Friday, July 26, 2013

Unauthorized Access, Email and Team Viewer

As I have noted in earlier posts, the general federal cybercrime statute – 18 U.S. Code § 1030 – not only defines criminal offenses, it also, in 18 U.S. Code § 1030(g), creates a civil cause of action for one “who suffers damage or loss by reason of a violation” of the statute’s criminal provisions.  As I have also noted, the Stored Communications Act also, in 18 U.S. Code § 2707, creates a civil cause of action for those “aggrieved by” a violation of its provisions.

This post examines an opinion a district court judge in the U.S. District Court for the Eastern District of Pennsylvania issued recently in a civil case involving claims under both statutes:  Brooks v. AM Resorts, LLC, __ F.Supp.2d __, 2013 WL 3343993 (2013). The opinion begins by noting that Douglas Books sued

AM Resorts, LLC (`AM Resorts’). Brooks alleges  thatAM Resorts gained unauthorized accessed to his computer and email account in violation of the Stored Communications Act (`SCA’), 18 U.S.C. § 2701, et seq., the Computer Fraud and Abuse Act (`CFAA’), 18 U.S.C. § 1030, et seq.

Brooks v. AM Resorts, supra.

In this opinion, the judge is ruling on Brooks’ motion for “partial summary judgment on the issue of liability, arguing that AM Resorts is indisputably liable on the claims brought against it and that trial should be set solely on the issue of damages.” Brooks v. AM Resorts, supra. AM Resorts filed a motion for summary judgment “in its favor on all claims.”  Brooks v. AM Resorts, supra. 

As Wikipedia explains, summary judgment is a judgment a court enters “for one party and against another party summarily, i.e., without a full trial.”  As Wikipedia also notes, to grant summary judgment for a party the court has to find that

  1. there are no disputes of `material’ fact requiring a trial to resolve, and
  2. in applying the law to the undisputed facts, one party is clearly entitled to judgment. 
It notes that a “material” fact is “one which, depending upon what the factfinder believes "really happened," could lead to judgment in favor of one party, rather than the other.”  So, each side is trying to avoid a trial on some/all of the issues in the case.

The opinion says Brooks is a former employee of AM Resorts.  On March 4, 2010,

AM Resorts terminated [his] employment. . . . After he was fired, Brooks engaged in an email exchange with his lawyers to discuss attorney-client privileged matters pertaining to the termination (the `privileged email exchange’). Neither Brooks nor his attorneys shared this privileged email exchange with any third party. 

However, on March 21, 2010, Brooks received an email from his former supervisor at AM Resorts, Javier Estelrich, that stated, `Doug, I got your email. Tomorrow our lawyers will get in touch either with your lawyer or with you (in case it is not possible with them).’ . . . Attached . . . was the privileged email exchange between Brooks and his lawyers.

The header to Estelrich's March 21, 2010 email to Brooks listed the Internet Protocol (`IP’) address This same IP address . . . appeared in the header of an email Estelrich received on March 10, 2010 from AM Resorts employee, Pepe Morell. Brooks had a Microsoft Hotmail email account. 

A log from the Microsoft Corporation lists the dates and times any user accessed, or attempted to access, Brooks' personal email account in the month of March 2010. This log indicates someone with the IP address accessed Brooks email account on March 19, 2010 at 10:53 p.m. and on March 20, 2010 at 5:43 a.m. . . .

Brooks had given his personal email address and password to AM Resorts because he had experienced difficulty accessing and using his work email account. Additionally, Brooks had allowed Am Resorts to install a program called Team Viewer on his personal desktop computer. 

Team Viewer is a program designed to allow technicians to diagnose problems on a user computer from a remote location. [It] enables an individual to remotely access and control a computer. Brooks alleges that AM Resorts remotely accessed his computer after his termination through the Team Viewer program and accessed his personal email account, either independently of accessing his computer or, while it was remotely controlling his computer through Team Viewer.

