Summary
finding that sole officer of defendant corporation who conducted the acts giving rise to CAN-SPAM and CFAA liability by the corporation was individually liable under CAN-SPAM and CFAA
Summary of this case from Facebook, Inc. v. Power Ventures, Inc.Opinion
Case Number C 09-05842 JF (PSG).
January 26, 2011
ORDER GRANTING PLAINTIFF'S MOTION FOR DEFAULT JUDGMENT [Re: Docket No. 75]
This disposition is not designated for publication in the official reports.
Plaintiff Facebook, Inc. ("Facebook") seeks default judgment against Defendants Philip Porembski and PP Web Services LLC. Facebook failed initially to send these Defendants notice of the instant motion. However, Defendants received notice at their addresses of record on November 19, 2010, pursuant to this Court's order. As of the date of this order, Defendants have not filed opposition papers. The Court concludes that this motion is appropriate for determination without oral argument. See Civ. L.R. 7-1(b). For the reasons discussed below, the motion will be granted.
Defendants Jeremi Fisher, Ryan Shimeall, Choko Systems LLC, Harm, Inc., and iMedia Online Services LLC previously stipulated to the entry of permanent injunctions and have separately executed consent judgments.
Order Directing Notice of Plaintiff's Motion for Default Judgment, at Dkt. 78. As the Court explained, under Fed.R.Civ.P. 55(b)(2), "[i]f the party against whom a default judgment is sought has appeared personally or by a representative, that party or its representative must be served with written notice of the application at least 7 days before the hearing." Defendants previously appeared through counsel by means of a stipulated order. Although Defendants' counsel later withdrew, it was incumbent upon Facebook to serve notice upon Defendants themselves pursuant to Fed.R.Civ.P. 55(b)(2).
I. BACKGROUND
A. Factual History
Facebook owns and operates a well-known social networking website located at http://www.facebook.com. Facebook users must register with the website and agree to Facebook's Statement of Rights and Responsibilities ("SRR"). Upon registration, users are given unique usernames and passwords to access their own user profiles as well as the profiles of their "friends." Only registered users have the ability to send messages to each other through the Facebook website. Facebook maintains strict policies against spam or any other form of unsolicited advertising. The SRR prohibits any activity that would impair the operation of Facebook's website, including the use of data mining "bots" to gain access to users' login information, the posting of unsolicited advertising on the website or circulation of such advertising via e-mail, or any commercial use of the Facebook website without Facebook's prior authorization.
Facebook alleges that Defendant Porembski is a registered Facebook user who is bound by the SRR. Porembski allegedly created PP Web Services LLC and was the sole person to act on its behalf. Since October 2008, Defendants allegedly have obtained login credentials for at least 116,000 Facebook accounts without authorization, and they have sent more than 7.2 million spam messages to Facebook users. According to Facebook, the messages ask recipients to click on a link to a "phishing" site designed to trick users into divulging their Facebook login information. Once users divulge the information, Defendants use it to send spam messages to the users' friends, repeating the cycle. In addition, certain spam messages allegedly redirect users to websites that pay Defendants for each user visit.
As further evidence of this scheme, Facebook points to the discovery by the Sacramento County Sheriff's Department of a computer that is believed to have belonged to Porembski, containing more than 160,000 Facebook login credentials as well as computer scripts designed to access Facebook and create automatic messages. Facebook's inspection of the hard drive revealed that Porembski created files to circumvent the technical measures implemented by Facebook to end Defendants' spam campaign.
On June 29, 2010, the Court authorized Facebook to obtain a copy of the hard drive for discovery purposes. Amended Order Granting Plaintiff's Request for Order Directing Release of Computer, at Dkt. 61.
B. Procedural History
On December 14, 2009, Facebook filed this action against Porembski, PP Web Services LLC, and several other Defendants, asserting that Defendants' phishing and spamming activities are in violation of (1) the Controlling the Assault of Non-Solicited Pornography and Marketing Act ("CAN-SPAM Act"), 15 U.S.C. § 7701 et seq.; (2) the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq.; (3) Cal. Penal Code § 502; and (4) Cal. Bus. Prof. Code § 22948. Facebook also asserts that Defendants' activities constitute a breach of contract under the SRR.
