This post examines an opinion a federal district court judge
in Oregon issued recently in a civil suit.
Matot v. CH, 2013 WL 5431586
(U.S. District Court for the District of Oregon 2013). In his opinion, the District Court judge is deciding whether to adopt the Findings and
Recommendations [F&R] filed by the U.S. Magistrate Judge to whom he
referred certain motions that challenged the viability of the plaintiff’s –
Matot’s – suit. Matot v. CH, supra.
(As Wikipedia explains, a District Court judge
can refer certain issues to a Magistrate Judge to have the latter draft a
preliminary opinion analyzing those issues.)
In his F&R, the Magistrate Judge explains that in the
lawsuit Matot,
an assistant principal at a middle
school in Salem, Oregon, alleges that one or more of the defendants created
social media accounts under his name and likeness. Defendants then allegedly
invited students to communicate with them under the accounts falsely tied to
plaintiff.
[Matot] further alleges that defendants
published false and defamatory statements and images about or attributed to [him]
using the false accounts. [He] alleges that the parents of defendant CH were
negligent in their supervision of [his] internet and computer use causing harm
to [him].
Matot v. CH, supra.
Neither the F&R nor the judge’s opinion explains what
happened in any more detail, but a Complaint Matot filed, apparently before he
knew the defendants’ names, sheds a little light on what happened. It says that
“one or more” of the students named as defendants was/were “known” to use a
“procedure” in which they/one/some of them would “create an account” on a
social networking site, “include[ing] Twitter and Facebook”, “using [Matot’s]
name and likeness, appearing at least initially to be an account” belonging to
him. Matot
v. Does 1-5, Complaint ¶
18, U.S. District Court for the District of Oregon (6:13-cv- 00153).
“One or more defendants would then send an invitation to
communicate to a child-student, appearing at least initially to be a
communication from” Matot. Matot v. Does 1-5, supra, Complaint ¶
19. The Complaint then says that once a student accepted “an invitation to communicate
from defendants, third parties, including children, were then exposed to
pornographic and obscene material of a prurient nature which was displayed and
presented as if it were associated with or from” Matot. Matot v. Does 1-5, supra,
Complaint ¶ 19. Matot seems to have filed an amended
complaint later, since at least one defendant is identified in this opinion,
and it may have added more details.
In the Complaint these judges are dealing with, Matot seeks “damages
and equitable relief for alleged violation of the Computer Fraud and Abuse Act,
18 U.S. Code § 1030, defamation, negligent supervision, and parental liability
pursuant to Oregon Revised Statute § 30.765.” Matot
v. CH, supra. As the district court
judge notes in his opinion, the defendant in this case (“Gary Hill”) filed a
motion to dismiss the lawsuit for “lack of subject-matter jurisdiction.” Matot
v. CH, supra.
And as Wikipedia explains, subject-matter jurisdiction “is the
authority of a court to hear cases of a particular type”. As it also explains, most state courts in the
United States are courts of “general” jurisdiction, which means they can hear
“any case over which no other tribunal has exclusive jurisdiction.” And as Wikipedia notes, U.S. federal
courts, including district courts like this one, are courts of limited
jurisdiction, which basically means that if no federal statute confers
jurisdiction on a federal district court to hear certain types of cases, it
will not be able to hear those cases.
Here, Gary Hill filed a motion under Rule 12(b)(1) of the Federal Rules of Civil Procedure in which he claimed the federal court did not
have subject-matter jurisdiction. Matot v. CH, supra. Since Matot’s claims for defamation,
negligent supervision and parental liability arose under Oregon law, the
federal court would not have jurisdiction over them unless jurisdiction existed
under what is known as pendent jurisdiction.
As Wikipedia explains, pendent jurisdiction “is the authority of
a United States federal court to hear a closely related state law
claim against a party already facing a federal claim”. The theory is that it is efficient to decide all the claims in a single case.
Matot argued that the court had pendent jurisdiction because
his claim under 18 U.S. Code § 1030 arose under federal law, which gave the
court jurisdiction over the “case.” Matot
v. CH, supra. If he did, in fact,
have a valid claim under § 1030, then the Oregon District Court would have
jurisdiction over that claim and pendent jurisdiction would give it
subject-matter jurisdiction over the related state-law claims. Matot
v. CH, supra. In other words, he would be able to keep the case in federal
court if he had a viable § 1030 claim.
