Dan Halperin filed a “putative class action” in federal
court “against Affluent Ads, LLC, and International Web Services, LLC, the
creator and distributor of Text Enhance, alleging violations of the “Computer Fraud and Abuse Act (`CFAA’), 18 U.S.C. § 1030” and “the Electronic Communications Privacy Act's anti-wiretap provisions (`Wiretap Act’)” among
other causes of action. Halperin v. International Web Services,
LLC, 2014 WL 4913528 (U.S. District Court for the Northern District of Illinois
2014).
The defendants responded by moving to dismiss his lawsuit
under Rule 12(b)(6) of the Federal Rules of Civil Procedure. Halperin
v. International Web Services, supra.
As Wikipedia explains, a Rule 12(b)(6) motion is how lawsuits with “insufficient
legal theories underlying their cause of action are dismissed from
court.” In the opinion this post
examines, the U.S. District Court Judge who has the case is ruling on the
defendants’ motion. Halperin v. International Web Services, supra.
The judge began his analysis of the motion by explaining
how, and why, the case arose:
Affluent Ads created a software program
called `Text Enhance,’ which International Web Services then distributed. . . .
Without Halperin's knowledge or consent, Defendants somehow installed Text
Enhance on his computer. . . . When Halperin visits a website using
his computer, `Text Enhance automatically scans the text of the webpage’ for
certain keywords, and for each keyword found, it `turns the [word] blue and
underlines it.’ . . . If Halperin's cursor hovers over an underlined word, `an
advertisement will appear over the website.’ . . . For example, in the
image below (taken from Halperin's complaint), Text Enhance has underlined the
word `bet,’ and when Halperin's cursor hovers over that word, a pop-up
advertisement entitled Play Free Slots’ appears. . . [image omitted].
Were Halperin to click on the pop-up
ad, his browser would be directed to the website `Youplaytime.net,’ which is not
affiliated with the website (`April Dammann Website’) he had been
viewing. . . .
Halperin alleges that `Text Enhance
causes computers to slow down, takes up bandwidth over an Internet connection,
uses up memory, utilizes pixels and screen space on monitors, causes the loss
of data, and otherwise frustrates the customary and intended uses of
computers.’ . . . As a result, he must upgrade his computer or internet
connection speed, . . . or `spend valuable time and money to
investigate . . . how the malware can be removed.’ . . .
Halperin v.
International Web Services, supra.
(The ellipses indicate the omission of to Halperin’s Complaint.”) The news story you can find here provides more
information about Halperin’s claims in the lawsuit.
As noted earlier, Halperin wanted this judge to “certify a
nationwide class” for the federal causes of action. Halperin
v. International Web Services, supra. As Wikipedia explains, the procedure for
filing a federal class action suit is to
file suit with one or several named
plaintiffs on behalf of a proposed class. The proposed class must consist of a
group of individuals or business entities that have suffered a common injury or
injuries. Typically these cases result from an action on the part of a business
or a particular product defect or policy that applied to all proposed class
members in a typical manner. After the complaint is filed, the plaintiff must
file a motion to have the class certified.
Once the class has been certified, the case can proceed.
The judge began his analysis of the defendants’ Rule
12(b)(6) to dismiss Halperin’s claim under the Computer Fraud and Abuse Act, 18U.S. Code § 1030(g). Halperin v. International Web Services, supra.
Halperin brought his suit under 18 U.S. Code § 1030(g), which
creates a civil cause of action for “[a]ny person who suffers damage or loss by
reason of a violation of [18 U.S. Code § 1030(a)]” which lets the victim “the
violator to obtain compensatory damages and injunctive relief or other
equitable relief.”
As the judge noted, to have a cause of action under the
Computer Fraud and Abuse Act,
Halperin must plausibly allege that
Defendants caused `a loss to 1 or more persons during any 1–year period . . .
aggregating at least $5,000 in value.’ 18 U.S.C. §§ 1030(c)(4)(A)(i)(I), 1030(g); see
WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012); LVRC Holdings LLC v. Brekka, 581
F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009); P.C.
Yonkers, Inc. v. Celebrations the Party & Seasonal Superstore, LLC., 428
F.3d 504 (U.S. Court of Appeals for the 3d Circuit 2005).
