Monday, January 05, 2015

Text Enhance, Wiretapping and the Computer Fraud and Abuse Act

Dan Halperin filed a “putative class action” in federal court “against Affluent Ads, LLC, and International Web Services, LLC, the creator and distributor of Text Enhance, alleging violations of the “Computer Fraud and Abuse Act (`CFAA’), 18 U.S.C. § 1030” and “the Electronic Communications Privacy Act's anti-wiretap provisions (`Wiretap Act’)” among other causes of action.  Halperin v. International Web Services, LLC, 2014 WL 4913528 (U.S. District Court for the Northern District of Illinois 2014).  
The defendants responded by moving to dismiss his lawsuit under Rule 12(b)(6) of the Federal Rules of Civil Procedure.  Halperin v. International Web Services, supra. As Wikipedia explains, a Rule 12(b)(6) motion is how lawsuits with “insufficient legal theories underlying their cause of action are dismissed from court.”  In the opinion this post examines, the U.S. District Court Judge who has the case is ruling on the defendants’ motion.  Halperin v. International Web Services, supra.
The judge began his analysis of the motion by explaining how, and why, the case arose:
Affluent Ads created a software program called `Text Enhance,’ which International Web Services then distributed. . . . Without Halperin's knowledge or consent, Defendants somehow installed Text Enhance on his computer. . . . When Halperin visits a website using his computer, `Text Enhance automatically scans the text of the webpage’ for certain keywords, and for each keyword found, it `turns the [word] blue and underlines it.’ . . . If Halperin's cursor hovers over an underlined word, `an advertisement will appear over the website.’ . . . For example, in the image below (taken from Halperin's complaint), Text Enhance has underlined the word `bet,’ and when Halperin's cursor hovers over that word, a pop-up advertisement entitled Play Free Slots’ appears. . . [image omitted].
Were Halperin to click on the pop-up ad, his browser would be directed to the website `Youplaytime.net,’ which is not affiliated with the website (`April Dammann Website’) he had been viewing. . . .

Halperin alleges that `Text Enhance causes computers to slow down, takes up bandwidth over an Internet connection, uses up memory, utilizes pixels and screen space on monitors, causes the loss of data, and otherwise frustrates the customary and intended uses of computers.’ . . . As a result, he must upgrade his computer or internet connection speed, . . . or `spend valuable time and money to investigate . . . how the malware can be removed.’ . . .
Halperin v. International Web Services, supra. (The ellipses indicate the omission of to Halperin’s Complaint.”)  The news story you can find here provides more information about Halperin’s claims in the lawsuit.
As noted earlier, Halperin wanted this judge to “certify a nationwide class” for the federal causes of action.  Halperin v. International Web Services, supra.  As Wikipedia explains, the procedure for filing a federal class action suit is to
file suit with one or several named plaintiffs on behalf of a proposed class. The proposed class must consist of a group of individuals or business entities that have suffered a common injury or injuries. Typically these cases result from an action on the part of a business or a particular product defect or policy that applied to all proposed class members in a typical manner. After the complaint is filed, the plaintiff must file a motion to have the class certified.
Once the class has been certified, the case can proceed.
The judge began his analysis of the defendants’ Rule 12(b)(6) to dismiss Halperin’s claim under the Computer Fraud and Abuse Act, 18U.S. Code § 1030(g).  Halperin v. International Web Services, supra.  Halperin brought his suit under 18 U.S. Code § 1030(g), which creates a civil cause of action for “[a]ny person who suffers damage or loss by reason of a violation of [18 U.S. Code § 1030(a)]” which lets the victim “the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
As the judge noted, to have a cause of action under the Computer Fraud and Abuse Act,
Halperin must plausibly allege that Defendants caused `a loss to 1 or more persons during any 1–year period . . . aggregating at least $5,000 in value.’ 18 U.S.C. §§ 1030(c)(4)(A)(i)(I), 1030(g); see WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009); P.C. Yonkers, Inc. v. Celebrations the Party & Seasonal Superstore, LLC., 428 F.3d 504 (U.S. Court of Appeals for the 3d Circuit 2005).

