Opinion
Civil Action 23-12106
08-21-2024
SHANNON CROY, Plaintiffs, v. GOOGLE LLC, Defendant.
Shalina D. Kumar United States District Judge
REPORT AND RECOMMENDATION TO GRANT DEFENDANT'S MOTION TO DISMISS (ECF NO. 17)
DAVID R. GRAND UNITED STATES MAGISTRATE JUDGE
Background
Pro se plaintiff Shannon Croy (“Croy”), brings this lawsuit against defendant Google LLC (“Google”), raising various claims arising out of a “scheme” to unlawfully prevent him from accessing his Gmail account, which allegedly contained “information” regarding 15,000 Bitcoin he claims to have purchased in 2010. (ECF No. 5). Croy's complaint is dense and difficult to follow, as it sets forth allegations in a largely stream-of-consciousness manner in 378 numerated single-spaced paragraphs over 43 pages, accompanied by an additional 84 pages of exhibits.
After filing an initial amended complaint as a matter of right (ECF No. 5), Croy improperly filed multiple additional amended complaints without seeking or obtaining Google's consent or leave of Court (ECF Nos. 7, 11). Fed.R.Civ.P. 15(a)(2). Google notes all of this in its motion to dismiss and thus largely focuses on Croy's initial amended complaint. (ECF No. 17, PageID.506-7). In his response brief, Croy “concurs with [Google's] viewpoint for purposes of this response [and] agree[s] to regard the Amended Complaint dated 08-24-2023 [(ECF No. 5)] as the current operative complaint . . .” (ECF No. 22, PageID.553). Thus, the Court will focus its analysis on that pleading, as well.
As best as can be discerned, however, a liberal construction of Croy's lengthy complaint reflects that, in 2010, he allegedly purchased 15,000 Bitcoin, (Id., PageID.159, ¶ 314), and “stor[ed] his Bitcoin information in email messages to himself” including “a copy of the Dat File, Bitcoin Address, and Keys” to his email at “Referralrewards@gmail.com.” (Id., PageID.156-57, ¶¶ 294-95). Croy alleges that “immediately after he sent the Bitcoin information from Referralrewards@gmail.com,” “his Bitcoin became corrupted inside his 2010 Wallet.” (Id., ¶ 295). He alleges that “there was no way for [him] to know or imagine this problem existed with 2010 Wallets,” as they were “new technology[] in the year 2010,” and “it's not his fault Google secretly disable[d] access to his account,” apparently by “secretly delet[ing] [the] recovery security answer for [the account].” (Id., ¶¶260, 295).
It appears that Croy either did not find out about the corruption of his Bitcoin or did nothing to address the situation until almost 11 years later in 2021, at which time he alleges Google “secretly disabled” his email address at Referralrewards@gmail.com because it was one of several “selected accounts with missing birthdate information.” (Id., ¶¶ 237, 300). Croy alleges that Google's disabling of his access to Referralrewards@gmail.com was a “breach of duty” that caused “damage or theft to his Bitcoin information.” (Id., ¶ 300). As a result, Croy alleges that, on April 27, 2021, he sent a letter to Google requesting that they restore his access to Referralrewards@gmail.com, but his request was “denied.” (Id., ¶¶ 241, 297). Croy “informed Google's CEO and Board Members that there is approximate[ly] 1 billion Dollar['s worth of] Bitcoin information located in 1 of 61” of his email accounts, and that only after he shared this information did Google assign his account at Referralrewards@gmail.com to “Enhanced or Targeted Re-Collection of Secretly Deleted Recovery Security Answer Scheme” in order to “try[] to permanently steal the value of [his Bitcoin] information from him.” (Id., ¶¶ 246, 348). He alleges that there was also an “inside person” from the United States Postal Service involved in this scheme who obstructed his sending of U.S. Certified Mail to remedy the issue. (Id., ¶ 279). He alleges that Google has a “pattern of suppressing evidence of secretly deleted recovery emails and recovery security answers.” (Id., ¶ 280).
