District Ct. Holds Use of Facebook at Work Does Not Violate the CFAA
Every now and then I wonder what goes through the minds of some litigation parties and their respective attorneys. Case in point: the ongoing case of Wendi J. Lee v. PMSI, Inc., 8:10-cv-2904, out of the U.S. Middle District of Florida within the 11th Circuit Court of Appeals.
Ms. Lee filed suit against PMSI, her former employer, in Florida state court after being fired from her position as a Proposal Developer in PMSI’s Marketing Department. In her complaint she alleged violations by PMSI of Title VII of the Civil Rights Act and Florida’s analogous Civil Rights Act of 1992 (FCRA), for “discrimination because of pregnancy.”
After removing to federal court, PMSI moved to dismiss count 2 (the FCRA claim), which was denied, and then answered, which was in turn followed by an amended answer with a counterclaim “for violation of the Computer Fraud and Abuse Act, as amended by the Computer Abuse Amendments Act of 1994, 18 U.S.C. §§ 1030 and 2707.” PMSI’s counterclaim maintained that “Lee’s internet usage substantially exceed the usage of her coworkers in the Marketing Department” and that such usage “exceeded her authorization to use the internet by accessing and spending large amounts of paid work time visiting personal websites such as Facebook . . . while on company paid time and from a company owned computer.”
The Court's Order in response struck PMSI's attempted use of the CFAA with prejudice.
In its counterclaim PMSI concluded that Lee's actions violated the Company’s Computer Usage Policy and that as to the necessary CFAA hook “[t]he Company suffered a loss from this unproductive time that Lee spent on these unauthorized websites” which “[a]s a direct and proximate result of the . . . conduct by Lee . . . suffered financial losses in excess of $5,000, due to her lack of productivity, as work that should have been performed by her had to be given to others and in wages paid to her.”
The Court's Order
In response, Ms. Lee moved to dismiss the counterclaim via a Motion to strike Defendant's Untimely Amended Pleading and Counterclaim or Alternativly [sic] to Dismiss Defendant's Counterclaim. In a workmanlike six-page Order, U.S. District Judge Steven D. Merryday granted Ms. Lee’s motion and dismissed PMSI’s counterclaim with prejudice while reinstating PMSI’s original Answer.
Frankly, had the court held otherwise, virtually every employee with computer access around the country – or rather, at least within the Middle District of Florida – would have been subject to a CFAA counterclaim if fired and thereafter attempting to sue in response. Judge Merryday’s Order notes that “[t]he CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to ‘access and control high technology processes vital to our everyday lives....’ * * * Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working.”
From this second paragraph of the Order it was all downhill for PMSI. In discussing PMSI’s attempted damages hook as to Lee’s alleged “lost productivity” due to surfing the Internet, the court (and I can’t help but applaud the Judge’s ability to maintain a straight face in his prose) stated “[t]he defendant asserts (dubiously) that during her six months of employment, the plaintiff caused the defendant ‘financial losses in excess of $5,000, due to her lack of productivity . . .’ (Doc. 12) The definition of ‘loss’ contemplates damage to a system or data, rather than a lack of productivity.” It’s one thing to argue zealously on behalf of one’s client; it’s quite another to attempt to stretch a statute, flawed as the CFAA is, to such lengths that an Acme Giant Rubber Band of the type favored by Wile E. Coyote would snap.
In putting PMSI’s counterclaim to bed, the court further observed that:
“PMSI fails to show that the plaintiff ‘exceeded authorized access’ or obtained information from the computer. ‘Exceeds authorized access’ is defined as ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.' 18 U.S.C. § 1030(e)(6). The counterclaim alleges that the plaintiff visited only personal websites. (Doc. 12, Pages 6 and 7) Because the only information Lee allegedly accessed was on the personal websites, not PMSI’s computer system, Lee never ‘obtained or alter[ed] information in the computer.’ Lee accessed her facebook, personal email, and news websites but did not access any information that she was ‘not entitled so to obtain or alter.’"
