Summary
holding that access was without authorization under the CFAA where defendants "circumvented technical . . . barriers in place to restrict or bar a user's access"
Summary of this case from Enargy Power Co. v. Xiaolong Wang
Opinion
No. C 08–05780 JW.
2012-02-16
David P. Chiappetta, Corrs Chambers Westgarth, Melbourne, Vic, Indra Neel Chatterjee, Monte M.F. Cooper, Morvarid Metanat, Theresa Ann Sutton, Orrick Herrington & Sutcliffe LLP Menlo Park, CA, Joseph Perry Cutler, Perkins Coie LLP, Seattle, WA, for Plaintiff. Scott A. Bursor, Bursor & Fisher P.A., New York, NY, Alan R. Plutzik, Bramson Plutzik Mahler & Birkhaeuser, LLP, Walnut Creek, CA, Lawrence Timothy Fisher, Sarah Nicole Westcot, Bursor and Fisher, P.A., Walnut Creek, CA, Marcia Clare Hofmann, Cindy Ann Cohn, Electronic Frontier Foundation, San Francisco, CA, for Defendants.
ORDER GRANTING PLAINTIFF'S MOTIONS FOR SUMMARY JUDGMENT; DENYING DEFENDANTS' MOTION FOR SUMMARY JUDGMENT
JAMES WARE, Chief Judge.
I. INTRODUCTION
Facebook, Inc. (“Plaintiff”) brings this action against Defendants alleging violations of the Controlling the Assault of Non–Solicited Pornography and Marketing Act (“CAN–SPAM Act”), 15 U.S.C. §§ 7701 et seq., the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and California Penal Code § 502. Plaintiff alleges that Defendants accessed its website in an unauthorized manner, and then utilized this unauthorized access to send unsolicited and misleading commercial e-mails to Facebook users.
Defendants are Power Ventures, Inc. (“Power”) and Steven Vachani (“Vachani”).
Presently before the Court are Plaintiff's Motions for Summary Judgment on Counts One, Two and Three, and Defendants' Motion for Summary Judgment on all counts. The Court conducted a hearing on January 23, 2012. Based on the papers submitted to date and oral argument, the Court GRANTS Plaintiff's Motions for Summary Judgment on all counts, and DENIES Defendants' Motion for Summary Judgment.
(Facebook, Inc.'s Corrected Notice of Motion and Motion for Partial Summary Judgment on Count 1; Memorandum of Points and Authorities in Support Thereof, hereafter, “CAN–SPAM MSJ,” Docket Item No. 215.)
(Notice of Motion, Motion and Memorandum of Points and Authorities for Partial Summary Judgment under California Penal Code § 502 and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, hereafter, “Fraud MSJ,” Docket Item No. 214.)
(Notice of Motion, Motion, and Memorandum of Law in Support of Defendants' Motion for Summary Judgment, hereafter, “Defendants' MSJ,” Docket Item No. 98.)
II. BACKGROUND
A. Undisputed Facts
Plaintiff owns and operates the widely popular social networking website located at http://www.facebook.com. Defendant Power is a corporation incorporated in the Cayman Islands doing business in the State of California. Defendants operate a website, www.power.com, which offers to integrate multiple social networking accounts into a single experience on Power.com. (FAC ¶ 5; Answer ¶ 5.) Defendant Vachani is the CEO of Power. (Id. ¶ 11; Id. ¶ 11.)
(First Amended Complaint ¶ 20, hereafter, “FAC,” Docket Item No. 9; Amended Answer and Counterclaims of Defendants Power Ventures, Inc. and Steve Vachani ¶ 20, hereafter, “Answer,” Docket Item No. 54.)
(FAC ¶ 10; Answer ¶ 10.)
Users of Plaintiff's website register with a unique username and password. (FAC ¶ 21; Answer ¶ 21.) Before Plaintiff activates a username and permits a user to access certain features of Facebook, the user must agree to Plaintiff's Terms of Use. ( Id. ¶ 29; Id. ¶ 29.) The Terms of Use require users to refrain from using automated scripts to collect information from or otherwise interact with Facebook, impersonating any person or entity, or using Facebook website for commercial use without the express permission of Facebook. ( Id. ¶ 30; Id. ¶ 30.)
On or before December 1, 2008, Power began advertising and offering integration with Plaintiff's site. (FAC ¶ 49; Answer ¶ 49.) Power permitted users to enter their Facebook account information and access Facebook site through Power.com. ( Id. ¶ 50; Id. ¶ 50.) At no time did Defendants receive permission from Plaintiff to represent that solicitation of Facebook usernames and passwords was authorized or endorsed by Plaintiff. ( Id. ¶ 53; Id. ¶ 53.)
On or before December 26, 2008, Power began a “Launch Promotion” that promised Power.com's users the chance to win one hundred dollars if they successfully invited and signed up new Power.com users. (FAC ¶ 65; Answer ¶ 65.) As part of this promotion, Power provided participants with a list of their Facebook friends, obtained by Power from Facebook, and asked the participant to select which of those friends should receive a Power invitation. (Id. ¶ 66; Id. ¶ 66.) The invitations sent to those friends purport to come from “Facebook” and used an “@facebookmail.com” address, not a Power.com address. (Id. ¶ 68; Id. ¶ 68.)
