Summary
finding plaintiff did not plausibly allege "loss" where court could not allocate between losses attributed to periods before and after the revocation of authority
Summary of this case from United Fed'n of Churches, LLC v. JohnsonOpinion
NO. C18-0874RSL
2020-03-26
DOMAIN NAME COMMISSION LIMITED, Plaintiff, v. DOMAINTOOLS, LLC, Defendant.
James Harlan Corning, Stephen M. Rummage, David Maas, MaryAnn Almeida, Davis Wright Tremaine, Seattle, WA, for Plaintiff. Jacob M. Heath, Pro Hac Vice, Robert L. Uriarte, Pro Hac Vice, Orrick Herrington & Sutcliffe, Menlo Park, CA, Aravind Swaminathan, Melanie D. Phillips, Orrick Herrington & Sutcliffe LLP, Seattle, WA, for Defendant.
James Harlan Corning, Stephen M. Rummage, David Maas, MaryAnn Almeida, Davis Wright Tremaine, Seattle, WA, for Plaintiff.
Jacob M. Heath, Pro Hac Vice, Robert L. Uriarte, Pro Hac Vice, Orrick Herrington & Sutcliffe, Menlo Park, CA, Aravind Swaminathan, Melanie D. Phillips, Orrick Herrington & Sutcliffe LLP, Seattle, WA, for Defendant.
ORDER GRANTING IN PART DEFENDANT'S MOTION TO DISMISS
Robert S. Lasnik, United States District Judge This matter comes before the Court on defendant's "Motion to Dismiss Pursuant to FRCP 12(b)(1) and 12(b)(6)." Dkt. # 64. Plaintiff is a New Zealand non-profit corporation that regulates the use of the .nz top level domain, including registering new domain names and responding to inquiries regarding registrants. Defendant collects domain and registrant information from around the world, stores the information, and uses its current and historic databases to sell monitoring and investigative services and products to the public. Plaintiff alleges that the way defendant accessed .nz domain and registrant information before June 6, 2018, any and all access after that date, and its continuing storage and use of the domain and registrant information violates the Computer Fraud and Abuse Act ("CFAA") and the Washington Consumer Protection Act ("CPA"). Defendant seeks dismissal of the statutory claims.
Plaintiff has also asserted a breach of contract claim, regarding which the Court entered a preliminary injunction on September 12, 2018. Dkt. # 43. The preliminary injunctive relief was affirmed on appeal, and defendant is not seeking dismissal of the contract claim.
The question for the Court on a motion to dismiss is whether the facts alleged in the complaint sufficiently state a "plausible" ground for relief. Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). All well-pleaded allegations are presumed to be true, with all reasonable inferences drawn in favor of the non-moving party. In re Fitness Holdings Int'l, Inc. , 714 F.3d 1141, 1144-45 (9th Cir. 2013). If the First Amended Complaint (Dkt. # 54) fails to state a cognizable legal theory or fails to provide sufficient facts to support a claim, however, dismissal is appropriate. Shroyer v. New Cingular Wireless Servs., Inc. , 622 F.3d 1035, 1041 (9th Cir. 2010).
Having reviewed the memoranda submitted by the parties and heard the arguments of counsel, the Court finds as follows:
A. Computer Fraud and Abuse Act, 18 U.S.C. § 1030
As relevant to this litigation, the CFAA prohibits "intentionally access[ing] a computer without authorization or exceed[ing] authorized access," 18 U.S.C. § 1030(a)(2), as well as "intentionally access[ing] a protected computer without authorization" and causing "damage and loss," 18 U.S.C. § 1030(a)(5)(C). Plaintiffs argue that defendant is liable under both provisions because it accessed the .nz servers in ways and for purposes that violated plaintiff's terms of use and continued to access the .nz servers after its right of access had been expressly revoked.
Plaintiff's terms of use prohibited use of Port 43, a communication channel through which users can query plaintiff's servers regarding specific .nz domain names, to send high volume queries to the .nz servers with the effect of downloading or collecting all or part of the .nz register, to access the .nz register in bulk, to store or compile .nz domain data to build up a secondary register, and/or to publish historical or non-current versions of the .nz data. Dkt. # 54-1 at 18. On November 2, 2017, plaintiff sent defendant a cease-and-desist letter notifying defendant that it had violated plaintiff's terms of use and demanding that it "immediately cease and desist accessing .nz WHOIS servers or using and publishing .nz WHOIS data except as permitted by the [terms of use]." Dkt. # 54-1 at 24. When defendant continued to access the .nz servers in ways that plaintiff felt violated the limited license it had granted defendant, plaintiff sent a June 6, 2018, letter revoking defendant's right to access the .nz servers entirely. Dkt. # 54-1 at 30. Plaintiff alleges that defendant accessed the .nz servers after the June 6, 2018, revocation. Dkt. # 54 at ¶ 106.
