Opinion
23-cv-04610-KAW
12-20-2023
A PSEUDONYM VICTIM ONE, Plaintiff, v. JOHN DOE, Defendant.
ORDER RE EX PARTE MOTION FOR EXPEDITED DISCOVERY
RE: DKT. NO. 7
KANDIS A. WESTMORE UNITED STATES MAGISTRATE JUDGE
On September 7, 2023, Plaintiff filed the instant case against Doe Defendant, asserting violations of the Computer Fraud and Abuse Act (“CFAA”). (Compl. at 1, Dkt. No. 1.) Plaintiff alleges that on July 16, 2023, he received a notification from Truist Bank of an unauthorized transfer of $2,000 from his bank account via ZellePay to “Mike.” (Compl. ¶¶ 9-10.) When investigating the unauthorized transfer, Plaintiff discovered that Doe Defendant unlawfully accessed his @juno.com account to reset and modify the password to Plaintiff's @yahoo.com account, which Doe Defendant then used to unlawfully access and modify Plaintiff's Truist Bank account. (Compl. ¶ 11.) Plaintiff alleges that Doe Defendant also allegedly accessed and compromised Plaintiff's @outlook.com account using an unfamiliar computer from an unfamiliar location, as well as Plaintiff's @yahoo.com account using an unfamiliar computer with an unfamiliar Internet Protocol address. (Compl. ¶¶ 15(d), (g).) Additionally, Doe Defendant allegedly used information from the compromised @juno.com, @yahoo.com, and @outlook.com e-mails to try to unlawfully access other accounts of Plaintiff, as well as to create new accounts purporting to be Plaintiff's. (Compl. ¶ 20.)
On October 19, 2023, Plaintiff filed the instant ex parte motion for expedited discovery, seeking the true identity of Doe Defendant from Google LLC, Yahoo! Inc., Truist Financial Corporation, Early Warning Services, LLC (“Zelle”), United Online (“Juno”), and Microsoft Corporation. (Pl.'s Mot. at 2, Dkt. No. 7.) The Court deemed this matter suitable for disposition without a hearing pursuant to Civil Local Rule 7-1(b), and VACATED the December 7, 2023 hearing.
The Court finds Plaintiff has failed to demonstrate that he is entitled to early discovery. In general, Federal Rule of Civil Procedure 26(d)(1) permits a court to authorize early discovery if there is good cause. Further:
In determining whether there is good cause to allow expedited discovery to identify anonymous internet users named as doe defendants, courts consider whether: (1) the plaintiff can identify the missing party with sufficient specificity such that the Court can determine that defendant is a real person or entity who could be sued in federal court; (2) the plaintiff has identified all previous steps taken to locate the elusive defendant; (3) the plaintiffs suit against defendant could withstand a motion to dismiss; and (4) the plaintiff has demonstrated that there is a reasonable likelihood of being able to identify the defendant through discovery such that service of process would be possible.OpenMind Sols., Inc. v. Doe, No. C 11-3311 MEJ, 2011 U.S. Dist. LEXIS 116552, at *3 (N.D. Cal. Oct. 7, 2011).
First, Plaintiff fails to identify Doe Defendant “with sufficient specificity, demonstrating that each Defendant is a real person or entity who would be subject to jurisdiction in this Court.” OpenMind Sols., Inc., 2011 U.S. Dist. LEXIS 116552, at *5. Specifically, Plaintiff has not explained why Doe Defendant would be subject to the jurisdiction of this Court, as Doe Defendant's activities seem directed at Plaintiff, who does not appear to reside in California. (See Pl.'s Mot. at 3 (stating that while “Plaintiff is an American citizen, Plaintiff's current country of residence, unfortunately, is subject to rampant violence”).) Plaintiff asserts that the Court would have jurisdiction over Doe Defendant because Doe Defendant unlawfully accessed Plaintiff's @yahoo.com account using a gmail.com account, and that the @yahoo.com and @gmail.com accounts are hosted and maintained in California. (Id. at 8.) Plaintiff cites no authority showing that this is sufficient to create jurisdiction; indeed, this would suggest that any case involving the use of a @yahoo.com or @gmail.com account would give rise to jurisdiction in the Northern District of California. But see OOO Brunswick Rail Mgmt. v. Sultanov, No. 5:17-cv-00017-EJD, 2017 U.S. Dist. LEXIS 8374, at *6-7 (N.D. Cal. Jan. 20, 2017) (rejecting argument that the use of a @gmail.com account created personal jurisdiction in California, and noting that under such a theory “every one of Gmail's one billion users . . . would be subject to personal jurisdiction in California based solely on their e-mail activity”); Kazakhstan v. Ketebaev, No. 17-CV-00246-LHK, 2017 U.S. Dist. LEXIS 211198, at *19 (N.D. Cal. Dec. 21, 2017) (finding no personal jurisdiction where the defendant was alleged to have hacked Gmail accounts).
Second, it is not clear to the Court that Plaintiff's claim will withstand a motion to dismiss. Plaintiff brings a single claim under the CFAA, alleging that Doe Defendant has either violated § 1030(a)(2)(C) (accessing a computer without authorization to obtain information from a protected computer), § 1030(a)(4) (accessing a protected computer without authorization to commit fraud and obtain anything of more than $5,000 value), or § 1030(a)(6)(A) (trafficking in passwords through which a computer may be accessed without authorization if such trafficking affects interstate or foreign commerce).
The Supreme Court has explained that the CFAA prohibits actual damage or impairment of a protected computer, such as the corruption of files. Van Buren v. United States, 141 S.Ct. 1648, 1660 (2021) (“The statutory definitions of ‘damage' and ‘loss' thus focus on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data.”). Likewise, the Ninth Circuit has found that “the CFAA's prohibition on accessing a computer ‘without authorization' is violated when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements to gain access to a computer.” hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1200 (9th Cir. 2022).
Here, the crux of Plaintiff's claim is that Doe Defendant improperly accessed his various accounts. (See Compl. ¶¶ 15-17.) While Plaintiff alleges that Doe Defendant obtained personal and financial information from his computers, such allegations are conclusory; indeed, all of the specific factual allegations make clear that Doe Defendant was hacking into and compromising Plaintiff's @juno.com account, @yahoo.com account, @outlook.com account, and Truist Bank account,, resetting passwords and using “unfamiliar computers” to log in to the accounts. (See Compl. ¶¶ 15(b), (d), (e), (g), (j), (1), (n), (o), (p); 16; 17.) Likewise, Plaintiff alleges that Doe
Defendant accessed private data and personal identifying information from the Truist bank account and Plaintiff's cloud storage tied to his @outlook.com account, and that Doe Defendant continues to use “Plaintiff's identification information and data found within the compromised @juno.com, @yahoo.com, and @outlook.com accounts to attempt to unlawfully access other accounts of Plaintiff.” (Compl. ¶¶ 15(k), 18, 20.) Thus, it is unclear that Doe Defendant has improperly accessed Plaintiff's computer, rather than accessing his accounts using unknown computers. Absent specific factual allegations of access to Plaintiff's computer or legal authority that access to accounts is sufficient to constitute a violation of the CFAA, the Court cannot find that Plaintiff's claim could withstand a motion to dismiss.
Accordingly, the Court DENIES Plaintiff's motion without prejudice.
IT IS SO ORDERED.