Opinion
No. C 15-00908 LB
03-16-2015
UBER TECHNOLOGIES, INC., Plaintiff, v. JOHN DOE I, an individual, Defendant.
ORDER GRANTING EXPEDITED DISCOVERY
[ECF No. 4]
INTRODUCTION
Plaintiff Uber Technologies, Inc. asserts claims against Defendant John Doe I for violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq. and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502. (Compl. - ECF No. 1.) Uber seeks permission to take expedited discovery from the third party GitHub, Inc. to identify John Doe I. (ECF No. 4 at 1.) The court heard this matter on March 12, 2015. (ECF No. 10.)
Record citations are to documents in the Electronic Case File ("ECF"); pinpoint citations are to the ECF-generated page numbers at the top of the documents.
As discussed below, Uber has demonstrated the following: (1) John Doe I is a real person who may be sued in federal court; (2) it has unsuccessfully attempted to identify John Doe I before filing this motion; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a reasonable likelihood that the proposed subpoena will lead to information identifying John Doe I. The court therefore finds that good cause exists to allow Uber to engage in this preliminary discovery. Accordingly, the court GRANTS Uber's ex parte motion for expedited discovery.
STATEMENT
Uber is a technology company. (Compl. - ECF No. 1, ¶ 5; ECF No. 4 at 2.) It has developed a smartphone application that connects drivers and riders in cities all over the world. (Id.) Uber's smartphone application is available in over 200 cities and has been used by over 100,000 drivers to receive requests for transportation services. (Id.) Uber maintains internal database files with confidential details on the drivers who use its application. (ECF No. 1, ¶ 6; ECF No. 4 at 2.) Those database files can be accessed only by certain Uber employees using a unique security key from Uber's protected computers. (ECF No. 1, ¶ 7; ECF No. 4 at 2.) On or around May 12, 2014, from an Internet protocol ("IP") address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used a unique security key without authorization to access and download Uber's proprietary database files. (ECF No. 1, ¶ ¶ 7, 10, 11; ECF No. 4 at 2.) Uber alleges that John Doe I's unauthorized access has harmed Uber and caused it to expend resources to investigate and to prevent such access from occurring. (ECF No. 1, ¶ 12.) As a result, Uber suffered over $5,000 in damages. (Id; ECF No. 4 at 5.)
Under Local Civil Rule 7-10, Uber certifies that it attempted to identify John Doe I without success. (ECF No. 1, ¶ 12; ECF No. 4 at 4.) Specifically, Uber reviewed the IP addresses that accessed the database and isolated one unrecognized IP address, but could not identify John Doe I. (ECF No. 4 at 4; ECF No. 4-2 at 1) Uber was informed that the person who downloaded the files also visited two pages at the GitHub website that are specified in the subpoena, which requests:
For the GitHub posts
https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b29826096fe043409e2c305bb79/insurance_fun.py[gist.githubusercontent.com] and https://api.github.com/gists/9556255/[api.github.com], please produce all records, including but not limited to transactional or other logs, from March 14, 2014 toSeptember 17, 2014, identifying the IP addresses or subscribers that viewed, accessed,or modified these posts and the date/time of access, viewing, or modification, as wellas any records or metadata relating to the browser (i.e., logged HTTP headers,including cookies) or device that viewed, accessed, or modified the posts.
This subpoena does not request the contents of any communications.
Please immediately preserve any potentially responsive records in your
possession, custody, or control, including by suspending routine deletion proceduresthat might result in the deletion or overwriting of records that may be responsive to tis subpoena.(ECF No. 4-1 at 7; see ECF No. 4 at 4; ECF No. 4-2 at 2, 3.)
