Hunter Moore arrest reveals a certain inconsistency about the Computer Fraud and Abuse Act

The feds arrested Hunter Moore and an alleged co-conspirator on Thursday for hacking into email accounts to get nude photos Moore published on isanyoneup.com. At the heart of the prosecution is the Computer Fraud and Abuse Act, the federal statute that makes it a crime (and in some circumstances, gives rise to civil liability) for accessing a computer without authorization.

Few will come to these guys’ defense in this situation. Moore’s conduct in publishing and promoting isanyoneup.com was reprobate, and if the allegations in this criminal action prove true, that backend nefariousness will simply multiply the reasons why Moore was known as the most hated man on the internet. And because of this disdain for Moore’s conduct, most of us are happy to see the CFAA used aggressively against him.

But that’s the same statute many blame for crushing Aaron Swartz. To the extent a reasonable person may feel ill-will against Hunter Moore, he or she may feel sympathy, indeed compassion, for Aaron Swartz having had the CFAA book thrown at him. Against Moore there’s a sense of justice, against Swartz, a palpable injustice.

Isn’t it a bit mysterious how the same conduct — granted, for way different purposes and under different circumstances — can elicit such contrasting emotions?

No Computer Fraud and Abuse Act violation for taking over former employee’s LinkedIn account

Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. October 4, 2012)

After plaintiff was fired as an executive, her former employer (using the password known by another employee) took over plaintiff’s LinkedIn account. It kept all of plaintiff’s contacts and recommendations but switched out plaintiff’s name and photo with those of the new CEO.

LinkedIn identity writ large

Plaintiff sued in federal court under the Computer Fraud and Abuse Act, the Lanham Act, and a slew of state law claims including identity theft, conversion and tortious interference. The former employer moved for summary judgment on the CFAA and Lanham Act claims. The court granted the motion, but continued to exercise supplemental jurisdiction over the state law claims.

On the CFAA claim, the court found that plaintiff failed to show how the taking over over her account gave rise to a cognizable loss under the CFAA. The kinds of losses she tried to prove, e.g., lost future business opportunities and professional reputation, did not pertain to any impairment or damage to a computer or computer system. Moreover, the court found, plaintiff failed to specify or quantify the damages she alleged.

As for the Lanham Act claim, the court found that there was no likelihood of confusion. It noted that “anyone who navigated to [plaintiff’s] LinkedIn account would be met with [the new CEO’s] name, photograph and new position.” Accordingly, there was no effort to “pass off” the new CEO as plaintiff or to otherwise suggest an endorsement or affiliation.

Though it dismissed all the federal claims, the court kept the pending state law claims. The matter had been before the court for over a year, the judge was familiar with the facts and the parties, and dismissing it so soon before trial would not have been fair.

Other coverage by Venkat.

Photo credit: Flickr user smi23le under this Creative Commons license.

Alleged voyeur boss cannot pursue Computer Fraud and Abuse Act claim

Bashaw v. Johnson, 2012 WL 1623483 (D.Kan. May 9, 2012)

Some employees filed suit after they learned that their boss — who required them to wear skirts to work — allegedly installed the Cam-u-flage video surveillance app on his iPhone and iPad to surreptitiously capture upskirt shots of plaintiffs at work.

The boss filed a counterclaim under the Computer Fraud and Abuse Act (CFAA), claiming that plaintiffs deleted data from his iDevices without authorization. Plaintiffs moved to dismiss this counterclaim. The court granted the motion.

The court held that the boss failed to allege the nature of his alleged damages within the meaning of the CFAA, and that he failed to sufficiently allege a qualified loss as defined by the statute.

As for damage, the court found that the mere allegation that data had been erased, without identifying which data, did not meet the plausibility requirement to survive a motion to dismiss. (Hmm. I wonder what data the plaintiff-employees would have wanted to delete?)

On the question of loss, the employer alleged that such calculation “would exceed” the CFAA threshold of $5,000. But he did not allege that he actually incurred losses in that amount. He did not mention any investigative or response costs, nor did he allege any lost revenues or other losses due to an interruption in service.

Photo credit: Magic Madzik

ISP’s alleged throttling of BitTorrent and Skype violates Computer Fraud and Abuse Act

Fink v. Time Warner Cable, 2011 WL 3962607 (S.D.N.Y. September 7, 2011)

Plaintiffs sued Time Warner (the provider of Road Runner High Speed Online internet access), alleging, among other things, that Time Warner’s alleged “throttling” of plaintiffs’ internet communications violated the Computer Fraud and Abuse Act, 18 USC 1030 (“CFAA”). Specifically, plaintiffs alleged that without their authorization, Time Warner sent forged reset packets which frustrated plaintiffs’ peer-to-peer communications (e.g., BitTorrent and other P2P mechanisms) as well as their use of Skype.

