Friday, March 20, 2015

Uber, John Doe 1 and the Computer Fraud and Abuse Act

As the story you can find here explains, a few weeks ago Uber Technologies, Inc. “filed a lawsuit Friday aimed at tracking down those behind the cyberattack” that revealed the names and license numbers of “50,000 Uber drivers”.  This post examines an opinion the U.S. District Court Judge who has the case recently issued on a request Uber filed with the court. Uber Technologies,  Inc. v. John Doe I, 2015 WL 1205167 (U.S. District Court for the Northern District of California 2015). 
As to the way the suit identifies the defendant, this is an instance in which a plaintiff is suing an as-yet-to-be identified person.  As Wikipedia explains, a
fictitious defendant is a person that cannot be identified by the plaintiff before a lawsuit is commenced. Commonly this person is identified as `John Doe’ or `Jane Doe’.
The District Court Judge began her opinion by explaining that Uber Technologies, Inc.,
asserts claims against Defendant John Doe I for violating the Computer Fraud and Abuse Act, 18 U.S. Code § 1030, et seq., and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502. . . . Uber seeks permission to take expedited discovery from the third party GitHub, Inc. to identify John Doe I. . . . The court heard this matter on March 12, 2015. . . .
Uber Technologies, Inc. v. John Doe I, supra.
The judge went on to note, as a preface, that Uber
has demonstrated the following: (1) John Doe I is a real person who may be sued in federal court; (2) it has unsuccessfully attempted to identify John Doe I before filing this motion; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a reasonable likelihood that the proposed subpoena will lead to information identifying John Doe I.
Uber Technologies, Inc. v. John Doe I, supra.
She then went on to outline why Uber sought to identify John Doe I:
Uber is a technology company. . . . It has developed a smartphone application that connects drivers and riders in cities all over the world. . . . Uber's smartphone application is available in over 200 cities and has been used by over 100,000 drivers to receive requests for transportation services. . . . Uber maintains internal database files with confidential details on the drivers who use its application. . . .

Those database files can be accessed only by certain Uber employees using a unique security key from Uber's protected computers. . . . On or around May 12, 2014, from an Internet protocol (`IP’) address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used a unique security key without authorization to access and download Uber's proprietary database files. . . .

Uber alleges that John Doe I's unauthorized access has harmed Uber and caused it to expend resources to investigate and to prevent such access from occurring. . . . As a result, Uber suffered over $5,000 in damages. . . .
Uber Technologies, Inc. v. John Doe I, supra. 
The fact that Uber suffered over $5,000 in damages is relevant to its claim under the Computer Fraud and Abuse Act. As Wikipedia explains, the Act criminalizes various types of attacks on computers, under federal law. In addition to defining several crimes, however, the statute also creates a civil cause of action: any “person” who “suffers damage or loss by reason of a violation of” the Computer Fraud and Abuse Act “may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S. Code § 1030(g).
In order to bring a civil suit for damage or loss resulting from a violation of the Computer Fraud and Abuse Act, however, the person seeking to sue must establish that the conduct at issue satisfies one of the requirements for such a suit. 18 U.S. Code § 1030(g). One of the factors is that the violation of the Act caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value”. 18 U.S. Code § 1030(g), 1030(c)(4)(A)(i)(I). That is why the judge notes that Uber suffered over $5,000 in damages from the conduct at issue in this lawsuit.
The judge then explains that
[u]nder Local Civil Rule 7–10, Uber certifies that it attempted to identify John Doe I without success. . . . Specifically, Uber reviewed the IP addresses that accessed the database and isolated one unrecognized IP address, but could not identify John Doe I. . . .
Uber Technologies, Inc. v. John Doe I, supra. 
According to the opinion, Uber was
informed that the person who downloaded the files also visited two pages at the GitHub website that are specified in the subpoena, which requests:

For the GitHub posts

https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b29826096fe043409e2c305bb79/insurance_fun.py[gist.githubusercontent.com] and https://api.github.com/gists/9556255/[api.github.com], please produce all records, including but not limited to transactional or other logs, from March 14, 2014 to September 17, 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as well as any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts.

This subpoena does not request the contents of any communications.
Please immediately preserve any potentially responsive records in your possession, custody, or control, including by suspending routine deletion procedures that might result in the deletion or overwriting of records that may be responsive to this subpoena.
Uber Technologies, Inc. v. John Doe I, supra. 
The judge then goes on to explain that GitHub is a
San Francisco-headquartered subscription Internet service where users collaborate in developing open-source-code software. At the hearing, Uber's counsel explained that GitHub hosts portions of Uber's code on the two pages specified in the subpoena. On these GitHub pages, people from Uber can work on the code collaboratively.