GitHub is a San Francisco-headquartered subscription Internet service where users collaborate in developing open-source-code software. At the hearing, Uber's counsel explained that GitHub hosts portions of Uber's code on the two pages specified in the subpoena. On these GitHub pages, people from Uber can work on the code collaboratively. In response to the court's questions, Uber represented that there should not be many "hits" on these pages. The hits should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download. Uber explained that GitHub may well have user logs that can be accessed easily, that Uber would work with GitHub to address any concerns about the burden that responding to the subpoena would place on GitHub, and that it would be in a better position to evaluate any burden or notification concerns once it sees how GitHub captures the relevant data. To date, Uber has been unable to obtain the information it needs from GitHub through informal investigation. (Id.) Uber therefore asks for early discovery under Federal Rule of Civil Procedure 26(d) and leave to serve the Proposed GitHub Subpoena to obtain information that can reasonably be expected to lead to discovering John Doe 1's identity. (ECF No. 4.)
ANALYSIS
I. LEGAL STANDARD
A court may authorize early discovery before the Rule 26(f) conference for the parties' and witnesses' convenience and in the interests of justice. Fed. R. Civ. P. 26(d). Courts within the Ninth Circuit generally consider whether a plaintiff has shown "good cause" for early discovery. See, e.g., IO Group, Inc. v. Does 1-65, No. C 10-4377 SC, 2010 WL 4055667, at *2 (N.D. Cal. Oct. 15, 2010); Semitool, Inc. v. Tokyo Electron America, Inc., 208 F.R.D. 273, 275-77 (N.D. Cal. 2002); Texas Guaranteed Student Loan Corp. v. Dhindsa, No. C 10-0035, 2010 WL 2353520, at *2 (E.D. Cal. June 9, 2010); Yokohama Tire Corp. v. Dealers Tire Supply, Inc., 202 F.R.D. 612, 613-14 (D. Ariz. 2001) (collecting cases and standards).
When the identities of defendants are not known before a complaint is filed, a plaintiff "should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds." Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir. 1980). In evaluating whether a plaintiff establishes good cause to learn the identity of Doe defendants through early discovery, courts examine whether the plaintiff: (1) identifies the Doe defendant with sufficient specificity that the court can determine that the defendant is a real person who can be sued in federal court; (2) recounts the steps taken to locate and identify the defendant; (3) demonstrates that the action can withstand a motion to dismiss, and (4) proves that the discovery is likely to lead to identifying information that will permit service of process. Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578-80 (N.D. Cal. 1999).
II. UBER HAS SHOWN GOOD CAUSE TO TAKE EARLY DISCOVERY
Here, Uber has made a sufficient showing under each of the four factors listed above to establish good cause to permit it to engage in early discovery to identify John Doe I.
First, Uber has shown that a real person, John Doe I, may be subject to jurisdiction in this court by showing that the target of his misconduct is California, where Uber is headquartered. (ECF No. 1 at 2, 1; ECF No. 4 at 3, 4.) In this action, Uber alleges that John Doe I accessed Uber's proprietary database files from its protected computers by using a unique security key. (Id; Compl. - ECF No. 1, ¶ 11.) Those specific acts of misconduct can be perpetrated only by actual people, as opposed to a mechanical process. In addition, even if John Doe I is located outside California, the court would still have personal jurisdiction. To establish specific personal jurisdiction in the forum state, the Ninth Circuit applies the following three-prong test:
1. The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum . . . ;Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 802 (9th Cir. 2004). "The plaintiff bears the burden of satisfying the first two prongs of [this] test." Id.
2. the claim must be one which arises out of or relates to the defendant's forum-related activities; and
3. the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.
Uber has proved that John Doe I intentionally targeted Uber, which is headquartered in California, by accessing its computers and illegally downloading its confidential files. Uber's damages claims arise out of John Doe I's forum-related activities. Given that John Doe I intentionally accessed Uber's proprietary and confidential database without permission, he or she must know his or her acts likely caused harm in California. See Calder v. Jones, 465 U.S. 783, 789 (1984) ("petitioners are not charged with mere untargeted negligence. Rather, their intentional, and allegedly tortious, actions were expressly aimed at California."); Bancroft & Masters, Inc. v. Augusta Nat'l Inc., 223 F.3d 1082, 1087 (9th Cir. 2000) ("the defendant must have . . . caused harm, the brunt of which is suffered and which the defendant knows is likely to be suffered in the forum state."); Yahoo! Inc. v. La Ligue Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199, 1206-07 (9th Cir. 2006). The court thus finds that it has personal jurisdiction over John Doe I.