Applying the final thrust, Lee’s actions may have violated the company’s usage policies, in the court’s view, but PMSI’s attempted shoehorning of her conduct into the CFAA was a distinct no-go. And in a footnote aside, that fairly screamed READ THE STATUTE AND APPLICABLE CASE LAW NEXT TIME, the court dryly quipped, “18 U.S.C. § 1030(a)(2)(C) also requires that the information be obtained from ‘a protected computer’ which is defined as a computer ‘which is used in or affecting interstate or foreign commerce or communication.’ 18 U.S.C. § 1030(e)(2)(B). The defendant fails to allege that the plaintiff accessed a ‘protected computer.’"
And, with a final light touch, Judge Merryday closed with the backhand that “[e]xtension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary. See, e.g., United States v. Rybicki, 354 F.3d 124, 135 (2d Cir. 2003).”
Bottom-Line
As we all know in litigation, to egregiously mangle a metaphor, sometimes the bear gets you and sometimes you get the bear. Here PMSI was more than "gotten" by the bear, as it were. Thankfully so. Still, it's a lesson as to when aggressive or sloppy representation crosses over into mere aggravation for all concerned, particularly when the often troublesome CFAA is involved.
While We Were Shopping, the Privacy Legal Risk Environment Shifts Again
2010. What a year for data security and privacy, and the law. Choose whatever story you want: Facebook privacy practices, Google Buzz, Wikileaks data breach, TSA full-body scanning at the airports, FTC Do Not Track, etc. I am having trouble thinking of a week (perhaps even a day) in 2010 where there was not a big privacy or data security story reported at a major media outlet. In fact, it is difficult to come up with an issue in 2010 (except perhaps “the economy” or the healthcare debate) that became more firmly lodged in the public consciousness than privacy and data security.
However, while all the headline grabbing stories were catching the eyes of the average “American Joe,” an excellent series by the Wall Street Journal (“What They Know”; Pulitzer possibilities?) has ended up rocking the privacy legal liability landscape for 2011. While we can argue cause and effect all day long, it appears that the WSJ series has caught the eye of one important group in the American legal world: the plaintiffs' bar.
While we were all thinking about Halloween and Thanksgiving, and trying to avoid the crush of Hanukkah, Christmas and New Year's, several privacy lawsuits were filed against online behavioral tracking companies and some of their clients. In my view these lawsuits and the activity that arises out of them (regulatory, settlements, judgments and otherwise) will be one of the big data security and privacy stories of 2011.
These cases have the potential to change the privacy and security game in ways that are difficult to anticipate. Could they be the “tipping point” leading to new state or federal regulations? Might they result in a “break-through” case that leads to a flood of litigation? Will they impact the way companies handle personal information and do business? Will consumers think of their privacy in a different light if these suits are frequent or successful?
What follows is a very brief listing of some of the key lawsuits from 2010 that InfoLawGroup is aware of and tracking. There may be more that are not on the list (such is the pace of change in this space) and if you know of others, please send them to me so I can list them here to serve as a resource for the larger privacy community. Over the course of 2011 (and beyond) InfoLawGroup will be taking a deeper look at these cases and providing updates as they progress through motion practice, trial and settlement.
01.21.11, 02.08.11 & 03.11.11 UPDATE BELOW (Search for dates to find updates)
“Zombie” flash cookie online tracking lawsuits. A series of class action lawsuits have been filed against marketing companies (e.g. Clearspring Technologies, Inc., Quantcast Corporation, and Specific Media, Inc.) for using “flash cookies” to track website visitors as they surf the web. These flash cookies, also known as "zombie cookies," are capable of reinstalling themselves even if purposefully deleted by the user. Several brand name clients of the marketing companies were also named as defendants in the lawsuits. By the end of 2010, some of these lawsuits had settled for millions of dollars. A copy of one of the complaints can be found HERE. It alleges a series of data privacy and security violations, including violations of the CFAA, ECPA, Video Privacy Protection Act and various California laws. 02.08.11 UPDATE: another lawsuit filed in New York. 03.11.11 UPDATE: class action filed against Amazon.com in Washington. More HERE.
