Summary
denying motion to quash ISP subpoenas in CFAA context
Summary of this case from Viken Detection Corp. v. DoeOpinion
NO. C08-2147 TEH.
June 2, 2008
ORDER DENYING JOHN DOE'S MOTION TO QUASH SUBPOENA DIRECTED TO AT T INTERNET SERVICES
This matter comes before the Court on Defendant John Doe's motion to quash the subpoena Plaintiff Kimberlite Corporation ("Kimberlite") served on third party AT T Internet Services ("AT T"). After carefully considering the parties' written arguments, the Court finds good cause to DENY the motion for the reasons discussed below.
BACKGROUND
Kimberlite filed this action on April 24, 2008, seeking damages and injunctive relief for trespass to chattels and violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The complaint alleges that unknown defendants, using the IP address 71.135.177.158, unlawfully accessed Kimberlite's internal computer network and e-mail system on April 7, 2008, and April 14, 2008.
Kimberlite traced the IP address as belonging to AT T and subsequently issued a subpoena to AT T on April 28, 2008. The subpoena, issued under Federal Rule of Civil Procedure 45, seeks "[a]ll documents that refer or relate to the identity of the person or entity to whom the Internet Protocol address 71.135.177.158 was assigned [on the relevant date and times], including, but not limited to, the name and address of the owner of the account, the name and address of all persons listed on the account, and billing information related to the transaction." Opp'n Ex. A at 5.
On May 7, 2008, the alleged IP holder ("Doe"), who remains anonymous, filed a one-page letter on his or her own behalf — without apparent representation by counsel — moving to quash the AT T subpoena. Doe does not challenge the propriety or sufficiency of service of the subpoena on AT T, nor does Doe argue that the subpoena seeks irrelevant information. Instead, the motion raises only two objections. First, Doe contends that Kimberlite "has no compelling arguments in obtaining [Doe's] true identity" that outweigh Doe's "protection under [the] Cable Communication Policy Act of 1984, which prohibits operators from disclosing personally identifiable data to third parties without consent, unless the disclosure is either necessary to render a service provided by the cable operator to the subscriber or if it is made to a government entity pursuant to a court order." Second, Doe contends that Kimberlite has failed to state a claim under the Computer Fraud and Abuse Act because "[t]he holder of the IP address has not accessed a computer of any United States Government Agency, has not obtained any information from [a] United States Agency, has not had any intent and committed any fraud, has not caused transmission of any data resulting in damages and material loss, has not caused any trafficking that would affect interstate or foreign commerce, [and] has not had any intent to extort from any person that could be punishable under the Act." The Court addresses each of these arguments below.
DISCUSSION I. Computer Fraud and Abuse Act
The Court first addresses Doe's argument that Kimberlite has not stated a claim under the Computer Fraud and Abuse Act ("CFAA"). The CFAA allows "[a]ny person who suffers damage or loss by reason of a violation of this section" to maintain a civil action seeking compensatory damages and injunctive or other equitable relief. 18 U.S.C. § 1030(g). It is a violation of the CFAA to "intentionally access a protected computer without authorization, and as a result of such conduct, cause damage" and losses amounting to at least $5000 over a one-year period. 18 U.S.C. § 1030(a)(5)(A)(iii), (B)(i). A "protected computer" includes any computer "used in interstate or foreign commerce or communication." 18 U.S.C. § 1030(e)(2)(B). Losses may include "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense." 18 U.S.C. § 1030(e)(11).
Contrary to Doe's assertions, Kimberlite has adequately alleged — and provided preliminary evidence in support of — a CFAA violation in this case. Kimberlite conducts business throughout the United States and Canada, Patterson Decl. ¶ 2, and its computers are therefore protected under the CFAA because they are used in interstate and foreign commerce. Those computers, which are password-protected, were accessed "without the authorization of Kimberlite or the affected employees," and Kimberlite's activity logs show that the computers were accessed by an individual using the IP address 71.135.177.158. Id. ¶ 4; Deedon Decl. ¶¶ 2, 4 Ex. C. Kimberlite has also submitted evidence that its staff has "spent over 100 hours investigating the matter and taking steps to repair the Kimberlite email system following the intrusions," Deedon Decl. ¶ 6, and that the "cost of securing the Kimberlite email system and conducting [an] investigation has exceeded $5,000.00," Patterson Decl. ¶ 5. Thus, the complaint and the declarations Kimberlite submitted in opposition to the motion to quash sufficiently set forth a violation under the CFAA at this early stage of the proceedings.
As Kimberlite correctly observes, Doe did not assert in the motion to quash that Kimberlite has failed to state a claim for trespass to chattels.
II. Cable Communications Policy Act
The Court now turns to Doe's contention that Kimberlite has failed to set forth a compelling argument to obtain Doe's true identity that outweighs any privacy rights Doe has under the Cable Communication Policy Act ("CCPA"). The CCPA governs "cable operators," defined as "any person or group of persons (A) who provides cable service over a cable system and directly or through one or more affiliates owns a significant interest in such cable system, or (B) who otherwise controls or is responsible for, through any arrangement, the management and operation of such a cable system." 47 U.S.C. § 522(5). The act further defines "cable service" as "(A) the one-way transmission to subscribers of (i) video programming, or (ii) other programming service, and (B) subscriber interaction, if any, which is required for the selection or use of such video programming or other programming service." 47 U.S.C. § 522(6).