Defendant challenges the adequacy of this allegation, but it is more than enough to give rise to a plausible inference that defendant continued to access the .nz servers after June 6, 2018. Twombly does not require that plaintiff include in its complaint a log indicating the times and dates on which such access occurred, nor has defendant demanded such specificity as to the pre-June 6 access allegations. If, as appears to be the case, defendant is contesting the veracity of the post- June 6 access allegation, it may not do so in the context of this motion to dismiss.
Plaintiff argues that defendant's access to the .nz server in ways that violated plaintiff's terms of use prior to June 6, 2018, constitutes both access "without authorization" and in excess of authorized access. Dkt. # 54 at ¶¶ 74-79 and 104. Plaintiff also argues that defendant's queries to the .nz servers after plaintiff revoked defendant's right of access was "without authorization." Dkt. # 54 at ¶ 106. Plaintiff alleges that defendant's unlawful conduct caused plaintiff "loss in an amount far in excess of the $5,000 statutory minimum during each relevant one-year period." Dkt. # 54 at ¶ 107.
1. "Without Authorization"
The CFAA does not contain a definition of "without authorization." The Ninth Circuit has, therefore, applied the ordinary, common meaning of "authorization," concluding that one is authorized to access a computer when the owner of the computer gives permission to use it. LVRC Holdings LLC v. Brekka , 581 F.3d 1127, 1132-33 (9th Cir. 2009). See also hiQ Labs, Inc. v. LinkedIn Corp. , 938 F.3d 985, 999 (9th Cir. 2019) ("We have held in another context that the phrase "without authorization" is a non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.") (internal quotation marks and citation omitted). A defendant runs afoul of the "without authorization" provisions of the CFAA "when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or enlisting of a third party to aid in access will not excuse liability." Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058, 1067 (9th Cir. 2016). The Ninth Circuit has rejected the argument that permission or authorization to access a computer is automatically withdrawn when the user violates a duty owed to the owner of the computer. Rather, whether access is authorized or unauthorized "depends on actions taken by the employer." Brekka , 581 F.3d at 1134-35. If the computer owner has not affirmatively rescinded the defendant's right to access the computer, any existing authorization/permission remains. Id.
Prior to June 6, 2018, defendant had permission to access the .nz servers, albeit with limitations imposed on the manner in which and purposes for which that access could be exercised. That permission was revoked on June 6, 2018. Taking plaintiff's allegations of access as true, the Court finds that defendant accessed the .nz servers with authorization prior to June 6, 2018, and without authorization after that date.
At one point in the First Amended Complaint, plaintiff alleges that, prior to June 6, 2018, it deployed blocking technology "to limit and prevent [defendant's] access to the .nz WHOIS service and the WHOIS service." Dkt. # 54 at ¶ 104. The suggestion that plaintiff attempted to deprive defendant of any and all access to its servers prior to June 6, 2018, is contradicted by other allegations of the complaint (see Dkt. # 54 at ¶¶ 3, 40, 67, and 105) and does not, therefore, give rise to a plausible inference that defendant's authorization or permission to access the .nz servers and the data contained therein was revoked prior to June 6, 2018. If, in fact, plaintiff took steps prior to June 6, 2018, to entirely exclude defendant from accessing the .nz server through passwords, ISP blocking, or other technological means and defendant hacked its way into the servers, plaintiff may file a motion for leave to amend its complaint using the procedures set forth in LCR 15.
The Court declines to rule upon defendant's brief argument (which it expounded upon during oral argument) that plaintiff cannot revoke its authorization to access the .nz servers "given the public nature of the information at issue." Dkt. # 64 at 17. hiQ Labs , the case cited by defendant, suggests that the reference to "without authorization" limits the scope of statutory protection to information delineated as private through the use of a permission or authentication requirement, such as a password. 938 F.3d at 1001. Plaintiff's allegations, taken as a whole, give rise to a plausible inference that access through Port 43 is different from and limited in ways that access through plaintiff's public website is not. The Court declines to scrutinize these inferences further without more of a factual record and additional assistance from the parties.
