Opinion
No. 3:15-cv-00908-LB
07-20-2015
ORDER DENYING MOTION TO QUASH
[ECF Nos. 24, 25-4]
INTRODUCTION
Plaintiff Uber Technologies, Inc. claims that defendant John Doe I breached its secure database, stole information from that database, and thereby violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., and the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502. (Compl. - ECF No. 1 at 2, ¶ 8.) Uber previously sought permission to take expedited discovery from third parties GitHub, Inc. (ECF Nos. 4, 18) and Comcast Business Communications, LLC. (ECF No.16.) Uber seeks to discover (among other things) the names, physical addresses, email addresses, subscription-payment information, and Media Access Control addresses associated with identified Internet Protocol ("IP") addresses or domains that likely were used to access Uber's database. (The full subpoenas are at ECF No. 16-1 at 7 and ECF No. 18-1 at 7.) The court previously granted Uber's motions and ordered the discovery. (See 4/27/15 Order, ECF No. 20.) The Comcast subscriber now moves to quash the subpoena to Comcast and to appear as "Subscriber." The court heard the matter on July 9, 2015. The court denies the motion to quash and grants permission to the Comcast subscriber to appear as "Subscriber."
Record citations are to documents in the Electronic Case File ("ECF"); pinpoint citations are to the ECF-generated page numbers at the tops of the documents, except pinpoint citations to Reporter's Transcripts ("RT") are to the transcript page and line numbers.
* * *
STATEMENT
I. UBER AND ITS CONFIDENTIAL INFORMATION
Uber is a technology company that has developed a smartphone application that connects drivers and riders in cities all over the world. (Compl. - ECF No. 1, ¶ 5.) Uber maintains internal database files with confidential details on the drivers who use its application. (Id. ¶ 6.) Uber closely guards the contents of the internal database files. (Id. ¶ 7.) The database files can be accessed only by using a unique security key. (Id.) The security key "is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files." (Id.)
The Uber security key was posted on Uber pages on the GitHub website that were publicly accessible. (See Ex. A to Kollios Decl., ECF No. 24-2; Opposition, ECF No. 35-3 at 2.) GitHub is a San Francisco-headquartered subscription Internet service where users (such as Uber software engineers) collaborate in developing software. (3/12/15 RT, ECF No. 14, 5:16-20.)
II. UNAUTHORIZED ACCESS OF UBER'S DATABASE
On May 12, 2014, John Doe I used Uber's security key to access and download Uber's driver database files from Uber's protected computers. (Id. ¶¶ 8, 10, 11.) Uber alleges that John Doe I's unauthorized access harmed Uber and caused it to expend resources to investigate and to prevent such access from occurring. (Id. ¶ 12.) As a result, Uber claims that its loss exceeds $5,000. (Id.)
Uber reviewed the IP addresses that accessed Uber's protected computers on May 12 and isolated one unrecognized IP address. (Garbutt Decl., ECF No. 4-2, ¶ 2.) Uber "could not identify from that IP address who accessed the database" because it was an IP address from (Id.; Snell Decl., ECF No. 35-6, ¶ 2.) On May 12, 2014, the IP address visited Uber posts on GitHub's website "right before" the unauthorized access and download. (Garbutt Decl., ECF No. 4-2, ¶ 3, identifying the pages by address; Snell Decl., ECF No. 35-6, ¶ 2.) (At the hearing, Uber's counsel said that the IP address visited the Uber page on GitHub with driver-data files, not the Uber page with the security key. (7/9/15 RT 13:13-18.))
There are IP addresses that visited the relevant web GitHub webpages before the May 12 download "that Uber has not identified as [either] associated with Uber users" or otherwise explained (e.g., automated indexing by Google)." (Snell Decl., ECF No. 35-6, ¶ 2.) Subscriber's Comcast IP address visited the "subject GitHub webpage" on and "is the only IP address not identified by Uber that accessed the GitHub post [containing the security key] after the date it was posted." (Snell Decl., ECF No. 16-1, ¶ 4; Snell Decl., ECF No. 35-6, ¶ 2.)