Brooks does not know how to access his computer remotely through Team Viewer. There is evidence someone accessed Brooks' computer via Team Viewer on four separate occasions after his termination.

Brooks v. AM Resorts, supra. 

When a parties move for summary judgment, they often provide affidavits or other evidence to support their motions, which apparently happened here:

The parties have presented dueling forensic expert reports. All agree that IP addresses can be static or dynamic. Static IP addresses are assigned by the Internet Service Provider (`ISP’) to an individual or company for a certain period of time. Dynamic IP addresses can change at any time because they are not assigned by the ISP to an individual or company for any certain period of time. All experts agree that it is unknown whether IP address is a static or dynamic address.

Brooks' expert, Brian Harris, concludes that Pepe Morell, an employee of AM Resorts, accessed Brooks' email account. This conclusion is based, to a large extent, on the fact that Morell sent an email from the IP address to Estelrich on March 10, 2010 and that same IP address appeared in the header of the March 21, 2010 email sent from Estelrich to Brooks, which contained the privileged email. . . . Harris concludes that AM Resorts accessed Brooks' desktop computer through Team Viewer, a program that it installed on Brooks' computer.

AM Resorts' experts, Jerry Saperstein and Louis Cinquanto, conclude there is not enough evidence to link AM Resorts to the IP address because it is unknown whether [it] is dynamic or static, the parties never subpoenaed the internet service provider to obtain the name of the person or company that was issued the IP address on a specific date and time, and that IP address may have been used by many people at the same time making it impossible to determine the identity of the person who accessed Brooks' email account. . . . AM Resorts' experts conclude there is insufficient evidence to link any Team Viewer access of Brooks' computer to AM Resorts.

Brooks v. AM Resorts, supra. 

The judge first ruled on several of the issues raised by both parties’ motions for summary judgment, noting, again, that Brooks had moved for summary judgment on

AM Resorts' liability, arguing that the evidence indisputably establishes that AM Resorts accessed his computer and email account in violation of the SCA [and] the CFAA. . . . AM Resorts moves for summary judgment in its favor on all claims, [claiming] the evidence is insufficient to prove AM Resorts accessed Brooks' computer and email address.

Brooks v. AM Resorts, supra. 

She then addressed Brooks’ SCA claim, noting that 18 U.S. Code § 2701(a) makes it a crime to intentionally access a facility through which an electronic communication service is provided without being authorized to do so or by exceeding authorization to do so and “thereby” obtain, alter or prevent authorized access to “a wire or electronic communication while it is in electronic storage”.  Brooks v. AM Resorts, supra.  Both sides agreed “that email messages remaining on an internet service provider's server after delivery fall within the Act's definition of electronic storage.” Brooks v. AM Resorts, supra.  And neither argued that “emails downloaded and stored on a personal computer are not included in the” definition of electronic storage. Brooks v. AM Resorts, supra. 

The judge then ruled on one of the issues in the case, noting that Brooks had

only alleged that AM Resorts obtained a downloaded copy of the privileged email exchange that was stored on Brooks' computer. Thus, AM Resorts argues that Brooks' claim under the SCA fails as a matter of law because emails downloaded and stored on a computer are not included in the Act's definition of electronic storage. 

Brooks agrees with AM Resorts' interpretation of the law. However, he strongly disagrees with AM Resorts portrayal of his allegations.

While it is true that Brooks alleges AM Resorts accessed his computer, [he] has never alleged that AM Resorts obtained a downloaded copy of the privileged email exchange from his hard drive. Rather, Brooks has maintained throughout this litigation that AM Resorts obtained the privileged email exchange by accessing his Microsoft Hotmail email account, an act that qualifies as a violation under the SCA. Brooks has presented evidence that a genuine dispute of material fact exists as to whether AM Resorts accessed his email account. 

Therefore, I will deny AM Resorts' motion for summary judgment on Brooks' SCA claim.