The district court judge began his analysis of this issue by
noting that Matot’s § 1030
claim rests on defendants' alleged use
`without authorization’ of social media services (e.g., Facebook and Twitter)
and defendants' alleged use `exceed[ing] authorized access’ of social media
services, i.e., defendants' violation of the terms of use of the particular
social media service. As indicated by Judge Coffin in the F&R, a mere
violation of a use restriction, i.e.,`exceed[ing] authorized access,’ is not
actionable under [18 U.S. Code § 1030] in the [U.S. Court of Appeals for the 9th Circuit]. Thus, the crux of [Matot’s] argument
is that defendants accessed social media services `without authorization’ under 18
U.S. Code § 1030.
Matot v. CH, supra. (The U.S. District Court for the District of
Oregon is in the 9th Circuit, which means the 9th
Circuit’s decisions are binding on it.)
The district court judge noted that Matot’s
`without authorization’ argument
focuses on defendants' alleged use of [his] name and image in creating `forged’
social media accounts (e.g. Facebook and Twitter). [Matot] attempts to cast
defendants' behavior as analogous to that of hacking proscribed by [18 U.S. Code § 1030].
Matot v. CH, supra. He found that Matot’s argument was
“unpersuasive in light of” two decisions from the U.S. Court of Appeals for the
9th Circuit and “the rule of lenity.” Matot
v. CH, supra.
The first decision was LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009). The judge explained that in Brekka, the Court of Appeals held that
someone
`uses a computer “without
authorization” under [§ 1030] when the person has not received permission to
use the computer for any purpose (such as when a hacker
accesses someone's computer without any permission), or when the employer has
rescinded permission to access the computer and the defendant uses the computer
anyway.’ LVRC Holdings v. Brekka,
supra (emphasis added). The Court further provided that `a person who uses
a computer ‘without authorization’ has no rights, limited or otherwise, to access
the computer in question.’ LVRC
Holdings v. Brekka, supra.
Matot v. CH, supra.
The judge noted that notwithstanding this
relatively bright-line rule, this Court
is reluctant to use it as an absolute bar to [Matot’s] claim. To begin with,
unlike in Brekka, defendants are not
employees of Twitter or Facebook who initially used the service for purposes of
employment. Rather, as [Matot] alleges, defendants' relationship with the
social media websites was `forged . . . from the ground up,’ i.e., the
defendants, as social media users, never were authorized because they breached
the terms of use at the inception of the relationship. . . .
[T]his court doubts that even the Brekka Court
would enforce its `without authorization’ language to the extent implicated. For example, if a hacker targeted a United States governmental
website for malicious purposes, such a hacker may be `authorized’ to access the
website under Brekka because many governmental websites are
open to the public. In other words, if interpreted strictly, Brekka could
preclude [§ 1030] application of `without authorization’ to hackers who breach
governmental websites that are open to the public. For the same
reason, strict adherence to Brekka's bright-line rule outside
of the employment context appears to be in conflict with the underlying
legislative purpose.
Matot v. CH, supra.
The second decision was U.S.
v. Nosal, 676 F.3d 854 (U.S. Court of Appeals for the 9th Circuit 2012), in which the9th Circuit,
in dicta, found that `without authorization would apply to
outside hackers (individuals who have no authorized access to
the computer at all).’ 676 F.3d at 858 (internal quotation marks
omitted) (emphasis added). In contrast, the Court found that `exceeds
authorized access would apply to inside hackers (individuals whose initial
access to a computer is authorized but who access unauthorized information or
files).’ Id. (internal quotation marks omitted).
The Court further provided that
`hacking’ colloquially refers to `someone who's authorized to access only
certain data or files but accesses unauthorized data or files.’ Id. at
856–57. Unfortunately, the Court's colloquial definition provides little
insight as to `outside hackers’ because `hackers,’ by definition, lack
authorized access.
Matot v. CH, supra (quoting
U.S. v. Nosal, supra).
