Computer Fraud and Abuse Act

The UK wants to use the blockchain to track the spending of welfare recipients.

Some believe that a recent Ninth Circuit holding could turn sharing passwords into a federal crime under the Computer Fraud and Abuse Act.

And another Ninth Circuit opinion sided with Facebook in a closely-watched case interpreting the same federal law, this time involving unauthorized access to Facebook’s website.

The fashion world is embroiled in a rocky romance with social media.

Snapchat filed a patent application for image-recognition technology that may help the platform’s ad sales.

Scientists think they’ve found a way to tackle virtual reality sickness.

What’s going on at Vine? First a bunch of influencers cut ties with the platform. Now a group of its top executives have jumped ship.

Livestreaming services are giving cable TV networks a run for their money.

You didn’t think we’d ignore the Pokémon Go craze, did you? Here’s advice on how to protect your privacy when you’re using the app. We’re also preparing an article describing the game and the business and legal issues that are arising from it. Stay tuned.

The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we examine the use of the Computer Fraud and Abuse Act to combat web scraping; we explore the launch of Google Glass in the UK and the issues it raises; we analyze the FDA’s latest attempt to provide direction for drug and device manufacturers concerning how and when they may use social media; we report on a recent case concerning whether service providers can avail themselves of certain DMCA safe harbors; we highlight the increasingly important role of social media services in proxy contests; we take a look at how the Supreme Court’s Aereo decision might impact other areas of technology; and we discuss the ongoing controversy regarding website accessibility under the ADA and California’s Unruh Act.

All this—plus a collection of thought-provoking statistics about social media and the World Cup…


When an employee uses a social media account to promote his or her company, who keeps that account when the employee leaves? Perhaps more importantly, who keeps the friends, followers and connections associated with that account? Three lawsuits highlight the challenges an employer may face in seeking to gain control of work-related social media accounts maintained by current or former employees.

We start with Eagle v. Edcomm, a federal case out of Pennsylvania involving a dispute over an ex-employee’s LinkedIn account and related connections. The plaintiff, Dr. Linda Eagle, was a co-founder of the defendant company, Edcomm. She established a LinkedIn account while at Edcomm, using the account to promote the company and to build her network. Edcomm personnel had access to her LinkedIn password and helped to maintain the account. Following termination of her employment, Edcomm allegedly changed Dr. Eagle’s LinkedIn password and her account profile; the new profile displayed the new interim CEO’s name and photograph instead of Dr. Eagle’s. (Apparently, “individuals searching for Dr. Eagle were routed to a LinkedIn page featuring [the new CEO]’s name and photograph, but Dr. Eagle’s honors and awards, recommendations, and connections.”) Both parties raced to the courthouse, filing lawsuits against each other over the LinkedIn account and other disputes. Although a final ruling on all the issues has not yet been made, the court has issued two decisions.

In the earlier of the two decisions, the court granted Dr. Eagle’s motion to dismiss Edcomm’s trade secret misappropriation claim, concluding that the LinkedIn connections were not a trade secret because they are “either generally known in the wider business community or capable of being easily derived from public information.”

The most recent decision, however, was largely a win for Edcomm. The court granted Edcomm’s motion for summary judgment on Dr. Eagle’s Computer Fraud and Abuse Act (CFAA) and Lanham Act claims. Regarding her CFAA claims, the court concluded that the damages Dr. Eagle claimed she had suffered—related to harm to reputation, goodwill and business opportunities—were insufficient to satisfy the “loss” element of a CFAA claim, which requires some relation to “the impairment or damage to a computer or computer system.” In rejecting Dr. Eagle’s claim that Edcomm violated the Lanham Act by posting the new CEO’s name and picture on Dr. Eagle’s LinkedIn account, the court found that Dr. Eagle could not demonstrate Edcomm’s actions caused a “likelihood of confusion,” as required by the Act.