On December 1, 2008, Plaintiff notified Defendant Vachani of its belief that Power's access of Plaintiff's website and servers was unauthorized and violated Plaintiff's rights. (FAC ¶ 57; Answer ¶ 57.) Facebook subsequently implemented technical measures to block users from accessing Facebook through Power.com. ( Id. ¶ 63; Id. ¶ 63.)
B. Procedural History
On December 30, 2008, Plaintiff filed its initial Complaint. ( See Docket Item No. 1.) On January 13, 2009, Plaintiff filed the First Amended Complaint naming both Power Ventures and Vachani as Defendants. ( See FAC at 1.) On March 23, 2009, Defendants moved to dismiss Plaintiff's Complaint or, in the alternative, for a more definite statement. ( See Docket Item No. 17.) On May 11, 2009, 2009 WL 1299698, the Court denied Defendants' Motion to Dismiss as to all claims. ( See Docket Item No. 38.) On November 23, 2009, Defendants answered Plaintiff's First Amended Complaint and asserted counterclaims under the Sherman Antitrust Act and California's Unfair Competition Law. ( See Answer ¶¶ 167–185.)
On December 23, 2009, Plaintiff filed a Motion for Judgment on the Pleadings or, in the Alternative, Partial Summary Judgment of Liability Under California Penal Code Section 502(c). (See Docket Item No. 56.) The same day, Plaintiff also filed a Motion to Dismiss Defendants' Counterclaims and Strike Defendants' Affirmative Defenses. (See Docket Item No. 58.) On January 15, 2010, Defendants filed a Cross–Motion for Summary Judgment. (See Docket Item No. 62.) On February 26, 2010, Judge Fogel recused himself from the case. (See Docket Item No. 72.) On March 2, 2010, the case was reassigned to Judge Ware. (See Docket Item No. 73.) On July 20, 2010, the Court denied Plaintiff's Motion for Judgment on the Pleadings or Summary Judgment, denied Plaintiff's Motion to Strike Defendants' Affirmative Defenses, denied Defendants' Motion for Summary Judgment and granted Plaintiff's Motion to Dismiss Defendants' Counterclaims.
( See Order Denying Facebook's Motion for Judgment on the Pleadings; Denying the Parties' Cross–Motions for Summary Judgment; Granting Facebook's Motion to Dismiss Defendants' Counterclaims; Denying Facebook's Motion to Strike Defendants' Affirmative Defenses, hereafter, “July 20 Order,” Docket Item No. 89.)
Presently before the Court are the parties' Motions for Summary Judgment.
III. STANDARDS
Summary judgment is proper when the moving party shows that there is no genuine dispute as to any material fact. Fed.R.Civ.P. 56(a). The purpose of summary judgment “is to isolate and dispose of factually unsupported claims or defenses.” Celotex v. Catrett, 477 U.S. 317, 323–24, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). The moving party “always bears the initial responsibility of informing the district court of the basis for its motion, and identifying the evidence which it believes demonstrates the absence of a genuine issue of material fact.” Id. at 323, 106 S.Ct. 2548. If the moving party meets its initial burden, the “burden then shifts to the nonmoving party to establish, beyond the pleadings, that there is a genuine issue for trial.” Miller v. Glenn Miller Prods., Inc., 454 F.3d 975, 987 (9th Cir.2006) (citing Celotex, 477 U.S. at 324, 106 S.Ct. 2548).
When evaluating a motion for summary judgment, the court views the evidence through the prism of the evidentiary standard of proof that would pertain at trial. Anderson v. Liberty Lobby Inc., 477 U.S. 242, 255, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). The court draws all reasonable inferences in favor of the nonmoving party, including questions of credibility and of the weight that particular evidence is accorded. See, e.g., Masson v. New Yorker Magazine, Inc., 501 U.S. 496, 520, 111 S.Ct. 2419, 115 L.Ed.2d 447 (1991). The court determines whether the non-moving party's “specific facts,” coupled with disputed background or contextual facts, are such that a reasonable jury might return a verdict for the non-moving party.
T.W. Elec. Serv. v. Pac. Elec. Contractors, 809 F.2d 626, 631 (9th Cir.1987). In such a case, summary judgment is inappropriate. Anderson, 477 U.S. at 248, 106 S.Ct. 2505. However, where a rational trier of fact could not find for the non-moving party based on the record as a whole, there is no “genuine issue for trial.” Matsushita Elec. Indus. Co. v. Zenith Radio, 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986).
Although the district court has discretion to consider materials in the court file not referenced in the opposing papers, it need not do so. See Carmen v. San Francisco Unified Sch. Dist., 237 F.3d 1026, 1028–29 (9th Cir.2001). “The district court need not examine the entire file for evidence establishing a genuine issue of fact.” Id. at 1031. However, when the parties file cross-motions for summary judgment, the district court must consider all of the evidence submitted in support of both motions to evaluate whether a genuine issue of material fact exists precluding summary judgment for either party. Fair Housing Council of Riverside Cnty., Inc. v. Riverside Two, 249 F.3d 1132, 1135 (9th Cir.2001).