The CFAA defines `loss’ to include `any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.” 18 U.S. Code § 1030(e)(11). With exceptions not pertinent here, however, a CFAA plaintiff's damages `are limited to economic damages.’ § 1030(g). `When an individual or firm's money or property are impaired in value, or money or property is lost, or money must be spent to restore or maintain some aspect of a business affected by a violation, those are “economic damages.”’ Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (U.S. Court of Appeals for the 9th Circuit 2004).
Halperin v. International Web Services, supra. 
The judge began his analysis of the defendants’ motion by noting they argued that
Halperin has not alleged that he personally suffered at least $5,000 in economic damages, and that he may not aggregate the economic damages of the absent class members to meet the $5,000 minimum because `such aggregation is allowed only if the damage arose from a single act.’. . . Halperin does not argue that his economic damages alone satisfy the $5,000 threshold, and he also concedes that the `single act’ rule applies here. . . . But Halperin contends that Defendants' `sen[ding] the Text Enhance software out into the web’ qualifies as that single act, and therefore that the putative class members' damages may be aggregated to satisfy the $5,000 threshold. . . .

Defendants are right that, at least under the facts alleged in Halperin's complaint, the putative class members' damages may not be aggregated to reach $5,000 because the CFAA does not allow aggregating damages suffered by absent class members resulting from disparate acts. The statutorily prohibited act is `intentionally access[ing] a protected computer without authorization.’ 18 U.S. Code § 1030(a)(5)(B). Sending the Text Enhance software `out into the web’ -- whatever that means -- is not `access[ing] a protected computer without authorization.’ The `access’ prohibited by § 1030(a)(5)(B) occurs only when a user downloads the software . . . to his or her own computer.

Any allegation that all class members downloaded Text Enhance at the same time or via a single download would be implausible, and Halperin sensibly does not so allege. Doc. 2 at ¶ 22 (alleging only that `Text Enhance hit thousands of consumers' computers and continues to afflict them to this day,’ without specifying how or when the various computers were `hit’); id. at ¶ 26 (alleging only that class members' `computers were infected with Text Enhance,’ without specifying how or when); id. at ¶ 41 (alleging only that `there are thousands of consumers . . .who have been damaged by Defendants' wrongful conduct,’ without specifying how or when their respective downloads occurred). Accordingly, each class member's (unwitting) download would be a different culpable act under the statute. And because Halperin concedes that the `single act’ rule applies, he therefore cannot aggregate his claim with those of the absent class members. . . .
Halperin v. International Web Services, supra.  
He also found that “[f]urther confirmation” for this conclusion came from the fact that the
CFAA liability provision containing the $5,000 minimum, 18 U.S. Code § 1030(c)(4)(A)(i)(I), is a substantive provision of law, and in fact is an element of the crime. Absent a clear statutory indication to the contrary, to allow aggregation of absent class members' claims from disparate instances of `access,’ 18 U.S. Code § 1030(a)(5)(B), would effectively allow a civil procedural device, Federal Rule of Civil Procedure 23, to `abridge, modify, or enlarge a[ ] substantive right,’ in violation of the Rules Enabling Act, 28 U.S.C. § 2072(b). In Shady Grove Orthopedic Associates, P.A. v. Allstate Ins. Co., 559 U.S. 393  (2010), the Supreme Court held that Rule 23 did not violate the Rules Enabling Act because `[a] class action, no less than traditional joinder (of which it is a species), merely enables a federal court to adjudicate claims of multiple parties at once, instead of in separate suits’; it does not `change plaintiffs' separate entitlements to relief.’  Shady Grove v. Allstate, supra.

