As the story you can find here explains, a few weeks ago
Uber Technologies, Inc. “filed a lawsuit Friday aimed at tracking down those
behind the cyberattack” that revealed the names and license numbers of “50,000
Uber drivers”. This post examines an
opinion the U.S. District Court Judge who has the case recently issued on a
request Uber filed with the court. Uber Technologies, Inc. v. John Doe I, 2015
WL 1205167 (U.S. District Court for the Northern District of California
2015).
As to the way the suit identifies the defendant, this is an
instance in which a plaintiff is suing an as-yet-to-be identified person. As Wikipedia explains, a
a fictitious defendant is a person that cannot be identified by
the plaintiff before a lawsuit is commenced. Commonly this person is
identified as `John Doe’ or `Jane Doe’.
The District Court Judge began her opinion by explaining
that Uber Technologies, Inc.,
asserts claims against Defendant John
Doe I for violating the Computer Fraud and Abuse Act, 18 U.S. Code §
1030, et seq., and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502. . . . Uber seeks
permission to take expedited discovery from the third party GitHub, Inc. to
identify John Doe I. . . . The court heard this matter on March 12, 2015. . . .
Uber Technologies,
Inc. v. John Doe I, supra.
The judge went on to note, as a preface, that Uber
has demonstrated the following: (1)
John Doe I is a real person who may be sued in federal court; (2) it has
unsuccessfully attempted to identify John Doe I before filing this motion; (3)
its claims against John Doe I could withstand a motion to dismiss; and (4)
there is a reasonable likelihood that the proposed subpoena will lead to
information identifying John Doe I.
Uber Technologies, Inc. v. John Doe I, supra.
Uber Technologies, Inc. v. John Doe I, supra.
She then went on to outline why Uber sought to identity John
Doe I:
Uber is a technology company. . . . It
has developed a smartphone application that connects drivers and riders in
cities all over the world. . . . Uber's smartphone application is available in
over 200 cities and has been used by over 100,000 drivers to receive requests
for transportation services. . . . Uber maintains internal database files with
confidential details on the drivers who use its application. . . .
Those database files can be accessed
only by certain Uber employees using a unique security key from Uber's
protected computers. . . . On or around May 12, 2014, from an Internet protocol
(`IP’) address not associated with an Uber employee and otherwise unknown to
Uber, John Doe I used a unique security key without authorization to access and
download Uber's proprietary database files. . . .
Uber alleges that John Doe I's
unauthorized access has harmed Uber and caused it to expend resources to
investigate and to prevent such access from occurring. . . . As a result, Uber
suffered over $5,000 in damages. . . .
Uber Technologies,
Inc. v. John Doe I, supra.
The fact that Uber suffered over $5,000 in damages is
relevant to its claim under the Computer Fraud and Abuse Act. As Wikipedia explains, the Act criminalizes
various types of attacks on computers, under federal law. In addition to defining several crimes,
however, the statute also creates a civil cause of action for any “person” who
“suffers damage or loss by reason of a violation of” the Computer Fraud and
Abuse act “may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief.” 18 U.S.Code § 1030(g).
In order to bring a civil suit for damage for law resulting
from a violation of the Computer Fraud and Abuse Act, however, the person
seeking to sue must establish that the conduct at issue satisfies one of the
requirements for such a suit. 18 U.S.
Code § 1030(g). One of the factors is that the violation of the Act caused
“loss to 1 or more persons during any 1-year period . . . aggregating at least
$5,000 in value”. 18 U.S. Code §1030(g), 1030(c)(4)(A)(i)(I). That is why the judge notes that Uber suffered
over $5,000 in damages from the conduct at issue in this lawsuit.
The judge then explains that
[u]nder Local Civil Rule 7–10, Uber
certifies that it attempted to identify John Doe I without success. . . .
Specifically, Uber reviewed the IP addresses that accessed the database and
isolated one unrecognized IP address, but could not identify John Doe I. . . .
Uber Technologies,
Inc. v. John Doe I, supra.
According to the opinion, Uber was
informed that the person who downloaded
the files also visited two pages at the GitHub website that are specified in
the subpoena, which requests:
For the GitHub posts
https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b2982609
6fe043409e2c305bb79/insurance_fun.py[gist.githubusercontent.com] and https://
api.github.com/gists/9556255/[api.github.com], please produce all records,
including but not limited to transactional or other logs, from March 14, 2014
to September 17, 2014, identifying the IP addresses or subscribers that viewed,
accessed, or modified these posts and the date/time of access, viewing, or
modification, as wellas any records or metadata relating to the browser (i.e.,
logged HTTP headers, including cookies) or device that viewed, accessed, or modified
the posts.
This subpoena does not request the
contents of any communications.
Please immediately preserve any
potentially responsive records in your possession, custody, or control,
including by suspending routine deletion procedures that might result in the
deletion or overwriting of records that may be responsive to tis subpoena.
Uber Technologies,
Inc. v. John Doe I, supra.
