Monday, August 31, 2015

The Passwords, the Computer Fraud and Abuse Act and the Statute of Limitations

This post examines an opinion issued in a case in which a woman – Chantay Sewell -- sued “her former boyfriend, . . . Phil Bernardin,” alleging that he “had gained access to her e-mail and Facebook accounts without her permission and therefore in violation of the [Computer Fraud and Abuse Act] and the [Stored Communications Act]. Sewell v. Bernardin, 2015 WL 4619519 (U.S. Court of Appeals for the 2d Circuit 2015).
Both the Computer Fraud and Abuse Act [CFAA] and the Stored Communications Act [SCA] are primarily “criminal” statutes, in that if you violate their provisions with the requisite intent, you can, and may very well be, prosecuted in federal court by an Assistant U.S.Attorney.  But each also creates a civil cause of action so that those who have been the target of conduct that violates either statute (or both statutes) can sue for damages.  Federal criminal statutes, at least, often include a private cause of action; the premise is that citizens who have been the target of a violation of either statute (or both statutes) can sue for damages, which provides a supplemental enforcement method. The theory is that, since prosecutors probably cannot prosecute every violation of either statute or both statutes, allowing civil enforcement suits supplements enforcement of either or both statutes. This practice is known as enabling private attorney generals and you can,, if you are interested, read a Wikipedia entry about this here.
And that brings us to the facts that resulted in this case. As the Court of Appeals explains,
[i]n order to resolve this appeal, we address a matter of first impression in this Circuit: the operation of the statutes of limitations applicable under the civil enforcement provisions of the Computer Fraud and Abuse Act (CFAA), 18 U.S. Code § 1030, and the Stored Communications Act (SCA), 18 U.S. Code §2701, et seq. A plaintiff bringing an action under the CFAA's civil enforcement provision must do so `within 2 years of the date of the act complained of or the date of the discovery of the damage.’ 18 U.S. Code § 1030(g). The SCA provides that `[a] civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.’ 18 U.S. Code § 2707(f).

The plaintiff, Chantay Sewell, filed suit under both statutes alleging that her former boyfriend, defendant Phil Bernardin, had gained access to her e-mail and Facebook accounts without her permission and therefore in violation of the CFAA and the SCA. She asserts that she discovered that she could not log into her www.aol.com (AOL.) e-mail account on or about August 1, 2011 `because her password was altered.’ Complaint ¶ 11 (J.A. 5). More than six months later, on or about February 24, 2012, she contends, she discovered that she could not log into her www.facebook.com (`Facebook’) account `because her password was altered.’ Complaint ¶ 12 (J.A. 5). The district court granted Bernardin's motion to dismiss Sewell's claims as untimely, and Sewell appealed. 
Sewell v. Bernardin, supra.
The Court of Appeals began its analysis of Sewell’s appeal by explaining that
[w]e accept as true at this stage of the proceedings all facts alleged in Sewell's complaint. See Town of Babylon v. Fed. Housing Finance Agency, 699 F.3d 221 (U.S. Court of Appeals for the 2d Circuit 2012). According to those allegations, Sewell and Bernardin were involved in a `romantic relationship' from in or about 2002 until 2011. Sewell maintained a private e-mail account with AOL and a private social media account with Facebook, including in 2011 and 2012. She did not knowingly share her account passwords with Bernardin or any other person and was the only authorized user of each account.

On or about August 1, 2011, Sewell discovered that her AOL password had been altered, and she was therefore unable to log into her AOL e-mail account. That same month, malicious statements about her sexual activities were e-mailed to various family members and friends `via Sewell's own contacts list maintained privately within her email account.’ Complaint ¶ 19 (J.A. 6).