Based on the above allegations, Croy contends that Google “actually verified, read[,] intercepted[,] and viewed [his] Bitcoin information inside Referralrewards@gmail.com” (Id., ¶ 263), in violation of (1) the Computer Fraud Abuse Act, 18 U.S.C. § 1030 (“CFAA”); (2) the Wiretap Act, 18 U.S.C. § 2511; (3) the Children's Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501 et seq.; (4) the federal criminal wire fraud statute, 18 U.S.C. § 1343; and (5) the federal criminal mail fraud statute, 18 U.S.C. § 1341. (ECF No. 5, PageID.126, ¶ 2). As a result, Croy seeks monetary damages of $825,330,600.00, which is based on a value of $55,022.04 per each of his 15,000 Bitcoin. (Id., ¶ 310).
While Croy sets forth numerous additional allegations against Google, none appear to be related to his actual claims for relief based on the alleged loss of his account access. For example, he alleges, “In year 2021, [he] discovered evidence that Google failed to collect birthdate information for Canterburywoods@gmal.com, Minglegreen@gmail.com, Referralactivity@gmail.com, and Shannonsreward@gmail.com at registration on 01-02-2009, 09-26-2009, 11-29-2009 and 09-152010, respectively. [] In other words, [his] evidence shows Google failed to collect birthdate information at least from 01-02-2009 to 09-15-2010. Retrospectively, a reasonable inference can be made that the commission of the secret disablement of accounts and the fraud concealment pertaining to accords with missing birthdate information started shortly prior to 03-01-2012.” (ECF No. 5, PageID.137-38, ¶¶ 117-18). Again, such allegations fail to support any of Croy's stated claims for monetary relief based on the alleged loss of his Bitcoin.
In his response to Google's motion to dismiss, Croy concedes that his claims under the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (“SCA”), and Title III of the Americans With Disabilities Act (“ADA”), are subject to dismissal. (See ECF No. 22, PageID.584-85, ¶¶ 100, 101). Thus, the Court need not address these claims here, and they should be dismissed. Croy's complaint also makes passing references to “exemplary damage[s]” “under MCL 600.2919a, MCL 600.5855 and MCL 752.796,” and to “pain and suffering” damages under MCL 750.85. (ECF No. 5, PageID.164). But Croy has no claim under any of these Michigan statutes. MCL 752.796 (“Fraudulent Access to Computers”) and MCL 750.85 (“Torture”) are criminal statutes that do not give rise to private causes of action. Awadv. Reilly, No. 357544, 2022 WL 17997788, at *7 (Mich. Ct. App. Dec. 29, 2022); Cent. Bank of Denver, N.A. v. First Interstate Bank of Denver, N.A., 511 U.S. 164, 190 (1994); Am. Postal Workers Union, AFL-CIO, Detroit Local v. Indep. Postal Sys. of Am., Inc., 481 F.2d 90, 93 (6th Cir. 1973) (“the general rule is that a private right of action is not maintainable under a criminal statute.”). MCL 600.2919a is Michigan's “statutory conversion remedy,” which “allows a plaintiff to recover three times the amount of damages on a conversion claim if the plaintiff can show the defendant converted the plaintiffs property ‘to the [defendant's] own use,'” Reed v. Presque Isle Cnty., 702 F.Supp.3d 553, 586 (E.D. Mich. 2023), but here Croy's claim is that Google is preventing him from accessing his Referralrewards@gmail.com account “by secretly disabling [his] access” to the account, not that Google has actually taken or used the alleged “Bitcoin information” contained therein. Finally, MCL 600.5855 is Michigan's fraudulent concealment tolling provision, which does not create an independent cause of action. Universal Bearing Co. v. Baker Bearing Co., No. 10-11142, 2013 WL 1211463, at *3 (E.D. Mich. Mar. 25, 2013) (“Under Michigan law, fraudulent concealment is not an independent cause of action and damages may not be awarded.”).
Google filed a motion to dismiss, which has been fully briefed. (ECF Nos. 17, 22, 27). The Court finds that oral argument will not aid it in resolving the motions, and declines to hold a hearing. See E.D. Mich. LR 7.1(f)(2).