Kimberlite contends that the CCPA does not apply here because AT T Internet Services, on whom the subpoena was served, is not a "cable operator" as defined in the CCPA. Although Kimberlite cites neither supporting evidence that AT T does not operate a cable service nor any case law that internet service providers do not provide "cable service" as defined by the CCPA, there is legal support for Kimberlite's position. For example, the Ninth and Sixth Circuits have held that internet service is not a "cable service" as defined by the CCPA. Klimas v. Comcast Cable Commc'ns, Inc., 465 F.3d 271, 279-80 (6th Cir. 2006); AT T Corp. v. City of Portland, 216 F.3d 871, 876-77 (9th Cir. 2000).
Even if the CCPA does apply, however, Doe's argument that Kimberlite has not demonstrated a compelling need for the information it seeks is incorrect. As discussed above, Kimberlite has adequately set forth a claim for relief against the IP address holder whose identity it seeks, and it is therefore proper for Kimberlite to subpoena the internet service provider to obtain such information. As one court has succinctly explained, "Plaintiffs lacking necessary information about unidentified defendants must seek such information through third-party subpoenas or other third-party discovery." Butera Andrews v. Int'l Bus. Machs. Corp., 456 F. Supp. 2d 104, 114 (D.D.C. 2006) (citing " Virgin Records Am. v. John Does 1-35, Civ. No. 05-1918 (CKK), 2006 WL 1028956, at *1-*3 (D.D.C. Apr. 18, 2006) (allowing third-party subpoena directed at Internet Service Providers (`ISP') of unidentified defendants, where the plaintiff could not otherwise `identify the true names and locations of the [alleged copyright] infringers'); Alvis Coatings, Inc. v. John Does 1-10, Civ. No. 3L94-374-H, 2004 WL 2904405, at *2 (W.D.N.C. Dec.2, 2004) (denying motion to quash third-party subpoena directing the ISP of unidentified defendants `to provide documents sufficient to identify the name, address, and telephone number of the individuals corresponding to the specific IP addresses [named by the plaintiff]')"); see also, e.g., UMG Recordings, Inc. v. Does 1-4, Case No. 06-0652 SBA (EMC), 2006 WL 1343597, at *4 (N.D. Cal. Mar. 6, 2006) (granting plaintiff's motion to take expedited discovery by serving subpoena on third-party internet service provider to identify unknown defendants alleged to have committed copyright infringement).
III. Other Issues
Although the Court rejects the arguments raised in Doe's motion to quash, it does find good cause to impose two restrictions on the subpoena at issue. First, the Court finds that the subpoena is not, as Kimberlite contends, narrowly constructed to ask "only for information sufficient to identify the individual who used the IP address 71.135.177.158 during the times in which the initial two email break-ins occurred." Opp'n at 4. To the contrary, the subpoena also seeks billing information. The Court does not find such information to be necessary for Kimberlite's stated purpose, and it therefore will not require AT T to produce billing information in response to the subpoena at this time. Kimberlite should be able to identify the Doe defendants by using "the name and address of the owner of the account [and] the name and address of all persons listed on the account." If, however, such information proves to be insufficient, Kimberlite may seek leave of court to conduct further discovery on AT T.
Second, the Court finds that notice to the IP address holders "is required in the interest of fairness and pursuant to Rule 45(c)(3)(A)(iii) and (iv), which provide that a subpoena may be quashed or modified if it requires disclosure of privileged or `other protected matter,' or if it subjects a person to undue burden. Given the privacy . . . interests that inhere in the records sought, this Court has the authority under the Federal Rules to condition the subpoena on consumer notice and an opportunity to be heard." UMG Recordings, Inc., 2006 WL 1343597, at *3. While Doe's motion to quash indicates that at least one of the individuals whose names Kimberlite seeks has received notice of the subpoena served on AT T, it is unclear whether other such individuals exist and, if so, whether they have been provided notice. Thus, AT T shall ensure that all affected subscribers receive notice of the subpoena and have an opportunity to respond.
CONCLUSION
For the reasons discussed above, Doe's motion to quash the subpoena served by Kimberlite on AT T is hereby DENIED. However, to ensure notice to all affected subscribers, IT IS HEREBY ORDERED that:
1. Kimberlite shall serve a copy of this order on AT T, which in turn shall serve copies of this order and the subpoena on all affected subscribers within seven calendar days of the date of service upon AT T.
2. Any affected subscribers — other than the Doe defendant who filed the motion to quash rejected by this order — shall then have fifteen calendar days, calculated from the date of service upon them, in which to file a motion to quash with this Court.
3. If no motions to quash are received within the fifteen-day period, then AT T shall provide Kimberlite with the names and addresses of the owner and all persons listed on the account for the relevant IP address during the relevant time periods. AT T shall comply with this order within ten calendar days following the expiration of the fifteen-day period discussed above.