Apple’s civil hacking lawsuit against software maker moves forward

apple hacking

Apple sued defendant NSO, accusing it of, among other things, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”), The case dealt with NSO’s creation and distribution of “Pegasus,” a piece of software Apple claimed was capable of covertly extracting information from virtually any mobile device.

Apple alleged NSO fabricated Apple IDs to gain access to Apple’s servers and launch attacks on consumer devices through a method known as “FORCEDENTRY.” This exploit, characterized as a “zero-click” attack, allowed NSO or its clients to infiltrate devices without the device owners’ knowledge or action. The repercussions for Apple were significant, as the company reportedly faced considerable expenses and damages in its efforts to counteract NSO’s activities. These efforts included the development and deployment of security measures and patches, as well as increased legal exposure.

Defendant moved to dismiss the claims. The court denied the motion.

In finding that Apple had properly pled the CFAA claim, the court noted that Apple’s allegations aligned with the anti-hacking intent of the CFAA. Despite NSO’s contention that the devices in question were not owned by Apple and thus not protected under the CFAA, the court observed that Apple’s claims extended to the exploitation of its own servers and services, fitting within the statute’s scope.

Apple Inc. v. NSO Group Technologies Ltd., 2024 WL 251448 (N.D. Cal. January 23, 2024)

 

Court dismisses hacking claim in fraudulent refund case

hacking claim fraudulent

Plaintiff is a lawyer who represented defendant in defendant’s divorce proceedings. During those proceedings, defendant terminated the representation and clawed back money he had paid plaintiff, which plaintiff claimed was properly paid. Plaintiff alleged this was a fraudulent act that resulted in a violation of the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.

Plaintiff sued under the CFAA. Defendant moved to dismiss the claim. The court granted the motion.

The CFAA if the federal “anti-hacking” statute. It creates criminal and civil liability, among other things, for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.

The court held that plaintiff’s complaint did not plausibly allege facts showing that in his attempt to get the credit card company and bank to return the money he previously paid to plaintiff, defendant accessed a protected computer without authorization or while exceeding his authorized access in violation of the statute.

If found that plaintiff accused defendant of filing fraudulent complaints and refund requests with Chase Bank and American Express through their websites. However, there were no allegations saying he did anything than access publicly available websites. In line with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), this did not constitute “access without authorization” since no special permission was needed to access these areas. Using the language of hiQ, it noted that publicly available webpages have “erected no gates to lift or lower in the first place”.

Even if defendant had used password-protected sections, the court found there were no assertions that defendant did so without authorization or exceeded his authorized access, such as using false credentials or accessing restricted information.

The court also examined plaintiff’s allegations that defendant violated AmEx’s terms of service by using the website for fraudulent purposes. It found that these allegations alone did not establish liability under the CFAA. Since there were no facts indicating that defendant’s actions were analogous to computer misconduct like “breaking and entering,” which the CFAA aims to combat, the court granted the motion to dismiss.

Watters v. Breja, 2024 WL 201356 (N.D. Cal. January 18, 2024)

See also:

 

Hackers stole cryptocurrency but the insurance company did not have to pay

hackers cryptocurrency insurance

Insurance and loss

Plaintiffs had a homeowners insurance policy with defendant insurance company. The policy covered personal property owned or used by the plaintiffs with a maximum limit of $359,500 for direct physical loss due to certain perils, including theft. In June 2021, hackers accessed plaintiffs’ computer and stole crypto tokens from their crypto wallets on two blockchain networks, amounting to approximately $750,000. Plaintiffs reported the incident and filed an insurance claim with defendant. Defendant only paid $200 on the claim because of a special limit of liability found in the policy.

Thinking that to be a pretty insufficient payment for such a dramatic loss, plaintiffs sued, alleging breach of contract and unreasonable denial of coverage under a Minnesota statute. Defendant moved for judgment on the pleadings. (“Judgment on the pleadings” in US federal court refers to a ruling made by the court based solely on the parties’ written pleadings and documents, without the need for a trial, when there are no genuine issues of material fact in dispute.) The court granted the motion.

