Wednesday, August 11, 2010

The Computer Fraud and Abuse Act and the Thumb Drive

As I’ve noted before, the general federal computer crime statute -- 18 U.S. Code § 1030 (a/k/a the Computer Fraud and Abuse Act or CFAA) – isn’t just a criminal statute. It also creates a civil cause of action for those who have been injured – have suffered "damage" -- as a result of a criminal violation of the statute.


This post is about a civil suit brought under 18 U.S. Code § 1030(g), the section that creates the cause of action. The suit was brought by Aaron Doyle against “Haley Taylor, Brian Chase, and Brian Chase, PLLC”. Doyle v. Taylor, 2010 WL 2163521 (U.S. District Court for the Eastern District of Washington 2010). Here is how the lawsuit arose:


[Doyle] alleges that Chase obtained a USB thumb drive from [Doyle]'s client, Haley Taylor, in February of 2009 and it remained in his possession until May of 2009. [Doyle] alleges that this thumb drive was his property and that Haley Taylor stole this thumb drive from him. For the purposes of this motion, [Chase] assumes as true that Ms. Taylor in fact stole the thumb drive. However, [Chase] declares that Ms. Taylor told him she had received the thumb drive in an anonymous mailing. [Doyle] asserts that [Chase] made a copy of the contents of this thumb drive and put all of the documents onto his laptop computer. [Chase] eventually returned the original thumb drive to the Moses Lake Police Department in October of 2009 in compliance with a state court order. During the time that [Chase] possessed this thumb drive, he emailed electronic copies, printed out copies and disseminated paper copies of the documents on the thumb drive to third parties.


One of the documents contained in the thumb drive was titled `Notice of Proposed Termination' from [Doyle]'s former employer, the Sierra County Sheriff's Office. It was rescinded after a settlement was reached between both of the parties, and the California state court sealed the file. The California state court found that `[t]he records include confidential personnel records ordinarily protected against disclosure by the employee's right to privacy . . . [d]isclosure of the contents of the records lodged conditionally under seal would unduly embarrass [Aaron Doyle].' [Chase] distributed this document to various parties, including filing it in at least two court proceedings in Washington state courts.


Doyle v. Taylor, supra. Chase responded to the suit by filing a motion for summary judgment. Doyle v. Taylor, supra. As Wikipedia explains, in the U.S. a motion for summary judgment asks the trial judge to enter judgment without proceeding to trial because there are “no material issues of fact” that warrant a trial so the court can simply apply the law to the facts that have been set out in the pleadings. Chase’s motion asked the judge in this case to throw the case out because the facts on the record didn’t justify taking the case to trial. Doyle v. Taylor, supra.


Before we get into the legal issues, a little more background on what happened here might be useful. According to Chase’s motion for summary judgment, Doyle moved to Quincy, California and


took up with Hayley Taylor. . . . They had an affair that lasted until . . . they had an acrimonious breakup. . . . A couple weeks later, Ms. Taylor, her mother, and her step father, the Grays, unsuccessfully attempted to get orders for protection against Doyle.


The genesis of this action occurred when Brian Chase was retained by Robert and Peggy Gray to represent them in obtaining permanent anti-harassment restraining orders against Doyle. Chase prepared a declaration and attached a letter that was a proposed termination to Doyle from Van Maddox the Sierra County Auditor that recited allegations, which had some resemblance to the complaints of the Grays. . . . Doyle sued the Grays for defamation. In a conversation with Doyle's attorney Robert Schiffner, Chase told him that if Doyle did not back off his claims against the Grays he would file Maddox's letter. Schiffner filed his own declaration claiming the documents were stolen from Doyle's house and had been ordered sealed by a court in California. Doyle filed a theft report. Chase had received the letter from Haley Taylor, and when she learned that she was now being investigated for having burgled Doyle's house, she gave Chase a thumb drive that contained the letter she had given him. . . .


Memorandum in Support of Motion for Summary Judgment, Doyle v. Taylor, 2010 WL 1861673. Chase’s motion for summary judgment argued that Doyle’s case against him should be dismissed for either or both of two reasons: “(1) Plaintiff has not shown a loss, as required by the statute, and (2) a thumb drive does not meet the statutory definition of a `computer.’” Doyle v. Taylor, supra. We’ll discuss them in order.