IV. DISCUSSION
Plaintiff moves for summary judgment on the grounds that: (1) the undisputed evidence establishes that Defendants sent misleading commercial e-mails through Facebook's network in violation of the CAN–SPAM Act; and (2) the undisputed evidence also establishes that Defendants utilized technical measures to access Facebook without authorization, in violation of both the CFAA and California Penal Code Section 502. Defendants respond that: (1) because Plaintiff's own servers sent the commercial e-mails at issue, Defendants did not initiate the e-mails as a matter of law; and (2) Defendants did not circumvent any technical barriers in order to access Facebook site, precluding liability under the CFAA or Section 502. Defendants further contend that Plaintiff suffered no damages as a result of Defendants' actions, and thus lacks standing to bring a private suit for Defendants' conduct. ( Id. at 15–16, 19–20.)
(CAN–SPAM MSJ at 12–16.)
(Fraud MSJ at 1.)
(Defendants' MSJ at 5, 16–17.)
A. The CAN–SPAM Act
At issue is whether the conduct of Defendants, as established by the undisputed evidence, constitutes a violation of the CAN–SPAM Act.
The CAN–SPAM Act provides that “[i]t is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading.” 15 U.S.C. § 7704(a)(1). The Act also creates a private right of action for internet service providers adversely affected by violations of this provision. See id. § 7706(g)(1). To prevail on a CAN–SPAM Act claim, a plaintiff must establish not only that the defendant violated the substantive provisions of the Act, but also that the plaintiff was adversely affected by this violation such that it satisfies the statutory standing requirements. See Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1048 (9th Cir.2009). The Court considers each requirement in turn.
1. Standing
At issue is whether Plaintiff has standing to assert a claim under the CAN–SPAM Act.
Standing under Section 7706 “involves two general components: (1) whether the plaintiff is an ‘Internet access service’ provider (‘IAS provider’), and (2) whether the plaintiff was ‘adversely affected by’ statutory violations.” Gordon, 575 F.3d at 1049 (citation omitted).
Here, Defendants concede that Plaintiff is an IAS provider. Therefore, the only question before the Court in determining Plaintiff's standing is whether Plaintiff was “adversely affected” by the alleged violations at issue.
( See Defendants' MSJ at 13.)
In Gordon, the Ninth Circuit explained that not all possible harms to an IAS provider constitute harm within the meaning of the Act, and distinguished those harms sufficient to confer standing from those outside the scope of Congress' intent. See 575 F.3d at 1049–55. After discussing the congressional decision to confer standing upon IAS providers but not end-consumers affected by commercial e-mails, the court concluded that “[l]ogically, the harms redressable under the CAN–SPAM Act must parallel the limited private right of action and therefore should reflect those types of harms uniquely encountered by IAS providers.” Id. at 1053. Thus, while the “mere annoyance” of spam encountered by all e-mail users is not sufficient to confer standing, the court identified the costs of investing in new equipment to increase capacity, customer service personnel to address increased subscriber complaints, increased bandwidth, network crashes, and the maintenance of anti-spam and filtering technologies as the “sorts of ISP-type harms” that Congress intended to confer standing. Id. at 1053. Thus, the court noted, “[i]n most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail would suffice.” Id. at 1054 (citation omitted).
Id. at 1053–54.
Here, in support of its contention that it has standing to pursue a CAN–SPAM Act claim, Plaintiff offers the following evidence:
(1) Around December 1, 2008 Ryan McGeehan, manager of Plaintiff's Security Incident Response Team (“SIR Team”), determined that Power was running an automated scripting routine to harvest data and download it to the Power.com website. McGeehan then spent substantial time and effort determining what steps were necessary to contain Power's spamming. ( Id. ¶ 12.) It was determined that at least 60,627 event invitations were sent to Facebook users due to Power's activities. ( Id.) On December 12, 2008, after Plaintiff's counsel sent Power a cease and desist letter, and the activity did not stop, Plaintiff attempted to block Power's access by blocking what appeared to be its primary IP address. ( Id. ¶ 13.) On December 22, 2008, McGeehan determined that Power was still accessing Facebook through new IP addresses. ( Id. ¶ 14.) Plaintiff then attempted to block these IP addresses as well. ( Id. ¶ 13.) In early 2009, Facebook blacklisted the term Power.com, preventing that term from appearing anywhere on the site. ( Id. ¶ 16.) In implementing these measures, McGeehan spent at least three to four days of his own engineering time addressing security issues presented by Power. ( Id. ¶ 17.)
( See Declaration of Ryan McGeehan in Support of Facebook's Motion for Partial Summary Judgment on Count 1 Under the CAN–SPAM Act ¶¶ 1, 7, hereafter, “McGeehan Decl.,” Docket Item No. 213–4.)
