Monday, May 6, 2013

Part 1 (The Facts): CFAA case to test the EFF's proposed reform language

In this first post I will outline the relevant facts of the Fidlar case and how the facts present an interesting issue for the proposed CFAA reform language of the EFF (and Rep. Lofgren). At the end of this post, I note EFF Attorney Hanni Fakhoury's initial take on the case. 

In the second post I will offer my own take. I will then propose some changes to the reform language that would clarify the issue. I will conclude by taking a step back and opining on whether the CFAA should even apply to this kind of contractual dispute, and if so, in what circumstances. Spoiler - I will propose a presumption.

A case in the federal District Court for the Central District of Illinois is worth keeping an eye on if you are interested in the evolution of the CFAA from an anti-hacking statute into one used to police terms of service violations, employee disloyalty, and contractual disputes.

First, as a point of reference, consider the EFF's proposed language to amend the CFAA (emphasis added):
(6) The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.  
The term “without the express or implied permission” does not include access in violation of a duty, agreement, or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer.
This language was adopted in some form in Rep. Lofgren's CFAA reform bill. For Orin Kerr's take on these proposals, see here: Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples, and here: Drafting Problems With the Second Version of “Aaron’s Law” from Rep. Lofgren.

Back to the case at hand, here is the alleged offense in the complaint from Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 4:13-cv-4021 (C.D. Ill. Mar. 13, 2013) (emphasis added):
17. In or around 2012, LPS created one or more computer programs, the sole purpose of which were to mimic the interface between Fidlar’s user-interface software and Fidlar’s server software. The mimicked program allowed LPS to fraudulently present itself to Fidlar’s server software as though it had gained access through the Laredo user-interface, but without the attendant user controls. 
18. Fidlar’s server software programs are designed to prevent Fidlar’s customers from accessing those servers by any means other than through Fidlar’s software. 
19. Fidlar does not train, promote, or explicitly publish, nor intend to publish the techniques necessary to access Fidlar’s server software directly and circumvent the Fidlar user-interface software of Laredo or Tapestry. 
20. Specifically, LPS created mimic software that allowed Defendant to fraudulently obtain documents electronically and search at a higher rate and volume than would otherwise be possible. 
21. This mimic software program that LPS created, allowed Defendant to gain fraudulent access to Fidlar’s server software and bypass user controls embedded in the Laredo program. In this manner LPS fraudulently obtained documents that Fidlar server software had retrieved from governmental databases. 
Later in the complaint, Fidlar alleges that LPS's use of this mimicked interface allowed LPS to access documents that it would normally have to pay for; placed a burden on Fidlar's servers that damaged its operations; prevented Fidlar from being able to track LPS's use; and caused damages in excess of $80,000. Relating to damages, the complaint states: "As a result of Defendant’s unauthorized use of Fidlar’s computers and computer servers, Fidlar has been damaged in excess of $5,000 in the past calendar year. . . . To date, Fidlar has incurred economic damages in excess of $80,000 in attempting to determine the extent of Defendant’s fraudulent invasion of its computers and computer servers, and those damages are ongoing and increasing."

Fidlar’s complaint does not allege what specific section of 18 U.S.C. § 1030 LPS violated, but the language in the complaint reiterates the phrase "without authorization" (i.e. "Defendant has engaged in a pattern of unauthorized access of Fidlar’s computers and computer servers, in order to intentionally obtain information from Fidlar’s computers"); thus "without authorization" will be the focus of the analysis in my next post.

After reading the complaint, the next logical question is whether any language in the license agreement directly applies; it can be found here: Exhibit A - Fidlar Technologies Laredo End User Agreement. In my opinion it doesn't say much that is helpful to this dispute. The bulk of the agreement relates to Fidlar's protection of its intellectual property; I do not see any limiting language on how a customer may access the database. Feel free to correct me.