HTML5 mobile online tracking lawsuit. A class action lawsuit was filed against Ringleader Digital alleging privacy violations arising out of its use of HTML5’s client-side database storage capabilities to track users of mobile devices as they surfed the Internet. Similar to the flash cookie lawsuits, plaintiffs allege that the HTML5 tracking capabilities returned even if users were able to delete the HTML5 database engaged in the tracking. A copy of the complaint can be found HERE. It alleges a series of data privacy and security violations, including (among others) violations of CFAA and various California laws.
History sniffing online tracking lawsuit. In two separate lawsuits an online advertising company (Interclick) and a pornography website (YouPorn) were sued for engaging in a practice known as “history sniffing.” History sniffing involves obtaining data about a user’s web surfing by secretly accessing the web history data stored by most commonly used browsers. This browsing history data is then used to create profiles about the user’s online behavior and visits to websites across the Internet. The complaint against Interclick can be found HERE. The complaint alleges (among others) violations of the CFAA, ECPA, violations of various New York laws and trespass to chattels.
Deep packet inspection online tracking lawsuit. In December 2010 a Federal District Court in Montana refused to dismiss the CFAA claim against an ISP that had allowed an advertising company to engage in “deep packet inspection.” EPIC describes deep packet inspection in relevant part as follows:
Deep packet inspection is a computer network packet filtering technique that involves the inspection of the contents of packets as they are transmitted across the network. . . Deep Packet Inspection can be used to determine the contents of all unencrypted data transferred over a network. Since most Internet traffic is unencrypted, DPI enables Internet Service Providers to intercept virtually all of their customers' Internet activity, including web surfing data, email, and peer-to-peer downloads.
A copy of the court’s order denying in part and granting in part, the defendant’s motion to dismiss, can be found HERE.
Data aggregation and social media/application privacy lawsuits. Social media giant Facebook, social media application designers (such as Zynga), and a data broker (Rapleaf) were sued for their handling of personal information obtained from Facebook users. The plaintiffs allege that the defendants impermissibly shared the personal information of Facebook users with advertisers and marketing companies, including unique Facebook ID numbers that could be combined with other information to create user profiles. The complaint can be found HERE. It alleges (among others) violations of ECPA, the Stored Communications Act, and various California laws, and breach of contract. 03.11.11 UPDATE: class action filed against Netflix in California.
Apple iPhone/iPad Privacy Lawsuit. Apple was sued in the waning days of 2010 for allegedly allowing application makers for its popular iPad and iPhone to obtain and transmit personal information about users' activities. The complaint alleges that Apple’s iPad and iPhone are encoded with identifying devices that allow advertising networks to track applications users download, monitor their use and sell personal information of users. Also named are several application providers that allegedly provided their users’ personal information to advertisers. A copy of the complaint can be found HERE. It too alleges (among others) violations of the CFAA, ECPA and various California laws. Some believe that claims set forth in this lawsuit could impact Google in the future. 02.08.11 UPDATE: Another class action filed against Apple in California.
01.21.11 UPDATE -- Canadian Class Action Against Google
We have identified a rare beast indeed: a Canadian class action privacy lawsuit against Google (arising out of Google Buzz). More HERE. Will try to get the pleadings... stay tuned.
Conclusion
Based on the foregoing it should be apparent that there has been a significant increase in the volume of privacy lawsuits recently filed and being litigated. In addition, with significant settlements on the books (e.g. Google Buzz for $8.5 million; Facebook Beacon for $9.5 million; Quantcast for $2.4 million) it is likely that privacy-related lawsuits will become more attractive to the plaintiffs' bar.
It also should be noted that many/most of the lawsuits cited above involve online behavioral tracking. Moreover, not only are the social media companies and advertising networks being sued, “brand name” organizations are being brought into these suits if they participated in an advertising network or used behavioral advertising services. Based on these suits, it appears that privacy-related legal risk and liability potential is at a crossroads, and will likely increase going forward (at least in terms of litigation costs and settlements, and perhaps someday in the form of judgments and adverse case law).