(2) On December 1, 2008, Joseph Cutler sent a cease and desist letter to Power.com. After this letter was sent Cutler was contacted by Steve Vachani, who identified himself as the owner and operator of Power Ventures. ( Id. ¶ 7.) In this and subsequent discussions, Vachani assured Cutler that the functionality of the Power website would be changed to comply with Facebook's requests. ( Id. ¶¶ 9–10.) On December 27, 2008, Cutler received an e-mail saying that Power Ventures would not change its website as earlier stated. ( Id. ¶ 13.) From fall of 2008 through early 2009, Facebook spent approximately $75,000 on Cutler's firm related to Power Venture's actions. ( Id. ¶ 15.)
( See Declaration of Joseph Cutler in Support of Facebook, Inc.'s Motion for Partial Summary Judgment for Liability Under the CAN–SPAM Act ¶ 6, hereafter, “Cutler Decl.,” Docket Item No. 213–2.)
Defendants do not dispute the accuracy or veracity of this evidence of Plaintiff's expenditures. Instead, Defendants contend that, as a matter of law, these are not the sorts of harm that give rise to standing under Gordon, as they fall within the category of negligible burdens routinely borne by IAS providers. In support of this contention, Defendants rely on the following evidence:
(Defendants' Memorandum of Points and Authorities in Opposition to Facebook's Motion for Partial Summary Judgment on Count 1 (CAN–SPAM Act, 15 U.S.C. § 7704) at 14–15, hereafter, “CAN–SPAM Opp'n,” Docket Item No. 234.)
(1) In the fourth quarter of 2008, Plaintiff received 71,256 user complaints that contained the word “spam.” (McGeehan Decl. ¶ 5.) Facebook did not produce any evidence of customer complaints specifically referencing the e-mails at issue in this case.
( See Declaration of L. Timothy Fisher in Support of Defendants' Motion for Summary Judgment ¶ 4, hereafter, “Fisher Decl.,” Docket Item No. 106; see also Fisher Decl., Ex. B, Facebook, Inc.'s Objections and Response to Defendants' Requests for Production, Set One, Docket Item No. 106.)
(2) Craig Clark, litigation counsel at Facebook, testified that he was not aware of any documents that would be responsive to any of the requests for production made by Defendants. These requests for production included requests for all documents regarding any injury that Plaintiff suffered, expenditures Plaintiff made, or user complaints that Plaintiff received as a result of the events complained of in Plaintiff's First Amended Complaint.
(Fisher Decl., Ex. C, Deposition of Craig Clark at 118:20–118:23, hereafter, “Clark Depo.,” Docket Item No. 106.) Plaintiff objects to Defendants' reliance on Mr. Clark's testimony because Mr. Clark was deposed in his personal capacity, rather than pursuant to Fed.R.Civ.P. 30(b)(6), and thus Plaintiff contends that Mr. Clark's answers to the questions presented to him are irrelevant because he does not speak on behalf of Facebook. ( See Docket Item No. 240 at 17–23.) For the purposes of this Order only, Plaintiff's objection to the Clark deposition is OVERRULED because harm to Plaintiff is established irregardless of Mr. Clark's testimony.
(Fisher Decl., Ex. A, Defendants' First Requests for Production Pursuant to Fed.R.Civ.P. 34, Docket Item No. 106.)
Upon review, on the basis of these undisputed facts, the Court finds that Plaintiff has demonstrated an “adverse effect” from Defendants' conduct sufficient to confer standing. The evidence submitted by Plaintiff is not limited to documenting a general response to spam prevention, but rather shows acts taken and expenditures made in response to Defendants' specific acts. These specific responses to Defendants' actions distinguish Plaintiff's damages from those in the cases relied upon by Defendants, which asserted only the costs of general spam prevention as the basis for standing. In particular, since Plaintiff documented a minimum of 60,000 instances of spamming by Defendants, the costs of responding to such a volume of spamming cannot be categorized as “negligible.” See Gordon, 575 F.3d at 1055–56. The Court finds that under Gordon and Azoogle, though the general costs of spam prevention may not confer standing under the CAN–SPAM Act, documented expenditures related to blocking a specific offender may. This is particularly true where, as here, Defendants' spamming activity was ongoing, prolific, and did not stop after requests from the network owner. Thus, as the undisputed evidence establishes that Plaintiff expended significant resources to block Defendants' specific spamming activity, the Court finds that Plaintiff has standing to maintain a CAN–SPAM action.
(See, e.g., McGeehan Decl. ¶¶ 8–17; see also Id., Ex. 4, Electronic Ticket Documenting McGeehan's Attempts to Block Defendant's Access to Facebook, Docket Item No. 213–7.)
(See, e.g., CAN–SPAM Opp'n at 15) (citing ASIS Internet Servs. v. Azoogle.com, Inc., 357 Fed.Appx. 112, 113–14 (9th Cir.2009)).
2. Merits of CAN–SPAM Act Claim
At issue is whether Defendants' conduct, as established by the undisputed facts, violates the substantive provisions of the CAN–SPAM Act. The Act makes it unlawful, inter alia, “for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading.” 15 U.S.C. § 7704(a)(1). Defendants contend that Plaintiff's CAN–SPAM Act claim must fail because: (1) the undisputed facts establish that Plaintiff itself, and not Defendants, initiated the e-mails at issue; and (2) because Plaintiff sent the e-mails, the header information identifying Facebook as the sender was accurate and not misleading. The Court considers each element in turn.
