Академический Документы
Профессиональный Документы
Культура Документы
1
2
3
4
5
6
7
8
10
11
12
FACEBOOK, INC.,
Plaintiff,
13
v.
14
15
MARTIN GRUNIN,
Judge:
Hon. William H. Alsup
Location: Courtroom 8 - 19th Floor
Date:
January 8, 2015
Time:
1:30 p.m.
Defendant.
16
17
18
19
20
21
22
23
24
25
I.
Introduction
On December 19, 2014, the Court issued a Request for Briefing (Dkt. 73) asking
Facebook: (1) whether any federal courts have found liability under 18 U.S.C. 1030(a)(2) and
(a)(4) and/or Cal. Penal Code 502(c) based on the actions alleged against Grunin; (2) to explain
specifically how Grunin obtained information from a computer in violation of 18 U.S.C.
1030(a)(2); and (3) whether any federal court ever found liability under 18 U.S.C. 1030(a) or
Cal. Penal Code 502(c) based on a service-users accessing a server to obtain online services or
user accounts after his/her accounts had been revoked or terminated.
26
27
28
LEGAL124582890.8
-1-
1
2
3
II.
Has Any Federal Court Found Liability Under 18 U.S.C. 1030(a)(2), (a)(4),
and/or Cal. Penal Code 502(c) Based on the Actions Grunin Allegedly Took
as Pled in the Operative Complaint?
A number of courts have found liability under the Computer Fraud and Abuse Act
(CFAA) and Cal. Penal Code 502 based on actions similar to those Grunin allegedly took as
pled in the operative complaint. In fact, several courts within the Ninth Circuit have held service
usersnot employeesliable for unauthorized access to public websites after access was
revoked. The most relevant case law on point comes from a pair of fairly recent Northern District
cases: Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025 (N.D. Cal. 2012), and
10
11
craigslist, Inc. v. Kerbel, No. c-11-3309 EMC, 2012 WL 3166798 (N.D. Cal. Aug. 2, 2012).
The defendant in Power Ventures operated www.power.com, which was used to integrate
12
users various social media accounts by inducing Facebook users to provide their login
13
information and then using that information to scrape (or copy) Facebook data and display it on
14
power.com. 844 F. Supp. 2d at 1027-28. Facebook sent Power Ventures a cease-and-desist letter
15
advising Power Ventures that its actions were not authorized and revoking any rights of access to
16
Facebooks site and/or services. Id. at 1031. Facebook also instituted technical measures to
17
block users from accessing Facebook through power.com. Id. When Power Ventures
18
circumvented those technical measures and continued its conduct, Facebook filed suit alleging
19
20
In its first decision on July 20, 2010 (Facebook, Inc. v. Power Ventures, Inc., No. C 08-
21
05780 JW, 2010 WL 3291750 (N.D. Cal. July 20, 2010)), the court considered whether Power
22
Ventures had violated Cal. Penal Code 502(c). To prove a claim under 502, Facebook would
23
have to prove that Power Ventures had confronted Facebooks technical barriers and
24
circumvented them. Id. at *11-12. In a subsequent decision, the court found that Power Ventures
25
implemented proxy servers to avoid IP address blocks placed by Facebook to prevent power.com
26
from accessing the Facebook site and services. Power Ventures, 844 F. Supp. 2d at 1036-38.
27
The court concluded that Defendants circumvented technical barriers to access the Facebook
28
LEGAL124582890.8
-2-
site, and thus accessed [the] site without permission under 502(c). Id. at 1038. The court
relied on the same analysis and evidence in holding that defendants also violated 18 U.S.C.
1030(a)(2). Id. at 1038-39. Based in part on these conclusions of law, on September 25, 2013,
the court awarded Facebook damages and injunctive relief under Cal. Penal Code 502(c) and 18
U.S.C. 1030. Facebook, Inc. v. Power Ventures, Inc., No. 08-CV-5780-LHK, 2013 WL
users to create a campaign through which Kerbels service would auto-post, and repeatedly re-
post, ads to craigslist. 2012 WL 3166798 at *2. Kerbel circumvented craigslists security
10
measures in order to run his services. Id. Despite receiving multiple cease-and-desist letters from
11
craigslist demanding that he stop accessing the craigslist site and services, Kerbel continued. Id.