Standard of Review
A motion to dismiss pursuant to Fed.R.Civ.P. 12(b)(6) tests a complaint's legal sufficiency. “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). The plausibility standard “does not impose a probability requirement at the pleading stage; it simply calls for enough facts to raise a reasonable expectation that discovery will reveal evidence of illegal [conduct].” Twombly, 550 U.S. at 556. Put another way, the complaint's allegations “must do more than create speculation or suspicion of a legally cognizable cause of action; they must show entitlement to relief.” League of United Latin Am. Citizens v. Bredesen, 500 F.3d 523, 527 (6th Cir. 2007) (emphasis in original) (citing Twombly, 550 U.S. at 555-56).
Pleadings filed by pro se litigants are entitled to a more liberal reading than would be afforded to formal pleadings drafted by lawyers. See Thomas v. Eby, 481 F.3d 434, 437 (6th Cir. 2007). Nonetheless, “[t]he leniency granted to pro se [litigants] . . . is not boundless,” Martin v. Overton, 391 F.3d 710, 714 (6th Cir. 2004), and “such complaints still must plead sufficient facts to show a redressable legal wrong has been committed.” Baker v. Salvation Army, 2011 WL 1233200, at *3 (E.D. Mich. Mar. 30, 2011).
Analysis
In its motion to dismiss, Google argues that Croy's “fantastical allegations are conclusory and implausible,” and each of his claims under the CFAA, Wiretap Act, COPPA, and federal wire and mail fraud statutes fail to state a cause of action. The Sixth Circuit has held that a complaint is subject to dismissal when it consists of “fantastical” allegations that lack “facial plausibility.” Burnett v. Garland, No. 20-2158, 2021 WL 4097505 (6th Cir. June 28, 2021); see also Hellmuth v. Hood, 2019 WL 9088170, at *3 (6th Cir. Dec. 20, 2019) (affirming dismissal of a complaint consisting of allegations that were “too speculative” and “implausible.”). Here, while Croy's complaint raises a far- fetched “scheme” among Google's CEO and Board Members and the USPS to fraudulently delete his Gmail account (and other users' email accounts), resulting in him allegedly being unable to access Bitcoin information worth more than $800,000,000 dollars that he emailed himself almost 15 years ago, the Court declines to recommend dismissal on that basis. However, dismissal of Croy's complaint is appropriate based on Google's more substantive arguments, which the Court will address below.
Computer Fraud and Abuse Act (“CFAA”) Claims
The CFAA “criminalizes certain computer-fraud crimes and creates a civil cause of action” for those harmed by such crimes. Pulte Homes, Inc. v. Laborers' Int'l Union of N. Am., 648 F.3d 295, 299 (6th Cir. 2011). In his operative complaint, Croy appears to allege that Google violated the CFAA in two respects: (1) Google “exceeded [its] authorized access [in] violation[] of the CFAA” by “secretly disabling user access accounts” (ECF No. 5, PageID.139, ¶ 43, 135); and (2) Google “obtain[ed], read[,] and intercept[ed] [his] Bitcoin information inside Referralrewards@gmail.com” (id., ¶ 43). While the complaint does not identify which specific provisions of the CFAA were violated, it appears from Croy's allegations that he is first referring to 18 U.S.C. § 1030(a)(5)(c), which prohibits anyone from “intentionally access[ing] a protected computer without authorization, and . . . caus[ing] damage and loss,” and 18 U.S.C. § 1030(a)(2), which prohibits anyone from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer.” Both claims fail as a matter of law.
In his 187-page response, Croy additionally cites to 18 U.S.C. §§ 1030(a)(4), (a)(5)(A), (a)(5)(B). (ECF No. 22, PageID.588-90; ECF No. 22-1, PageID.684-87). But he acknowledges in his own response that these sections all require a defendant to have acted “without authorization” or in a way that “exceeds authorized access.” For the same reasons discussed below, Croy's claims under these additional sections would likewise fail as a matter of law.