(Defendants' MSJ at 12–14.)
a. Initiation of Commercial E-mails
At issue is whether Defendants initiated the e-mails associated with the Launch Promotion.
The CAN–SPAM Act provides that “[t]he term ‘initiate,’ when used with respect to a commercial electronic mail message, means to originate or transmit such message or to procure the origination or transmission of such message, but shall not include actions that constitute routine conveyance of such message. For purposes of this paragraph, more than one person may be considered to have initiated a message.” 15 U.S.C. § 7702(9). The word “procure,” in turn, is defined to mean “intentionally to pay or provide other consideration to, or induce, another person to initiate such a message on one's behalf.” Id. § 7702(12).
In support of its claim that Defendants initiated the e-mails at issue, Plaintiff offers the following undisputed evidence:
(1) On or before December 26, 2008, Defendant Power began a “Launch Promotion” that offered site users $100 if they successfully invited and signed up the most new Power.com users. (FAC ¶ 65; Answer ¶ 65.) As part of the promotion, Power obtained a list of the user's Facebook friends and asked the participant to select which of those friends should receive a Power.com invitation. ( Id. ¶ 66; Id. ¶ 66). Selected friends would then receive an e-mail in which Facebook was listed as the sender, promoting an event “Bring 100 Friends and win 100 bucks!” ( Id. ¶ 70; Id. ¶ 70.) Defendant admits that Power.com's “offer of potential monetary compensation may have induced some Facebook users to participate in Power's launch program.” ( Id. ¶ 72; Id. ¶ 72.)
(2) The testimony of Vachani that Power.com both authored the text contained in the e-mails and provided the link contained therein that would allow recipients to sign up for Power.com.
(Declaration of Monte M.F. Cooper in Support of Facebook, Inc.'s Motion for Partial Summary Judgment on Count 1 under the CAN–SPAM Act, hereafter, “Cooper Decl.,” Ex. 2, Deposition of Steven Vachani at 197:4–197:12, hereafter, “Vachani Depo.,” Docket Item No. 229.)
(3) The launch promotion feature that offered the $100 reward was made available to Power.com users through Power.com. (Vachani Depo. at 264:2–264:8.) None of the social networking networks on Power.com created the contents of the launch promotion feature. ( Id. at 264:9–264:12.)
(4) The declaration of Facebook's technical expert, Lawrence Melling, that based on his study of the software created by Defendant Power and its code, the script would automatically insert Power as the host of the event and the event location. The script also automatically generated a guest list for the event if one was not provided, and did so by accessing the user's Facebook friends list. ( Id. ¶ 19.) The script would then automatically send Facebook event invitations to each Facebook user on the guest list on behalf of Power. ( Id. ¶ 20.)
(Declaration of Lawrence Melling in Support of Facebook, Inc.'s Motion for Partial Summary Judgment on Count 1 of the CAN–SPAM Act ¶ 18, hereafter, “Melling Decl.,” Docket Item No. 217.)
(5) The testimony of Vachani that Power eventually paid 30–40 people who got 100 or more friends to sign up. (Vachani Depo. at 189:5–9.)
Defendants, while not disputing the accuracy of the above facts, contend that as a matter of law, they did not “initiate” the e-mails at issue because the e-mails were authorized by Facebook users and sent from Facebook's own servers. In support of this contention, Defendants rely upon the facts, also undisputed, that after a user authorized the creation of an event as part of the Launch Promotion, Facebook servers automatically filled in the header information and sent an e-mail to each person on the event guest list.
( See Defendants' MSJ at 5–8.)
( See Clark Depo. at 98:18–99:25.)
Upon review, the Court finds that based on these undisputed facts, Defendants initiated the e-mails sent through the Launch Promotion. Although Facebook servers did automatically send the e-mails at the instruction of the Launch Program, it is clear that Defendants' actions – in creating the Launch Promotion, importing users' friends to the guest list, and authoring the e-mail text – served to “originate” the e-mails as is required by the Act. To hold that Plaintiff originated the e-mails merely because Facebook servers sent them would ignore the fact that Defendants intentionally caused Facebook's servers to do so, and created a software program specifically designed to achieve that effect. Further, while Defendants emphasize that Facebook users authorized the creation of events resulting in the e-mails, the Court finds that Defendants procured these users to do so by offering and awarding monetary incentives to provide such authorization. Thus, even if Facebook users may be viewed as initiators of the e-mails because of their participation in the Launch Promotion, Defendants are nonetheless also initiators as a matter of law because of their procurement of user participation.
See 15 U.S.C. § 7702(9).
(See, e.g., Defendants' MSJ at 7.)
See 15 U.S.C. § 7702(12).
Accordingly, the Court finds that Defendants did initiate the e-mails at issue within the meaning of the CAN–SPAM Act.
b. Whether the E-mails Are Misleading
At issue is whether the e-mails sent as a result of the Launch Promotion contain header information that is false or misleading.