In a federal case out of Illinois, Maremont v. Susan Fredman Design Group LTD, the employee, Jill Maremont, was seriously injured in a car accident and had to spend several months rehabilitating away from work. While Ms. Maremont was recovering, her employer—Susan Fredman Design Group—posted and tweeted promotional messages on Ms. Maremont’s private Facebook and Twitter accounts, where she had developed a large following as a well-known interior designer. The posts and tweets continued after Ms. Maremont had asked her employer to stop, so Ms. Maremont changed her passwords. Following the password changes, Ms. Maremont alleged that her employer started treating her poorly in order to force her to resign. Ms. Maremont then brought claims under the Lanham Act, Illinois’ Right of Publicity Act, and the common law right to privacy. Although the case is still pending, the court issued a decision refusing to dismiss Ms. Maremont’s Lanham Act and Right of Publicity Act claims. The court, however, dismissed her common law right to privacy claims, holding that she had failed to demonstrate that her employer’s “intrusion into her personal ‘digital life’ is actionable under the common law theory of unreasonable intrusion upon the seclusion of another,” and that she failed to allege a false light claim because she did not allege that her employer “acted with actual malice.”

A recently settled California case, PhoneDog LLC v. Noah Kravitz, which we have written about previously, involved a similar dispute over a former employee’s Twitter account. Unlike the LinkedIn account at issue in the Edcomm case, the Twitter account in PhoneDog was apparently created by the employer, not the employee; the Twitter “handle” identifying the account, however, included both the employer’s name and the employee’s name: @PhoneDog_Noah. According to PhoneDog’s complaint, the account attracted approximately 17,000 Twitter followers. Mr. Kravitz—who after leaving PhoneDog eventually began working for one of PhoneDog’s competitors—kept the Twitter account but removed PhoneDog’s name, changing the handle to @noahkravitz. PhoneDog sued Mr. Kravitz, alleging that Mr. Kravitz wrongfully used the Twitter account to compete unfairly against PhoneDog. Like Edcomm, PhoneDog alleged misappropriation of trade secrets, although PhoneDog appears to have viewed the account log-in information rather than the actual followers as the relevant trade secret information. As noted above, the parties have settled this case, so we will not learn how the court would have ultimately ruled; nevertheless, this case and the other pending suits discussed above offer important lessons to employers. While the terms of the settlement are confidential, news reports have indicated that the agreement does allow Mr. Kravitz to keep his Twitter account and followers.

These cases have received media attention, and the two pending cases—Eagle and Maremont—will continue to be closely watched by the legal community to see how courts define ownership interests in employee social media accounts. Employers, however, should not wait on the rulings in these pending cases to take steps to protect their interests in their social media accounts. All three of these cases illustrate the importance of creating clear policies regarding the treatment of business-related social media accounts, and making sure that employees are aware of these policies. Other measures an employer can take include being certain to control the passwords of the company’s own social media accounts and making sure that the name of the account does not include an individual employee’s name. At the same time, employers need to be mindful of new laws in California restricting an employer’s ability to gain access to its employees’ personal social media accounts.

In light of these developments, it will be particularly important to maintain a clear distinction between company and personal social media accounts.

In two recent decisions issued within a day of each other, two influential federal courts limited the scope of three important federal laws used to prosecute criminal conduct involving computers.  On April 10, 2012, the Ninth Circuit limited the scope of criminal liability for prosecutions under the Computer Fraud and Abuse Act, and on the following day the Second Circuit sharply limited the scope of the National Stolen Property Act and the Economic Espionage Act of 1996.  Together, these decisions indicate a reluctance to accept prosecutors’ expansive views of the reach of federal criminal laws with respect to computer usage, and the Ninth Circuit’s decision in particular may have far-reaching implications for the enforceability of website terms of service and employee policies in the civil context.

The Ninth Circuit’s decision was issued en banc in United States v. Nosal upholding the district court’s dismissal of David Nosal’s indictment for violations of the Computer Fraud and Abuse Act (“CFAA”).  Nosal had worked for an executive search firm and left to start a competing business.  He convinced several of his former colleagues to help him by accessing and then transferring to him source lists, names, and contact information from the firm’s confidential database.  The former colleagues were authorized to access the database, but the firm had a policy forbidding the disclosure of confidential information.  The government charged Nosal with violating 18 U.S.C. § 1030(a)(4) by aiding and abetting the former colleagues in “exceed[ing] authorized access” to the firm’s computers with intent to defraud the firm.

Nosal moved to dismiss the CFAA counts, arguing that the statute was meant to target hackers and not those who accessed a computer lawfully but then misused information obtained from such access.  The district court agreed, and the government appealed.  In a panel decision issued in 2011, the Ninth Circuit reversed the district court, holding that an employee “‘exceeds access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.”  The en banc court found otherwise, holding that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” (Emphasis in original.)  To hold otherwise, the court reasoned, would make federal crimes out of “minor dalliances” like playing games or shopping online, if such activities were prohibited by an employer’s computer-use policy.  The court observed:  “Employer-employee and company-consumer relationships are traditionally governed by tort and contract law,” and to interpret the CFAA to apply to use restrictions “allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.”  This would implicate “[s]ignificant notice problems.”  Although the government argued that it would not prosecute minor violations of the law, the court found that “we shouldn’t have to live at the mercy of our local prosecutor.”