On February 24, 2012, Sewell found herself unable to log into her Facebook account. Then, on March 1, 2012, someone other than she posted a public message from her Facebook account containing malicious statements, again concerning Sewell's sex life. Sewell alleges that Bernardin obtained her AOL and Facebook passwords without her permission while he was a guest in her home. Verizon Internet records confirmed that Bernardin's computer was used to gain access to the servers on which Sewell's accounts were stored. He then changed her AOL and Facebook passwords. Bernardin allegedly thereby obtained access to Sewell's electronic communications and other personal information and sent messages purporting to be from her.
Sewell v. Bernardin, supra. The court included two footnotes in the passage quoted above:  The first said, “Sewell's characterization of her relationship with Bernardin is contained in an affidavit filed with the district court on February 14, 2014.” Sewell v. Bernardin, supra. The
second footnote said “[i]n her complaint, Sewell describes an e-mail sent in or around August 2011 using her personal contacts list as containing `malicious statements toward Sewell regarding certain sexually transmitted diseases and sexual activities.’”  Sewell v. Bernardin, supra.
The opinion then went on to explain that
[o]n May 15, 2013, Sewell filed a separate suit against Bernardin's wife, Tara Bernardin, and `John Does # 1–5,’ apparently believing that Tara Bernardin and others unknown to her had gained access to her Internet accounts. The complaint raised claims strikingly similar to those that she is pursuing in the instant action. Tara Bernardin settled her suit with Sewell on September 27, 2013, and the court accordingly entered judgment in Sewell's favor shortly thereafter.

Several months later, on January 2, 2014, Sewell filed the instant action against Phil Bernardin, alleging violations of the SCA and CFAA. On August 2, 2014, the United States District Court for the Eastern District of New York (Arthur D. Spatt, Judge ) granted Bernardin's motion to dismiss, holding that Sewell's claims were time-barred under the CFAA's and SCA's applicable two-year statutes of limitations. This appeal followed.
Sewell v. Bernardin, supra.
The Court of Appeals then began its analysis of the issues in this case, explaining that
[w]e review the grant of a motion to dismiss under Federal Rule of Civil Procedure12(b)(6) de novo, `accepting as true factual allegations made in the complaint, and drawing all reasonable inferences in favor of the plaintiff[ ].’ Town of Babylon v. Federal Housing Finance Agency, 699 F.3d 221 (U.S. Court of Appeals for the 2d Circuit 2012).  `Dismissal under Federal Rules of Civil Procedure Rule 12(b)(6) is appropriate when a defendant raises a statutory bar,’ such as lack of timeliness, `as an affirmative defense and it is clear from the face of the complaint, and matters of which the court may take judicial notice, that the plaintiff's claims are barred as a matter of law.’ Staehr v. Hartford Financial Services Group, 547 F.3d 406 (U.S. Court of Appeals for the 2d Circuit 2008). 
Sewell v. Bernardin, supra.  Rule 12(b)(6), which you can find here, says that a party to litigation (usually a defendant) can assert the defense that the plaintiff’s Complaint “fails to state a claim upon which relief can be granted.” You can read more about Rule 12(b)(6) motions here.
Next, the Court of Appeals summarized the relevant provisions of the CFAA and the SCA and noted the length and “tolling” of the pertinent statute of limitations for each statute. Sewell v. Bernardin, supra.  It began with the CFAA, explaining that the
CFAA criminalizes, inter alia, `intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain [ing] . . . information from any protected computer,’ 18 U.S. Code § 1030(a)(2)(C), and `intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.’  18 U.S. Code § 1030(a)(5)(C).

The statute also provides a civil cause of action to `[a]ny person who suffers damage or loss by reason of a violation of this section.’ 18 U.S. Code § 1030(g). To be timely, such a civil suit must be filed `within 2 years of the date of the act complained of or the date of the discovery of the damage’ 18 U.S. Code § 1030(g). `Damage’ . . . is defined as `any impairment to the integrity or availability of data, a program, a system, or information.’ 18 U.S. Code § 1030(e)(8) The statute of limitations under the CFAA accordingly ran from the date that Sewell discovered that someone had impaired the integrity of each of her relevant Internet accounts.
Sewell v. Bernardin, supra. 
The court then did the same for the SCA, explaining that under the SCA it is a crime to:
(1)  intentionally access[ ] without authorization a facility through which an electronic communication service is provided; or
 (2) intentionally exceed[ ] an authorization to access that facility; and thereby obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system. . . .
Sewell v. Bernardin, supra (quoting 18 U.S. Code § 2701(a)).  It went on to explain that
[a]s with the CFAA, the SCA establishes a civil cause of action. `[A]ny . . . person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind’ may file suit. 18 U.S. Code § 2707(a). A civil action under this section must be commenced no 1later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.’ 18U.S. Code § 2707(f).

In other words, the limitations period begins to run when the plaintiff discovers that, or has information that would motivate a reasonable person to investigate whether, someone has intentionally accessed the `facility through which an electronic communication service is provided’ and thereby obtained unauthorized access to a stored electronic communication. 18 U.S. Code § 2701(a).
Sewell v. Bernardin, supra.
The Court of Appeals then took up the issue involved in Sewell’s appeal, noting that
[t]he district court granted Bernardin's motion to dismiss Sewell's claims as untimely based on the court's conclusion that Sewell was `aware that the integrity of her computer had been compromised’ as of August 1, 2011. Sewell v. Bernardin, 50 F.Supp.3d 204 (U.S. District Court for the Eastern District of New York 2014). The court reasoned that Sewell's August 1, 2011, discovery—which related to the unauthorized use of her AOL account—provided her with a reasonable opportunity to discover the full scope of Bernardin's alleged illegal activity more than two years before she brought this suit on January 2, 2014. We agree with the district court as its decision related to Sewell's AOL account, but disagree with it as it related to her Facebook account.

Sewell discovered the `damage’ to her AOL account for CFAA purposes on August 1, 2011, when she learned that she could not log into her AOL e-mail account. That she may not have known exactly what happened or why she could not log in is of no moment. The CFAA's statute of limitations began to run when Sewell learned that the integrity of her account had been impaired.
Sewell v. Bernardin, supra.
The court then pointed out that Sewell’s
CFAA and SCA claims with regard to her AOL account were first made on January 2, 2014, and were premised on damage and unauthorized access to her AOL account which she had or should have discovered some two years and five months earlier. The two-year statutes of limitations had therefore run.
Sewell v. Bernardin, supra.  In a footnote, the court points out that
[a]lthough the complaint alleges that Sewell's AOL account was improperly accessed on multiple occasions subsequent to August 1, 2011, Sewell does not raise any arguments on appeal with respect to these alleged violations. We thus take no position as to whether claims based on those subsequent violations would be timely under the CFAA or the SCA, or whether such claims would otherwise survive Bernardin's motion to dismiss.
Sewell v. Bernardin, supra.
The Court of Appeals then took up her Facebook claims, noting that Sewell’s
Facebook-related claims, by contrast, appear to have accrued on or about February 24, 2012. Her complaint alleges that she `was the sole authorized user of’ her Facebook account. . . . On or about `February 24, 2012, [she] discovered that she could no longer log into or access her account with www.facebook.com because her password [had been] altered.’ . . .  

There is nothing in the facts as alleged in the complaint from which to infer that anyone gained unauthorized access to her Facebook account before then. Thus, taking these allegations as true, there would have been no damage, for CFAA purposes, or violation, for SCA purposes, for Sewell to discover with respect to her Facebook account before that date, which was less than two years before the suit was brought.
Sewell v. Bernardin, supra.
The court went on to explain that
[t]he fact that Sewell had discovered `damage’ to her AOL account based on her inability to access AOL's computer servers at an earlier date does not lead to a different result. Contrary to the district court's remark, Sewell did not allegedly discover `that the integrity of her computer had been compromised’ as of August 1, 2011. Sewell v. Bernardin, 50 F.Supp.3d 204 (U.S. District Court for the Eastern District of New York August 2014) (emphasis added). She discovered only that the integrity of her AOL account had been compromised as of that time.

Her CFAA claim accordingly is premised on impairment to the integrity of a computer owned and operated by AOL, not of her own physical computer. As a result, Sewell has two separate CFAA claims, one that accrued on August 1, 2011, when she found out that she could not access her AOL account, and one that accrued on February 24, 2012, when she found out that she could not access her Facebook account.
Sewell v. Bernardin, supra.
The Court of Appeals then took up Sewell’s “Facebook-related SCA claim”, noting that,
[l]ike her Facebook-related CFAA claim, [this] claim is also timely. Under the SCA, a civil plaintiff must file her claim within two years of discovery or a reasonable opportunity to discover intentional and unauthorized access to an electronic communication facility.

The district court concluded that Sewell `had a reasonable opportunity to discover the Defendant's illegal activity” vis-à-vis her Facebook account as of August 1, 2011. Sewell v. Bernardin, supra, 50 F.Supp.3d at 213. . . . But as we have noted, there is no allegation in the complaint that Sewell's Facebook account and the computer servers on which her information was stored were tampered with before February 24, 2012, when she alleges that she was unable to log into her Facebook account. She could not reasonably be expected to have discovered a violation that, under the facts as alleged in the complaint, had not yet occurred.
Sewell v. Bernardin, supra.
It also pointed out that the U.S. District Court Judge’s
conclusion may rest on the assumption that a plaintiff is on notice of the possibility that all of her passwords for all of the Internet accounts she holds have been compromised because one password for one Internet account was compromised. We do not think that that is a reasonable inference from the facts alleged in the complaint.

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account—AOL e-mail—had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts—Facebook—might similarly have become compromised.
Sewell v. Bernardin, supra.
And it explained that
[w]e pause to acknowledge that the statutes of limitations governing claims under the CFAA and SCA, as we understand them, may have troubling consequences in some situations. Even after a prospective plaintiff discovers that an account has been hacked, the investigation necessary to uncover the hacker's identity may be substantial. In many cases, we suspect that it might take more than two years. But it would appear that if a plaintiff cannot discover the hacker's identity within two years of the date she discovers the damage or violation, her claims under the CFAA and SCA will be untimely.
Sewell v. Bernardin, supra.
Finally, the Court of Appeals explained that Sewell
does have the option of initiating a lawsuit against a John or Jane Doe defendant, but she must still discover the hacker's identity within two years of discovery or a reasonable opportunity to discover the violation to avoid dismissal. This is because we have concluded `that Rule 15(c) does not allow an amended complaint adding new defendants to relate back if the newly-added defendants were not named originally because the plaintiff did not know their identities.’ Barrow v. Wethersfield Police Dep't, 66 F.3d 466, 470 (U.S. Court of Appeals for the 2d Circuit 1995).
Sewell v. Bernardin, supra.
The Court of Appeals therefore ordered that “[f]or the foregoing reasons, the judgment of the district court is AFFIRMED in part and VACATED and REMANDED in part for further proceedings.” Sewell v. Bernardin, supra.
You can, if you are interested, read more about this case in the news stories you can find here, here and here

Friday, August 28, 2015

The Gentlemen's Club, the Telephone Consumer Protection Act and Summary Judgment

This post examines an opinion from a U.S. Magistrate Judge who sits in the U.S. District Court for the Northern District of California:  Luna v. Shac, LLC, 2015 WL 4941781 (2015).  He begins by explaining what the litigation involves and what has happened:
In February 2014, John Luna brought suit against Shac, LLC, dba Sapphire Gentlemen's Club, Club Texting, Inc. and CallFire, Inc. for violation of the Telephone Consumer Protection Act (`TCPA’), 47 U.S. Code § 227.  Shac, the sole remaining defendant, moves for summary judgment. Dkt. No. 85. Plaintiff filed an opposition and Shac filed a reply. Dkt. Nos. 96, 97. In addition, Plaintiff filed two notices of new authority. Dkt. Nos. 98, 101. All parties have expressly consented to having all matters proceed before a magistrate judge. A hearing was held on June 23, 2015.
Luna v. Shac, supra.  
You can, if you are interested, read more about the litigation in the news stories you can find here and here.
The Magistrate Judge then goes on to explain that   
Shac operates the Sapphire Gentlemen's Club in Las Vegas, Nevada. Shac engaged CallFire, a third-party mobile marketing company, to provide a web-based platform (here, EXTexting.com) for sending promotional text messages to its customers. . . .

Sending text messages through EXTexting.com involved multiple steps. First, an employee of Shac would input telephone numbers into CallFire's web-based platform either by manually typing a phone number into the website, or by uploading or cutting and pasting an existing list of phone numbers into the website. . . . In addition, Shac's customers could add themselves to the platform by sending their own text messages to the system. . . .  Next, the employee would log in to EXTexting.com to draft and type the message content. . . . The employee would then designate the specific phone numbers to which the message would be sent, then click `send’ on the website in order to transmit the message to Shac's customers. . . . The employee could either transmit the messages in real time or preschedule messages to be transmitted `[a]t some future date.’ . . . As a result of this process, an allegedly unwanted text message was sent to Plaintiff, a customer of Shac, who had provided Shac with his cell phone number.
Luna v. Shac, supra. 
He also noted that the
First Amended Complaint (the operative complaint) asserts one claim against Shac, Club Texting, and CallFire: violation of the TCPA. Club Texting has been voluntarily dismissed from this action. CallFire is no longer a defendant to this action, as Plaintiff accepted an offer of judgment and dismissed all claims against CallFire with prejudice. . . .  Shac is the one remaining defendant. Shac moves for summary judgment.
Luna v. Shac, supra. 
As Wikipedia explains, in U.S. law, a summary judgment is a judgment
entered by a court for one party and against another party summarily, i.e., without a full trial. Such a judgment may be issued on the merits of an entire case, or on discrete issues in that case.

In common-law systems, questions about what the law actually is in a particular case are decided by judges; in rare cases jury nullification of the law may act to contravene or complement the instructions or orders of the judge, or other officers of the court. A factfinder has to decide what the facts are and apply the law. In traditional common law the factfinder was a jury, but in many jurisdictions the judge now acts as the factfinder as well. It is the factfinder who decides `what really happened,’ and it is the judge who applies the law to the facts as determined by the factfinder, whether directly or by giving instructions to the jury.

Absent an award of summary judgment . . ., a lawsuit will ordinarily proceed to trial, which is an opportunity for litigants to present evidence in an attempt to persuade the factfinder that they are saying `what really happened,’ and that, under the applicable law, they should prevail. . . .

A party moving (applying) for summary judgment is attempting to avoid the time and expense of a trial when the outcome is obvious. A party may also move for summary judgment in order to eliminate the risk of losing at trial, and possibly avoid having to go through discovery (i.e., by moving at the outset of discovery), by demonstrating to the judge, via sworn statements and documentary evidence, that there are no material factual issues remaining to be tried. If there is nothing for the factfinder to decide, then the moving party asks rhetorically, why have a trial? The moving party will also attempt to persuade the court that the undisputed material facts require judgment to be entered in its favor. In many jurisdictions, a party moving for summary judgment takes the risk that, although the judge may agree there are no material issues of fact remaining for trial, the judge may also find that it is the non-moving party that is entitled to judgment as a matter of law.
The Magistrate Judge in this case began his analysis of Shac’s motion for summary judgment by explaining that a motion for summary judgment
should be granted if there is no genuine issue of material fact and the moving party is entitled to judgment as a matter of law. Fed.R.Civ.P. 56(a)Anderson v. Liberty Lobby,Inc., 477 U.S. 242 (1986). The moving party bears the initial burden of informing the court of the basis for the motion, and identifying portions of the pleadings, depositions, answers to interrogatories, admissions, or affidavits which demonstrate the absence of a triable issue of material fact. Celotex Corp. v. Catrett, 477 U.S. 317 (1986). In order to meet its burden, `the moving party must either produce evidence negating an essential element of the nonmoving party's claim or defense or show that the nonmoving party does not have enough evidence of an essential element to carry its ultimate burden of persuasion at trial. Nissan Fire & Marine Ins. Co., Ltd. v. Fritz Cos., Inc., 210 F.3d 1099 (U.S. Court of Appeals for the 9th Circuit 2000).

If the moving party meets its initial burden, the burden shifts to the non-moving party to produce evidence supporting its claims or defenses. See Nissan Fire & Marine Ins. Co., supra. The non-moving party may not rest upon mere allegations or denials of the adverse party's evidence, but instead must produce admissible evidence that shows there is a genuine issue of material fact for trial. See Nissan Fire & Marine Ins. Co., supra .A genuine issue of fact is one that could reasonably be resolved in favor of either party. A dispute is `material’ only if it could affect the outcome of the suit under the governing law. Anderson v. Liberty Lobby, Inc., supra.

`When the nonmoving party has the burden of proof at trial, the moving party need only point out ‘that there is an absence of evidence to support the nonmoving party's case.’ Devereaux v. Abbey, 263 F.3d 1070 (U.S. Court of Appeals for the 9th Circuit 2001) (quoting Celotex Corp v. Catrett). Once the moving party meets this burden, the nonmoving party may not rest upon mere allegations or denials, but must present evidence sufficient to demonstrate that there is a genuine issue for trial.  Devereaux v. Abbey, supra.
Luna v. Shac, supra. 
He then began his analysis of the arguments in this case, explaining, that,
Shac argues that it is entitled to summary judgment because the text message was not sent using an automatic telephone dialing system (`ATDS’). Under the TCPA, it is `unlawful for any person within the United States, or any person outside the United States if the recipient is within the United States -- (A) to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system . . . (iii) to any telephone number assigned to a . . .  cellular telephone service . . . or any service for which the called party is charged for the call.’ 47 U.S. Code § 227(b)(1). `The term “automatic telephone dialing system” means equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.’ 47U.S. Code § 227(a)(1).

Plaintiff and Shac dispute the definition of ATDS. Shac argues that because the definition of ATDS is `clear and unambiguous,’ the court's `inquiry begins with the statutory text, and ends there as well.’ Satterfield v. Simon & Schuster, Inc., 569 F.3d 946 (U.S. Court of Appeals for the 9th Circuit 2009). . . . According to Shac, equipment must have the capacity to store or produce telephone numbers to be called using a random or sequential number generator in order to qualify as an ATDS. Plaintiff argues that Congress has expressly conferred authority on the Federal Communications Commission (`FCC’) to issue interpretative rules pertaining to the TCPA, and the FCC has issued several regulations expanding the statutory definition of ATDS. The Court agrees with Plaintiff.
Luna v. Shac, supra. 
He also noted that
28 U.S. Code § 2342(1), and the FederalCommunications Act, 47 U.S. Code § 402(a), operate together to restrict district courts from invalidating certain actions by the FCC. The Federal Communications Act provides: `Any proceeding to enjoin, set aside, annul, or suspend any order of the Commission under this chapter . . . shall be brought as provided by and in the manner prescribed in [28 U.S. Code § 2341(1)].’ 47U.S. Code § 402(a). Under § 2341, `The court of appeals (other than the United States Court of Appeals for the Federal Circuit) has exclusive jurisdiction to enjoin, set aside, suspend (in whole or in part), or to determine the validity of—(1) all final orders of the Federal Communications Commission made reviewable by section 402(a) of title 47.  28 U.S. Code § 2342.

In other words, [28 U.S. Code § 2342] jurisdictionally divests district courts from ignoring FCC rulings interpreting the TCPA. Accordingly, this court must look not only to the statutory language in applying the definition of an ATDS, but also to FCC rulings addressing the same.
Luna v. Shac, supra. 
The Magistrate Judge then took up that task, explaining that in 2003, the FCC
noted that, “`[i]n the past, telemarketers may have used dialing equipment to create and dial 10–digit telephone numbers arbitrarily,’ but that `the evolution of the teleservices industry has progressed to the point where using lists of numbers is far more cost effective.’ 18 FCC Rcd. 14014, 14092 (2003). The FCC found it `clear from the statutory language and the legislative history that Congress anticipated that the FCC, under its TCPA rulemaking authority, might need to consider changes in technologies.’ 18 FCC Rcd. 14014, supra. The FCC concluded that `predictive dialers,’ which dial numbers from customer calling lists, `fall[ ] within the meaning and the statutory definition of ‘automatic telephone dialing equipment’ and the intent of Congress.’ 18 FCC Rcd. 14014, supra.

In 2008, the FCC `affirm[ed] that a predictive dialer constitutes an automatic telephone dialing system and is subject to the TCPA's restrictions on the use of autodialers,’ and in 2012, the FCC again confirmed that the statute covered systems with the `capacity to store or produce and dial those numbers at random, in sequential order, or from a database of numbers.’ 23 FCC Rcd. 559, 566 (2008); 27 FCC Rcd. 15391, 15399 n.5 (2012).