The judge then goes on to explain that GitHub is a
San Francisco-headquartered
subscription Internet service where users collaborate in developing
open-source-code software. At the hearing, Uber's counsel explained that GitHub
hosts portions of Uber's code on the two pages specified in the subpoena. On
these GitHub pages, people from Uber can work on the code collaboratively.
In response to the court's questions,
Uber represented that there should not be many `hits’ on these pages. The hits
should generally reveal people, who were affiliated with Uber and who worked on
the Uber code near the time of the unauthorized download. Uber explained that
GitHub may well have user logs that can be accessed easily, that Uber would
work with GitHub to address any concerns about the burden that responding to
the subpoena would place on GitHub, and that it would be in a better position to
evaluate any burden or notification concerns once it sees how GitHub captures
the relevant data.
To date, Uber has been unable to obtain
the information it needs from GitHub through informal investigation. . . . Uber
therefore asks for early discovery under Federal Rule of Civil Procedure 26(d) and leave to serve the Proposed GitHub Subpoena to obtain
information that can reasonably be expected to lead to discovering John Doe 1's
identity. . . .
Uber Technologies,
Inc. v. John Doe I, supra.
She then began her analysis of Uber’s request, explaining
that a federal court can
authorize early discovery before
the Rule 26(f) conference for the parties' and witnesses' convenience
and in the interests of justice. Federal Rules of Civil Procedure 26(d).
Courts within the Ninth Circuit generally consider whether a plaintiff has
shown `good cause’ for early discovery. See, e.g., IO Group, Inc.
v. Does 1–65, 2010 WL 4055667 (U.S. District Court for the Northern
District of California Oct. 15, 2010); Semitool, Inc. v. Tokyo Electron
America, Inc., 208 F.R.D. 273 (U.S. District Court for the Northern
District of California 2002); Texas Guaranteed Student Loan Corp. v.
Dhindsa, 2010 WL 2353520 (U.S. District Court for the Eastern District of California 2010); Yokohama Tire Corp. v. Dealers Tire
Supply, Inc., 202 F.R.D. 612 (U.S. District Court for the District of Arizona (2005). . .
When the identities of defendants are
not known before a complaint is filed, a plaintiff `should be given an
opportunity through discovery to identify the unknown defendants, unless it is
clear that discovery would not uncover the identities, or that the complaint
would be dismissed on other grounds.' Gillespie v. Civiletti, 629
F.2d 637 (U.S. Court of Appeals for the 9th Circuit 1980). In evaluating
whether a plaintiff establishes good cause to learn the identity of Doe
defendants through early discovery, courts examine whether the plaintiff: (1)
identifies the Doe defendant with sufficient specificity that the court can
determine that the defendant is a real person who can be sued in federal court;
(2) recounts the steps taken to locate and identify the defendant; (3)
demonstrates that the action can withstand a motion to dismiss, and (4) proves
that the discovery is likely to lead to identifying information that will
permit service of process. Columbia Ins. Co. v. seescandy.com, 185
F.R.D. 573 (U.S. District Court for the Northern District of California 1999).
Uber Technologies,
Inc. v. John Doe I, supra.
The judge then found that “Uber has made a sufficient
showing under each of the four factors listed above to establish good cause to
permit it to engage in early discovery to identify John Doe I.” Uber Technologies, Inc. v. John Doe I, supra.
She began her ruling by explaining that
[f]irst, Uber has shown that a real
person, John Doe I, may be subject to jurisdiction in this court by showing
that the target of his misconduct is California, where Uber is headquartered. .
. In this action, Uber alleges that John Doe I accessed Uber's proprietary
database files from its protected computers by using a unique security key. . .
.
Those specific acts of misconduct can
be perpetrated only by actual people, as opposed to a mechanical process. In
addition, even if John Doe I is located outside California, the court would
still have personal jurisdiction. To establish specific personal jurisdiction
in the forum state, the Ninth Circuit applies the following three-prong test:
1. The non-resident defendant must
purposefully direct his activities or consummate some transaction with the
forum or resident thereof; or perform some act by which he purposefully avails
himself of the privilege of conducting activities in the forum . . . ;
2. the claim must be one which arises
out of or relates to the defendant's forum-related activities; and
3. the exercise of jurisdiction must
comport with fair play and substantial justice, i.e. it must be reasonable.
Schwarzenegger v. Fred
Martin Motor Co., 374 F.3d 797 (U.S. Court of Appeals for the 9th Circuit 2004). "`The plaintiff bears the burden of satisfying the first two prongs of [this]
test.’" Schwarzenegger v. Fred Martin
Motor Co., supra.
Uber Technologies,
Inc. v. John Doe I, supra.
The judge went on to note that Uber
has proved that John Doe I
intentionally targeted Uber, which is headquartered in California, by accessing
its computers and illegally downloading its confidential files. Uber's damages
claims arise out of John Doe I's forum-related activities. Given that John Doe
I intentionally accessed Uber's proprietary and confidential database without
permission, he or she must know his or her acts likely caused harm in California.