Action Item. At this stage companies that handle personal information, especially those that provide online behavioral advertising services, and those that purchase such services or participate in behavioral advertising, should consider an audit and risk assessment of their policies, processes and activities in order to reduce privacy-related legal risks. In fact, it is likely that some companies are not even aware that they are participating in online advertising networks that track users, or if they are aware they may not understand how their providers collect and use personal information. Preparation on privacy and security issues ahead of time is key in order to reduce risk and increase the likelihood of a favorable outcome should an organization find itself in a lawsuit. Moreover, if a lawsuit arises, understanding the substantive privacy issues that it raises is crucial. Again, we have blinked, and the privacy and security legal landscape looks very different.
CAPTCHA. DMCA GOTCHA?
As of late there has been a great deal of news and discussion concerning “web scraping.” Web scraping is the practice of using computer software to extract information from a website. In short, a wealth of information exists on the Internet and companies of all stripes are interested in collecting it from websites, compiling and combining it, and using it to further their business. There are even third party companies that will scrape websites on behalf of other companies.
Scraping raises a multitude of legal issues, including issues related to privacy and security, intellectual property, and laws concerning unauthorized access to computers and trespass to chattels (in fact, the overlapping issues raised by scraping represent a very good example of what we call “information law”). As such, a website being scraped may disapprove of such activity and may pursue legal action against companies that engage in scraping. Many companies would rather avoid lawsuits and attempt to stop scraping from occurring in the first instance. This can be achieved by implementing technologies such as CAPTCHA (which are becoming ubiquitous) that are intended to ensure that a human is entering the website rather than a computer software program or bot. If technologies like CAPTCHA are evaded by scrapers, some websites owners might pursue an action under the anti-circumvention provisions of the Digital Millennium Copyright Act (the “DMCA”). The DMCA provides for potential statutory penalties and even criminal sanctions for violations of its anti-circumvention provisions. This post explores how the DMCA might be used in this context and looks at some cases addressing whether circumvention of CAPTCHA (and similar protocols) might result in violation of, and liability under, the DMCA.
Background
One method for preventing scraping software from being able to access information on a website is to use a challenge response test – a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. CAPTCHA is one such protocol (it stands for "Completely Automated Public Turing test to tell Computers and Humans Apart"). In short, when a person or computer program attempts to log into a website, the website will ask for login credentials as well as requiring the person or computer to complete a CAPTCHA test. Typically the CAPTCHA requires the person or computer to re-type a series of letters, symbols and/or numbers that are printed in barely legible font. The theory is that a computer program would not be able to discern the text, while a human could (even if it takes multiple attempts, and even if the person is required to listen to audio of the text read aloud in order to understand it). The end result would be humans in, computers out. Of course those that desire to get into these websites using computer programs might be able to design such programs in a manner that evades or defeats the CAPTCHA protocol. This type of activity has actually resulted in a couple of lawsuits alleging DMCA violations (among others).
DMCA Anti-Circumvention Provisions
The DMCA anti-circumvention provisions prohibit persons and entities from circumventing the technological measures that effectively control access to a copyrighted work (in this case the copyrighted work on a website). Under the DMCA, “circumvent a technological measure” is defined as efforts to “descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” A technological measure “effectively controls access to a work” if the measure, “in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” The DMCA provides a private right of action for actual damages, as well as statutory damages in the sum of not less than $200 or more than $2,500 per act of circumvention, device, product, component, offer, or performance of service, as the court considers just. In addition, a willful violation of these provisions for purposes of commercial advantage or private financial gain could result in criminal penalties ($500,000 to $1,000,000 per offense) and jail time (up to ten years).
Relevant Caselaw
There are two main cases that look at this issue, the most recent of which was decided in March 2010 (see Craigslist, Inc. v. Naturemarket, Inc., 694 F. Supp. 2d 1039 (N.D. Cal. 2010); Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096 (C.D. Cal. 2007)).