By the same token, an interpretation of Rule 23 that does `change plaintiffs' separate entitlements to relief,’ for better or worse, would violate the Rules Enabling Act. Yet that is precisely what would result were Halperin allowed to aggregate his claim with those of absent class members -- for without aggregation, some of them would not have a cause of action under the statute, because not all of them could meet the $5,000 minimum. Unlike in Shady Grove, where `[e]ach of the 1,000–plus members of the putative class could ... [have] br[ought] a freestanding suit asserting his individual claim,’ here not all -- and maybe even none -- of the putative class members could bring a freestanding suit absent the aggregation proposed by Halperin.

Halperin contends that disallowing aggregation would render the phrase `loss to 1 or more persons’ in § 1030(c)(4)(A)(i)(I) a nullity. Not so. Economic damages to multiple victims could still be aggregated as long as they were the result of a single act -- for example, the damages suffered by all family members who share an infected computer, or by all customers with accounts stored on an infected server, or by everyone who uses an infected public kiosk terminal, could be aggregated. One can even envision a single act infecting multiple computers at once, such as releasing a computer worm; in that case, the damages suffered by everyone with an infected computer might possibly be aggregated. But under the allegations of Halperin's complaint, a single act is not responsible for the injuries to the putative class.

Halperin does not allege that Defendants performed some action that caused the simultaneous or near-simultaneous or rapidly spreading infection of all of the class members' respective computers. Instead, the proposed class includes `[a]ll individuals in the United States . . . whose computers have been infected with . . . Text Enhance,” . . .  no matter how or when the infection occurred. He therefore has not alleged that his and the absent class members' injuries arose from a single act. For these reasons, Halperin's CFAA claim is dismissed.
Halperin v. International Web Services, supra (emphasis in the original).  
The judge then took up the defendants’ Rule 12(b)(6) motion to dismiss Halperin’s cause of action under the Wiretap Act, explaining that the defendants claimed Halperin had
failed to allege that they `intercept[ed]’ any `wire, oral, or electronic communication,’ 18 U.S.Code § 2520(a), without the consent of at least one party to the communication,  see 18 U.S. Code § 2511(d) (`It shall not be unlawful . . . to intercept a wire, oral, or electronic communication . . . where one of the parties to the communication has given prior consent[.]”). The Wiretap Act defines `intercept’ as `the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.’ 18 U.S. Code § 2510(4) (emphasis added).

Halperin argues that when he `typed a website into his Web browser he intended to send “data” from his computer to the server of a third party -- not Defendants,’ . . . and that this data was `intercepted by Defendants' malware’. . . . Defendants respond that they never acquired, and therefore could not have `intercept[ed],’ such communications. . . . Defendants say that because `Text Enhance operates exclusively on the user's machine, reading text that resides in the user's browser,’ they have not `acqui [red]” the contents of any communication of Halperin's contemporaneously with the transmission of those contents. . . .

Defendants' argument is based in part on the statute's definition of `communication:’ Section 2510(1) defines `wire communication’ as `any aural transfer made . . . by the aid of wire, cable, or other like connection,’ and § 2510(12) defines electronic communication’ as `any transfer of signs, signals, [etc.] . . . by a wire, radio, electromagnetic, photoelectronic or photooptical system.’ 18 U.S.C. §§ 2510(1), (12) (emphases added). `Transfer’ implies some sort of transient event; and so to `intercept’ a communication, the argument goes, the `acquisition’ must be contemporaneous with the `transfer. The Seventh Circuit has never explicitly adopted this reading of the Wiretap Act, though it did note in U.S. v. Szymuszkiewicz, 622 F.3d 701 (U.S. Court of Appeals for the 7th Circuit 2010), that `[s]everal circuits have said that, to violate § 2511, an interception must be “contemporaneous{ with the communication.’