At the July 9 hearing, Uber's counsel confirmed the following. First, he confirmed that March 11, 2014 (the start of the time period in the subpoena) (see infra next section) was the date that the security key was posted on the relevant GitHub page. (7/9/15 RT 4:20-5:3.) Second, the IP addresses that visited the GitHub pages between March 11, 2014 and May 12, 2014 were (1) Uber software engineers (see ECF No. 35-6, ¶ 2, describing the "Uber users"), or (2) at the beginning, "bots." (7/9/15 RT 9:22-11:5.) Bots are automatic web crawlers - software applications - that create entries for search-engine indexes. (See ECF No. 35-6, ¶ 2, describing "automated indexing.") Third, he confirmed that Subscriber's Comcast IP address "is the only IP address not identified with Uber that accessed the post [containing the security key] after the date it was posted." (Id.; 7/9/15 RT 4:20-5:3, 24:8-21.) Fourth, he explained that before Uber confirmed that the IP address visited the GitHub post right before the download, it assumed that John Doe I obtained the key from the GitHub post because that was the way an outsider could get the key. (7/9/15 RT 8:18-25.)
The inference is that Uber software engineers, who were using the GitHub site to collaborate on code, did this "inadvertently." (7/9/15 RT 8:18-21.)
At the hearing, Uber's counsel proffered that Uber's investigation revealed that the Subscriber's Comcast IP address "scraped Uber's driver data" during the relevant time period (meaning, between March 11, 2014 and May 12, 2014). (7/9/15 RT 14:24-16:2.) This proffer is not supported by a declaration. The court mentions it only to make it explicit that the court does not consider it.
III. THE COMCAST SUBPOENA
The court previously authorized service of a subpoena on Comcast to produce:
1. The name, address, telephone number, email address, Media Access Control addresses, and any other identifying information for each subscriber assigned the Internet Protocol address [REDACTED] ("Subscribers") from March 11, 2014 until May 13, 2014.(Subpoena, ECF No. 17-3 at 1; 4/27/15 Order, ECF No. 20 at 3.) In authorizing the subpoena, the court authorized disclosure under 47 U.S.C. § 551(c)(2)(B), which provides:
2. Any logs or other information regarding Subscribers' access to the following IP addresses or domains between March 11, 2014 and May 13, 2014: (a) ; and (b) [REDACTED].
3. Any logs or other information regarding Subscribers' access to the following IP addresses or domains on May 12, 2014 on or about 9:47 pm PDT: (a) ; and (b) [REDACTED].
4. The name, address, telephone number, email address, Media Access Control address, and any other identifying information for any individual user or machine on Subscribers' networks that accessed
https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b29826096fe043409e2c305bb79/insurance fun.py, https://api.github.com/gists/9556255/ and/or https://gist.github.com/hhlin/9556255 on or about .
5. The Subscribers' means and source of payment (including any credit card or bank account number).
(c) Disclosure of personally identifiable information47 U.S.C. § 551(c)(2)(B).
. . . .
(2) A cable operator may disclose such information if the disclosure is —
. . . .
(B) . . . made pursuant to a court order authorizing such disclosure, if the subscriber is notified of such order by the person to whom the order is directed.
The order authorized disclosure to John Doe I, directed Comcast to notify John Doe I of the subpoena, and set forth the procedures for John Doe I to file a motion to quash or modify the subpoena. (4/27/15 Order, ECF No. 20 at 3-4, 8-9.)
IV. ADDITIONAL PROCEDURAL HISTORY
After receiving notice of the subpoena, Subscriber moved to quash it. (Motion, ECF No. 25, 25-4.) The court held a hearing on July 9, 2015. (Minute Order, ECF No. 42.)
ANALYSIS
A court may authorize early discovery before the Rule 26(f) conference for the parties' and witnesses' convenience and in the interests of justice. Fed. R. Civ. P. 26(d). Courts within the Ninth Circuit generally consider whether a plaintiff has shown "good cause" for early discovery. See, e.g., IO Grp., Inc. v. Does 1-65, No. C 10-4377 SC, 2010 WL 4055667, at *2 (N.D. Cal. Oct. 15, 2010); Semitool, Inc. v. Tokyo Electron Am., Inc., 208 F.R.D. 273, 275-77 (N.D. Cal. 2002); Tex. Guaranteed Student Loan Corp. v. Dhindsa, No. C 10-0035, 2010 WL 2353520, at *2 (E.D. Cal. June 9, 2010); Yokohama Tire Corp. v. Dealers Tire Supply, Inc., 202 F.R.D. 612, 613-14 (D. Ariz. 2001) (collecting cases and standards). "Good cause may be found where the need for expedited discovery, in consideration of the administration of justice, outweighs the prejudice to the responding party." Semitool, 208 F.R.D. at 276.