See Calder v. Jones, 465 U.S. 783 (1984) (`petitioners
are not charged with mere untargeted negligence. Rather, their intentional, and
allegedly tortious, actions were expressly aimed at California’); Bancroft
& Masters, Inc. v. Augusta Nat'l Inc., 223 F.3d 1082 (U.S. Court
of Appeals for the 9th Circuit 2000) (`the defendant must have . . .
caused harm, the brunt of which is suffered and which the defendant knows is
likely to be suffered in the forum state’); Yahoo! Inc. v. La Ligue
Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199 (U.S. Court of
Appeals for the 9th Circuit 2006). The court thus finds that it has personal
jurisdiction over John Doe I.
Uber Technologies,
Inc. v. John Doe I, supra.
Next, she pointed out that,
Uber has adequately described the steps
it took to find and identify John Doe I. Specifically, its efforts include: (1)
reviewing the IP address that accessed Uber's internal database; (2) isolating
one unrecognized IP address; (3) learning that John Doe I also visited certain
pages at the GitHub website; and (4) contacting GitHub to obtain the necessary
information through informal investigation. . . .
Third, Uber has pleaded the essential
elements to state a claim for violations of the federal Computer Fraud and
Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act.
. . . See18 U.S. Code § 1030(a)(2)(C) (“Whoever . . . intentionally
accesses a computer without authorization or exceeds authorized access, and
thereby obtains information from any protected computer . . . shall be punished . . .’); California Penal
Code § 502(c)(1), (2), (7) (`[A]ny person who commits any of following
acts is guilty of a public offense: Knowingly accesses and without
permission . . . uses any data,
computers . . . in order to wrongfully control or obtain . . . data’).
Uber Technologies,
Inc. v. John Doe I, supra.
The judge concluded by finding that
[f]ourth, Uber has demonstrated that
the proposed subpoena seeks information likely to lead to uncovering John Doe's
identity. . . . Again, Uber learned that the person who accessed its database
also visited pages at the GitHub website; the subpoena specifies these pages. .
. . The proposed subpoena directs GitHub to yield information regarding John
Doe I's access to the web pages in question. . . .
Given the information that is presently
available to Uber, before and so without the issuance of the subpoena,
obtaining this information from GitHub may be more than `reasonable,’ see Schwarzenegger v. Fred Martin Motor Co.,
supra; it may be the only way that Uber can be expected to identify John
Doe I. Additionally, Uber has shown that its need for early discovery outweighs
the prejudice to GitHub, as GitHub is an established provider who routinely
deals with discovery requests and would suffer little burden from producing the
requested information. . . .
Uber Technologies,
Inc. v. John Doe I, supra.
She also explained that
[t]aken together, the court finds that
the foregoing factors demonstrate that good cause exists to grant Uber's leave
to conduct early discovery. . . . Furthermore, the court finds that
early discovery furthers the interests of justice and poses little, if any,
inconvenience to GitHub. Permitting Uber to engage in this early discovery is
therefore consistent with Rule 26(d).
Uber Technologies,
Inc. v. John Doe I, supra.
She therefore granted Uber’s motion for expedited discovery
and entered the following order:
1. Uber may immediately serve on GitHub
the Proposed Subpoena to obtain the requested information. Uber's proposed
subpoena is acceptable. The subpoena shall have a copy of this order attached.
To the extent that producing the information sought is burdensome, the parties
must meet and confer and comply with the court's discovery procedures in the
attached standing order. It may be that an iterative process is the best way to
deliver the information about the unauthorized access that entitles Uber to
this discovery.
2. GitHub will have 30 days from the
date that the subpoena is served upon them to serve John Doe I with a copy of
the subpoena and a copy of this order. GitHub may serve John Doe I using any
reasonable means, including written notice sent to his or her last known
address, transmitted either by first-class mail or via overnight service.
3. John Doe I shall have 30 days from
the date of service upon him or her to file any motions in this court
contesting the subpoena (including a motion to quash or modify the subpoena).
If that 30–day period lapses without John Doe I contesting the subpoena, GitHub
shall have 10 days to produce the information responsive to the subpoena to
Uber.
4. GitHub shall preserve any subpoenaed
information pending the resolution of any timely motion to quash.
5. If GitHub has no information
identifying John Doe I, then it need not comply with Paragraphs 2–4, and should
immediately produce the information that the subpoena requests.
6. GitHub must confer with Uber and
must not assess any charge in advance of providing the information requested in
the subpoena. If GitHub elects to charge for the costs of production, it must
provide a billing summary and cost reports that serve as a basis for such
billing summary and any costs claimed by GitHub.
7. Uber must serve a copy of this order
along with the subpoena to all relevant entities.
8. Uber may use the subpoenaed
information only in connection with its instant claims under the federal
Computer Fraud and Abuse Act, and the California Comprehensive Computer Data
Access and Fraud Act.
Uber Technologies,
Inc. v. John Doe I, supra.
Parisian taxi drivers taking the law into their own hands, bodily pulling passengers and also the drivers from Uber cars.
ReplyDelete