On December 21, 2009, the Court issued a Temporary Restraining Order ("TRO"), enjoining Defendants from engaging in the alleged phishing and spamming activities. On January 7, 2010, the Court issued a preliminary injunction enjoining the alleged misconduct. Facebook subsequently obtained a Clerk's entry of default against Defendants. The instant motion was filed on September 21, 2010, seeking a permanent injunction and statutory damages under the CAN-SPAM Act and Cal. Bus. Prof. Code § 22948.
II. DISCUSSION
A. Statutory Damages
Upon default, the well-pleaded allegations in a complaint are deemed true and sufficient to establish a defendant's liability. Benny v. Pipes, 799 F.2d 489, 495 (9th Cir. 1986) amended, 807 F.2d 1514 (9th Cir. 1987) (citing Thomson v. Wooster, 114 U.S. 104, 114 (1884)); Chanel, Inc. v. Doan, No. C 05-03464-VRW, 2007 WL 781976, at *2 (N.D. Cal. Mar. 13, 2007). However, "the allegations of the complaint regarding the amount of damages suffered are not controlling." Kingvision Pay-Per-View, Ltd. v. Backman, 102 F. Supp. 2d 1196, 1197 (N.D. Cal. 2000). "The district court has `wide discretion in determining the amount of statutory damages to be awarded, constrained only by the specified maxima and minima.'" DirecTV, Inc. v. Le, 267 Fed.Appx. 636, 636 (9th Cir. 2008) (citing Harris v. Emus Records Corp., 734 F.2d 1329, 1335 (9th Cir. 1984)). However, a statutory damages award may violate the due process rights of a defendant "where the penalty prescribed is so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable." United States v. Citrin, 972 F.2d 1044, 1051 (9th Cir. 1992) (quoting St. Louis, Iron Mt. S. Ry. Co. v. Williams, 251 U.S. 63, 66-67 (1919)).Facebook seeks the maximum penalty available under the CAN-SPAM Act — an award of $100 for each of Defendants' 7.2 million violations — as well as aggravated damages, resulting in a total award of $2,160,000,000 under that Act. Facebook also seeks damages in the amount of $500,000 under the Cal. Bus. Prof. Code § 22948 and asks that the Court impose treble damages for a total award of $1,500,000.
The record demonstrates that Defendants willfully and knowingly violated the statutes in question by engaging in the circumvention of Facebook's security measures as described above. Nonetheless, it does not appear that an award in excess of $2 billion is proportionate to the gravity of Defendants' acts. Without deciding whether such an award would violate Defendants' due process rights, the Court in the exercise of its discretion declines to award the full amount of damages requested by Facebook. Instead, it will award statutory damages of $50.00 per violation of the CAN-SPAM Act, for a total award of $360,000,000 under that Act. The Court also will award statutory damages of $500,000 pursuant to Cal. Bus. Prof. Code § 22948.2. The total amount of statutory damages against Defendants thus is $360,500,000. Given the magnitude of this award, the Court declines to award treble damages.
B. Injunctive Relief
Facebook contends that Defendants' violation of the CAN-SPAM Act and the CFAA supports entry of a permanent injunction. The CAN-SPAM Act specifically authorizes the Court to grant a permanent injunction, "to enjoin further violation by the defendant." 15 U.S.C. § 7706(g)(1)(A). Likewise, the CFAA provides that, "[a]ny person who suffers damage or loss by reason of a violation of [§ 1030] may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C.A. § 1030(g).
As a result of Defendants' spam campaign, Facebook has received more than 8,000 user complaints, and more than 4,500 Facebook users have deactivated their accounts. Additionally, Facebook has expended large financial and professional resources to upgrade its security measures. Defendants have demonstrated a willingness to continue their activities without regard for Facebook's security measures or cease and desist requests. Thus, it is appropriate that Defendants be permanently enjoined from accessing and abusing Facebook services.
Facebook indicates that Defendants have continued their spamming and phishing activities even after receiving a cease-and-desist letter from Facebook. The letter clearly stated that Facebook had gathered evidence that Defendants were responsible for the spam messages, and that spamming was against the SRR. Motion for Default Judgment at 17 n. 5.
III. ORDER
Accordingly, for good cause shown,
(1) Facebook's motion for default judgment is GRANTED; statutory damages of $360,500,000 are awarded against Defendants, and Facebook's request for permanent injunctive relief is GRANTED.
(2) As Facebook already has settled its claims with all other Defendants, the Clerk of the Court is directed to CLOSE THE FILE.
DATED: January 26, 2011