The CAN–SPAM Act defines header information as “the source, destination, and routing information attached to an electronic mail message, including the originating domain name and originating electronic mail address, and any other information that appears in the line identifying, or purporting to identify, a person initiating the message.” 15 U.S.C. § 7702(8). The Act further provides that “header information shall be considered materially misleading if it fails to identify accurately a protected computer used to initiate the message because the person initiating the message knowingly uses another protected computer to relay or retransmit the message for purposes of disguising its origin.” Id. § 7704(a)(1)(C). A false or misleading statement is considered material if “the alteration or concealment of header information” would impair the ability of an IAS provider or a recipient to “identify, locate, or respond to a person who initiated the electronic mail message.” Id. § 7704(a)(6).
Here, for the reasons discussed above, Defendants were initiators of the e-mail messages at issue. But because Defendants' program caused Facebook servers to automatically send the e-mails, these e-mails contained an “@facebookmail.com” address. These e-mails did not contain any return address, or any address anywhere in the e-mail, that would allow a recipient to respond to Defendants. Thus, as the header information does not accurately identify the party that actually initiated the e-mail within the meaning of the Act, the Court finds that the header information is materially misleading as to who initiated the e-mail.
(FAC ¶¶ 68–69; Answer ¶¶ 68–69.)
(Declaration of Theresa Sutton in Support of Plaintiff Facebook, Inc.'s Opposition to Defendants' Motion for Summary Judgment, hereafter, “Sutton Decl.,” Ex. 4, Defendant Power Ventures, Inc.'s Responses to Facebook, Inc.'s First Set of Requests for Admissions at No. 50, hereafter, “Defendants' Admissions,” Docket Item No. 241–3.)
Defendants contend that even if the Court finds that they did initiate the e-mails at issue, they cannot be held liable for violations of the CAN–SPAM Act on the grounds that: (1) the text of the e-mails itself includes information about Power.com; and (2) Defendants had no control over the headers of the e-mails. The Court finds that both of these contentions are unavailing. First, the presence of a misleading header in an e-mail is, in and of itself, a violation of the CAN–SPAM Act, insofar as the Act prohibits the use of misleading header information. Thus, the fact that the text of the e-mails at issue may have included information about Power.com is irrelevant, for purposes of liability under the Act. Second, the question of whether Defendants had control over the headers is also irrelevant. In particular, the Court finds that the fact that Defendants used a program that was created and controlled by another to send e-mails with misleading headers does not absolve them of liability for sending those e-mails.
(Defendant's Motion at 14.) The latter argument was also made by Amicus Curiae Electronic Frontier Foundation (“EFF”), which contends that because the Facebook system auto-generates the header information provided in the e-mails, commercial users should not be held responsible for their content. ( See Brief of Amicus Curiae Electronic Frontier Foundation in Support of Defendant Power Ventures' Motion for Summary Judgment on Count 1 (CAN–SPAM Act, 15 U.S.C. § 7704) and Under California Penal Code § 502 and the Computer Fraud and Abuse Act at 18–19, hereafter, “EFF Brief,” Docket Item No. 206–2.)
See 15 U.S.C. § 7704(a)(1).
Amicus EFF contends that the CAN–SPAM Act's prohibition on the sending of misleading commercial e-mails should not be applied to e-mails sent through a system like that of Facebook, in which the headers are auto-generated by servers and not controlled by the individual users. (EFF Brief at 20.) However, the Court finds no statutory basis for creating such an exception to the CAN–SPAM Act. The Act makes it unlawful to “initiate the transmission” of any e-mail message that is “accompanied by” misleading header information. 15 U.S.C. § 7704(a)(1). Nothing in this language requires that the user actually create the misleading header information, as opposed to utilizing a system already in place to auto-generate a header.
In sum, the Court finds that the undisputed facts establish that Defendants initiated the sending of e-mails with false or misleading heading information under the CAN–SPAM Act, and that Plaintiff suffered adverse effects as contemplated by the Act sufficient to convey standing to maintain a private cause of action. Accordingly, the Court GRANTS Plaintiff's Motion for Summary Judgment on Count One, and DENIES Defendants' Motion for Summary Judgment as to Count One.
B. California Penal Code § 502
At issue is whether Defendants' conduct, as established by the undisputed facts, violated California Penal Code § 502 (“Section 502”).
Section 502(c) provides that a person is guilty of a public offense if he, inter alia: (1) knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network; (2) knowingly and without permission uses or causes to be used computer services; or (3) knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network. See Cal.Penal Code § 502(c)(2), (3) & (7). Section 502(e) provides that “the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief.” See Id. § 502(e).
Here, the Court has already held that Plaintiff has suffered sufficient harm to have standing under Section 502. ( See July 20 Order at 8.) In addition, Defendants admit that they took, copied, or made use of data from Facebook website without Facebook's permission to do so. (Defendants' Admissions at 22.) Therefore the only question remaining before the Court, in determining whether Defendants violated Section 502, is whether Defendants' access to Facebook was “without permission” within the meaning of Section 502.