The Second Circuit’s decision in United States v. Aleynikov, issued on April 11, 2012, limits the reach of computer crime prosecutions under the National Stolen Property Act (“NSPA”) and the Economic Espionage Act of 1996 (“EEA”).  Sergei Aleynikov was convicted of violating both acts based on his theft and transfer of his company’s proprietary source code.  Aleynikov was a computer programmer at Goldman Sachs, where he developed source code for the company’s proprietary high-frequency trading (“HFT”) system.  Goldman’s policies bound Aleynikov to keep the firm’s proprietary information confidential and barred him from taking or using it when his employment ended.  Aleynikov accepted an offer from a new company that was looking to develop its own HFT system.  On his last day at Goldman, Aleynikov uploaded source code for Goldman’s HFT system to a server in Germany, which he then downloaded to his home computer for use at his new job. 

Aleynikov was sentenced to 97 months in prison.  He appealed, arguing that the district court should have dismissed his indictment for failure to state an offense.  The Second Circuit reversed his conviction on both counts, finding that his conduct did not constitute an offense under either statute.  (Aleynikov had also been charged with a criminal violation of the CFAA, but the district court had dismissed that charge on the ground that “authorized use of a computer in a manner that misappropriates information is not an offense” under the act.  This ruling predates the similar en banc Nosal decision discussed above, and the government did not appeal the ruling.)

The NSPA criminalizes transmittal of a stolen “good” in interstate or foreign commerce.  The Second Circuit held that source code is not a “good,” and therefore, “the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA.”  The court “decline[d] to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.”  Significantly, the court noted that a different conclusion might apply if the stolen source code had been removed from Goldman’s premises on a tangible item, like a CD or flash drive, instead of having been stolen through uploading to an off-premises server.

The EEA prohibits the unauthorized downloading, uploading, transmitting, or conveying of trade secrets related to or included in a product that is produced for or placed in interstate or foreign commerce, with the intent to convert the trade secret, while intending or knowing that the offense will injure the owner of the trade secret.  On this count, the Second Circuit held that Goldman’s HFT system was neither “produced for” nor “placed in” interstate commerce because Goldman had no intention of selling or licensing the system and, in fact, “went to great lengths to maintain the secrecy of its system.” 

Although neither the NSPA nor EEA provides for a private right of action, we think it is possible the rationales of these decisions could influence civil litigation involving misuse of an employer’s computer system, including, in particular, civil litigation under the CFAA based on violations of website terms of service or employee policies.  For examples of previous such cases, see, e.g., Am. Online, Inc. v. LCGM, Inc. and EF Cultural Travel BV v. Explorica, Inc. In most of these cases, it appears that the defendant was authorized to access the website or system in question, but misappropriated the data on those websites or systems.  In addition to limiting criminal exposure, the Ninth Circuit’s interpretation of “exceeds authorized access” in Nosal may be construed to undermine this basis for a civil suit.  Watch these pages for further reports on these issues.

As we reported last month, the safe harbor in Section 230 of the Communications Decency Act (“CDA”) immunizes social media providers from liability based on content posted by users under most circumstances, but not from liability for content that the providers themselves generate.  But what about when providers block Internet traffic such as “spam” – does the CDA immunize service providers from liability for claims related to messages not reaching their intended recipients?

In two recent unpublished cases, Holomaxx Techs. Corp. v. Microsoft Corp. and Holomaxx Techs. Corp. v. Yahoo! Inc., Judge Fogel of the Federal District Court for the Northern District of California held that the CDA does provide immunity in such circumstances.  (Notably, Judge Fogel also decided earlier this year that Facebook postings qualify as “commercial electronic mail messages” regulated under CAN-SPAM, the federal anti-spam statute.)  The Holomaxx holdings did not break new ground, but the cases clearly show that Section 230 of the CDA provides immunity not just with respect to user-posted content, but also for service providers’ blocking and restriction of messages.