Doyle’s CFAA claim was brought under 18 U.S. Code § 1030(a)(2)(C), which makes it a crime to intentionally access a computer without authorization and thereby obtain information. As the judge noted, “any person bringing a civil action must show a loss of at least $5,000” in a one-year period resulting from the CFAA violation. Doyle v. Taylor, supra. Section 1030(e)(11) defines “loss” as


any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.


Chase claimed Doyle hadn’t shown he’d incurred any costs as a result of Chase’s accessing the thumb drive. Doyle v. Taylor, supra. To rebut that, Doyle hired a computer forensics expert who submitted “two declarations detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other computers. The expert estimates that the cost of such work would easily exceed $5,000.” Doyle v. Taylor, supra. The judge didn’t find that sufficient.


The Court finds that the thrust of [Doyle’s] loss assessment misses the mark. [His] expert focuses on the cost that would be incurred by examining other parties' computers -- computers onto which [Chase] allegedly copied material taken from [Doyle’s] thumb drive-and permanently deleting any such material found. However, the [CFAA] primarily redresses damages to computers and information accessed in violation of the act. . . . Accordingly, a number of district courts have strictly construed the Act's `damages’ and `loss’ definitions to find that plaintiffs must identify impairment of or damage to the computer system that was accessed without authorization.


Doyle v. Taylor, supra. The judge also explained that while Chase’s accessing the


thumb drive may fall within the scope of conduct prohibited by the [CFAA], there is no basis in the record to find that the thumb drive was impaired or [Doyle] will incur any costs associated with restoring any such impairment. Moreover, [Doyle] has not shown `any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.’ [He] cites no cases, and the Court finds none, recognizing as sufficient the primary loss Plaintiff alleges: the cost of examining others' computer systems and deleting misappropriated files. . . . Under [Doyle’s] theory . . . a compensable loss could accrue every time any person accessed another person's computer or thumb drive without authorization and copied information stored there, because a forensic expert would have to be retained to examine every computer onto which such information might have been copied, and delete it. That strikes the Court as outside the intended scope of the [CFAA].


Doyle v. Taylor, supra. The judge also noted, in an aside the law calls dictum, that even if he bought Doyle’s theory of loss, Doyle hadn’t shown that he’d actually incurred any loss; the expert’s first declaration simply described “the process of making a `forensic image’ of a computer and comparing the `fingerprints’ of files so that unauthorized files can be deleted” and mentioned the expert’s hourly fee. Doyle v. Taylor, supra.


The judge found that “no reasonable jury could properly award damages based solely on the expert’s declaration” because the jury would “have to speculate about how many computers” and files were involved and how many hours the expert would need to conduct the examination. Doyle v. Taylor, supra. The judge therefore granted Chase’s motion for summary judgment and threw out the case. Doyle v. Taylor, supra. (Taylor had been dismissed as a defendant earlier, I don't know why.)


What about the second argument? Sadly, as far as I’m concerned, the judge didn’t address it. Here’s how Chase articulated the argument in the memorandum he submitted in support of his motion for summary judgment:


A computer `means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions . . . .’ and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.' Doyle wants to read this as `an electronic . . . device performing . . . storage functions’ by omitting the words `data processing’ before `device.’ Thumb drives do not process data; they only store it. . . . The grammatical integrity of the definition does not include a thumb drive any more than it would include independently a computer case or a human interface device.


Memorandum in Support of Motion for Summary Judgment, Doyle v. Taylor, supra (quoting 18 U.S. Code § 1030(e)(1)). It would have been interesting to see how the judge ruled on this argument . . . but, of course, he didn’t need to, having already determined that the case should be dismissed.


16 comments:

Anonymous said...

Under the CFAA does the law require that a loss of at least $5000 occur to the affected computer system? (Civil and Criminal).

Anonymous said...

I found these two articles that tells basically the whole story behind this nonsense. What a huge mess!

http://qvpr.com/articles/police-officer-sues-local-family-defamation

http://www.columbiabasinherald.com/news/local_business/article_37ebd556-adba-5536-854b-7aecdedc1a7d.html

Anonymous said...

