This post examines a recent opinion from a federal court in
California – an opinion that issued in a civil case but examines issues
involving criminal liability. Craigslist, Inc. v. Kerbel, 2012 WL
3166798 (U.S. District Court for the Northern District of California
2012). Craigslist sued Alecksey Kerbel,
“alleging violations of”, among other things, the Computer Fraud and Abuse Act (18
U.S. Code § 1030) and California Penal Code § 502. Craigslist,
Inc. v. Kerbel, supra.
In this opinion, the federal judge is ruling on craigslist’s
motion for a default judgment. Craigslist, Inc. v. Kerbel, supra. As Wikipedia explains, a default judgment is
a
binding judgment in favor of
either party based on some failure to take action by the other party. Most
often, it is a judgment in favor of a plaintiff when the defendant has
. . . failed to appear before a court of law.
You can read more about default judgment, the procedure used
to obtain one and the consequences of such a judgment here.
The opinion begins its analysis of the propriety of granting
craigslist a default judgment by explaining what it is and how it operates:
[C]raigslist . . . provides online
localized classified advertising service and related online services. . . . [C]raigslist
enables authorized users to post classified ads on its website based on their
geographic area and the product or service category in which they seek to
advertise. . . . The site lists ads within each category in reverse
chronological order, so the newest posts are at the top of the list. . . .
[C]raigslist governs access to its site with its
Terms of Use (`TOU’). . . . Each user who seeks to post to the site
must accept the TOU before the ad is posted. . . . The TOU prohibit . . .
repeatedly posting the same or similar content, posting said content in more
than one category or geographic area, posting ads on behalf of others, using a
Posting Agent to post ads,
attempting to gain unauthorized access to craigslist's computer systems or
engaging in any activity that disrupts or interferes with craigslist, using any
automated device or computer program that enables non-manual postings, and
making available content that uses automated means to download data from
craigslist. . . .
Once a user accepts the TOU, he or she
must successfully respond to a CAPTCHA challenge. . . . CAPTCHAs are
challenge-response tests in the form of partially obscured characters that the
user must read and type into a box. . . . They are designed to
ensure that humans, rather than machines and automated devices, post ads. . . .
A user may also create an account to manage his or her postings, which sometimes
requires a phone-verified account (`PVA). . . . PVAs are designed
to prevent repetitious and unauthorized postings to craigslist by requiring
users to provide a valid phone number in order to create an account. .
. .
[C]raigslist [also] uses additional
security measures to protect its site and systems, including IP address
blocking, which blocks multiple ads from the same IP address within a short
period of time. . . .
Craigslist, Inc. v.
Kerbel, supra. (The opinion notes
that a “Posting Agent” is a “third-party agent, service, or intermediary that
posts content to craigslist on behalf of others.”) Craigslist,
Inc. v. Kerbel, supra.
the owner and operator of the
www.craigslist-poster.com website. . . . [C]raigslist alleges [Kerbel] develops,
offers, and markets services designed to enable illegitimate uses of
craigslist. . . . For example, Craigslist Poster allows customers
to create a campaign through which [Kerbel] will repeatedly auto-post ads to
craigslist. . . . [Kerbel] will repost customers' ads `24/7,’ in
multiple geographic areas and categories. . . .
Customers purchase `credits’ from [Kerbel] which
they can use to purchase various services, including ad-posting (1 credit),
creating craigslist accounts (5 credits), and creating a PVA for posting in
PVA-required categories (10 credits). . . .
[Kerbel’s] services require [him] and
his customers to circumvent craigslist's security measures, create fraudulent
accounts and PVAs, and fraudulently accept the TOU. . . . [Kerbel] also uses
the CRAIGSLIST mark without authorization. . . . [He] has continued
his activities despite receiving multiple cease and desist letters from
craigslist. . . . [His] activities burden craigslist's systems and cause
it to incur expenses to increase server capacity, provide additional customer
service and support for its legitimate customers, and investigate and enforce
its policies. . . .
Craigslist, Inc. v.
Kerbel, supra.
Before addressing the specific issues, the judge noted that
several factors weighed generally in terms of granting craigslist a default
judgment on at least some of its claims:
One was that if the motion were denied, craigslist “would likely be left
without a remedy”, by which I assume he means Kerbel would not defend himself
at trial. Craigslist, Inc. v. Kerbel,
supra.
He also noted (i) that craigslist’s claims “include
statutory damages” to which it “would be entitled under federal law” and (ii) that
because Kerbel had not filed an answer to craigslist’s complaint, there was
little likely that the “material facts” were in dispute. Craigslist,
Inc. v. Kerbel, supra. Finally, he
explained that he also had to consider the “sufficiency of the complaint”,
i.e., the extent to which craigslist had stated legitimate claims under the
relevant statutes. Craigslist, Inc. v. Kerbel, supra.