In evaluating whether a plaintiff establishes good cause to learn the identity of Doe defendants through early discovery, courts examine whether the plaintiff: (1) identifies the Doe defendant with sufficient specificity that the court can determine that the defendant is a real person who can be sued in federal court; (2) recounts the steps taken to locate and identify the defendant; (3) demonstrates that the action can withstand a motion to dismiss; and (4) shows that the discovery is reasonably likely to lead to identifying information that will permit service of process. Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578-80 (N.D. Cal. 1999) (citations omitted). "'[W]here the identity of alleged defendants [is not] known prior to the filing of a complaint[,] the plaintiff should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds.'" Wakefield v. Thompson, 177 F.3d at 1160, 1163 (9th Cir. 1999) (quoting Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir. 1980)).
The court previously granted Uber's motions to take early discovery from GitHub and Comcast to identify John Doe I. (3/16/15 Order, ECF No. 11; 4/27/15 Order, ECF No. 20.) The court found that Uber established good cause to engage in early discovery to identify John Doe I by showing the following: (1) John Doe I is a real person who may be sued in federal court; (2) Uber attempted unsuccessfully to identify John Doe I before filing this motion; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a reasonable likelihood that the subpoena will lead to information identifying John Doe I. (See 4/27/15 Order, ECF No. 20 at 2; 3/16/15 Order, ECF No. 11.) The court incorporates by reference the factual and legal discussions in its prior orders.
Subscriber challenges the court's conclusions as follows: (I) Uber has not shown that the subpoena will identify John Doe I; (II) a suit against Subscriber will not withstand a motion to dismiss; (III) the subpoena impinges on Subscriber's right to participate in online forums anonymously; and (IV) the subpoena is overbroad. (Motion, ECF No. 24 at 3, 8, 10-11; Reply, ECF No. 39-4 at 2-7.)
* * *
I. REASONABLE LIKELIHOOD OF IDENTIFYING JOHN DOE
The first issue is whether Uber has demonstrated that the proposed subpoena seeks information reasonably likely to lead to uncovering John Doe's identity. (Motion, ECF No. 24 at 7.) The court previously held that it has (3/16/15 Order, ECF No. 11 at 5) and affirms that holding now based on the following facts. On May 12, 2014, John Doe I used an IP address to download Uber's driver data base. (Snell Decl., ECF No. 35-6, ¶ 2.) Right before that, the IP website visted Uber posts on GitHub. (Id.) Subscriber's Comcast IP address visited the GitHub page that contained the security key on . (Id.) Besides authorized or automated IP addresses identified by Uber (such as those affiliated with Uber software engineers and bots that do automatic indexing), Subscriber's Comcast IP address is the "only IP address . . . that accessed the post [with the security key] after [March 11, 2014,] the date it was posted." (Id.)
Subscriber nonetheless argues that there is no link between Subscriber and the download. (Reply, ECF No. 39-4 at 2-3.) Subscriber argues that (1) Subscriber is only "one of IP addresses who visited the public GitHub posts before May 12," (2) an "unknown number of Uber employees [also] visited the posts," (3) Uber did not explain adequately the basis for its belief that John Doe I accessed the GitHub post before downloading the driver data on May 12, 2014, and (4) it is the IP address that necessarily will reveal the bad actor, not the Comcast IP address. (Reply, ECF No. 39-4 at 2-6.) These arguments are not persuasive. First, while IP addresses did visit the relevant GitHub pages, Subscriber's Comcast IP address is the only IP address (other than authorized or automated IP addresses) that accessed the post (on ) after it was posted on March 11, 2014. (Snell Decl., ECF No. 35-6, ¶ 2.) Second, it is reasonable for Uber to investigate and then eliminate as suspects its own software engineers (who are the Uber employees who accessed the GitHub pages to code). After all, presumably the driver data is information particularly valuable to a competitor or others outside the Uber organization. Subscriber's counsel suggested at the hearing that a disgruntled software engineer might take driver data to get a new job with a competitor. The court does not think that Uber has to prove the lack of a disgruntled software engineer to get Doe discovery under the operable legal standard. Third, in support of its February 2015 request for discovery from GitHub, Uber did say that it "is informed and believes" that the person who downloaded the driver data on May 12 visited the GitHub websites. (Garbutt Decl., ECF No. 4-2, ¶ 3.) It was reasonable for Uber to conclude that John Doe I obtained the key from the GitHub post (where it was publicly available from March 11, 2014 to May 12, 2014) because that was the (only) way an outsider could get the key. (See 7/9/15 RT 8:18-25.) Moreover, the GitHub discovery rendered that conclusion more certain: it is now undisputed that the IP address visited Uber posts on the GitHub pages right before it downloaded the driver data. (Garbutt Decl., ECF No. 4-2, ¶ 3; Snell Decl., ECF No. 35-6, ¶ 2.) Fourth, it is reasonable to conclude that John Doe I did not stumble across the GitHub post for the first time on May 12. It seems plausible - especially because no one else except Uber engineers and bots (at the beginning) visited the pages - that Subscriber visited GitHub on and thereafter visited it again on May 12, 2014 via the IP address right before using the IP address to download the driver data. Subscriber's counsel at the hearing suggested that Uber must subpoena but the court does not think that necessary for . (Snell Decl., ECF No. 35-6, ¶ 2.)
