Category: Computer Crime

October 25, 2018 Computer Crime, Contracts, Social Media, Trademarks

Twitter account hacked, chaos ensued, but no legal claims stuck

Plaintiff owned a Twitter account and operated a related blog. Plaintiff used the Twitter account to drive traffic and revenue to the blog, conduct business via direct messages, and promote its brand, for which it claimed common law trademark rights.

Unknown hackers took control of plaintiff’s Twitter account by changing the email address associated with it. This locked plaintiff out. Plaintiff contacted Twitter several times to report the hack, but Twitter declined to take action because the complaints did not come from the email address then associated with the account. Plaintiff had not enabled Twitter’s two-factor authentication feature and claimed Twitter failed to adequately inform users about it.

While in control of the account, the hackers used plaintiff’s credit card without permission to purchase 93,000 promoted tweets and posted spam messages, including ones falsely advertising that the account was for sale and offering free iPhones. Plaintiff submitted refund requests to Twitter, but claimed Twitter’s process was broken. Twitter did not restore plaintiff’s access until after the lawsuit was filed.

So let’s sue Twitter

Plaintiff sued Twitter for multiple claims, including contributory trademark infringement, breach of contract, negligence, breach of bailment, and unfair competition. The court granted Twitter’s motion to dismiss all claims, though some were dismissed with permission for plaintiff to amend.

How the court ruled

Plaintiff claimed contributory trademark infringement, arguing that Twitter allowed the hackers to control plaintiff’s account after being notified of the hack, which led to misuse of plaintiff’s mark. The court dismissed this claim because plaintiff did not allege that Twitter had actual or constructive knowledge that trademark infringement was occurring. Simply receiving reports of a hack was not enough to show that Twitter knew or should have known the account’s use was infringing a trademark.

For the breach of contract claim, plaintiff pointed to Twitter’s Terms of Service (TOS), asserting that Twitter had obligations to maintain access and protect content. The court found that the TOS provisions cited did not amount to enforceable promises about uninterrupted access or account security. The court also rejected plaintiff’s claim that Twitter had breached an implied contract, finding no facts showing Twitter made any implied promises. Finally, the court dismissed the breach of the implied covenant of good faith and fair dealing because it was based on the same allegations as the breach of contract claim and added nothing new.

In its negligence and recklessness claim, plaintiff argued that Twitter failed to use reasonable care in securing accounts and responding to the hack. The court rejected this claim for three reasons. First, plaintiff failed to show that Twitter owed a legal duty separate from the contract. Second, the only damages alleged were economic losses, which are barred in negligence cases unless accompanied by personal or property harm. Third, the negligence allegations were nearly identical to the contract claims, making the tort claim impermissibly duplicative.

Plaintiff also alleged a breach of the duty of bailment, claiming Twitter had custody of its credit card information and private messages. The court rejected this claim, stating that digital content and payment information did not qualify as personal property that could be “delivered” and then returned, as required for a bailment. The court also noted this claim was duplicative of the breach of contract and negligence claims.

Under California’s unfair competition law, plaintiff asserted that Twitter engaged in unlawful and unfair practices. The court dismissed this claim because it was entirely derivative of the other claims. Since none of those underlying claims were properly pled, the unfair competition claim also failed.

Finally, the court dismissed plaintiff’s request for declaratory judgment, which asked for a declaration of ownership over its blog, domain, and Twitter account. The court explained that declaratory judgment is not a standalone legal claim and requires a viable underlying claim, which plaintiff had not presented.

Worldwide Media, Inc. v. Twitter, Inc., 2018 WL 5304852 (N.D. Cal., October 24, 2018)

May 23, 2018 Computer Crime, Governance

Police not required to publicly disclose how they monitor social media accounts in investigations

In the same week that news has broken about how Amazon is assisting police departments with facial recognition technology, here is a decision from a Pennsylvania court that held police do not have to turn over details to the public about how they monitor social media accounts in investigations.

The ACLU sought a copy under Pennsylvania’s Right-to-Know Law of the policies and procedures of the Pennsylvania State Police (PSP) for personnel when using social media monitoring software. The PSP produced a redacted copy, and after the ACLU challenged the redaction, the state’s Office of Open Records ordered the full document be provided. The PSP sought review in state court, and that court reversed the Office of Open Records order. The court found that disclosure of the record would be reasonably likely to threaten public safety or a public protection activity.