The CFAA defines `loss’ to include `any
reasonable cost to any victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense.” 18 U.S. Code §
1030(e)(11). With exceptions not pertinent here, however, a CFAA plaintiff's
damages `are limited to economic damages.’ § 1030(g). `When an individual
or firm's money or property are impaired in value, or money or property is
lost, or money must be spent to restore or maintain some aspect of a business
affected by a violation, those are “economic damages.”’ Creative
Computing v. Getloaded.com LLC, 386 F.3d 930 (U.S. Court of Appeals
for the 9th Circuit 2004).
Halperin v.
International Web Services, supra.
The judge began his analysis of the defendants’ motion by
noting they argued that
Halperin has not alleged that he
personally suffered at least $5,000 in economic damages, and that he may not
aggregate the economic damages of the absent class members to meet the $5,000
minimum because `such aggregation is allowed only if the damage arose from a
single act.’. . . Halperin does not argue that his economic
damages alone satisfy the $5,000 threshold, and he also concedes that the
`single act’ rule applies here. . . . But Halperin contends that Defendants' `sen[ding]
the Text Enhance software out into the web’ qualifies as that single act, and
therefore that the putative class members' damages may be aggregated to satisfy
the $5,000 threshold. . . .
Defendants are right that, at least
under the facts alleged in Halperin's complaint, the putative class members'
damages may not be aggregated to reach $5,000 because the CFAA does not allow
aggregating damages suffered by absent class members resulting from disparate
acts. The statutorily prohibited act is `intentionally access[ing] a protected computer
without authorization.’ 18 U.S. Code § 1030(a)(5)(B). Sending the Text
Enhance software `out into the web’ -- whatever that means -- is not `access[ing]
a protected computer without authorization.’ The `access’ prohibited by § 1030(a)(5)(B)
occurs only when a user downloads the software . . . to his or her own
computer.
Any allegation that all class members
downloaded Text Enhance at the same time or via a single download would be
implausible, and Halperin sensibly does not so allege. Doc. 2 at ¶ 22 (alleging
only that `Text Enhance hit thousands of consumers' computers and continues to
afflict them to this day,’ without specifying how or when the various computers
were `hit’); id. at ¶ 26 (alleging only that class members' `computers
were infected with Text Enhance,’ without specifying how or when); id. at
¶ 41 (alleging only that `there are thousands of consumers . . .who have been
damaged by Defendants' wrongful conduct,’ without specifying how or when their
respective downloads occurred). Accordingly, each class member's (unwitting)
download would be a different culpable act under the statute. And because
Halperin concedes that the `single act’ rule applies, he therefore cannot
aggregate his claim with those of the absent class members. . . .
Halperin v.
International Web Services, supra.
He also found that “[f]urther confirmation” for this
conclusion came from the fact that the
CFAA liability provision containing the
$5,000 minimum, 18 U.S. Code § 1030(c)(4)(A)(i)(I), is a substantive
provision of law, and in fact is an element of the crime. Absent a clear
statutory indication to the contrary, to allow aggregation of absent class
members' claims from disparate instances of `access,’ 18 U.S. Code §
1030(a)(5)(B), would effectively allow a civil procedural device, Federal Rule of Civil Procedure 23, to `abridge, modify, or enlarge a[ ] substantive
right,’ in violation of the Rules Enabling Act, 28 U.S.C. § 2072(b).
In Shady Grove Orthopedic Associates, P.A. v. Allstate Ins. Co., 559 U.S. 393 (2010), the Supreme Court held
that Rule 23 did not violate the Rules Enabling Act because `[a]
class action, no less than traditional joinder (of which it is a species),
merely enables a federal court to adjudicate claims of multiple parties at once,
instead of in separate suits’; it does not `change plaintiffs' separate
entitlements to relief.’ Shady Grove v. Allstate, supra.