Second, Uber has adequately described the steps it took to find and identify John Doe I. Specifically, its efforts include: (1) reviewing the IP address that accessed Uber's internal database; (2) isolating one unrecognized IP address; (3) learning that John Doe I also visited certain pages at the GitHut website; and (4) contacting GitHub to obtain the necessary information through informal investigation. (ECF No. 4 at 4; ECF No. 4-2.)
Third, Uber has pleaded the essential elements to state a claim for violations of the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act. (ECF No. 1 ¶¶ 6-12, 13-17; ECF No. 4 at 4, 5;) see 18 U.S.C. § 1030(a)(2)(C) ("Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer . . . shall be punished . . . ."); Cal. Penal Code § 502(c)(1), (2), (7) ("[A]ny person who commits any of following acts is guilty of a public offense: Knowingly accesses and without permission . . . uses any data, computers . . . in order to wrongfully control or obtain . . . data.").
Fourth, Uber has demonstrated that the proposed subpoena seeks information likely to lead to uncovering John Doe's identity. (ECF No. 4 at 5.) Again, Uber learned that the person who accessed its database also visited pages at the GitHub website; the subpoena specifies these pages. (Id; ECF No. 4-2.) The proposed subpoena directs GitHub to yield information regarding John Doe I's access to the web pages in question. (ECF No. 4-2.) Given the information that is presently available to Uber, before and so without the issuance of the subpoena, obtaining this information from GitHub may be more than "reasonable," see Schwarzenegger, 374 F.3d at 802; it may be the only way that Uber can be expected to identify John Doe I. Additionally, Uber has shown that its need for early discovery outweighs the prejudice to GitHub, as GitHub is an established provider who routinely deals with discovery requests and would suffer little burden from producing the requested information. (ECF No. 4 at 5.)
Taken together, the court finds that the foregoing factors demonstrate that good cause exists to grant Uber's leave to conduct early discovery. See Semitool, 208 F.R.D. at 276 ("Good cause may be found where the need for expedited discovery . . . outweighs the prejudice to the responding party."). Furthermore, the court finds that early discovery furthers the interests of justice and poses little, if any, inconvenience to GitHub. Permitting Uber to engage in this early discovery is therefore consistent with Rule 26(d).
CONCLUSION
For the reasons stated above, the court GRANTS Uber's Ex Parte Motion for Expedited Discovery. The court orders the following:
1. Uber may immediately serve on GitHub the Proposed Subpoena to obtain the requested information. Uber's proposed subpoena is acceptable. The subpoena shall have a copy of this order attached. To the extent that producing the information sought is burdensome, the parties must meet and confer and comply with the court's discovery procedures in the attached standing order. It may be that an iterative process is the best way to deliver the information about the unauthorized access that entitles Uber to this discovery.
2. GitHub will have 30 days from the date that the subpoena is served upon them to serve John Doe I with a copy of the subpoena and a copy of this order. GitHub may serve John Doe I using any reasonable means, including written notice sent to his or her last known address, transmitted either by first-class mail or via overnight service.
3. John Doe I shall have 30 days from the date of service upon him or her to file any motions in this court contesting the subpoena (including a motion to quash or modify the subpoena). If that 30-day period lapses without John Doe I contesting the subpoena, GitHub shall have 10 days to produce the information responsive to the subpoena to Uber.
4. GitHub shall preserve any subpoenaed information pending the resolution of any timely motion to quash.
5. If GitHub has no information identifying John Doe I, then it need not comply with Paragraphs 2-4, and should immediately produce the information that the subpoena requests.
6. GitHub must confer with Uber and must not assess any charge in advance of providing the information requested in the subpoena. If GitHub elects to charge for the costs of production, it must provide a billing summary and cost reports that serve as a basis for such billing summary and any costs claimed by GitHub.
7. Uber must serve a copy of this order along with the subpoena to all relevant entities.
8. Uber may use the subpoenaed information only in connection with its instant claims under the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act.
This disposes of ECF No. 4.
IT IS SO ORDERED. Dated: March 16, 2015
/s/_________
LAUREL BEELER
United States Magistrate Judge