Brooks v. AM Resorts, supra. 

She then took up the CFAA claim, noting Brooks alleges AM Resorts violated the CFAA

by `intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage.’ 18 U.S. Code § 1030(a)(5)(B). Because this is a civil action, Brooks must demonstrate that he suffered damage or loss as a result of AM Resorts' violation of the CFAA. AM Resorts argues that Brooks cannot succeed on his CFAA claim because he has not put forth any evidence to support that he has suffered either damage or loss. Brooks argues that he has established evidence of loss.

Brooks v. AM Resorts, supra. 

The judge then explained that In a 1030(g) civil suit for violating the CFAA, the plaintiff must show that the defendant “caused “`loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.’” Brooks v. AM Resorts, supra (quoting  18 U.S. Code § 1030(c)(4)(A)(i)(I)).  She also noted that the “CFAA defines `loss’ as `any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.’” Brooks v. AM Resorts, supra (quoting 18 U.S. Code § 1030(e)(11)).

Next, she reviewed Brooks’ arguments as to why he had alleged loss, noting that he

alleges that he suffered `loss’ when he had to replace his computer while it was shipped to another location for examination. There is no evidence in the record to support this occurrence. Moreover, even if it did occur, there is no evidence to support the amount of economic loss that Brooks suffered as a result. 

Additionally, Brooks includes as `loss’ the litigation costs associated with hiring court reporters and videographers, and obtaining deposition transcripts. However, litigation costs are not a compensable loss under the CFAA because they are not related to investigating or remedying damage to the computer. . . .

Lastly, Brooks points to the invoices Harris, his forensic expert, sent his attorney during this litigation. While fees paid to an expert for investigating and remedying damage to a computer may be a cognizable `loss’ under the CFAA, . . . fees paid to an expert to assist in litigation do not fall within [its] definition of `loss.’ See Mintel Int'l Group, LTD. v. Neergheen, 2010 WL 145786 (U.S. District Court for the Northern District of Illinois 2010).

Brooks v. AM Resorts, supra. 

The judge noted that Brooks claimed AM Resorts violated the CFAA in March 2010 and filed the Complaint that began this suit in February of 2011. Brooks v. AM Resorts, supra.  She then explained that in the “eleven month time period” between the "alleged" violation

and the filing of the Complaint, there is no evidence Brooks hired anyone to assess and/or remedy the damage done to his computer. Rather, it was not until October 2011, . . . that [he] hired Harris to investigate his computer. Harris' deposition testimony and expert report indicate [he] was hired to prove AM Resorts accessed Brooks' computer and email account. 

There is no evidence Harris spent any time investigating, or responding to, damage to Brooks' computer that occurred as a result of AM Resorts unauthorized access.

The invoices cover services . . . performed by Harris in September 2012 through February 2013, including deposition preparation. Moreover, all invoices are addressed to Brooks' attorney in this litigation. This evidence establishes Brooks retained Harris for assistance in his lawsuit against AM Resorts. Therefore, these invoices do not fall within the definition of `loss’ under the CFAA. 

Moreover, even if some of the services Harris performed could arguably fall within the definition of `loss’ . . . , [they] do not meet the minimum loss requirement of $5,000.00. While the total amount billed by Harris was $7,225.00, more than $3,000.00 was. . . for time spent on depositions, declarations, and forwarding documents to opposing counsel, all of which are litigation expenses that are not considered `loss’ under the CFAA.

Brooks v. AM Resorts, supra. 

The judge therefore denied Brooks’ motion for partial summary judgment on liability and denied AM Resorts’ motion for summary judgment on his SCA claim. Brooks v. AM Resorts, supra.  She granted “AM Resorts' motion for summary judgment on Brooks' CFAA claim because he "has not demonstrated that he suffered the requisite `loss’ under the CFAA.”  Brooks v. AM Resorts, supra. 

No comments: