Friday, November 27, 2009

Access? Disruption?

As I explained in a post I did several years ago, the U.S. federal government and every U.S. state (and many other countries) make it a crime to “hack,” i.e., to gain access to a computer or computer system without being authorized to do so. As I explained, it can sometimes be difficult to determine whether what happened constituted “access,” or not.

This post is about a case in which the issue of gaining “access” to a computer came up in a rather unusual context. The case is Swearingen v. Haas Automation, Inc., 2009 WL 3818362 (U.S. District Court for the Southern District of California 2009). As is probably obvious from the case caption, it’s a civil case. It is also, in effect, a criminal case, since one of the plaintiff’s claims arises under the California computer crimes statute.

Before we get into the substance of the case, I should probably explain a bit about why a case raising a claim under a California statute was filed in a federal district court. As Wikipedia explains, U.S. federal courts have two kinds of jurisdiction, i.e., two sources of authority to hear civil cases. One is federal question jurisdiction, which lets them hear cases that present issues arising under federal law. The other is diversity jurisdiction which, as Wikipedia notes, “is a form of subject-matter jurisdiction . . . in which a United States district court (the trial courts of general jurisdiction in the federal judiciary) [can] hear a civil case because the persons that are parties are ‘diverse’ in citizenship”, i.e., they are citizens of different U.S. states or one or more of them is a non-U.S. citizen.

And that brings us to the facts in Swearingen v. Haas, as set forth in the plaintiff’s (Swearingen’s) Second Amended Complaint (SAC):

Haas . . . manufactures machine tools which consist of four major product lines: vertical machining centers (VMCs), horizontal machining centers (HMCs), CNC lathes and rotary tables. These machines sell for over $30,000 up to hundreds of thousands of dollars.

Haas advises potential customers to purchase Haas machines from Haas Factory Outlets around the United States, including the Haas Factory Outlet located in Anaheim, California, which is a division of defendant Machining Time Savers, Inc. (`MTS’). Haas recommends that potential customers finance their purchase through various entities, including defendants HAI Capital (`HAI’) and CNC Associates, Inc (`CNC’). . . .

All Haas machines are manufactured to trigger a `lock out’ alarm (displayed as an error code of `144’) after 800 hours of logged use. If a Haas distributor does not provide the machine operator with an access code within the defined time period, the machine shuts down and will not operate. Only if a customer is completely up to date on all payments and in compliance with all terms in the agreement(s) will Haas allow its distributors to provide the customer with an access code that will permit another 800 hours of use. If a customer is not up to date on payments or not in compliance with applicable terms, the Haas distributor will not provide an access code. . . .

Plaintiff purchased his first Haas machine from MTS in 1998. The manual . . . provided:

This machine is equipped with an electronically-recorded serial number that cannot be altered. This is done in case of theft and to track machines when sold to other owners. After approximately 800 hours of use, the machine will automatically shut down if it has not been unlocked by Haas Automation. To unlock the machine, we must have the above registration with the serial number and the authorization from your dealer. . . .

Plaintiff believed the . . . lock-out mechanism was for his own protection and benefit. When Plaintiff got the error message on this first machine, Plaintiff called MTS and received the code that unlocked the machine for another 800 hours. Plaintiff called MTS eight or nine more times to obtain access codes. . . .

In 2000, Plaintiff bought a second Haas machine. Again, Plaintiff continued to get the 800 hour error code but was always provided with the access code and was never told that the code was being used for collection purposes.

In 2007, Plaintiff bought a third Haas machine. . . . [which he] financed through CNC. In April 2009, Plaintiff fell behind in his payments. He was advised for the first time that if he did not bring his account current, he would `be denied further requests for a time code for the Haas equipment.’ . . . Plaintiff was able to bring his account current, however, `during this time, his machine was shut down twice over the weekend, causing production to stop until Monday and causing delay in satisfying contracts.’

Swearingen v. Haas, supra. Swearingen’s second amended complaint asserted two claims against the defendants, one of which arose under California’s Comprehensive Computer Data Access and Fraud Act, codified as California Penal Code § 502. In this opinion, the federal judge to whom the case is assigned is ruling on the defendants’ Rule 12(b)(6) motion to dismiss this claim as legally flawed. Swearingen v. Haas, supra.