As to a claim under § 1030(a)(5)(c), Croy fails to sufficiently allege that Google accessed a “protected computer without authorization.” Here, the only “protected computer” that Google is alleged to have accessed is its own Gmail servers. See Abu v. Dickson, 2021 WL 1087442, at *5 (E.D. Mich. Mar. 22, 2021) (finding that a “cloud-based email account” qualifies as a “protected computer”); American Furukawa, Inc., v. Hossain, 103 F.Supp.3d 864, 875-76 (E.D. Mich. 2015) (finding that an employee accessed a protected computer without authorization when he accessed the company's email server to download emails during his leave of absence). However, because Google is the owner and operator of its own servers, including its Gmail server, Croy cannot show that Google's alleged improper access of that server was “without authorization.” See Pulte Homes, Inc., 648 F.3d at 304 (stating that “a person who uses a computer ‘without authorization' has no rights, limited or otherwise, to access the computer in question,” and so the court must ask whether defendant had “any right” to access) (emphasis in original and citations omitted). Thus, Croy fails to allege a violation of § 1030(a)(5)(c).
A “protected computer” is defined as any computer “used in or affecting interstate or foreign commerce or communication[.]” 18 U.S.C. § 1030(e)(8).
As to a claim under § 1030(a)(2), Croy again fails to allege that Google accessed its own Gmail servers “without authorization” for the reasons discussed above. See Pulte Homes, Inc., 648 F.3d at 304. Moreover, Croy fails to allege that Google “exceeded authorized access,” which the statute defines as “access[ing] a computer with authorization and ... us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). “Under this definition, ‘an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has ‘exceed[ed] authorized access.''” Pulte Homes, 648 F.3d at 304 (emphasis in original) (quoting LVRC Holdings LLC v Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009)). Courts have found that an entity has the authority to access emails that are stored on its own servers. See, e.g., Abu, 2021 WL 1087442, at *7 (“Defendants may have had the authority to access the emails if they were stored on Defendants' server”); Sargeant v. Maroil Trading, Inc., 2018 WL 3031841, at *7 (S.D. Fla. May 30, 2018) (“The common understanding of an entity ‘maintaining' a server would include that entity having the technological ability (i.e. the password) and the legal right to access the server.”); Freedom Calls Found. v. Bukstel, 2006 WL 845509, at *27 (E.D.N.Y. Mar. 3, 2006) (“To the extent that prior e-mails sent to Defendant's [work] email account are stored on Plaintiff's computer system, Plaintiff has the right to search those stored emails.”). Finally, Croy's assertion that Google accessed his emails “for illegal and unlawful purposes” does not change the analysis under the CFAA, as § 1030(a)(2) “covers those who obtain information from particular areas in the computer . . . to which their computer access does not extend. It does not cover those who . . . have improper motives for obtaining information that is otherwise available to them.” Van Buren v. United States, 593 U.S. 374, 378 (2021); see also Ajuba Int'l, L.L.C. v. Saharia, 871 F.Supp.2d 671, 687 (E.D. Mich. 2012) (finding that “the text of the CFAA calls for only an objective analysis of whether an individual had sufficient ‘authorization'” to access a computer, but does not “require an analysis of an individual's subjective intent in accessing a computer system.”).
In sum, because Google is merely alleged to have accessed emails stored in its own Gmail server, Croy fails to allege a valid claim under the CFAA, and such claims should be dismissed.
To the extent Croy argues in his response brief that the above caselaw is distinguishable because he did not have an employer-employee relationship with Google (ECF No. 22, ¶ 110), such argument lacks merit. The CFAA and relevant caselaw do not turn on an employer-employee relationship, but rather on whether the entity who “retains dominion and control” over the protected computer authorized access to it. See, e.g., Sargeant v. Maroil Trading Inc., 2018 WL 3031841, at *6. Here, it is undisputed that Google retains dominion and control over its Gmail server. Moreover, to the extent Croy alleges a CFAA violation because Google violated its “Terms of Services” by preventing him access to his email account, he fails to explain how that violates the CFAA, much less its own terms, which expressly provide that “you acknowledge that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google's sole discretion, without prior notice to you.” (ECF No. 5, PageID.170).