The court found in particular that disclosure would: (i) allow individuals to know when the PSP can monitor their activities using “open sources” and allow them to conceal their activities; (ii) expose the specific investigative method used; (iii) provide criminals with tactics the PSP uses when conducting undercover investigations; (iv) reveal how the PSP conducts its investigations; and (v) provide insight into how the PSP conducts an investigation and what sources and methods it would use. Additionally, the court credited the PSP’s affidavit which explained that disclosure would jeopardize the PSP’s ability to hire suitable candidates – troopers in particular – because disclosure would reveal the specific information that may be reviewed as part of a background check to determine whether candidates are suitable for employment.

Pennsylvania State Police v. American Civil Liberties Union of Pennsylvania, 2018 WL 2272597 (Commonwealth Court of Pennsylvania, May 18, 2018)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

December 1, 2015 Computer Crime, First Amendment

Seventh Circuit sides with Backpage in free speech suit against sheriff

trouble

Backpage is an infamous classified ads website that provides an online forum for users to post ads relating to adult services. The sheriff of Cook County, Illinois (i.e. Chicago) sent letters to the major credit card companies urging them to prohibit users from using the companies’ services to purchase Backpage ads (whether those ads were legal or not). Backpage sued the sheriff, arguing the communications with the credit card companies were a free speech violation.

The lower court denied Backpage’s motion for preliminary injunction. Backpage sought review with the Seventh Circuit. On appeal, the court reversed and remanded.

The appellate court held that while the sheriff has a First Amendment right to express his views about Backpage, a public official who tries to shut down an avenue of expression of ideas and opinions through “actual or threatened imposition of government power or sanction” is violating the First Amendment.

Judge Posner, writing for the court, mentioned the sheriff’s past failure to shut down Craigslist’s adult section through litigation (See Dart v. Craigslist, Inc. 665 F.Supp.2d 961 (N.D.Ill.2009)):

The suit against Craigslist having failed, the sheriff decided to proceed against Backpage not by litigation but instead by suffocation, depriving the company of ad revenues by scaring off its payments-service providers. The analogy is to killing a person by cutting off his oxygen supply rather than by shooting him. Still, if all the sheriff were doing to crush Backpage was done in his capacity as a private citizen rather than as a government official (and a powerful government official at that), he would be within his rights. But he is using the power of his office to threaten legal sanctions against the credit-card companies for facilitating future speech, and by doing so he is violating the First Amendment unless there is no constitutionally protected speech in the ads on Backpage’s website—and no one is claiming that.

The court went on to find that the sheriff’s communications made the credit card companies “victims of government coercion,” in that the letters threatened Backpage with criminal culpability when, à la Dart v. Craigslist and 47 U.S.C. 230, it was unclear whether Backpage was in violation of the law for providing the forum for the ads.

Backpage.com, LLC v. Dart, — F.3d —, 2015 WL 7717221 (7th Cir. Nov. 30, 2015)

Evan Brown is a Chicago attorney advising enterprises on important aspects of technology law, including software development, technology and content licensing, and general privacy issues.

September 5, 2015 Computer Crime, Section 230

Washington Supreme Court keeps victims’ lawsuit against Backpage.com moving forward

Plaintiffs – three minor girls – alleged that they were subjected to multiple instances of rape by adults who contacted them through advertisements posted on Backpage.com. Plaintiffs sued the website and its owner alleging various claims.

Defendants moved to dismiss the claims, arguing that Section 230 (47 U.S.C. § 230) shielded the website from liability arising from content posted by the site’s users. The lower court denied the motion to dismiss, finding that the site’s involvement went beyond passive hosting. Plaintiffs had claimed the website’s advertisement posting rules were intentionally designed to aid in evading law enforcement scrutiny, thereby facilitating the illegal trafficking and exploitation of minors. Defendants sought review with the court of appeals, which certified the question to the Washington state Supreme Court.

The Supreme Court affirmed the denial of the motion to dismiss. The court emphasized the necessity for further investigation into the website’s practices to determine the extent of its involvement in the alleged illegal activities. It found that plaintiffs’ allegations suggested that Backpage had specific content requirements and posting rules that, while outwardly appearing to comply with legal standards by prohibiting explicit content, were allegedly crafted in such a manner as to facilitate the concealment of illegal activities, including the sexual exploitation of minors.

J.S. v. Village Voice Media Holdings, LLC, 359 P.3d 714 (Wash., September 3, 2015)

August 5, 2015 Computer Crime, Litigation, Privacy

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

January 12, 2015 Computer Crime, Fraud/Misrepresentation

Facebook wins against alleged advertising fraudster

Defendant set up more than 70 bogus Facebook accounts and impersonated online advertising companies (including by sending Facebook falsified bank records) to obtain an advertising credit line from Facebook. He ran more than $340,000 worth of ads for which he never paid. Facebook sued, among other things, for breach of contract, fraud, and violation of the Computer Fraud and Abuse Act (CFAA). Despite the court giving defendant several opportunities to be heard, defendant failed to answer the claims and the court entered a default.