Subscriber also argues that "anyone might have viewed the posts through the cached copies on Google . . . ." (Reply, ECF No. 39-4 at 2-3.) Subscriber elaborates that Google's indexing bot downloads a copy of every page, so the "secret key that Uber published on GitHub was apparently also available on Google's servers." (Id. at 3-4.) "Uber has not explained why it is so sure that John Doe visited GitHub directly, rather than viewing the security key through Google's 'cached' backups." (Id. at 4.) There is no evidence that the security key was available in cached backups. That said, Subscriber's suggestion that others "might" have seen information "apparently" available does not detract from (1) the connection that Uber identifies between the GitHub visits and the unauthorized access or (2) the court's conclusion that Uber has shown that there is a reasonable likelihood that the subpoena will lead to information identifying John Doe I.
Uber proffered at the hearing that it found no evidence in its investigation that the security key was available in cached backups. (7/9/15 RT 11:7-19.) This proffer is not supported by a declaration, and the court does not rely on it. --------
Subscriber also asserts that Uber did not prove that the discovery is "very likely" to disclose his identity. He argues the following: "As the Ninth Circuit has stated, early discovery is only permitted if such discovery is 'very likely' to 'disclose[] the identities of the "John Doe" defendants.' Gillespie v. Civiletti, 629 F.2d 637, 643 (9th Cir. 1980); Hard Drive Prods.[v. Does 1-90, No. 5:11-cv-03825-HRL,] 2012 WL 1094653, at *2 [(N.D. Cal. Mar. 30, 2012)]. Uber admits that it cannot make such a showing, merely stating that the Comcast Subpoena will 'further Uber's investigation.'" (Motion, ECF No. 24 at 7.) In making this argument, Subscriber reads Gillespie out of context.
In Gillespie, a prisoner sued unnamed U.S. Marshals as Doe Defendants in claims regarding the conditions of his confinement. 629 F.2d at 639. The trial court dismissed the complaint without requiring replies to interrogatories for the names and addresses of the Marshals. Id. at 643. The Ninth Circuit reversed, holding that the district court abused its discretion by not permitting the discovery. Id. "The use of "John Doe" to identify a defendant is not favored." Id. at 642. But when the identity of a defendant cannot be known before the filing of a complaint, "the plaintiff should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds." Id. (citation omitted). In finding that the denial of discovery was an abuse of discretion, the court noted that "[i]t was very likely that the answers to the interrogatories would have disclosed the identities of the 'John Doe' defendants." Id.
Read in context, then, the conclusion that "it was very likely" that the discovery would lead to identifying information is the support for reversing (for an abuse of discretion) the denial of discovery. It does not change the standard for obtaining the discovery: the plaintiff should be given an opportunity to identify unknown defendants unless it is clear that discovery would not uncover the identities or the complaint would be dismissed on other grounds. Id.
Subscriber also argues that this is "'merely the first step in what could prove to be an extensive, expensive, and . . . highly intrusive discovery process.'" (Reply, ECF No. 39-4 at 5) (citing Boy Racer, Inc. v. Does 1-52, No. 3:11-cv-02329-PSG, 2011 WL 7402999, at *2 (N.D. Cal. Sept. 13, 2011)). This argument is not a basis for denying discovery given that the Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated as non-suspect.