Wiretap Act Claims
Croy also alleges that Google reviewed the contents of his emails containing his Bitcoin information, in violation of the Wiretap Act, 18 U.S.C. § 2511(a). The Wiretap Act prohibits an entity from “intentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(a). The Sixth Circuit has made clear that “in order for an ‘intercept' to occur for purposes of the Wiretap Act, the electronic communication at issue must be acquired contemporaneously with the transmission of that communication.” Luis v. Zang, 833 F.3d 619, 629 (6th Cir. 2016). In other words, a contemporaneous interception requires that the “communications were still ‘in flight' for purposes of 18 U.S.C. § 2511,” and does not extend to communications that have already been sent and received. Id. at 630; see also Branden v. Branden, 2018 WL 11303983, at (E.D. Tenn. Feb. 26, 2018) (“the Federal Wiretap Act does not criminalize or provide a private right of action when a person simply accesses electronically stored communications or communications that are no longer ‘in flight.'”).
Here, Croy makes clear in his operative complaint that he emailed his Bitcoin information to himself in 2010, and alleges that it was not until he sent his letter in April 2021 to Google's CEO and Board that his email containing his Bitcoin information was purportedly “intercepted.” As discussed above, however, at least for purposes of the Wiretap Act, Google could not have “intercepted” an email that had already been sent and received, much less one sent and received more than 10 years prior. See Garback v. Lossing, 2010 WL 3733971, at *3 (E.D. Mich. Sept. 20, 2010) (“Courts have found that simply accessing another's stored email does not constitute interception because it is not done contemporaneously with the transmission of the original email.”). Accordingly, Croy fails to allege a valid “interception” of his electronic communications, and his Wiretap Act claim should be dismissed.
Indeed, Croy concedes in his response that he cannot sue Google for reviewing his email under the Wiretap Act because “the message was not in transmission.” (ECF No. 22, ¶ 102). Instead, he argues that he was fraudulently induced to provide information to Google, namely his “secretly deleted recovery security answers for Referralrewards@gmail.com.” (Id., ¶ 103). Such claim does not appear to be properly alleged in the operative complaint, and therefore would not be properly raised for the first time in his response brief. See Bates v. Green Farms Condo. Ass'n, 958 F.3d 470, 483 (6th Cir. 2020) (“Plaintiffs cannot . . . amend their complaint in an opposition brief or ask the court to consider new allegations (or evidence) not contained in the complaint.”). In any event, such claim would fail for the same reason that Croy has not established how Google intercepted a communication “in flight” by soliciting such information, and especially when Google was the intended recipient of the information. See 18 U.S.C. § 2511(2)(d); In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 274 (3d Cir. 2016) (“Here, Google was either a party to all communications with the plaintiffs' computers or was permitted to communicate with the plaintiffs' computers by Viacom, who was itself a party to all such communications. Accordingly, the plaintiffs failed to state a legally sufficient wiretapping claim.”).
Children's Online Privacy Protection Act (“COPPA”) Claims
Croy's COPPA claim appears to be based on his allegations that Google “secretly disabl[ed] accounts with missing birthdate information in order to comply with COPPA through fraudulent means.” (ECF No. 5, ¶ 137). “Under COPPA and its regulations, companies that operate websites and online services marketed toward children must provide certain disclosures about their data collection activities and must safeguard the confidentiality, security, and integrity of the children's personal online information.” Jones v. Google LLC, 73 F.4th 636, 641 (9th Cir. 2023) (citing 15 U.S.C. § 6501-06; 16 C.F.R. §§ 312.1-13). Significant to this case, “COPPA does not authorize a private right of action. Rather, the statute confers enforcement authority on the FTC, 15 U.S.C. § 6505(a), and on state attorneys general, who must notify the FTC and cooperate with it to bring civil actions as parens patriae, Id. § 6504(a).” Id.; see also In re Tiktok, Inc., Consumer Priv. Litig., 617 F.Supp.3d 904, 924 n.17 (N.D. Ill. 2022) (“Plaintiffs have not brought a COPPA claim here-nor could they, given that COPPA has no private right of action.”). Because there is no private right of action arising from a COPPA violation, Croy cannot raise a valid COPPA claim, and such claim should be dismissed.