Surprisingly enough, when i googled this guy Doyle ALL kinds of stuff turns up. As of May 2010 he still has his police job. But he seems to be involved in litigation everywhere. He is also involved in a State Bar investigation of the County Attorney.

This is really weird.

http://www.krem.com/video/featured-videos/Grant-Co-Proseuctor-under-investigation-by-state-bar-association-97626109.html

He is also running for public office - County Coroner (after the coroner was arrested for false imprisonment in an incident involving another employee whom he would not let out of a truck they were driving in).

That whole county seems to be a mess.

Susan Brenner said...

Anonymous posts #2 and #3:

Thanks for the links and other information.

Susan Brenner said...

Anonymous #1:

Here's what the relevant statutes say . . . what do you think?

18 U.S. Code section 1030(g):

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S. Code section 1030(e)(8):

the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information. . . .

18 U.S. Code section 1030(c)(4)(A)(i):

except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period. . . .

(18 U.S. Code section 1030(c)(4)(E) and (F) encompass causing serious bodily injury or death.)

Susan Brenner said...

Anonymous #1:

I'm going to post what the relevant statutes say . . . in a couple of installments (due to size limits on comments).

Here's how the private cause of action and the term damage are defined:

18 U.S. Code section 1030(g):

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S. Code section 1030(e)(8):

the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information. . . .

Susan Brenner said...

Here are the sections that contain additional, relevant information:

18 U.S. Code section 1030(c)(4)(A)(i):

except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period. . . .

(18 U.S. Code section 1030(c)(4)(E) and (F) encompass causing serious bodily injury or death.)

Susan Brenner said...

SORRY for the duplicate posts . . . Blogger told me it wouldn't take the first one (too long) . . . and then it did.

Anonymous said...

From anonymous 1: Okay Mrs. Brenner - from what I'm reading it looks as though any interruption of service could result in a civil suit but criminally it has to be proven that a loss (time, data, recovery, etc.) of at least $5K within a 12 month period has to have occurred.

Great article by the way. Here are some ideas for future articles...

1. How long the federal government can reasonably keep computer equipment without an indictment. (Statute of Limitations?)

2. If the government gets additional warrants in the search of computer equipment (already in their control) does the owner have to be notified for each and every warrant granted by the court?

Anonymous said...

A thumb drive is no more a computer than a cassette is a tape recorder. This seems like a frivolous lawsuit. Maybe he should have sued for violating the court order sealing the records. While not a party to that original lawsuit, she & her attny certainly had personal knowledge of this court order. He could also sue her for conversion. Thats what I would have done, anyways. Then you don't get into the SLAPP issues and such.

Susan Brenner said...

Anonymous 1 - Part I:

First, if you check out the sections of 1030 quoted above, you'll see that the $5,000 is one of the conditions the plaintiff has to show to recover in a civil suit . . . and usually civil plaintiffs can't show the others, e.g., physical injury, etc. The $5,000 used to be an element of a criminal prosecution but became a factor to be considered in sentencing as the result of a 2008 amendment to the statute.

Susan Brenner said...

Anonymous 1 - Part II:

As to #1, I've done at least 3 posts on how long the government can keep a computer if charges aren't filed or were filed and the case is over. You might check them out:

http://cyb3rcrim3.blogspot.com/2009/06/ghosts-contraband-and-seeking-return-of.html

http://cyb3rcrim3.blogspot.com/2007/07/how-long-can-government-keep-seized.html

http://cyb3rcrim3.blogspot.com/2006/11/seeking-return-of-seized-computers.html

Susan Brenner said...

Anonymous 1 - Part 3:

This is in response to your second question . . . which is a good one.

My guess is . . . probably not.

In U.S. v. Pangburn, 983 F.3d 449 (2d Circuit Court of Appeals 1993), the Court of Appeals found that there is (may be) a notice requirement in Rule 41 of the Federal Rules of Criminal Procedure, which governs search warrants . . . but there isn't one in the 4th Amendment.

But then it went on to say that it stands to reason that officers should give people notice at some point in time once they've executed a search warrant.

I'll look into it a bit, see if I can find any more.

DVD Replication said...

I can't understand the term thumb drive that what does it mean by the thumb drive?

drm removal said...

To Above:
Thumb Drive is a thumb-sized portable computer hard drive and data storage device

remove wmv drm said...

thanks susan, i like your news