* * *
II. THE CLAIMS WOULD WITHSTAND A MOTION TO DISMISS
The court previously held that Uber has pleaded the essential elements of the claims sufficient to withstand a motion to dismiss. (3/16/15 Order, ECF No. 11 at 5.) Subscriber asserts that Uber's claim "against Subscriber" would not withstand a motion to dismiss, arguing that Uber must show that "its clams against Subscriber, not John Doe [I], could withstand a motion to dismiss."(Motion, ECF No. 24 at 8 (emphasis in original).) Uber responds that it need show only that its claims would survive a motion to dismiss against John Doe I and that the discovery is aimed at identifying John Doe I. (Opposition, ECF No. 35-4 at 9.) Subscriber did not respond to this point in his reply.
Uber is correct. A "plaintiff must make some showing that an act giving rise to civil liability actually occurred and that the discovery is aimed at revealing specific identifying features of the person or entity who committed that act." Columbia, 185 F.R.D at 579. Uber has done that.
* * *
III. RIGHT TO PARTICIPATE IN ONLINE FORUMS ANONYMOUSLY
Subscriber argues that the subpoena impinges on his right to participate in online forums anonymously. (Motion, ECF No. 24 at 3; Reply, ECF No. 39-4 at 6 n.3.) The court addressed the First Amendment in its earlier order, holding that the case was not about speech and instead is about conduct that cannot have been legitimate under any scenario. (4/27/15 Order, ECF No. 20 at 4-7.) As the court held in Columbia Ins.,"people are permitted to interact pseudonymously and anonymously with each other so long as those acts are not in violation of the law." 185 F.R.D. at 578.
* * *
IV. THE SUBPOENA IS NOT OVERBROAD
Subscriber argues that the subpoena is overbroad because Uber has not identified a sufficient connection between Subscriber and the May 12 download. (Motion, ECF No. 24 at 10; Reply, ECF No. 39-4 at 7.) It must, Subscriber argues, show that Subscriber accessed Uber's database on his own or via the IP address. (Reply, ECF No. 39-4 at 7.) The court already found a sufficient connection. The subpoena is not otherwise overbroad. It is tailored to the limited time period relevant to this lawsuit: March 11, 2014 to May 12, 2014. It is targeted only at identifying information that Uber has a right to discover: (1) Request 1 is for the name and other identifying information for Subscriber; (2) Request 2 is for information connecting the Comcast IP address to the IP address; (3) Request 3 is for information connecting the Comcast IP address to the IP address around the time of the illegal download; (4) Request 4 is for information about the access to the GitHub webpages on ; and (5) Request 5 is for payment information that can confirm Subscriber's identity.
* * *
V. REQUEST TO PROCEED AS "SUBSCRIBER"
Subscriber asks to proceed as "Subscriber" on grounds that include avoiding embarrassment and reputational harm. (Motion, ECF No. 24 at 12.) Uber does not oppose the motion to file the motion anonymously; it notes that the information that is revealed by the subpoena will not be anonymous in (for example) a future court filing. (Opposition, ECF No. 35-4 at 13.)
Courts "allow parties to use pseudonyms in the 'unusual case' when nondisclosure of the party's identity is necessary to protect a person from harassment, injury, ridicule or personal embarrassment." Does I thru XXIII v. Advanced Textile Corp., 214 F.3d 1058, 1067-68 (9th Cir. 2000). The court grants the motion to file the motion as "Subscriber" on this ground.
* * *
VI. STAY PENDING APPEAL
At the July 9, 2015 hearing, Subscriber asked the court to stay its order to allow an appeal.
A stay is not a matter of right, even if irreparable injury might otherwise result. Nken v. Holder, 556 U.S. 418, 433 (2009). "It is instead 'an exercise of judicial discretion,' and '[t]he propriety of its issue is dependent upon the circumstances of the particular case.'" Id. (quoting in part Virginian Ry. Co. v. United States, 272 U.S. 658, 672-73 (1926) and Hilton v. Braunskill, 481 U.S. 770, 777 (1986)). The party requesting a stay bears the burden of showing that the circumstances justify an exercise of that discretion. Nken, 556 U.S. at 433-34.
The court stays its order until July 31, 2015 to allow Subscriber to file any notice of appeal and a simultaneous motion to stay. If Subscriber appeals and moves to stay the case, the case will be stayed until the court addresses the motion to stay.
CONCLUSION
The court denies the motion to quash and grants the Subscriber's request to file the motion as "Subscriber." The court stays its order until July 31, 2015 to allow Subscriber to file a notice of appeal and move to stay the case pending appeal. This disposes of ECF Nos. 24 and 25-4.
IT IS SO ORDERED. Dated: July 20, 2015
/s/_________
LAUREL BEELER
United States Magistrate Judge