Plaintiff Holomaxx Technologies runs an email marketing and ecommerce business development service.  After what it alleged was MSN’s and Yahoo!’s continued refusal to deliver its legitimate emails, Holomaxx sued both companies for state law tort claims alleging interference with contract and business advantage, defamation, false light, and unfair competition, and for federal claims under the Wiretap Act, the Computer Fraud and Abuse Act, and the Stored Communications Act.  Seeking both damages and an injunction, Holomaxx claimed that MSN and Yahoo! “knowingly relie[d] on faulty spam filters” and that it was “entitled to send legitimate, permission-based emails to its clients’ customers now.”

In its complaints against Microsoft and Yahoo!, Holomaxx explained that it delivers for its customers ten million email messages a day, including three million to Hotmail/MSN users and six million to Yahoo! users.  Holomaxx claimed that it sent only legitimate, requested emails to consenting users and complied with CAN-SPAM.  According to Holomaxx, MSN’s and Yahoo!’s email filtering systems began blocking, rerouting, and/or throttling Holomaxx-generated emails to MSN and Yahoo! users, and MSN and Yahoo! ignored its requests to be unblocked and failed to identify specific problems with Holomaxx’s emails.  Also according to Holomaxx, MSN and Yahoo! acted in bad faith because they did not work with Holomaxx in the manner prescribed by the abuse desk guidelines of the Messaging Anti-Abuse Working Group, to which both companies belong and which Holomaxx characterized as an “industry standard.”  Finally, Holomaxx claimed that anticompetitive purposes drove MSN’s and Yahoo!’s blocking, and that the fact that the two companies had initially resumed delivery of Holomaxx emails and then stopped again showed that the companies acted in bad faith.

MSN and Yahoo! moved to dismiss, citing CDA Section 230(c)(2), which on its face immunizes service providers for “any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers … objectionable,” and arguing that the facts that Holomaxx alleged were insufficient to overcome this statutory immunity.

Agreeing, Judge Fogel called CDA immunity “robust” and, citing the Ninth Circuit’s opinion in Fair Housing Council v. Roommates.com, LLC, noted that “all doubts must be resolved in favor of immunity.”  The court cited Zango v. Kaspersky, where the Ninth Circuit explained that the CDA “plainly immunizes” providers that “make[s] available software that filters or screens material that the user or the provider deems objectionable.”  In Zango, the Ninth Circuit affirmed the district court’s dismissal of a software maker’s suit against an anti-adware security firm for allegedly making it difficult for users who had installed the security firm’s anti-adware tools to use the plaintiff’s software.  However, the Ninth Circuit explained that a provider might lose immunity where it “block[s] content for anticompetitive purposes or merely at its malicious whim.”  Under that standard, the question was whether Holomaxx alleged sufficient facts to show that MSN and Yahoo! acted in an “absence of good faith” when they blocked Holomaxx’s emails.

The answer was no.  The court discounted Holomaxx’s reliance on the MAAWG guidelines because Holomaxx had not shown them to be an industry standard.

The fact that the companies temporarily resumed delivery of Holomaxx’s emails did not demonstrate an anticompetitive motive because the CDA gives providers wide discretion in deeming content objectionable.  As to alleged malice, the court explained that, “[T]o permit Holomaxx to proceed solely on the basis of a conclusory allegation that Yahoo! acted in bad faith essentially would rewrite the CDA.”  (Note:  On its face, the CDA did not apply to Holomaxx’s Wiretap Act and Stored Communications Act claims; the court dismissed those claims because it found that Holomaxx failed to adequately allege how MSN or Yahoo! had violated those statutes.)

A leading commentator has noted that the Ninth Circuit’s Zango case provided website operators a “high degree of freedom to make judgments about how to best serve their customers.”  The Holomaxx dismissals confirm that point.  With social media spam on the rise even as email spam decreases and web-based email in general declines, both the Holomaxx and Zango cases could assist social media providers in their efforts to prevent unsolicited messages and abuse while at the same time maintaining the instant, social, viral qualities that keep users engaged and advertisers paying.

One final point – as one observer notes, Holomaxx’s compliance with CAN-SPAM, described in great detail in each of the complaints, did not matter to Judge Fogel’s holding.  That is, the mere fact that Holomaxx’s marketing messages were legal did not compel Microsoft or Yahoo! to either deliver those messages or lose CDA immunity.  Thus, the court rejected an argument that might have resulted implicitly in the requirements of CAN-SPAM setting a ceiling, rather than a floor, for service providers’ anti-abuse efforts.