By the same token, an interpretation
of Rule 23 that does `change plaintiffs' separate entitlements to
relief,’ for better or worse, would violate the Rules Enabling
Act. Yet that is precisely what would result were Halperin allowed to aggregate
his claim with those of absent class members -- for without aggregation, some
of them would not have a cause of action under the statute, because not all of
them could meet the $5,000 minimum. Unlike in Shady Grove, where `[e]ach
of the 1,000–plus members of the putative class could ... [have] br[ought] a
freestanding suit asserting his individual claim,’ here not all -- and maybe
even none -- of the putative class members could bring a freestanding suit
absent the aggregation proposed by Halperin.
Halperin contends that disallowing
aggregation would render the phrase `loss to 1 or more persons’ in §
1030(c)(4)(A)(i)(I) a nullity. Not so. Economic damages to multiple
victims could still be aggregated as long as they were the result of a single
act -- for example, the damages suffered by all family members who share an
infected computer, or by all customers with accounts stored on an infected
server, or by everyone who uses an infected public kiosk terminal, could be
aggregated. One can even envision a single act infecting multiple computers at
once, such as releasing a computer worm; in that case, the damages suffered by
everyone with an infected computer might possibly be aggregated. But under the
allegations of Halperin's complaint, a single act is not responsible for the
injuries to the putative class.
Halperin does not allege that
Defendants performed some action that caused the simultaneous or
near-simultaneous or rapidly spreading infection of all of the class members'
respective computers. Instead, the proposed class includes `[a]ll individuals
in the United States . . . whose computers have been infected with . . .
Text Enhance,” . . . no matter how or
when the infection occurred. He therefore has not alleged that his and the
absent class members' injuries arose from a single act. For these reasons,
Halperin's CFAA claim is dismissed.
Halperin v.
International Web Services, supra (emphasis
in the original).
The judge then took up the defendants’ Rule 12(b)(6) motion
to dismiss Halperin’s cause of action under the Wiretap Act, explaining that
the defendants claimed Halperin had
failed to allege that they
`intercept[ed]’ any `wire, oral, or electronic communication,’ 18 U.S.Code § 2520(a), without the consent of at least one party to the communication, see 18 U.S. Code § 2511(d) (`It
shall not be unlawful . . . to intercept a wire, oral, or electronic
communication . . . where one of the parties to the communication has given
prior consent[.]”). The Wiretap Act defines `intercept’ as `the aural or other acquisition of
the contents of any wire, electronic, or oral communication through the use of
any electronic, mechanical, or other device.’ 18 U.S. Code § 2510(4) (emphasis added).
Halperin argues that when he `typed a
website into his Web browser he intended to send “data” from his computer to
the server of a third party -- not Defendants,’ . . . and that this data was `intercepted
by Defendants' malware’. . . . Defendants respond that they never acquired, and
therefore could not have `intercept[ed],’ such communications. . . . Defendants
say that because `Text Enhance operates exclusively on the user's machine,
reading text that resides in the user's browser,’ they have not `acqui [red]”
the contents of any communication of Halperin's contemporaneously with the transmission
of those contents. . . .
Defendants' argument is based in part
on the statute's definition of `communication:’ Section 2510(1) defines
`wire communication’ as `any aural transfer made . . . by the
aid of wire, cable, or other like connection,’ and § 2510(12) defines
electronic communication’ as `any transfer of signs, signals,
[etc.] . . . by a wire, radio, electromagnetic, photoelectronic or photooptical
system.’ 18 U.S.C. §§ 2510(1), (12) (emphases added). `Transfer’ implies
some sort of transient event; and so to `intercept’ a communication, the
argument goes, the `acquisition’ must be contemporaneous with the `transfer.
The Seventh Circuit has never explicitly adopted this reading of the Wiretap
Act, though it did note in U.S. v. Szymuszkiewicz, 622 F.3d
701 (U.S. Court of Appeals for the 7th Circuit 2010), that `[s]everal circuits
have said that, to violate § 2511, an interception must be
“contemporaneous{ with the communication.’
Szymuszkiewicz did not need
to reach that issue, having held that the defendant's auto-forwarding his
supervisor's emails to himself violated the Wiretap Act because `if both [the
defendant] and [his boss] were sitting at their computers at the same time,
they would have received each message with no more than an eyeblink in between.
That's contemporaneous by any standard.’ U.S.
v. Szymuszkiewicz, supra.
Halperin v.