Defendants continue to contend that Plaintiff did not suffer any loss as is required by Section 502 and therefore lacks standing to bring a private cause of action. ( See Defendants' MSJ at 19–20.) In so doing, Defendants suggest that the Court's July 20 Order declined to reach the issue of loss because it denied both parties' motions for summary judgment at that time. ( Id.) The Court finds, however, that this interpretation of its Order is misguided, as it ignores the plain statement that “[s]ince the undisputed facts demonstrate that Facebook has suffered some damage or loss in attempting to block Power's access to Plaintiff's website, the Court finds that Facebook has standing to bring suit under Section 502.” (July 20 Order at 8.)
In its July 20 Order, the Court explained at great length that a particular use of a computer network which violates that network's terms of use is insufficient to establish that the use was “without permission” pursuant to Section 502. Where, however, a party accesses the network in a manner that circumvents technical or code-based barriers in place to restrict or bar a user's access, then the access does qualify as being “without permission.” ( See Id. at 18–20.) Accordingly, the question before the Court is whether the undisputed evidence establishes that Defendants circumvented technical or code-based barriers in order to access Facebook.
( See July 20 Order at 8–20.)
In support of the contention that Defendants did circumvent technical barriers designed to block their access to Facebook, Plaintiff relies on the following evidence:
(1) In response to the question if he at any time became aware that Facebook was attempting to block Power, Vachani answered: “I don't know if they were—[o]bviously, we expected that they would but he we [sic] also know that our system doesn't get blocked because there's nothing—there's nothing it's technically doing. It's just users accessing the site so that it can't really be blocked.... We know [sic] that they would try, but we also know that it was built to—it would not be blockable.”
(Declaration of Morvarid Metanat in Support of Facebook's Motion for Partial Summary Judgment Under California Penal Code § 502 and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, hereafter, “Metanat Decl.,” Ex. 2, Deposition of Steve Vachani at 323:17–324:8, hereafter, “Vachani Depo. 2,” Docket Item No. 236–2.)
(2) The expert report of Bob Zeidman and Lawrence Melling, who analyzed the code and software used by Power.com to determine if it was designed to circumvent technical barriers. The report concludes that the code used a number of routines to avoid being blocked by websites like Facebook, including the use of proxy servers if one server was blocked by a website. ( Id. ¶¶ 55–60.) The code would routinely monitor each server to see if an IP address was blocked and change the IP address if it was. ( Id. ¶¶ 59–60.) The report concludes that substantial effort went into designing the proxy system and that one of the objectives of the design was to reconfigure the IP connections if an IP address was blocked. ( Id. ¶ 61.)
(Expert Report of Bob Zeidman and Lawrence Melling ¶¶ 25, filed under seal.) This Report was filed under seal. However, the Court finds that the portions of the Report discussed in this Order were not appropriately sealed. Accordingly, the Court UNSEALS the Report for purposes of discussing its contents in this Order.
(3) The testimony of Ryan McGeehan that on December 12, 2008, Facebook attempted to block Power's access to the site by blocking what appeared to be its primary IP address. (McGeehan Decl. ¶ 13.) Following the block, Facebook determined that Power was circumventing the block by using other IP addresses. ( Id.) Facebook attempted to block these addresses as they discovered them “in a game of cat and mouse.” ( Id.)
(4) An e-mail from Vachani to members of his staff, sent after Vachani received a cease and desist letter from Plaintiff, stating “we need to be prepared for Facebook to try and block us and then turn this into a national battle that gets us huge attention.”
(Metanat Decl., Ex. 6, E-mail from Steven Vachani, Docket Item No. 236–6; see also Vachani Depo. 2 at 313:3–313:7.)
(5) A transcript of a discussion between Vachani and a member of his staff in which they discuss the process of starting to fetch profile data from another social networking website, Orkut. Vachani says “we also need to do some planning to make sure that we do it in a way where we are not really detected. [P]ossible rotating IP's or something. [D]on't really understand this too well. Greg may also have some ideas.” ( Id. at 3.) The staff member responds “yah. [R]otating IP if we can set then its very good as when [O]rkut will see so much band[w]idth use by perticular[sic] IP then they will block that perticulat [sic] IP.” ( Id. at 3–4.) Vachani responds “We need to plan this very carefully since we will have only one chance to do it ... we might need to rotate with over 200 IP's or even more to do it perfectly.” ( Id. at 4.)
(Declaration of I. Neel Chatterjee in Support of Reply Memorandum in Support of Facebook's Motions for Partial Summary Judgment Under: 1) on [sic] Count 1 the Can–Spam Act; and 2) California Penal Code § 502 and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, Ex. 2, Docket Item No. 248–2.)
In support of their contention that they did not circumvent technical barriers imposed by Plaintiff, Defendants offer the following evidence:
Vachani's testimony that in December 2008, Facebook attempted to prevent Power's users from accessing Facebook through Power.com by blocking one IP address utilized by Power. “Facebook's IP block was ineffective because it blocked only one outdated IP address Power had used, and did not block other IPs that Power was using in the normal course of business.” ( Id. ¶ 11.) “Power did not undertake any effort to circumvent that block, and did not provide users with any tools designed to circumvent it.” ( Id.) After it became aware of the attempted IP blocking, Power undertook efforts to implement Facebook Connect as Facebook had requested. ( Id. ¶ 12.)