Not direct and physical

Defendant had argued that the theft of digital assets (crypto tokens) did not constitute a “direct physical loss” under the policy, and thus, the claim was not covered. The court analyzed the language of the insurance policy, stating that “direct physical loss” required a distinct, demonstrable, and physical alteration to the covered property. Since crypto tokens are purely digital and lack physicality, according to the court, they do not meet the requirements for “direct physical loss” under Minnesota law.

Plaintiffs claimed that the policy’s language was ambiguous, but the court rejected this argument, applying the ordinary meaning of “direct physical loss” as required by Minnesota law.

The court also addressed plaintiffs’ statutory claim for bad-faith denial of coverage under Minnesota Statute § 604.18. To succeed in this claim, plaintiffs needed to prove that defendant lacked a reasonable basis for denying coverage and acted in reckless disregard of this fact. But since defendant did not breach the policy, the court found that the bad-faith claim failed as well.

Rosenberg v. Homesite Insurance Agency, Inc., 2023 WL 4686412 (D. Minn., July 21, 2023)

From the archives: 

Exploiting blockchain software defect supports unjust enrichment claim

Facebook hacking that causes emotional distress – does the CFAA provide recovery?

A recent federal case from Virginia provides information on the types of “losses” that are actionable under the federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”).

Unauthorized Access Under the Computer Fraud and Abuse Act

Underlying facts

Plaintiff worked as a campaign manager, communications director and private sector employee of a Virginia state legislator. While plaintiff was in the hospital, defendant allegedly, without authorization, accessed plaintiff’s Facebook, Gmail and Google Docs accounts, and tried to access her Wells Fargo online account.

Plaintiff’s lawsuit

Plaintiff sued, alleging a number of claims, among them a claim for violation of the CFAA. Defendant moved to dismiss. Although the court denied the motion to dismiss on other grounds, it held that plaintiff’s alleged emotional distress was not the type of “loss” that is actionable under the CFAA.

Loss under the CFAA

One can bring a civil action under the CFAA if the defendant’s alleged conduct involves certain factors. One of those factors, set out at 18 U.S.C. § 1030(c)(4)(A)(i)(II), provides recovery if there is “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals”.

Plaintiff alleged that defendant’s unauthorized access and attempted access to her accounts caused her to sustain a “loss” under this definition because it caused her to suffer emotional distress for which she needed to seek counseling.

The court disagreed with plaintiff’s assertions. Essentially, the court held, the modification of or impairment of a plaintiff’s treatment must be based on impairment due to the ability to access or used deleted or corrupted medical records. As an example – this was not in the court’s opinion but is provided by the author of this post – one might be able to state a claim if, for example, medical records were modified by a hacker to change prescription information. Further, the court held, to recover under the relevant provision of the CFAA, a defendant’s violation must modify or impair an individual’s medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care.

Hains v. Adams, 2019 WL 5929259 (E.D. Virginia, November 12, 2019)

Case shows the surprising narrowness of a key hacking statute definition

Plaintiff sued defendant for violation of the Computer Fraud and Abuse Act (“CFAA”). For almost 20 years, defendant had worked for a company that developed plaintiff’s proprietary software system. In this capacity, defendant had access to plaintiff’s customer database, accounting system and other confidential information. After leaving the work he was performing for plaintiff, defendant founded his own competing venture. 

Defendant moved to dismiss the CFAA claim. The court granted the motion to dismiss. The court held that defendant did not exceed the scope of his authorized access by accessing certain of plaintiff’s documents, files or drives for the benefit of his own venture. Citing to United States v. Nosal, 676 F.3d 854, (9th Cir. 2012), the court observed that the Ninth Circuit has defined “exceeds authorized access” narrowly to include only someone who is authorized to access only certain data or files but accesses unauthorized data or files – or to put it simply: hacking. 

In this case, defendant was authorized to access plaintiff’s systems by virtue of the work he was hired to do in connection with plaintiff’s proprietary software systems. Plaintiff had attempted to draw a distinction between the work he was doing for his former employer and the actions he was undertaking to benefit his new venture (even though those actions were one and the same conduct). The court rejected this reasoning: “[E]ven if defendant accessed [plaintiff’s] information for the eventual benefit of [defendant’s new venture], that does not mean he could not have also accessed it for [his former employer’s] authorized purpose of building software.”