In response to the court's questions, Uber represented that there should not be many `hits’ on these pages. The hits should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download. Uber explained that GitHub may well have user logs that can be accessed easily, that Uber would work with GitHub to address any concerns about the burden that responding to the subpoena would place on GitHub, and that it would be in a better position to evaluate any burden or notification concerns once it sees how GitHub captures the relevant data.

To date, Uber has been unable to obtain the information it needs from GitHub through informal investigation. . . . Uber therefore asks for early discovery under Federal Rule of Civil Procedure 26(d) and leave to serve the Proposed GitHub Subpoena to obtain information that can reasonably be expected to lead to discovering John Doe 1's identity. . . .
Uber Technologies, Inc. v. John Doe I, supra. 
She then began her analysis of Uber’s request, explaining that a federal court can
authorize early discovery before the Rule 26(f) conference for the parties' and witnesses' convenience and in the interests of justice. Federal Rules of Civil Procedure 26(d). Courts within the Ninth Circuit generally consider whether a plaintiff has shown `good cause’ for early discovery. See, e.g., IO Group, Inc. v. Does 1–65, 2010 WL 4055667 (U.S. District Court for the Northern District of California Oct. 15, 2010); Semitool, Inc. v. Tokyo Electron America, Inc., 208 F.R.D. 273 (U.S. District Court for the Northern District of California 2002); Texas Guaranteed Student Loan Corp. v. Dhindsa, 2010 WL 2353520 (U.S. District Court for the Eastern District of California 2010); Yokohama Tire Corp. v. Dealers Tire Supply, Inc., 202 F.R.D. 612 (U.S. District Court for the District of Arizona 2005). . . .

When the identities of defendants are not known before a complaint is filed, a plaintiff `should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds.' Gillespie v. Civiletti, 629 F.2d 637 (U.S. Court of Appeals for the 9th Circuit 1980). In evaluating whether a plaintiff establishes good cause to learn the identity of Doe defendants through early discovery, courts examine whether the plaintiff: (1) identifies the Doe defendant with sufficient specificity that the court can determine that the defendant is a real person who can be sued in federal court; (2) recounts the steps taken to locate and identify the defendant; (3) demonstrates that the action can withstand a motion to dismiss, and (4) proves that the discovery is likely to lead to identifying information that will permit service of process. Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573 (U.S. District Court for the Northern District of California 1999).
Uber Technologies, Inc. v. John Doe I, supra. 
The judge then found that “Uber has made a sufficient showing under each of the four factors listed above to establish good cause to permit it to engage in early discovery to identify John Doe I.” Uber Technologies, Inc. v. John Doe I, supra.  She began her ruling by explaining that
[f]irst, Uber has shown that a real person, John Doe I, may be subject to jurisdiction in this court by showing that the target of his misconduct is California, where Uber is headquartered. . . In this action, Uber alleges that John Doe I accessed Uber's proprietary database files from its protected computers by using a unique security key. . . .

Those specific acts of misconduct can be perpetrated only by actual people, as opposed to a mechanical process. In addition, even if John Doe I is located outside California, the court would still have personal jurisdiction. To establish specific personal jurisdiction in the forum state, the Ninth Circuit applies the following three-prong test:

1. The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum . . . ;
2. the claim must be one which arises out of or relates to the defendant's forum-related activities; and
3. the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.
Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797 (U.S. Court of Appeals for the 9th Circuit 2004). "`The plaintiff bears the burden of satisfying the first two prongs of [this] test.’" Schwarzenegger v. Fred Martin Motor Co., supra.
Uber Technologies, Inc. v. John Doe I, supra. 
The judge went on to note that Uber
has proved that John Doe I intentionally targeted Uber, which is headquartered in California, by accessing its computers and illegally downloading its confidential files. Uber's damages claims arise out of John Doe I's forum-related activities. Given that John Doe I intentionally accessed Uber's proprietary and confidential database without permission, he or she must know his or her acts likely caused harm in California. See Calder v. Jones, 465 U.S. 783 (1984) (`petitioners are not charged with mere untargeted negligence. Rather, their intentional, and allegedly tortious, actions were expressly aimed at California’); Bancroft & Masters, Inc. v. Augusta Nat'l Inc., 223 F.3d 1082 (U.S. Court of Appeals for the 9th Circuit 2000) (`the defendant must have . . . caused harm, the brunt of which is suffered and which the defendant knows is likely to be suffered in the forum state’); Yahoo! Inc. v. La Ligue Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199 (U.S. Court of Appeals for the 9th Circuit 2006). The court thus finds that it has personal jurisdiction over John Doe I.
Uber Technologies, Inc. v. John Doe I, supra. 
Next, she pointed out that,
Uber has adequately described the steps it took to find and identify John Doe I. Specifically, its efforts include: (1) reviewing the IP address that accessed Uber's internal database; (2) isolating one unrecognized IP address; (3) learning that John Doe I also visited certain pages at the GitHub website; and (4) contacting GitHub to obtain the necessary information through informal investigation. . . .