Accordingly, through these implementing regulations, the FCC has indicated that the definition of ATDS now includes `predictive dialers,’ which may dial numbers from preprogrammed lists rather than generate numbers randomly or sequentially. See Glauser v. GroupMe, Inc., 2015 WL 475111, at *5 (U.S. District Court for the Northern Districtof California Feb. 4, 2015).
Luna v. Shac, supra. 
Shac, though, also argued that
even if the court were to agree that the above-cited FCC regulations expand the definition of ATDS, this expanded definition encompasses only predictive dialers, not web-based text messaging platforms, like the one at issue here. However, this district has held that these FCC regulations are not limited to predictive dialers. McKenna v. WhisperText, 2015 WL 428728  (U.S. District Court for the Northern District of California Jan. 30, 2015); Nunes v. Twitter, Inc., 2014 WL 6708465, at *1–2 (U.S. District Court for the Northern District of California 2014); Fields v. Mobile Messengers Am., Inc., 2013 WL 6774076, at *3 (U.S. District Court for the Northern District of California 2013).

In addition, on June 18, 2015, the FCC voted on, and approved, FCC Chairman Tom Wheeler's omnibus proposal under the TCPA. Wheeler's `Fact Sheet’ outlining the approved matters states, `as codified at 47 U.S. Code § 227(b)(2),’ the `Telephone Consumer Protection Act explicitly empowers the Commission to enforce and interpret its consumer protection provisions,’ to `review questions related to the meaning of the TCPA's prohibitions,’ and “to prescribe regulations to implement the statute.’ First Notice of New Authority, Exh. 1, at 2. The FCC voted to `affirm[ ]' the current definition of "autodialer" ensur[ing] the robocallers cannot skirt consumer consent requirements through changes in calling technology design or by calling from a list of numbers.’ Id. In the Declaratory Ruling and Order following the FCC vote on June 18, 2015, the FCC reiterated that `[i]n the 2003 TCPA Order, the Commission found that, in order to be considered an automatic telephone dialing system, the equipment need only have the capacity to store or produce telephone numbers. The Commission stated that, even when dialing a fixed set of numbers, equipment may nevertheless meet the autodialer definition.' Second Notice of New Authority, Exh. 1 ¶ 12 (internal quotation marks omitted). `Internet-to-phone text messaging technology” is expressly included in the definition of “automatic telephone dialing system.' Second Notice of New Authority, Exh., supra.

Accordingly, the fact that CallFire's system has the ability to send text messages from preprogrammed lists, rather than randomly or sequentially, does not disqualify it as an ATDS.
Luna v. Shac, supra. 
Shac also argued that it was
entitled to summary judgment because the text message was sent as a result of human intervention. As indicated at the hearing, the parties do not dispute the law governing what constitutes `human intervention,’ nor do they dispute the material facts as to what led up to Plaintiff receiving the text message. Rather, the parties dispute the application of the facts to the law. Shac argues that these undisputed facts constitute human intervention, while Plaintiff argues that they do not.
Luna v. Shac, supra. 
The Magistrate Judge explained that, in its 2008 ruling, the FCC
indicated that the defining characteristic of an autodialer is `the capacity to dial numbers without human intervention.’ 23 FCC Rcd. at 566. In 2012, the FCC further discussed the definition of `autodialer,’ explaining that it `covers any equipment that has the specified capacity to generate numbers and dial them without human intervention regardless of whether the numbers called are randomly or sequentially generated or come from calling lists.’ 27 FCC Rcd. At 15399 n. 5.  At 15399, n.5. Accordingly, the capacity to dial numbers without human intervention is required for TCPA liability. Glauser, 2015 WL 475111 at *6.  

Here, human intervention was involved in several stages of the process prior to Plaintiff's receipt of the text message, including transferring of the telephone number into the CallFire database, drafting the message, determining the timing of the message, and clicking `send’ on the website to transmit the message to Plaintiff. Shai Cohen, Shac's person most knowledgeable, was involved in the process of sending Shac's text messages via the EZTexting website. Andrews Decl., Exh. 1, at 19. Cohen testified that he inputted telephone numbers into CallFire's web-based platform either by manually typing phone numbers into the website, or by uploading or cutting and pasting an existing list of phone numbers into the website. See id., Exh. 1, at 71 (`Q: And who at Shac actually inputted the numbers one by one? A: I have. Q: And who at Shac did the exporting, to the extent exporting was used, input numbers? A: I have. Q: And that's also the case for uploading the numbers from a separate file? A: Yes.’).