International Web Services, supra (emphasis
in the original).
The judge then
explained that he did not need to “predict how the [U.S. Court of
Appeals for the] 7th Circuit would resolve the contemporaneity issue” because “under
. . . the well-pleaded allegations” in Halperin’s Complaint, the defendants
never
`acqui[red]’ the contents of Halperin's
electronic communications, as required to maintain a private action under the
Wiretap Act. See 18 U.S. Code §§ 2510(4), 2511(1),(a), 2520(a).
According to the complaint, Text Enhance resides locally on Halperin's computer
and generates pop-up ads in his browser. . . . Halperin does not allege that
Text Enhance somehow forwards to Defendants the contents of his communication
with a third-party website (such as the `April Dammann Website’ . . . above).
At most, Defendants may be notified (and paid, according to the complaint) if
Halperin clicks on the advertising link -- but that would be a communication
with the advertiser (for example, `Youplaytime.net’), who has
presumably consented to Defendants' being notified, which . . . negates
liability under the statute. See 18 U.S. Code § 2511(2)(d) (`It
shall not be unlawful. . . to intercept a wire, oral, or electronic
communication . . . where one of the parties to the communication has given
prior consent to such interception[.]’); Doe v. Smith, 429 F.3d 706
(U.S. Court of Appeals for the 7th Circuit 2005) (`The statute provides
some defenses, such as consent. Any one private participant's consent usually
suffices’). . . .
Text Enhance itself scans the text of
Halperin's communications (for example, the html file sent by a third-party
website and then displayed by his web browser) to insert the advertising links.
But Halperin does not allege that Text Enhance stores or transmits those
contents beyond his local computer. That is significant. By way of analogy, courts
have uniformly held that `keylogger’ software, which records keystrokes made on
a computer, does not violate the Wiretap Act. The Eleventh Circuit recently so
held because `the signal or information captured from the keystrokes is not at
that time being transmitted beyond the computer on which the keylogger is
installed.” U.S. v. Barrington, 648 F.3d 1178 (U.S. Court of Appeals for the 11th Circuit 2011). . . . .
Text Enhance, too, “capture[s] a
transmission that require[s] no connection” to the outside world, . . .;
rather, according to the complaint, it simply modifies the rendering of an html
file within the web browser before the page is displayed on Halperin's screen,
without recording or retransmitting that page's contents.
More compelling is that the court has
been unable to find . . . any decision finding a potential Wiretap Act
violation where the defendant did not actually acquire the contents
of a communication, but instead, by means of a locally installed software program
or device, simply modified -- without recording or retransmitting -- the
contents of a communication. To the contrary, the case law appears to reject
that proposition. See Expert Bus. Sys., LLC v. BI4CE, Inc., 233
Fed.Appx. 251 (U.S. Court of Appeals for the 4th Circuit (2007) (rejecting
a Wiretap Act claim where the defendant's software that was locally installed
on the plaintiff's computers could access the plaintiff's “records and data,”
but where the defendant could not remotely access that data using the
software).
In sum, given the statutory requirement
of an `acquisition,’ 18 U.S.C. § 2510(4), Halperin has not stated a viable
claim under the Wiretap Act, which seems to be a poor fit to address the kind
of invasive and annoying tactics that Text Enhance is alleged to employ. . . .
It is, of course, possible that Text Enhance does record or
retransmit to Defendants the contents of the webpages that Halperin visits, in
which case Defendants would have “acqui[red]” those contents; and if so,
Halperin might well have a valid Wiretap Act claim. . . .
Accordingly, because Halperin might
consistent with Rule 11 be able to plead that fact or any other fact that would
bring Defendants' conduct within the Wiretap Act's scope, the dismissal of the
Wiretap Act claim is without prejudice and with leave to replead.
Halperin v.
International Web Services, supra (emphasis
in the original).
Since the dismissal of both causes of action was without prejudice, the judge noted that he was giving Halperin “one opportunity to try”
to address the deficiencies he found in Halperin’s attempt to plead these two
causes of action. Halperin v.
International Web Services, supra. In other words, he can file a new Complaint
that addresses the issues discussed above.
){kind=link}
No comments:
Post a Comment