2. "Exceeds Authorized Access"
The CFAA defines "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to so obtain or alter." 18 U.S.C. § 1030(e)(6). In United States v. Nosal , 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit acknowledged that this language could be read in two ways. The first would encompass situations in which a person's authorization to access a computer is limited to certain files, programs, or databases, but he or she "hacks" into other areas of the computer without permission. In the alternative, the language could refer to a person who has unrestricted access to a computer, but who accesses the files, programs, or databases in a way or for a purpose that is proscribed by the owner. Id. at 856-57. The Ninth Circuit was concerned that the second interpretation would "transform the CFAA from an anti-hacking statute into an expansive misappropriation statute," making "everyone who uses a computer in violation of computer use restrictions - which may well include everyone who uses a computer" liable under the CFAA. Id. at 857. The Ninth Circuit held that, whereas the "without authorization" clause of § 1030(c)(2) applies to outside hackers with no rights or authority to access the computer at all, the "exceeds authorized access" clause applies to inside hackers "whose initial access to a computer is authorized but who access unauthorized information or files." Id. at 858. It sided with "the growing number of courts" who recognize that the CFAA "target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation." Id. at 863 (quoting Shamrock Foods Co. v. Gast , 535 F. Supp.2d 962, 965 (D. Ariz. 2008) ).
The Ninth Circuit recognized that "[w]henever we access a web page, commence a download, post a message on somebody's Facebook wall ... or do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands." Id. at 861. Because "website owners retain the right to change the terms [of use] at any time and without notice," an interpretation of "exceeds authorized access" that encompassed violations of use restrictions would mean that "behavior that wasn't criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever." Id. at 862.
Plaintiff argues that once it specifically and individually reminded defendant on November 2, 2017, that its access to the .nz servers was subject to plaintiff's terms of use, further access in violation of the terms of use exceeded defendant's authorization under the analysis set forth in Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058 (9th Cir. 2016), and Ticketmaster LLC v. Prestige Entm't W., Inc. , 315 F. Supp.3d 1147, 1171 (C.D. Cal. 2018). Facebook does not support plaintiff's claim of a CFAA violation prior to June 6, 2018. In that case, Facebook issued a cease-and-desist letter notifying defendant that it was no longer authorized to access Facebook's computers. Facebook , 844 F.3d at 1067 n.3. In light of the "explicit revo[cation of the] authorization for any access," the Ninth Circuit found that defendant's access following receipt of the notice was without authorization and a violation of the CFAA. Id. at 1068 (emphasis in original). Plaintiff's November 2, 2017, letter did not revoke defendant's access to the .nz servers, it simply reminded defendant that access was subject to the terms of use.
Ticketmaster , on the other hand, supports plaintiff's argument, but the Court declines to adopt its analysis. In Ticketmaster , the ticket seller made tickets available to the public on its website subject to terms of use that barred the use of robots, programs, and other automated devices ("bots") to make purchases. Defendants used bots to purchase large quantities of tickets for resale. The district court recognized that simply violating Ticketmaster's terms of use did not, standing alone, constitute a violation of the CFAA under Nosal . The district court distinguished Nosal , however, on the ground that Ticketmaster had sent defendants an individualized cease-and-desist letter informing them that their access was restricted to that which conforms to Ticketmaster's terms of use. In the court's view, this letter "was, in effect, an individualized access policy that revoked authorization upon breach of the policy.... [It was] the violation of the terms of the Letter, not of Ticketmaster's Terms of Use, on which the Court base[d] its finding of a well-pled CFAA claim." 315 F. Supp.3d at 1170-71.