It is worth noting that the contours of “exceeding authorized access” under the CFAA give rise to a circuit split. It is fruitful to consider whether the outcome of this case may have been different, for example, in the Seventh Circuit, under the doctrines set out in Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir.2006).

Regal West Corporation v. Nguyen, No. 19-5374, 2019 WL 4748393 (W.D.Washington, September 30, 2019)

Using new employer’s credentials to copy former employer’s technology did not violate Computer Fraud and Abuse Act

This case arose from some rather complex but interesting facts:

8e19fbd8a556c7b63610c1cfd7782f10Defendant resigned from his job with an IT consulting firm. One of the firm’s customers hired defendant as an employee. Before the customer/new employer terminated the agreement with the IT consulting firm/former employer, defendant used the customer/new employer’s credentials to access and copy some scripts from the system. (Having the new employee and the scripts eliminated the need to have the consulting firm retained.) The firm/former employer sued under the Computer Fraud and Abuse Act. Defendants (the customer and its new employee) moved to dismiss for failure to state a claim. The court granted the motion.

It held that the complaint failed to allege “unauthorized access” within the Ninth Circuit’s interpretation of the CFAA.

The court looked to the Ninth Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which provides that to access a protected computer “without authorization” is to do so “without any permission at all,” and that to “exceed authorized access” is to “access information on the computer that the person is not entitled to access.” And it looked to the more recent case of U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), which teaches that an individual does not “exceed authorized access” simply by misusing information that he or she was entitled to view for some other purpose. Under Nosal, the CFAA regulates access to data, not its use by those entitled to access it.

In this case, the court found that the complaint did not allege that defendants were unauthorized to access the scripts in question. In fact, the Statement of Work that the court reviewed specifically granted defendant’s employer and its representatives (including defendant) “sudo access” to “non-shell root commands” that included the scripts at issue.

Plaintiff argued that the access was unauthorized because it had repeatedly refused to grant defendant or his employer the authority to write or edit those scripts. But the court found that argument to address the misuse of the scripts, not unauthorized access. Under Nosal this conduct did not run afoul of the CFAA. So because the complaint failed to allege that defendant and his new employer had no access rights to the scripts, and because the documents upon which plaintiff relied revealed that defendants had certain access rights, the court dismissed the CFAA claim.

Enki Corporation v. Freedman, 2014 WL 261798 (N.D.Cal. January 23, 2014)

School didn’t violate eighth grade hacker’s due process rights by suspending him over denial of service attack

Harris ex rel. Harris v. Pontotoc County School Dist., — F.3d —, 2011 WL 814972 (5th Cir., March 10, 2011)

Back in 2008, when Derek Harris was in eighth grade, he got suspended and had to attend “alternative school” for violating the school district’s technology use policy. School officials accused Derek of possessing a keylogger program, of launching a denial of service attack on the school’s network (from the computer his mom used in her job as secretary for the elementary school’s principal), and bypassing security to access the DOS prompt. (Kudos to the kid for getting in trouble for two kinds of “D-O-S” nefariousness!)

Derek’s parents, on his behalf, sued the school in federal court, arguing that the suspension and transfer to alternative school violated his due process rights under the Fourteenth Amendment to the Constitution. The school district moved for summary judgment. The court granted the motion.

It quickly dispensed with the argument that sending Derek to an alternative school violated his rights. It observed that a school district may not withdraw the right to a public education on grounds of misconduct absent fundamentally fair procedures to determine whether the misconduct has occurred. Since transferring him to an alternative education program did not deny access to public education, it did not violate his Fourteenth Amendment rights.

The court likewise held that the suspension was proper and did not violate Derek’s constitutional interests. It reviewed the suspension in light of the 1975 Supreme Court case of Goss v. Lopez, which requires that a student being suspended be given oral or written notice of the charges against him and, if he denies them, an explanation of the evidence the authorities have and an opportunity to present his side of the story.