Szymuszkiewicz did not need to reach that issue, having held that the defendant's auto-forwarding his supervisor's emails to himself violated the Wiretap Act because `if both [the defendant] and [his boss] were sitting at their computers at the same time, they would have received each message with no more than an eyeblink in between. That's contemporaneous by any standard.’ U.S. v. Szymuszkiewicz, supra.
Halperin v. International Web Services, supra (emphasis in the original).  
The judge then explained that he did not need to “predict how the [U.S. Court of Appeals for the] 7th Circuit would resolve the contemporaneity issue” because “under . . . the well-pleaded allegations” in Halperin’s Complaint, the defendants never
`acqui[red]’ the contents of Halperin's electronic communications, as required to maintain a private action under the Wiretap Act. See 18 U.S. Code §§ 2510(4), 2511(1),(a), 2520(a). According to the complaint, Text Enhance resides locally on Halperin's computer and generates pop-up ads in his browser. . . . Halperin does not allege that Text Enhance somehow forwards to Defendants the contents of his communication with a third-party website (such as the `April Dammann Website’ . . . above). At most, Defendants may be notified (and paid, according to the complaint) if Halperin clicks on the advertising link -- but that would be a communication with the advertiser (for example, `Youplaytime.net’), who has presumably consented to Defendants' being notified, which . . . negates liability under the statute. See 18 U.S. Code § 2511(2)(d) (`It shall not be unlawful. . . to intercept a wire, oral, or electronic communication . . . where one of the parties to the communication has given prior consent to such interception[.]’); Doe v. Smith, 429 F.3d 706 (U.S. Court of Appeals for the 7th Circuit 2005) (`The statute provides some defenses, such as consent. Any one private participant's consent usually suffices’). . . .

Text Enhance itself scans the text of Halperin's communications (for example, the html file sent by a third-party website and then displayed by his web browser) to insert the advertising links. But Halperin does not allege that Text Enhance stores or transmits those contents beyond his local computer. That is significant. By way of analogy, courts have uniformly held that `keylogger’ software, which records keystrokes made on a computer, does not violate the Wiretap Act. The Eleventh Circuit recently so held because `the signal or information captured from the keystrokes is not at that time being transmitted beyond the computer on which the keylogger is installed.” U.S. v. Barrington, 648 F.3d 1178 (U.S. Court of Appeals for the 11th Circuit 2011). . . . .

Text Enhance, too, “capture[s] a transmission that require[s] no connection” to the outside world, . . .; rather, according to the complaint, it simply modifies the rendering of an html file within the web browser before the page is displayed on Halperin's screen, without recording or retransmitting that page's contents.

More compelling is that the court has been unable to find . . . any decision finding a potential Wiretap Act violation where the defendant did not actually acquire the contents of a communication, but instead, by means of a locally installed software program or device, simply modified -- without recording or retransmitting -- the contents of a communication. To the contrary, the case law appears to reject that proposition. See Expert Bus. Sys., LLC v. BI4CE, Inc., 233 Fed.Appx. 251 (U.S. Court of Appeals for the 4th Circuit (2007) (rejecting a Wiretap Act claim where the defendant's software that was locally installed on the plaintiff's computers could access the plaintiff's “records and data,” but where the defendant could not remotely access that data using the software).

In sum, given the statutory requirement of an `acquisition,’ 18 U.S.C. § 2510(4), Halperin has not stated a viable claim under the Wiretap Act, which seems to be a poor fit to address the kind of invasive and annoying tactics that Text Enhance is alleged to employ. . . . It is, of course, possible that Text Enhance does record or retransmit to Defendants the contents of the webpages that Halperin visits, in which case Defendants would have “acqui[red]” those contents; and if so, Halperin might well have a valid Wiretap Act claim. . . .

Accordingly, because Halperin might consistent with Rule 11 be able to plead that fact or any other fact that would bring Defendants' conduct within the Wiretap Act's scope, the dismissal of the Wiretap Act claim is without prejudice and with leave to replead.
Halperin v. International Web Services, supra (emphasis in the original).  
Since the dismissal of both causes of action was without prejudice, the judge noted that he was giving Halperin “one opportunity to try” to address the deficiencies he found in Halperin’s attempt to plead these two causes of action. Halperin v. International Web Services, supra.  In other words, he can file a new Complaint that addresses the issues discussed above.



No comments: