. v. Grunin, 2015 WL 124781 (N.D. Cal. January 8, 2015)

Computer Fraud and Abuse Act claim dismissed where plaintiff failed to adequately plead loss or damage

Cost of investigating scope of information loss was not a “damage assessment” as contemplated by the CFAA.

Plaintiff sued defendant (a former employee) under the Computer Fraud and Abuse Act (“CFAA”) alleging that defendant intentionally and without authorization accessed plaintiff’s computers, intranet, and email system and sent plaintiff’s confidential customer information to his personal email account. Defendant allegedly used this information when he went to work for a competitor. Plaintiff also alleged that defendant attempted to conceal his actions by deleting the outgoing messages from the work email account.

Defendant moved to dismiss for failure to state a claim. The court granted the motion as to the CFAA claim.

The court found that plaintiff did not (and could not) claim defendant’s conduct caused “damage” within the meaning of the CFAA, because plaintiff did not allege any data were lost or impaired.

On the question of “loss” under the CFAA, the court found that plaintiff failed to allege any facts connecting its purported loss to an interruption of service, loss of data, or even a suspected loss of service or data. Although plaintiff attributed certain losses to “damage assessment and mitigation,” the court found it clear from the complaint that plaintiff’s “damage assessment” efforts were aimed at determining the scope of information defendant emailed to himself and disclosed to his new employer. Plaintiff did not allege it ever lost access to any of the information contained in defendant’s emails, notwithstanding defendant’s attempt to conceal his conduct by deleting the emails.

The court observed:

To be sure, assessing the extent of information illegally copied by an employee is a prudent business decision. But the cost of such an investigation is not “reasonably incurred in responding to an alleged CFAA offense,” because the disclosure of trade secrets, unlike destruction of data, is not a CFAA offense.

Accordingly, in this situation, the costs of investigating defendant’s conduct were not “losses” compensable under the CFAA.

SBS Worldwide, Inc. v. Potts, 2014 WL 499001 (N.D.Ill. February 7, 2014)

Using new employer’s credentials to copy former employer’s technology did not violate Computer Fraud and Abuse Act

This case arose from some rather complex but interesting facts:

Defendant resigned from his job with an IT consulting firm. One of the firm’s customers hired defendant as an employee. Before the customer/new employer terminated the agreement with the IT consulting firm/former employer, defendant used the customer/new employer’s credentials to access and copy some scripts from the system. (Having the new employee and the scripts eliminated the need to keep the consulting firm retained.) The firm/former employer sued under the Computer Fraud and Abuse Act. Defendants (the customer and its new employee) moved to dismiss for failure to state a claim. The court granted the motion.

It held that the complaint failed to allege “unauthorized access” within the Ninth Circuit’s interpretation of the CFAA.

The court looked to the Ninth Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which provides that to access a protected computer “without authorization” is to do so “without any permission at all,” and that to “exceed authorized access” is to “access information on the computer that the person is not entitled to access.” And it looked to the more recent case of U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), which teaches that an individual does not “exceed authorized access” simply by misusing information that he or she was entitled to view for some other purpose. Under Nosal, the CFAA regulates access to data, not its use by those entitled to access it.

In this case, the court found that the complaint did not allege that defendants were unauthorized to access the scripts in question. In fact, the Statement of Work that the court reviewed specifically granted defendant’s employer and its representatives (including defendant) “sudo access” to “non-shell root commands” that included the scripts at issue.

Plaintiff argued that the access was unauthorized because it had repeatedly refused to grant defendant or his employer the authority to write or edit those scripts. But the court found that argument to address the misuse of the scripts, not unauthorized access. Under Nosal this conduct did not run afoul of the CFAA. So because the complaint failed to allege that defendant and his new employer had no access rights to the scripts, and because the documents upon which plaintiff relied revealed that defendants had certain access rights, the court dismissed the CFAA claim.

Enki Corporation v. Freedman, 2014 WL 261798 (N.D.Cal. January 23, 2014)