In this case, the court found that Derek was notified of the charges on the day he was suspended. He had numerous opportunities to meet with school officials, to hear some of the charges, and to explain and respond. The processes he was afforded, the court found, were sufficient to satisfy the Fourteenth Amendment.

Bipolar disorder no excuse for email hacker

Leor Exploration v. Aguiar, 2010 WL 3782195 (S.D. Fla. September 28, 2010)

Plaintiffs claimed that defendant hacked into one of the plaintiffs’ email accounts during the litigation to get an advantage in the case. The court entered severe sanctions against defendant for doing this — it struck his answer. In litigation, that is like declaring plaintiffs the winners.

Defendant had argued to the magistrate judge that his mental illness (bipolar disorder) caused him to hack plaintiff’s email account out of fear for his security. Defendant even presented expert testimony from a psychiatrist to support the claim that he lacked the mental state to act in bad faith.

In adopting the magistrate’s findings, the district judge found defendant’s psychiatric expert’s testimony unmoving. (Mainly because defendant’s lawyers limited what the expert could say.) So the court relied on other evidence that showed defendant’s bad faith intent in accessing the email. The novel theory of “not guilty of email hacking by reason of insanity” failed in this case.

Emails on laptop not protected by the Stored Communications Act

Thompson v. Ross, 2010 WL 3896533 (W.D. Pa. September 30, 2010)

Messages from Yahoo and AOL email accounts saved on laptop computer were not in “electronic storage” as defined by Stored Communications Act.

Plaintiff’s ex-girlfriend kept his laptop computer after the two of them broke up. The ex-girlfriend let two of her co-workers access some email messages stored on the computer. Plaintiff filed suit under the Stored Communications Act. Defendants moved to dismiss. The court granted the motion.

Under the Stored Communications Act (at 18 U.S.C. 2701), one is liable if he or she accesses without authorization a facility through which an electronic communication service is provided and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

The court held that the Stored Communications Act did not cover the email messages because they were not in “electronic storage” as defined at 18 U.S.C. 2510(17)(B). In relevant part, that section defines “electronic storage” as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The court looked to the plain language of the statute, finding that the definition was not met because the messages were not stored by an electronic communication service. It rejected plaintiff’s arguments that the fact the messages were in “backup storage” extended the scope of the definition.

Enhanced by Zemanta

Company may be liable under Computer Fraud and Abuse Act for targeting and directing competitor’s employee to violate the Act

Binary Semantics Limited v. Minitab, Inc., No. 07-1750, 2008 WL 763575 (M.D. Pa. March 20, 2008)

Plaintiff Binary Semantics Limited is a company with expertise in promoting and selling software in India. Defendant Minitab, Inc. is a software development company that for several years had an agreement with Binary whereby Binary would promote and sell Minitab’s software in India. Minitab eventually decided that it would eliminate Binary’s services and sell directly in the Indian market.

Minitab allegedly contacted several of Binary’s employees and induced them to turn over some of Binary’s trade secrets and other information that would help Minitab hold its own in India. One of these Binary employees was a woman named Asha.

Asha

After Asha turned over the information to Minitab, Binary filed suit against Minitab, some of Minitab’s employees, and Asha, alleging, among many other things, violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (“CFAA”). Minitab moved to dismiss the CFAA claim pursuant to FRCP 12(b)(6), arguing that none of its employees had violated the Act, but that Binary’s own employee, Asha, had. The court denied the motion to dismiss as to the CFAA claim.

Binary was required to plead four elements under the CFAA: (1) that Minitab accessed a protected computer, (2) without authorization or by exceeding such authorization as was granted, (3) knowingly and with intent to defraud, and (4) as a result furthered the intended fraud and obtained something of value.

In denying the motion to dismiss, the court found that Binary’s allegations were sufficient to state a claim against Minitab, even though it was actually Asha’s conduct that allegedly brought about the offense. Specifically, the complaint alleged that Minitab targeted Asha and that Asha did indeed access a protected computer. Further, the information retrieved eventually made its way to Minitab.

It was not a situation where Minitab merely received the information from a protected computer. Rather, the complaint sufficiently alleged that the unauthorized access was an action undertaken at the direction of Minitab. Therefore, Minitab could be held liable for the conduct.

Scroll to top