The court found that Facebook had successfully pled a CFAA claim. After Facebook implemented technological measures to block defendant’s access, and after it sent him two cease-and-desist letters, defendant continued to intentionally access Facebook’s “computers and servers to obtain account credentials, Facebook credit lines, Facebook ads, and other information.” The court entered an injunction against defendant accessing or using any Facebook website or service in the future, and set the matter over for Facebook to prove up its $340,000 in damages. It also notified the U.S. Attorney’s Office.

Facebook, Inc. v. Grunin, 2015 WL 124781 (N.D. Cal. January 8, 2015)

February 12, 2014 Computer Crime

Computer Fraud and Abuse Act claim dismissed where plaintiff failed to adequately plead loss or damage

Cost of investigating scope of information loss was not a “damage assessment” as contemplated by the CFAA.

BrokenlaptopPlaintiff sued defendant (a former employee) under the Computer Fraud and Abuse Act (“CFAA”) alleging that defendant intentionally and without authorization accessed plaintiff’s computers, intranet, and email system and sent plaintiff’s confidential customer information to his personal email account. Defendant allegedly used this information when he went to work for a competitor. Plaintiff also alleged that defendant attempted to conceal his actions by deleting the outgoing messages from the work email account.

Defendant moved to dismiss for failure to state a claim. The court granted the motion as to the CFAA claim.

The court found that plaintiff did not (and could not) claim defendant’s conduct caused “damage” within the meaning of the CFAA, because plaintiff did not allege any data were lost or impaired.

On the question of “loss” under the CFAA, the court found that plaintiff failed to allege any facts connecting its purported loss to an interruption of service, loss of data, or even a suspected loss of service or data. Although plaintiff attributed certain losses to “damage assessment and mitigation,” the court found it clear from the complaint that plaintiff’s “damage assessment” efforts were aimed at determining the scope of information defendant emailed to himself and disclosed to his new employer. Plaintiff did not allege it ever lost access to any of the information contained in defendant’s emails, notwithstanding defendant’s attempt to conceal his conduct by deleting the emails.

The court observed:

To be sure, assessing the extent of information illegally copied by an employee is a prudent business decision. But the cost of such an investigation is not “reasonably incurred in responding to an alleged CFAA offense,” because the disclosure of trade secrets, unlike destruction of data, is not a CFAA offense.

Accordingly, in this situation, the costs of investigating defendant’s conduct were not “losses” compensable under the CFAA.

SBS Worldwide, Inc. v. Potts, 2014 WL 499001 (N.D.Ill. February 7, 2014)

February 4, 2014 Anonymity, Computer Crime, Evidence, Privacy

No privacy interest in photo metadata

using-exif-dataA digital photo’s EXIF data can reveal where the photo was taken. This has created some interesting scenarios in the past. Consider Vice.com’s inadvertent revealing of John McAfee’s location in Central America, a cleavage pic of a hacker’s girlfriend leading to the hacker’s arrest, and MythBusters host Adam Savage disclosing where he lived from a photo he posted on TwitPic.

In this case, a photo’s EXIF data led to the arrest of an admitted child pornographer.

Defendant took a pornographic image of a 4-year-old girl with his iPhone and used TOR to upload the image to the web. Federal agents analyzed the photo’s EXIF data to determine the GPS coordinates of where defendant took the photo. Agents went to a home near the coordinates. The residents of that home sent the agents to a home about 100 feet away — within the iPhone’s GPS range of error — that belonged to defendant, a registered sex offender.

When the agents visited defendant’s home, he let them enter and later admitted to taking the photo. He then consented to a search, and the agents found child pornography. Defendant was arrested and indicted in federal court in Texas.

Defendant moved to supress the EXIF data as evidence, arguing that law enforcement’s seizure and use of the data violated his Fourth Amendment rights. The court denied the motion.

It rejected defendant’s attempt to “split” his privacy interests between the photo itself and its metadata. Defendant conceded he had no legitimate Fourth Amendment expectation of privacy in the photo — after all, he put it on the web. But as for the metadata, he argued that he retained a privacy interest because he did not realize that he was releasing the information and he intended to remain anonymous.