Time Warner moved to dismiss the CFAA claims. The court granted the motion as to claims that required plaintiffs to  plead “loss” as defined by the statute. As for those claims that required only allegations of “access” and “damage,” the court denied the motion to dismiss and let the case move forward.

Plaintiffs brought three claims under the CFAA, one under each of subparts (A), (B) and (C) of 18 USC 1030(a)(5). This part of the statute provides liability for anyone who:

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

No CFAA loss

The CFAA defines “loss” as “any reasonable cost to any victim, including the
cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In this case, plaintiffs alleged that the loss they suffered arose from their payments for high-speed internet services allegedly not received, costs to prevent Time Warner’s throttling practice and the costs of obtaining information elsewhere when they were unable to use their computers for file transfers and VoIP communications. Plaintiffs also pled losses relating to time and effort in assessing “damage” to each computer for which transmissions were interrupted. 

The court found these alleged losses to be outside the scope of those contemplated by the CFAA. Plaintiffs did not allege that they needed to restore data,a program, a system, or information to its condition prior to Time Warner’s conduct. The court held that Plaintiffs had failed to adequately plead this element of a CFAA claim. So it dismissed the claim plaintiffs had brought under 18 USC 1030(a)(5)(C).

“Damage” and “access” adequately pled

Plaintiffs’ failure to adequately plead loss was not the end of the case. Since subparts (A) and (B) of  18 USC 1030(a)(5) do not require one to plead “loss,” but do require pleading “damage” and “access,” the court turned its attention to see if those elements were adequately pled. It found that they were.

The CFAA defines “damage” as “any impairment to the integrity or availability of data, a system, or information.” Plaintiffs alleged that Time Warner impaired their ability to obtain data and utilize their computer systems by knowingly transmitting “reset packets to [their] computers with the intention of impeding or preventing [their] peer-to-peer transmissions” and that damage was caused because the reset packets “compromis[ed] the internal software of [their]computers and impair[ed] their ability to receive and transmit data.” The plaintiffs also alleged that the throttling process prevented data exchange and inhibited certain use of their computers. In addition, plaintiffs identified the specific types of information that had its availability “impeded” and identified a particular program, Skype, that was rendered unusable by the alleged throttling. 

As for “access,” the court looked to the plain meaning, dictionary definition of the word for guidance (since the term is not defined in the CFAA). Plaintiffs had alleged that Time Warner accessed their computers in violation of the statute by knowingly transmitting reset packets to plaintiff’s computers and otherwise accessed their computers to impede data receipt and transmission.” Giving the term “access” a broad meaning, the court found these allegations to satisfy the CFAA requirement.

Lost sales were not “loss” under the Computer Fraud and Abuse Act

CustomGuide v. CareerBuilder, LLC, 2011 WL 3809768 (N.D.Ill. August 24, 2011)

Plaintiff and defendant had discussed a licensing arrangement whereby defendant would provide certain of plaintiff’s materials online. The parties never entered into that agreement. But plaintiff claimed that defendant went ahead and accessed the materials stored on plaintiff’s computer system, and thereby caused plaintiff to miss out on certain sales in the business to business marketplace for the materials.

So plaintiff sued, alleging a variety of claims, including a claim under the Computer Fraud and Abuse Act. Defendant moved to dismiss. The court granted the motion.

The CFAA defines a “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).

The court looked to the case of Cassetica Software v. Computer Sciences Corp., 2009 WL 1703015, (N.D.Ill. June 18, 2009) which explained that “[w]ith respect to ‘loss’ under the CFAA, other courts have uniformly found that economic costs unrelated to computer systems do not fall within the statutory definition of the term.” Rather, the purported loss “must relate to the investigation or repair of a computer system following a violation that caused impairment or unavailability of data.” For these reasons, the court in Cassetica Software held that lost revenues that were not related to the impairment of a computer system were not recoverable under the CFAA.

In this case, the court found that plaintiff did not allege any facts connecting its purported “loss” to an interruption of service of its computer systems. Instead, the complaint described an economic loss of revenues related plaintiff’s making business to business sales. Because such economic losses do not fall within the definition of “loss” under the CFAA, the court tossed the CFAA claim.