(Declaration of Steve Vachani in Support of Defendants' Opposition to Facebook's Motions for Partial Summary Judgment on Count 1 (Can-spam Act, 15 U.S.C [sic] § 7704) and Under California Penal Code § 502 and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ¶ 10, Docket No. 189.)
Plaintiff objects to Vachani's testimony regarding Facebook's blocks of the Power site on the grounds that Vachani lacks personal knowledge of how such technical measures worked and because he is not an expert qualified to opine on the functionality of a technical barrier. ( See Docket Item No. 240 at 14.) For purposes of this Order only, the Court finds that Vachani's lack of qualifications as an expert affects the weight his testimony should be accorded and not its admissibility. Thus, Plaintiff's objection is OVERRULED.
Upon review, the Court finds that the undisputed facts establish that Defendants circumvented technical barriers to access Facebook site, and thus accessed the site “without permission.” Although the evidence shows that Defendants did not take additional steps to circumvent individual IP blocks imposed by Plaintiff after the fact, this does nothing to cast doubt on the overwhelming evidence that Defendants designed their system to render such blocks ineffective. The Court finds no reason to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed. This is particularly true where, as here, Defendant Vachani's own statements provide compelling evidence that he anticipated attempts to block access by network owners and intentionally implemented a system that would be immune to such technical barriers. Thus, in light of the undisputed evidence that Defendants anticipated attempts to block their access by Plaintiff, and utilized multiple IP addresses to effectively circumvent these barriers, the Court finds that Defendants violated Section 502 by accessing Plaintiff's network without permission.
(See, e.g., Vachani Depo. 2 at 323:17–324:8.)
Accordingly, the Court GRANTS Plaintiff's Motion for Summary Judgment as to Count Three and DENIES Defendants' Motion for Summary Judgment as to Count Three.
C. The Computer Fraud and Abuse Act
At issue is whether Defendants' conduct constitutes a violation of the CFAA.
The CFAA imposes liability on any party that “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains,” inter alia, “information from any protected computer.” 18 U.S.C. § 1030(a)(2). Suit may be brought by any person who suffers damage or loss in an amount above $5000. See Id. § 1030(g); § 1030(c)(4)(A)(i)(I).
Here, for the reasons discussed above, the undisputed facts establish that Defendants' access to Facebook was without authorization. In addition, Defendants admit that they obtained information from Facebook website. (Defendants' Admissions at 22.) Thus, the only finding necessary for Plaintiff to prevail on its CFAA claim is whether Plaintiff's damages exceed $5000, thereby giving Plaintiff standing under the statute.
See Multiven, Inc. v. Cisco Sys., Inc., 725 F.Supp.2d 887, 895 (N.D.Cal.2010) (explaining that elements of a CFAA claim do not differ materially from the elements of a claim under Section 502).
The CFAA defines “loss” to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). “Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute.” Multiven, 725 F.Supp.2d at 895 (citation omitted).
Here, as discussed above with regard to Plaintiff's CAN–SPAM claim, Plaintiff has provided uncontradicted evidence of the costs of attempting to thwart Defendants' unauthorized access into its network. These documented costs were well in excess of the $5000 CFAA threshold. ( See Cutler Decl. ¶ 15.) Thus, the Court finds that on the basis of these costs, Defendants' unauthorized access of Plaintiff's network did cause sufficient loss to Plaintiff to confer standing upon Plaintiff.
( See, e.g., McGeehan Decl. ¶¶ 11–17; Cutler Decl. ¶¶ 7–15.)
In sum, for the reasons discussed above regarding Plaintiff's Section 502 claim, the Court finds that Defendants accessed Plaintiff's website without authorization and obtained information from Facebook. The Court further finds that Plaintiff suffered loss sufficient to confer standing as a result of such access. Accordingly, the Court GRANTS Plaintiff's Motion for Summary Judgment as to Count Two and DENIES Defendants' Motion for Summary Judgment as to Count Two.
V. CONCLUSION
The Court GRANTS Plaintiff's Motions for Summary Judgment on all counts. The Court DENIES Defendants' Motion for Summary Judgment on all counts.
Because the Court finds that the undisputed evidence submitted by Plaintiff with its Motions for Summary Judgment establishes that Plaintiff is entitled to judgment as a matter of law, the Court DENIES as moot Plaintiff's Motion to File Supplemental Evidence. ( See Docket Item No. 251.)
In addition, the Court DENIES as moot Plaintiff's Motion to Enlarge Time for Hearing Dispositive Motions. ( See Docket Item No. 261.)
In light of this Order, the Court finds that additional briefing is warranted on two issues: (1) the amount of damages Plaintiff should receive in light of this Order; and (2) the individual liability of Defendant Vachani.
On or before March 2, 2012, the parties shall file simultaneous briefings addressing the two issues identified above. Unless otherwise indicated by the Court, the matter will be taken under submission for decision without a hearing. See Civ. L.R. 7–1(b).