Cohen drafted and typed the message content. Id., Exh. 1, at 20 ('I would personally go into the website, log in, and type the message and send it off through their website.’); id., Exh. 1, at 142 (`I would upload the numbers into the system. Nothing here was done–nothing was automated. I personally created every one of these messages’). Cohen personally clicked `send’ on the website in order to transmit the messages to Shac's customers, including Plaintiff. Id., Exh. 1, at 139–40 (`Q: . . .  in order for the messages to be transmitted, you personally would have to log into the system and your own act of hitting “send”? A: `No, 100 percent. I would personally type and send each one of those messages.’ Q: `Right. So the message couldn't go out unless you logged into the system? A: Correct. Q: And hit “send”? A: Correct.’); see also id., Exh. 2, at 179–81 (`[I]f contacts are not uploaded to the website and the customer does not hit the submit button and say send out these text messages, nothing happens.’).
Luna v. Shac, supra. 
The Magistrate judge went on to explain that this
case is similar to Glauser and McKenna v. WhisperText, supra. . . In Glauser, the court found that `GroupMe obtained the telephone numbers of the newly added group members . . . through the actions of the group's creator’ when the numbers were uploaded into the database. Glauser, supra. The court in Glauser concluded that the text messages at issue `were sent to plaintiff as a direct response to the intervention of Mike L., the “Poker” group creator.' Glauser, supra. In McKenna, supra, the court found that `Whisper App can send SMS invitations only at the user's affirmative direction to recipients selected by the user.' McKenna, supra. Accordingly, the court in McKenna held that `under such circumstances, the action taken is with human intervention —disqualifying the equipment at issue as any kind of ATDS.’  McKenna, supra.

Plaintiff asserts that Glauser and McKenna `ruled that the act of uploading customer telephone numbers to a database constitutes human intervention.’ Opp. at 16. Plaintiff argues that because these two cases `effectively eviscerate the FCC of its power to interpret the TCPA, they should be disregarded.’ Opp. at 16.  Plaintiff urges the court to instead follow several cases that Plaintiff argues have held the contrary: Moore v. Dish Network, LLC, 57 F.Supp.3d 639 (U.S. District Court for the Northern District of West Virginia 2014); Davis v. Diversified Consultants, Inc., 36 F.Supp.3d 217 (U.S. District Court for the District of Massachusetts 2014); Sterk v. Path, Inc., 46 F.Supp.3d 813 (U.S. District Court for the Northern District of Illinois 2014); and Griffith v. Consumer Portfolio Serv., Inc., 838 F.Supp.2d 723 (U.S. District Court for the Northern District of Illinois 2011).
Luna v. Shac, supra. 
He therefore held that the Plaintiff’s
argument fails. As an initial matter, the court finds that human intervention was involved in several stages of the process prior to Plaintiff's receipt of the text message, and was not limited to the act of uploading the telephone number to the CallFire database, as Plaintiff argues. As explained above, human intervention was involved in drafting the message, determining the timing of the message, and clicking “send” on the website to transmit the message to Plaintiff.

Moreover, all of the cases cited by Plaintiff were decided outside of this district, and are not binding on the court. They are also distinguishable.  In Davis, supra, the court found the predictive dialer in question to be an ATDS because the system's default setting was for `sequential dialing,' and the court did not conduct a human intervention analysis. Davis, supra.  In Moore, the court found the system to be an ATDS based on the fact that the only human involvement was typing a list of numbers into software, which then automatically transferred them to dialer hardware, which in turn automatically made calls. Moore, 57 F.Supp.3d at 654–55. In Sterk v. Path, Inc., 46 F.Supp.3d 813 (U.S. District Court for the Northern District of Illinois 2014) and Griffith v. Consumer Portfolio Serv., Inc., 838 F.Supp.2d. (U.S. District Court for the Northern District of Illinois 2011), the automated dialing system at issue uploaded lists of numbers from individual users and required no human intervention by defendant. Sterk v. Path, Inc., supra.

Accordingly, because the court finds that the subject text message was sent as a result of human intervention, the court grants summary judgment in favor of Shac.
Luna v. Shac, supra.