The court looked to the application of DNA technology to support its conclusion that once defendant left the image in a public place, he had no privacy interest in the metadata:

Assume a defendant left an article of his clothing at a crime scene in 1981. At the time, the defendant had no idea that years later crime labs would be able to conduct DNA analysis of hairs present on that clothing. And in leaving the clothing, he certainly intended to do so “anonymously.” On those grounds, would the defendant be able to suppress the results of the DNA analysis? Of course not, because he left the clothing in a public place and lost any expectation of privacy he had in it, regardless of how he contemplated that clothing could be used.

The court distinguished the holding of this case from the current NSA metadata-collection controversy:

Whatever the ultimate outcome of that issue in higher courts, whether an individual lacks a privacy interest in dialed numbers because those numbers are necessarily disclosed to his phone company is a much different question than whether an individual loses his privacy interest in an item because he voluntarily makes it publicly available on the internet.

It also distinguished this situation from those cases dealing with a defendant’s Fourth Amendment rights in his cell phone and its contents. In those cases, observed the court, the defendant clearly has a privacy interest in his cell phone and its contents. The issue there is whether the justifications that overcome that privacy interest and allow for warrantless seizure of the phone also support warrantless search of its contents. The defendant in this case, by contrast, had no cognizable privacy interest that the government needed to overcome to justify searching for metadata in the photo he placed on the web.

U.S. v. Post, 2014 WL 345992 (S.D.Tex. January 30, 2014)

January 29, 2014 Computer Crime, Employment

Using new employer’s credentials to copy former employer’s technology did not violate Computer Fraud and Abuse Act

This case arose from some rather complex but interesting facts:

8e19fbd8a556c7b63610c1cfd7782f10Defendant resigned from his job with an IT consulting firm. One of the firm’s customers hired defendant as an employee. Before the customer/new employer terminated the agreement with the IT consulting firm/former employer, defendant used the customer/new employer’s credentials to access and copy some scripts from the system. (Having the new employee and the scripts eliminated the need to have the consulting firm retained.) The firm/former employer sued under the Computer Fraud and Abuse Act. Defendants (the customer and its new employee) moved to dismiss for failure to state a claim. The court granted the motion.

It held that the complaint failed to allege “unauthorized access” within the Ninth Circuit’s interpretation of the CFAA.

The court looked to the Ninth Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which provides that to access a protected computer “without authorization” is to do so “without any permission at all,” and that to “exceed authorized access” is to “access information on the computer that the person is not entitled to access.” And it looked to the more recent case of U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), which teaches that an individual does not “exceed authorized access” simply by misusing information that he or she was entitled to view for some other purpose. Under Nosal, the CFAA regulates access to data, not its use by those entitled to access it.

In this case, the court found that the complaint did not allege that defendants were unauthorized to access the scripts in question. In fact, the Statement of Work that the court reviewed specifically granted defendant’s employer and its representatives (including defendant) “sudo access” to “non-shell root commands” that included the scripts at issue.

Plaintiff argued that the access was unauthorized because it had repeatedly refused to grant defendant or his employer the authority to write or edit those scripts. But the court found that argument to address the misuse of the scripts, not unauthorized access. Under Nosal this conduct did not run afoul of the CFAA. So because the complaint failed to allege that defendant and his new employer had no access rights to the scripts, and because the documents upon which plaintiff relied revealed that defendants had certain access rights, the court dismissed the CFAA claim.

Enki Corporation v. Freedman, 2014 WL 261798 (N.D.Cal. January 23, 2014)

January 24, 2014 Computer Crime

Hunter Moore arrest reveals a certain inconsistency about the Computer Fraud and Abuse Act

The feds arrested Hunter Moore and an alleged co-conspirator on Thursday for hacking into email accounts to get nude photos Moore published on isanyoneup.com. At the heart of the prosecution is the Computer Fraud and Abuse Act, the federal statute that makes it a crime (and in some circumstances, gives rise to civil liability) for accessing a computer without authorization.

Few will come to these guys’ defense in this situation. Moore’s conduct in publishing and promoting isanyoneup.com was reprobate, and if the allegations in this criminal action prove true, that backend nefariousness will simply multiply the reasons why Moore was known as the most hated man on the internet. And because of this disdain for Moore’s conduct, most of us are happy to see the CFAA used aggressively against him.

But that’s the same statute many blame for crushing Aaron Swartz. To the extent a reasonable person may feel ill-will against Hunter Moore, he or she may feel sympathy, indeed compassion, for Aaron Swartz having had the CFAA book thrown at him. Against Moore there’s a sense of justice, against Swartz, a palpable injustice.

Isn’t it a bit mysterious how the same conduct — granted, for way different purposes and under different circumstances — can elicit such contrasting emotions?

Scroll to top