The judge explained that the Nosal court, in affirming the district court’s dismissal of the
claim [in that case], discussed
numerous forms of relevant online conduct it was unwilling to criminalize. . .
. [M]any dealt with [Matot’s] `trespass under false pretenses’ scenario. The
Court found `lying on social media websites is common: People shave years off
their age, add inches to their height and drop pounds from their weight.’ U.S. v. Nosal, supra.
The Court referenced U.S. v.
Drew, to combat the notion that the government could be trusted to not
`prosecute minor violations.’ U.S. v. Drew, 259 F.R.D. 449 (U.S.
District Court for the Central District of California 2009). In Drew, a
mother posed as a 16–year old boy (`Josh Evans’) and cyber-bullied her
daughter's classmate who ultimately committed suicide. U.S. v. Drew, supra. Although Drew's `Josh Evans’ profile was
fictitious, it did include `a photograph of a boy without that boy's knowledge
or consent.’ U.S. v. Drew, supra.
Nosal's extensive
discussion of `lying on social media websites’ and its subsequent disapproval
of prosecution under Drew, indicate that the 9th Circuit is
unwilling to recognize [Matot’s] claim under [§ 1030].
Matot v. CH, supra.
Finally, the judge relied on the “rule of lenity.” As Wikipedia notes, this is a principle of
statutory interpretation under which a court “construing an ambiguous criminal
statute . . . should resolve the ambiguity in favor of the defendant.” He noted that the Brekka court relied on the rule of lenity in interpreting
“authorization” under § 1030 “narrowly” and finding that the statute does not
apply to “employee breach of loyalty scenarios.” Matot
v. CH, supra. He also noted the Nosal court explained that it construes
criminal statutes
narrowly so Congress will not
unintentionally turn ordinary citizens into criminals. [B]ecause of the
seriousness of criminal penalties, and because criminal punishment usually
represents the moral condemnation of the community, legislatures and not courts
should define criminal activity. If there is any doubt about whether Congress
intended [§ 1030] to prohibit the conduct in which [defendants] engaged, then
we must choose the interpretation least likely to impose penalties unintended
by Congress.
Matot v. CH, supra.
(quoting U.S. v. Nosal, supra). While this is a civil case, rather than a
criminal prosecution, § 1030 is a criminal statute, so the principle would
still apply,
The judge then explained that § 1030’s
focus is `on hacking’ rather than the
creation of a `sweeping internet-policing mandate.’ U.S. v. Nosal, supra. This court cannot fail `to consider the
effect on millions of ordinary citizens caused by’ recognizing [Matot’s]
claim. U.S. v. Nosal, supra. [Matot]
alleges that defendants created false social media profiles in his name and
likeness.
Yet, as indicated in Nosal, `lying on social media websites
is common.’ U.S. v. Nosal, supra. For example, in June 2011, Facebook predicted
that approximately 83 million of 855 million active users were duplicates,
false or undesirable. Twitter is also thought to have a large
number of `fake’ accounts. More
recently, police departments have taken to creating false profiles for the
purpose of law enforcement.
Were this court to `adopt the
[plaintiff's] proposed [argument], millions of unsuspecting individuals would
find that they are engaging in criminal conduct,’ in addition to any civil
liability. U.S. v. Nosal, supra.
This Court “must choose the interpretation [of `authorization’] least likely to
impose penalties unintended by Congress.’ U.S.
v. Nosal, supra (quoting U.S. v. Cabaccang, 332 F.3d 622
(9th Circuit 2003) (quotations omitted)).
Matot v. CH, supra.
The judge therefore found that “the rule of lenity precludes
application of [§ 1030] (`access without authorization’) to defendants' alleged
creation of fake social media profiles in violation of social media websites
terms of use.” Matot v. CH, supra. For this
and the reasons noted above, he therefore granted Hall’s motion to dismiss for
lack of subject matter jurisdiction, which meant the case was dismissed. Matot
v. CH, supra. Matot can presumably
try suing in state court.
If you would like to read a little more about the facts in
the case and see a photo of Matot, check out the news story you can find here.
No comments:
Post a Comment