Croy also fails to allege how enabling or disabling accounts “with missing birthdate information” violates COPPA, much less how Google improperly collected information from a child by doing so. Jones, 73 F.4th at 641.
Federal Criminal Wire Fraud and Mail Fraud Claims
Finally, Croy alleges that Google fraudulently disabled access to his Gmail account “through the use of wire,” in violation of the federal criminal wire fraud statute, 18 U.S.C. § 1343, and used the mail in furtherance of its scheme, in violation of the federal criminal mail fraud statute, 18 U.S.C. § 1341. (ECF No. 5, ¶¶ 133, 329). However, Croy cannot bring a federal civil lawsuit for criminal wire fraud or mail fraud, as the federal wire fraud and mail fraud statutes do not provide for a private cause of action. Morganroth & Morganroth v. DeLorean, 123 F.3d 374, 386 (6th Cir. 1997) (“Morganroth argues . . . DeLorean's fraud against him violated the federal mail and wire fraud statutes, 18 U.S.C. §§ 1341 & 1343. Violations of these sections of the federal criminal code, however, do not give rise to private causes of action.”); Lockhart v. Deluca, 2023 WL 5963429, at *4 (E.D. Mich. Sept. 13, 2023) (“Lockhart seeks to assert claims under 18 U.S.C. § 1341 and 18 U.S.C. § 1343, the federal criminal mail- and wire-fraud statutes. Neither of these statutes create private causes of action. Lockhart cannot bring a civil claim under these criminal statutes.”) (citations omitted). As such, Croy's wire fraud and mail fraud claims should be dismissed.
On January 16, 2024, Croy filed a “Request to Amend and/or Add Claims under Federal Rule of Civil Procedure 15(C)(1)(A) and/or Rule(C)(1)(B).” (ECF No. 34). In his filing, Croy requests to amend eight paragraphs of his complaint. However, his proposed amendments are futile. Croy's request to add a claim for “Sale of Receipt of Stolen Money” under 18 U.S.C. § 2315 fails for the same reasons as his claims under the federal criminal wire and mail fraud statutes, i.e., he has no private cause of civil action for a federal criminal violation. Croy's other minor amendments do not substantively change the allegations in his complaint, which fail to state a claim for the reasons discussed above. Accordingly, to the extent Croy's filing is construed as a motion to amend his complaint, such motion (ECF No. 34) is DENIED.
For the reasons discussed above, IT IS RECOMMENDED that Google's motion to dismiss (ECF No. 17) be GRANTED.
NOTICE TO THE PARTIES REGARDING OBJECTIONS
The parties to this action may object to and seek review of this Report and Recommendation, but are required to act within fourteen (14) days of service of a copy hereof as provided for in 28 U.S.C. § 636(b)(1) and Fed.R.Civ.P. 72(b)(2). Failure to file specific objections constitutes a waiver of any further right of appeal. Thomas v. Arn, 474 U.S. 140 (1985); Howard v. Secretary of HHS, 932 F.2d 505, 508 (6th Cir.1991); United States v. Walters, 638 F.2d 947, 949-50 (6th Cir.1981). The filing of objections which raise some issues, but fail to raise others with specificity, will not preserve all the objections a party might have to this Report and Recommendation. Willis v. Secretary of HHS, 931 F.2d 390, 401 (6th Cir.1991); Smith v. Detroit Fed'n of Teachers Local 231, 829 F.2d 1370, 1373 (6th Cir.1987). Pursuant to E.D. Mich. LR 72.1(d)(2), a copy of any objections is to be served upon this magistrate judge. A party may respond to another party's objections within 14 days after being served with a copy. See Fed.R.Civ.P. 72(b)(2); 28 U.S.C. §636(b)(1). Any such response should be concise, and should address specifically, and in the same order raised, each issue presented in the objections.