In the Ticketmaster case, Ticketmaster sought a preliminary injunction against RMG, and one of the causes of action alleged was a violation of the DMCA’s anti-circumvention provisions. RMG allegedly had developed a software program that allowed its customers to evade Ticketmaster’s CAPTCHA system in order to allow for the automated mass purchase of tickets. In granting Ticketmaster’s preliminary injunction, the court considered whether CAPTCHA constituted a “technological measure” (a term not defined under the DMCA):
First, the Court notes that the DMCA does not equate its use of the term "technological measure" with Defendant's terms "system" or "program." In any case, Plaintiff has submitted evidence that CAPTCHA is a technological measure that regulates access to a copyrighted work. Although the DMCA does not appear to include a definition of the term, it states that "a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work." When the user makes a ticket request on ticketmaster.com, CAPTCHA presents "a box with stylized random characters partially obscured behind hash marks." The user is required to type the characters into an entry on the screen in order to proceed with the request." Most automated devices cannot decipher and type the random characters and thus cannot proceed to the copyrighted ticket purchase pages. Thus, because CAPTCHA "in the ordinary course of its operation, requires the application of information . . . to gain access to the work," it is a technological measure that regulates access to a copyrighted work. Plaintiff is therefore likely to prevail on its DMCA § 1201(a)(2) claim.
The fact pattern in the Craigslist case was similar to Ticketmaster (and indeed the court relied in part on the reasoning in Ticketmaster). This case, however, came up in the context of a default judgment so its precedential value may be limited. Nonetheless, the court did look at whether Craigslist stated a proper DMCA anti-circumvention claim related to evasion of the CAPTCHA process used by Craigslist. In this case the defendants provided their clients with a software service known as "CraigsList AutoPoster Professional" which included an automatic CAPTCHA bypass feature that allowed the defendant and its customers to circumvent Craigslist’s CAPTCHA security measures. In holding that Craigslist stated a valid cause of action under the DMCA, the court indicated the following:
Plaintiff owns valid copyrights in its website and the content within. This content is protected by Plaintiffs CAPTCHA software and telephone verification, both of which were circumvented by Defendants. Plaintiff has alleged that Defendants' AutoPoster Professional software, pre-verified craigslist accounts, and CAPTCHA credits each circumvent these security measures and provide unauthorized access to Plaintiffs copyrighted material. Defendants' products and services were designed primarily for the purpose of circumventing Plaintiffs CAPTCHA and telephone verification measures. Defendants thus enabled unauthorized access to and copies of copyright-protected portions of Plaintiffs website controlled by these measures—particularly the ad posting and account creation portions of the website. As such, Defendants' manufacture, marketing, and distribution of their software provided third parties unauthorized access to Plaintiffs copyrighted material. Taken together, the undersigned finds that Plaintiff has sufficiently stated a claim for violation of Section 1201(a)(2) of the DMCA. Further, because the CAPTCHA Plaintiff employs also protects Plaintiffs rights in its website—a protected work—Plaintiff has also sufficiently stated a claim under Section 1201(b)(1).
Note that both the Ticketmaster and Craigslist cases were against a company creating anti-circumvention software for use by others, and do not address the direct violation that could exist for an entity actually using the software. Note also that neither decision amounts to a final judgment on the merits of whether evading CAPTCHA is a DMCA violation. Nonetheless, it does follow that if a software program that evades CAPTCHA could constitute a violation of the DMCA’s anti-trafficking provisions, it is also likely that use of that software to evade CAPTCHA could be a violation of DMCA section 1201(a) (or at least it may be a valid allegation of such a violation).
Conclusion
So what does this all mean for companies engaged in scraping or desiring to engage in scraping (or having somebody else do it on their behalf)? Be careful, especially where the scraping requires the circumvention or evasion of technological measures preventing access to the website’s copyrighted works. While we are still far from answering the ultimate question as to whether evading CAPTCHA is a violation of the DMCA, the risk inherent in the DMCA per violation statutory damages could be high (not to mention the risk of criminal action). There is a potential multiplier effect because each circumvention of CAPTCHA could be a violation, and if this is being done automatically all the time those actions could be very numerous. Companies that are considering engaging in these activities need to look very closely at how the scraping will be done and whether technological measures need to be circumvented in order to get the data at issue. If using a third party they should inquire as to their practices in order to assess this risk (as there may be vicarious liability theories that could attach). Note, this blogpost does not even address other key issues like copyright infringement, potential computer fraud and abuse claims (e.g. under the Computer Fraud and Abuse Act), and others. Those issues should also be analyzed and taken into account before engaging in these activities.