The Court respectfully disagrees. Permission or authorization to access a computer does not evaporate simply because the user has violated a duty owed to the owner of the computer. See Brekka , 581 F.3d at 1134-35 (rejecting the Seventh Circuit's reasoning in Int'l Airport Ctrs., LLC v. Citrin , 440 F.3d 418 (7th Cir. 2006), and requiring the employer to rescind the defendant's right to use the computer before potential criminal liability under the CFAA will attach). "The CFAA was enacted to prevent intentional intrusion into someone else's computer - specifically, computer hacking." hiQ Labs , 938 F.3d at 1000. The forbidden conduct is analogous to "breaking and entering," where defendant has unlawfully intruded into otherwise inaccessible computers (or portions thereof) in a form of trespass. Id. (quoting H.R. Rep. No. 98-894, at 20 (1984)). The Ninth Circuit has already determined that the rule of lenity demands that the "exceeds authorized access" prong of the CFAA be given a narrow interpretation so as to criminalize unauthorized access to a computer (or part thereof), not the misuse of authorized access. Nosal , 676 F.3d at 863. See also hiQ Labs , 938 F.3d at 1000 (recognizing that the Ninth Circuit has "rejected the contract-based interpretation of the CFAA's prohibitions). This Court is not at liberty to second guess the Ninth Circuit's resolution of the issue, nor is it persuaded that simply repeating or referencing the existing use restrictions in a letter changes the scope of authorized access in a material way.
For all of the foregoing reasons, the Court finds that the allegations of the First Amended Complaint do not support a plausible inference that defendant exceeded its authorization to access the .nz servers (as that phrase has been interpreted by the Ninth Circuit) prior to June 6, 2018.
3. "Damage or Loss"
The CFAA provides a private right of action to "[a]ny person who suffers damage or loss by reason of a violation of this section," 18 U.S.C. § 1030(g), as long as the violation causes "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value," 18 U.S.C. § 1030(c)(4)(A)(i)(I). "Damage" is defined as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8). "Loss" means "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, costs incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11). Thus, while "damage" covers harm to the integrity or availability of the data or information on the computer, "loss" refers to the monetary injuries imposed on plaintiff by defendant's conduct.
Plaintiff alleges that it "has suffered loss in an amount far in excess of the $5,000 statutory minimum during each relevant one-year period, in an amount to be proved at trial. This loss includes, without limitation, the costs [plaintiff] has incurred in investigating and responding to [defendant's] misconduct." Dkt. # 54 at 25. For the reasons discussed above, the only potential violations of the CFAA occurred after June 6, 2018, and plaintiff's allegations provide no basis on which to allocate the alleged losses between the pre- and post-revocation periods. Plaintiff filed its initial complaint on June 15, 2018, less than two weeks after it revoked defendant's right to access the .nz servers: the identical loss allegation is in that document, again with no indication of any events or actions giving rise to post-revocation "loss." See Dkt. # 1 at ¶ 105. The Court finds that the allegations do not give rise to a plausible inference that defendant's alleged violations of the CFAA - limited as they are to the post-June 6, 2018, period - caused damage or loss in excess of $5,000.
Defendant points out that, in order to survive a motion to dismiss the claim under 18 U.S.C. § 1030(a)(5)(C), plaintiff must allege facts giving rise to a plausible inference that its unauthorized access to the .nz servers caused both "damage and loss" in the conjunctive. See NovelPoster v. Javitch Canfield Group , 140 F. Supp.3d 954, 961 (N.D. Cal. 2014). Because plaintiff has not adequately alleged the jurisdictional amount, the Court need not determine whether "damage" has been alleged for purposes of § 1030(a)(5)(C).
B. Washington Consumer Protection Act ("CPA"), RCW 19.86
To prevail on a CPA claim, plaintiff must prove an "(1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; [and] (5) causation." Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co. , 105 Wash.2d 778, 780, 719 P.2d 531 (1986). Plaintiff alleges that defendant's efforts to circumvent the rate limiting and use restrictions plaintiff imposed to protect the data on its servers was "unfair or deceptive," that defendant engaged in these unfair acts in order to create and sell its products and services, that the public's interest is impacted because consumers are deprived of their privacy, and that plaintiff has incurred expenses and suffered injury to reputation and good will as a result. Dkt. # 54 at ¶¶ 109-112.
The CPA is a consumer protection statute that applies to both "unfair" and "deceptive" acts and practices. The wrongs about which plaintiff complains - that defendant improperly gathered data from plaintiff's computers and repackaged it into products and services for its own customers - are not deceptive insofar as they do not have "the capacity to deceive a substantial portion of the public." Hangman Ridge , 105 Wash.2d at 785, 719 P.2d 531. Plaintiff has identified no representation or act defendant directed at the public, much less one that has the capacity to deceive a substantial portion of the public. Rather, plaintiff alleges that the information defendant publishes to its customers may be outdated and the customers could obtain more accurate information directly from plaintiff. Dkt. # 54 at ¶ 88. Absent some indication that defendant advertises its wares as "100% accurate" or "the most up-to-date registry information available," merely offering for sale a product or service that could be bettered is not a deceptive act.