The judge then addressed craigslist’s Computer Fraud and
Abuse claims, noting that to
state a claim under 18 U.S. Code §1030(a)(2)(C), [craigslist] must show [Kerbel] `intentionally access[ed] a
computer without authorization or exceed[ed] authorized access, and thereby
obtain[ed] . . . information from a protected computer.
Under § 1030(a)(4), [it] must
allege [Kerbel] `knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and by means of
such conduct furthers the intended fraud and caused at least $5,000 in damage
in a one-year period.
Finally, under §
1030(a)(5)(A)-(C), [craigslist] must allege that Kerbel knowingly or `intentionally
accesses a protected computer without authorization, and as a result of such
conduct, caused damage or recklessly caused damage or loss.’
Craigslist, Inc. v.
Kerbel, supra (quoting Craigslist,
Inc. v. Naturemarket, Inc., 694 F.Supp.2d 1039 (U.S. District Court for the
Northern District of California 2010)).
The judge found that, like the plaintiff in the Naturemarket case, craigslist adequately
pled the above causes of action:
`First, [it] established that its
computers were used in interstate commerce, and therefore qualify as protected
computers under the CFAA. . . . Second, [it] alleged that [the defendant]
accessed its computers in violation of the TOUs, and therefore without
authorization, for the purpose of employing, implementing and updating [its auto-posting
products and services]. . . . [It] sufficiently pled that [the defendant’s]
actions caused it to incur losses and damages.’
Craigslist, Inc. v.
Kerbel, supra (quoting Craigslist,
Inc. v. Naturemarket, Inc., supra).
The judge also noted that craigslist
alleges that Kerbel's conduct was both
knowing and intentional because it was designed to circumvent craigslist's
security features and [he] had to agree to the TOU with no intention of
complying with it. . . . Kerbel also continued said conduct despite receiving
cease and desist letters. . . .
His conduct caused harm to craigslist
of over $5,000 per year, including increased costs associated with the burden
on [craigslist’s] servers, investigation and enforcement costs to maintain the
legitimacy of posts to the site, loss of goodwill, and the need for increased
customer service and support.
Craigslist, Inc. v.
Kerbel, supra. He therefore held
that craigslist was entitled to default judgment on its Computer Fraud and
Abuse act claims. Craigslist, Inc. v. Kerbel, supra.
The judge then addressed craigslist’s claims under
California Penal Code §§ 502 (c)(1)-(7). Craigslist, Inc. v. Kerbel, supra. Basically, these seven sections make it a
crime under California law to knowingly access without permission and (i)
alter, damage, delete, destroy, take, copy or make use of any data, computer
software or computer programs in a computer or computer network, (ii) use or
cause computer services to be used, (iii) disrupt or cause the disruption of
computer services or cause the denial of computer services to an authorized
user, (iv) provide or assist in providing a means of accessing a computer in
violation of this statute and/or (v) access or cause to be accessed any
computer, computer system or computer network.
Craigslist, Inc. v. Kerbel, supra.
The judge found that, again like the plaintiff in the Naturemarket case, craigslist had
adequately pled four claims under California Penal Code §§ 502 (c)(1)-(7):
`With respect to subsection (c)(1), [it]
has alleged that [defendant] knowingly accessed [its] computer system in
violation of the TOUs and obtained information which [he] used to develop,
update, operate, and maintain their auto-posting software and services. . . .
Under subsection (c)(2), [it] has also
alleged that [defendant] knowingly accessed [its] computers and computer system
and, without authorization, copied and made use of [its] data. . . .
With respect to subsection (c)(6), [it]
has also alleged that [defendant] knowingly and without permission provided a
means of accessing its computers through their use and selling of their
auto-posing software, services, and devices. . . . Finally, with respect to
subsection (7), [it] has alleged that [defendant] accessed [its] computer in an
effort to create and implement [his] auto-posting software.’
Craigslist, Inc. v.
Kerbel, supra (quoting Craigslist,
Inc. v. Naturemarket, Inc., supra).
The judge then noted that in
addition to the subsections considered
in Naturemarket, [craigslist] alleges that [Kerbel] `uses or causes
to be used [craigslist's] computer services’ in violation of (c)(3), . . . ;
added or altered data to craigslist's computer system in violation of (c)(4), .
. . and disrupted craigslist's services in violation of (c)(5). . . .
Craigslist, Inc. v.
Kerbel, supra. He therefore found
that craigslist had stated a valid claim under California Penal Code §
502. Craigslist,
Inc. v. Kerbel, supra.
For this and other reasons (concerning craigslist’s other
causes of action), the judge granted craigslist’s motion for default judgment
and for “injunctive relief”. Craigslist, Inc. v. Kerbel, supra. He entered an order that, in part, enjoined
Kerbel “and his agents, servants, employees, attorneys, affiliates,
distributors, successors and assigns” from, essentially, doing the things
craigslist had complained of in its complaint.
Craigslist, Inc. v. Kerbel, supra. Absent action by Kerbel, that disposes of the
case.
No comments:
Post a Comment