Third, Uber has pleaded the essential elements to state a claim for violations of the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act. . . . See 18 U.S. Code § 1030(a)(2)(C) (`Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer . . . shall be punished . . .’); California Penal Code § 502(c)(1), (2), (7) (`[A]ny person who commits any of the following acts is guilty of a public offense: Knowingly accesses and without permission . . . uses any data, computers . . . in order to wrongfully control or obtain . . . data’).
Uber Technologies, Inc. v. John Doe I, supra. 
The judge concluded by finding that
[f]ourth, Uber has demonstrated that the proposed subpoena seeks information likely to lead to uncovering John Doe's identity. . . . Again, Uber learned that the person who accessed its database also visited pages at the GitHub website; the subpoena specifies these pages. . . . The proposed subpoena directs GitHub to yield information regarding John Doe I's access to the web pages in question. . . .

Given the information that is presently available to Uber, before and so without the issuance of the subpoena, obtaining this information from GitHub may be more than `reasonable,’ see Schwarzenegger v. Fred Martin Motor Co., supra; it may be the only way that Uber can be expected to identify John Doe I. Additionally, Uber has shown that its need for early discovery outweighs the prejudice to GitHub, as GitHub is an established provider who routinely deals with discovery requests and would suffer little burden from producing the requested information. . . .
Uber Technologies, Inc. v. John Doe I, supra. 
She also explained that
[t]aken together, the court finds that the foregoing factors demonstrate that good cause exists to grant Uber's leave to conduct early discovery. . . . Furthermore, the court finds that early discovery furthers the interests of justice and poses little, if any, inconvenience to GitHub. Permitting Uber to engage in this early discovery is therefore consistent with Rule 26(d).
Uber Technologies, Inc. v. John Doe I, supra. 
She therefore granted Uber’s motion for expedited discovery and entered the following order:
1. Uber may immediately serve on GitHub the Proposed Subpoena to obtain the requested information. Uber's proposed subpoena is acceptable. The subpoena shall have a copy of this order attached. To the extent that producing the information sought is burdensome, the parties must meet and confer and comply with the court's discovery procedures in the attached standing order. It may be that an iterative process is the best way to deliver the information about the unauthorized access that entitles Uber to this discovery.

2. GitHub will have 30 days from the date that the subpoena is served upon them to serve John Doe I with a copy of the subpoena and a copy of this order. GitHub may serve John Doe I using any reasonable means, including written notice sent to his or her last known address, transmitted either by first-class mail or via overnight service.

3. John Doe I shall have 30 days from the date of service upon him or her to file any motions in this court contesting the subpoena (including a motion to quash or modify the subpoena). If that 30–day period lapses without John Doe I contesting the subpoena, GitHub shall have 10 days to produce the information responsive to the subpoena to Uber.

4. GitHub shall preserve any subpoenaed information pending the resolution of any timely motion to quash.

5. If GitHub has no information identifying John Doe I, then it need not comply with Paragraphs 2–4, and should immediately produce the information that the subpoena requests.

6. GitHub must confer with Uber and must not assess any charge in advance of providing the information requested in the subpoena. If GitHub elects to charge for the costs of production, it must provide a billing summary and cost reports that serve as a basis for such billing summary and any costs claimed by GitHub.

7. Uber must serve a copy of this order along with the subpoena to all relevant entities.

8. Uber may use the subpoenaed information only in connection with its instant claims under the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act.

Uber Technologies, Inc. v. John Doe I, supra. 

1 comment:

  1. Parisian taxi drivers taking the law into their own hands, bodily pulling passengers and also the drivers from Uber cars.