Computer Fraud and Abuse Act case against hard drive destroying director goes forward

Deloitte & Touche LLP v. Carlson, 2011 WL 2923865 (N.D. Ill. July 18, 2011)

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

CFAA violation where employee’s access to work computer violated fiduciary duty to employer

Plaintiff former employer sued defendant former employee for violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, alleging that defendant, while still in the employ of plaintiff, accessed confidential business information and destroyed other important data. Defendant moved to dismiss the CFAA claim. The court denied the motion.

Defendant had argued that the complaint failed to establish that access to the work computer was had without authorization. He assserted that plaintiff did not allege that at any time while defendant was employed by plaintiff his access to his work-issued computer was restricted, or that plaintiff ever told him that he was no longer permitted to access the computer.

But the plaintiff had alleged that defendant’s access violated the fiduciary duty defendant owed. The court held that under Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006), allegations of a breach of duty are enough to properly allege that defendant lost his authorization to access his company computer.

Compare this holding (and Citrin) with the Ninth Circuit’s holding in LVRC Holdings v. Brekka.

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.

Do certain mobile apps violate the Computer Fraud and Abuse Act?

[This is a guest post by attorney Caroline Belich. Caroline is a Chicago native, former Michigan State volleyball player, and recent admitee to the California bar with particular interest in the First Amendment.]

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030). The CFAA is a federal statute that is often used against hackers. Applying this rationale here, federal prosecutors may argue that the app makers essentially hacked users cellphones.

However, some legal experts believe that criminal charges against the app makers are unlikely. Supporting this belief is the fact that many criminal charges against companies result in non-prosecution or deferred prosecution agreements in exchange for concessions of wrongdoing or monetary payments.

But while criminal charges are doubtful, civil lawsuits by users and causes of action brought by the Federal Trade Commission (FTC) may not be. First, consumers may sue app makers for failure to notify under privacy rights claims. Second, the FTC could allege unfair and deceptive trade practices by makers for failure to inform users how their personal information is being employed. Recently, Google settled with the FTC regarding its social network, Buzz, where allegations were made about violations of users’ privacy.

In light of the potential for privacy rights violations and deceptive trade practices, the FTC has advocated a “Do Not Track” option for web browsers and cellphone users, similar to the “Do Not Call” list for telemarketing. But app makers strongly oppose this idea, of course, for various reason. First, it could obstruct their ability to collect data about their users’ utilization of their product. Second, the option could frustrate financial opportunities with third parties seeking the invaluable consumer statistics. And the third justification is best depicted by Facebook’s privacy policy – while a user may be giving away his own information, he’s not giving away that of his friends… as long as his friends haven’t shared the info with “everyone.”

So even if these criminal investigations do not come to fruition, at least the possibility is making the public aware of their rights involving smartphone products so that industry standards may be created or laws requiring notification may be made.

What is a reasonable cost that should count as loss under the Computer Fraud and Abuse Act?

1st Rate Mortg. Corp. v. Vision Mortgage Services Corp., 2011 WL 666088 (E.D.Wis. Feb. 14, 2011)

The Computer Fraud and Abuse Act (CFAA) is a popular weapon that employers use against former employees who steal information on the job. But since the employees just use their credentials to get information off the server, there really is no security breach that occurs in those inside jobs.

So you might tend to agree that the employer overreacts when, after discovering the nefarious acts of its employees, it conducts a thorough and expensive security analysis of its whole system. Just delete the offending employees’ accounts and move on, right?

And this overreaction shouldn’t give the employer something to sue over that it would not have had if it reacted reasonably to the threat, don’t you think? After all, plaintiffs have a duty to mitigate their damages.

The defendants (accused former employee information thieves) in a recent federal case in Wisconsin argued along these lines in their summary judgment brief. But the court did not buy it at the summary judgment stage – whether a CFAA plaintiff’s reaction to alleged theft is “reasonable” should be answered by the jury.

The CFAA allows a plaintiff to recover its “loss.” And courts have interpreted the term “loss” to include the cost of responding to a security breach. But the statute says that loss includes the “reasonable cost to any victim.”

In this case, defendants argued that the employer’s overreaction in doing a system-wide analysis caused the employer to incur an unreasonable (and therefore uncompensable) cost. The court held, however, that “[w]hat matters is whether the employer’s reaction was reasonable, not whether it was strictly necessary to continuing in business.” A jury may well conclude the reaction and its related costs were appropriate.

Scroll to top