At oral argument, plaintiff argued that defendant disguised itself to avoid the technological defenses plaintiff erected and to hide its improper bulk queries and downloads. While disguising oneself may well be deceptive, plaintiff has not raised a plausible inference that anyone but itself was deceived by the disguise.
The CPA also prohibits unfair acts and practices, even if they are not deceptive. Klem v. Wash. Mut. Bank , 176 Wash.2d 771, 787, 295 P.3d 1179 (2013). Although the full contours of "unfair acts" under the CPA have not yet been established, the Supreme Court of Washington has cited federal law for the proposition that a "practice is unfair [if it] causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits." Klem , 176 Wash.2d at 787, 295 P.3d 1179 (quoting 15 U.S.C. § 45(n) ) (alteration in original). Plaintiff describes the unfair acts at issue here as harvesting and storing .nz registrant information by means of cyber misconduct, particularly the circumvention of protective technologies and the breach of plaintiff's terms of use. Dkt. # 68 at 25. Circumventing a server's protective technologies can be an unfair method of competition, act, or practice. Defendant argues, however, that the allegations of the complaint do not give rise to a plausible inference that defendant's conduct "is likely to cause substantial injury to consumers." Klem , 176 Wash.2d at 787, 295 P.3d 1179 (quoting 15 U.S.C. § 45(n) ). The information defendant obtained was, defendant points out, available to the public through plaintiff's website and Port 43 at the time it was obtained, and there is no indication that .nz registrants had any reason to believe that plaintiff would keep the information they provided confidential. Nevertheless, .nz registrants did have reason to believe that their information would not be harvested and stored, such that they could cancel their registration or alter their privacy selections and limit what information would be publicly availabe going forward: what plaintiff calls a consumer's "dynamic privacy interest." Consumers who chose to participate in plaintiff's enhanced individual registrant privacy option when it was offered were therefore harmed by defendant's prior downloading/storing of information that, while previously available to the public, was now unavailable. At that point, defendant had access to - and sold - information it had unfairly downloaded and stored, depriving consumers of their ability to control the privacy of certain information in accordance with their agreements with plaintiff.
Courts around the country have found that companies that hold sensitive personal and financial information but fail to take adequate steps to secure their servers may be liable under various consumer protection statutes. See FTC v. Wyndham Worldwide Corp. , 799 F.3d 236, 247 (3rd Cir. 2015) ; Gordon v. Chipotle Mexican Grill, Inc. , 344 F. Supp.3d 1231 (D. Colo. 2018) ; Buckley v. Santander Consumer USA, Inc. , 2018 WL 1532671, at *4 (W.D. Wash. Mar. 29, 2018) (CPA); Veridian Credit Union v. Eddie Bauer, LLC , 295 F.Supp.3d 1140, 1161-62 (W.D. Wash. 2017) (CPA); In re Anthem, Inc. Data Breach Litig. , 162 F. Supp.3d 953 (N.D. Cal. 2016) ; In re Michaels Stores Pin Pad Litig. , 830 F. Supp.2d 518 (N.D. Ill. 2011). If the failure to adequately protect sensitive customer data can be deemed unfair, it is hard to imagine that circumventing the security systems imposed by the holder of the data in its (unsuccessful) effort to prevent the misuse of the information would be considered "fair."
For most of the relevant period, registering for a .nz domain name involved an acknowledgment that all registrant information would be available to the public.
The Court finds that plaintiff has raised a plausible inference that defendant's use of bulk queries to download and store registrant information in violation of protective technologies and terms of use is an unfair act in trade or commerce that is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits.
For all of the foregoing reasons, defendant's motion to dismiss the CFAA and CPA claims is GRANTED in part. Because this matter continues as to plaintiff's breach of contract and CPA claims, leave to amend will not be blindly granted. If plaintiff believes it can, consistent with its Rule 11 obligations, amend the complaint to remedy the pleading and legal deficiencies in its CFAA claim, it may file a motion to amend and attach a proposed pleading for the Court's consideration.