Unsurprisingly, LPS's side of the story is quite different. Its Motion to Dismiss for Failure to State a Claim (filed Apr. 8, 2013) (emphasis added & internal cites omitted, except where relevant) states:
Fidlar’s CFAA claim fails for two reasons: 1) LPS was authorized to access Fidlar’s computers, and 2) Fidlar does not allege that it suffered “damage” or “loss” as those terms are defined by the CFAA.
a. LPS was authorized to access Fidlar’s computers. 
Fidlar’s complaint explicitly concedes that LPS has been a customer of Fidlar “since at least 2009 using the Laredo program and has installed the Laredo program on its own computers.” The complaint further admits, “LPS has purchased Laredo licenses in 76 counties where Fidlar has provides [sic] access to documents.” In other words, LPS had paid for and was granted authorization to access the data on Fidlar’s servers relating to those counties.
Even though LPS was authorized to access Fidlar’s servers, Fidlar complains that LPS went about it the wrong way. Specifically, LPS did not employ an individual to manually review the documents one at a time. Instead, LPS employed a computer program that allegedly circumvented controls that Fidlar claims were in place to “prevent customers from electronically capturing and downloading documents” instead of paying for copies. 
As a matter of law, these allegations do not constitute “intentionally access[ing] a computer without authorization.” The term “without authorization” means “without any permission at all.” AtPac, Inc., 730 F. Supp. 2d at 1179 (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009)). On this issue, the decision in State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009) is particularly instructive. There were two defendants in State Analysis: the first was alleged to have accessed the plaintiff’s website using usernames and passwords that did not belong to it and to which it had never been given lawful access, while the second was alleged to have misused the passwords with which it had been entrusted. The court allowed the CFAA claim to proceed against the first defendant, but granted the second defendant’s motion to dismiss, explicitly holding that while use of an unauthorized password to access password-protected content may constitute a CFAA violation, a mere allegation that a defendant “used the information [which it had been given lawful authority to access] in an inappropriate way” did not state a claim for relief. 
Fidlar wrongly contends that authorized access becomes unauthorized if the user violates contractual or embedded limitations on the use of the data (i.e., saves the images rather than printing them out). This is not the law. . . .
The logic here is simple. By its terms, the CFAA only addresses access to electronically stored data as opposed to the use of that data. . . . [FN1]
[FN1] - The only Seventh Circuit decision LPS could find that touches on the definition of “authorized access” is International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir.2006), but it is inapposite. In that case, the Court held that an employee’s authority to access his employer’s computers ceases when he decides to leave his job, go into competition against his employer, and abandon his duty of loyalty.
In short, LPS had authority to access Fidlar’s database of public records and Fidlar’s claim to the contrary is not plausible. LPS did not violate the CFAA merely by saving images of those public records instead of printing them. In fact, this conduct is not even a breach of Fidlar’s user agreement that a Laredo user must accept before accessing a county’s records through Laredo. A true and correct copy of a Fidlar user agreement is attached as Exhibit A, and the Court may consider it on a Rule 12(b)(6) motion because it is referenced in the complaint and Fidlar’s user agreement is central to Fidlar’s claim. . . . Nothing in the User Agreement prohibits any of the conduct alleged in the complaint. Thus, even if Fidlar attempted to rely on the User Agreement to argue that LPS lacked authorization to access the data in the manner that it did, it would still not violate the CFAA. 
b. Fidlar does not allege damage or loss under the CFAA.
... 
Fidlar’s complaint does not even attempt to allege it suffered “damage.” Fidlar’s complaint only alleges that it became “aware of a strange usage pattern” related to LPS’s licenses, and as a result, “audited several LPS accounts to determine account activity.” Notably, Fidlar alleges that LPS’s conduct only “continues to threaten to overload those servers” and “continues to be able to disrupt Fidlar’s operations.” There is no allegation that LPS’s conduct actually caused Fidlar’s servers to crash, overload, or otherwise malfunction. Indeed, it is the lack of activity recorded on Fidlar’s servers that underlies its complaint. 
Thus, Fidlar may only maintain a civil action for CFAA violations if it suffered a “loss.” As the statutory definition makes clear, its claim for unpaid printing charges is not recoverable. Lost revenue and consequential damages are only losses if they were caused by an interruption in service. 18 U.S.C. §1030(e)(11).
The only allegations in Fidlar’s complaint that even approach the definition of loss relate to its investigation into LPS’s access. This investigation, however, was not into an interruption in service, destruction of data, or impairment of a program. Instead, it was an investigation into unpaid printing charges and unmonitored usage. The cost of this type of investigation does not meet the statutory definition of loss. 
The court has not yet ruled on LPS's motion to dismiss. There have been counterclaims, motions for temporary restraining orders, and issues related to discovery. If the MTD is denied (which seems likely) or granted before I get the next post up, I will pass that on immediately.

As stated above, I mentioned this case to Hanni Fakhoury, Staff Attorney at the Electronic Frontier Foundation. Here are his comments (emphasis added):
I read the complaint and the MTD portions re: the CFAA claim . . . sounds very much to me like Nosal (re: use v. access) and Facebook v. Power Ventures (https://www.eff.org/cases/facebook-v-power-ventures). 
I think the issue comes down to whether LPS violated a code-based restriction on access to that data or a contractual restriction, and the complaint and MTD don't really shed much light on that point (other than to claim it wasn't a violation of the contractual terms of service). Interesting case and a good find. It also provides an opportunity for the court to decide whether Citrin applies beyond the employment context.
Assuming that the End User Agreement (Exhibit A) is the only document governing the relationship between Fidlar and LPS, I can't see how this comes down to a contractual dispute in isolation (or whether that guides the court's decision much, except to say that the contract is void of informative language). Therefore, I see this as being forced under the CFAA, which is why the case should be interesting to watch.

Last note (if you didn't read the complaint in its entirety) - The other causes of action in the complaint are a violation of the Illinois Computer Tampering Statute and common law trespass to chattels.