The judge began his ruling on the motion by noting that Swearingen claimed that the defendants’ “use of the lock-out code without disclosure or consent constitutes a violation of” California Penal Code § 502, specifically subsections (c)(1) and (c)(5), which make it a crime to do either of the following:

(1) Knowingly access[] and without permission alter[], damage[], . . . or otherwise use[] any data, computer, computer system, or computer network . . . to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data. . . . .

(5) Knowingly and without permission disrupt[s] or cause[s] the disruption of computer services or den[y] or cause[] the denial of computer services to an authorized user of a computer, computer system, or computer network.

California Penal Code § 502. While § 502 is fundamentally a criminal statute, it also creates a civil cause of action that lets one injured by a violation of § 502(c) “bring a civil action against the violator for compensatory damages and injunctive relief”. California Penal Code § 502(e)(1). Swearingen’s theory, then, is that he was injured by a violation of one of these subsections of § 502 which was carried out or caused by the defendants and which therefore entitled him to recover damages for what he had lost.

The opinion doesn’t explain the substance of the motion to dismiss this claim, but I think we can gather what it said from what this court said when it granted the motion:

[T]he facts alleged by Plaintiff do . . . . establish that any of the Defendants `accessed’ the computer in Plaintiff's machine. `Access’ is defined as `to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.’ Cal. Penal Code § 502(b)(1). Because the lock-out mechanism was . . . programmed into the machine at the time it was manufactured, Defendants did not have to `access’ the machine's computer to cause the machine to shut down after 800 hours.

With respect to subsection (c)(5), Plaintiff fails to state a claim because he does not allege Defendants refused to provide him the access code because he was behind in payments, resulting in his machine shutting down. Plaintiff knew he would need to obtain an access code to unlock the machine after approximately 800 hours of use. What he allegedly did not know was that Defendants might refuse him the code if he was behind in payments. If Defendants actually refused to give him the code because he was behind in payments, any resulting disruption in service would arguably be `without permission.’ In contrast, if Plaintiff's machine became locked after 800 hours of use and Plaintiff was given the code upon requesting it, any period of inoperation before the access code was obtained would not constitute an impermissible disruption of service. . . .

Plaintiff's allegations . . . do not make it clear whether he was ever denied the code because he was behind in payments. It seems any disruption in operations was due to Plaintiff not seeking the code before the weekend. . . [T]he SAC explains, `If the warning goes off during a long weekend, the machine will shut down and the owner will be unable to get in touch with anyone to provide the unlock code. This would result in no production for that entire weekend.’ A weekend shut-down under these circumstances would be an inconvenience . . . but would not be the result of Defendants impermissibly withholding the code to compel payments.

Swearingen v. Haas, supra. The judge also noted that Swearingen implicitly conceded that the defendants “never refused to give him the code, arguing, `[I]t is the entire racket that is being challenged – whether or not the code is ever withheld. . . . Every time a 144 lockout occurs, it is caused by this unlawful motivation intended to circumvent the . . . legal collections system.’” Swearingen v. Haas, supra. The judge therefore granted the motion to dismiss the claim because he found Swearingen knew that the machine would

lock after 800 hours of operation, requiring an access code to unlock it. Unless Defendants refused to give Plaintiff the code . . . to compel payments . . . any disruption in operations was not `without permission’ and did not violate California Penal Code § 502(c).

Swearingen v. Haas, supra.

I found the “access” and “disrupt” issues interesting, given the context in which they arise. I did a little research and couldn’t find any similar cases, at least not cases that generated reported opinions.

1 comment:

JoelKatz said...

Haas retaining the right and ability to withhold the code to compel payments created the risk that a code might not be obtainable over a long weekend. Haas could have designed the lock out in many ways that would have avoided this problem, for example, with a single four-day "extension" option. Or Haas could have provided an online way to obtain a lock out code that was always available regardless of whether their office was staffed or not.

However, I disagree with the court that this isn't an "unauthorized access" issue. The law makes it a crime to "Knowingly and without permission disrupt[s] or cause[s] the disruption of computer services or den[y] or cause[] the denial of computer services to an authorized user of a computer, computer system, or computer network." When one puts a poorly-designed automated lockout mechanism for one's own benefit in a device and then sells it (without telling the owner how to permanently disarm the mechanism or giving him that option), that's exactly what one does -- knowingly cause the disruption of computer services to authorized users.