12
Craigslist filed suit, Kerbel defaulted, and the court awarded injunctive and monetary relief for a
13
14
Cal. Penal Code 502(c). Id. at *10-12, 18-19. Kerbel's conduct was both knowing and
15
16
agree to the TOU with no intention of complying with it, [and] Kerbel . . . continued said conduct
17
18
Other courts have similarly found liability under the CFAA and Cal. Penal Code 502
19
where website users have accessed public websites they were not authorized to access. See
20
Facebook, Inc. v. Fisher, No. C 09-05842 JF (PSG), 2011 WL 250395 (N.D. Cal. Jan. 26, 2011) 1
21
(awarding Facebook injunctive relief under 18 U.S.C. 1030(g) where Facebook user engaged in
22
a massive campaign to phish Facebook usernames and passwords, gain access to the Facebook
23
accounts of others, and send millions of unsolicited commercial messages to other Facebook
24
users through the Facebook serviceall in clear violation of Facebooks terms); Tagged, Inc. v.
25
Does 1 Through 10, et al., No. C 09-01713 WHA, 2010 WL 370331 (N.D. Cal. Jan. 25, 2010)
26
1
27
28
Note that cases decided prior to Power Ventures did not explicitly require plaintiffs to
demonstrate the imposition of technical measures to block access and subsequent circumvention by the
defendant in order to establish liability.
LEGAL124582890.8
-3-
(granting default judgment under 1030(a)(4) and 502(c)(1)-(3), (7), where defendant
misrepresented his identity, created fake accounts, and circumvented technological security
measures).
In addition, craigslist Inc. v. 3Taps Inc. is also instructive on the issue of unauthorized
access under 18 U.S.C. 1030(a)(2) (though the case was decided in the context of a motion to
dismiss, not for entry of judgment). Craigslist alleged that 3Taps aggregated and republished ads
from craigslist by scraping (or copying) all content posted to craigslist in real time, directly from
craigslist, in violation of craigslists terms of use. craigslist Inc. v. 3Taps Inc., 964 F.Supp.2d
1178, 1180 (N.D. Cal. 2013). In response to this behavior, craigslist sent a cease and desist letter
10
to 3Taps informing 3Taps that it was no longer authorized to access craigslist's website or
11
services for any reason. Id. at 1181. Craigslist also configured its website to block access from
12
IP addresses associated with 3Taps. Id. The court found that 3Taps bypassed that technological
13
barrier by using different IP addresses and proxy servers to conceal its identity, and continued
14
15
The court held that craigslist had stated a claim under 18 U.S.C. 1030(a)(2) because
16
3Taps continued to access the craigslist site without authorization. Id. at 1183-84.
17
18
19
20
21
22
23
24
25
26
27
[W]here a user is altogether banned from accessing a website . . .[t]he banned user
has to follow only one, clear rule: do not access the website. The notice issue
becomes limited to how clearly the website owner communicates the banning.
Here, Craigslist affirmatively communicated its decision to revoke 3Taps' access
through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests
that those measures did not put 3Taps on notice that Craigslist had banned 3Taps;
indeed, 3Taps had to circumvent Craigslist's IP blocking measures to continue
scraping, so it indisputably knew that Craigslist did not want it accessing the
website at all.
Id. at 1184. The court concluded that where 3Taps: (1) received a personally-addressed ceaseand-desist letter stating that it could not access craigslists website for any reason; (2)
discovered that it could no longer access the website at all from its IP addresses; and
(3) . . . continu[ed] to access that website after circumventing the IP restrictions, its deliberate
28
LEGAL124582890.8
-4-
decision to bypass that barrier and continue accessing the website constituted access without
In all of these cases, the users knew their access was not authorized either having received
cease-and-desist letters revoking access and/or because the users worked around technical barriers
to gain access. The same is true of Grunin. He received two written cease-and-desist letters that
clearly revoked his access rights. (Complaint 25, 49-50.) Facebook took technical steps to
disable his accounts and block him from opening new ones with the same information, but Grunin
circumvented those measures almost 70 times and continued to access and/or use Facebooks
website, advertising accounts, advertising services, and network. (Complaint 23-24, 51, 56,
10
67.) Accordingly, Grunin violated Cal. Penal Code 502(c) and 18 U.S.C. 1030(a)(2).
11
Grunin also violated 18 U.S.C. 1030(a)(4). After receiving his first cease-and-desist
12
letter, and assuring Facebook that he would comply, Grunin continued to access Facebook by
13
impersonating other people and tricking Facebook employees into allowing him to take control of
14
legitimate advertising accounts and obtaining more than $340,000 worth of Facebook advertising
15
without paying for it. (Complaint 31-48, 56.) He also used this unauthorized access to sell
16
other advertising accounts on the underground market for profit. (Complaint 27-30.) This is
17
not a case where Grunin inadvertently violated Facebooks site terms. He knew he no longer had
18
19
The Courts Request for Briefing seeks comment on United States v. Nosal, 676 F.3d 854
20
(9th Cir. 2012), and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). These cases
21
are distinguishable because they involve employee/employer relationships where the employee
22
had exceeded authorization to access the employers computer. Here, once Grunins access had
23
24
25
against Nosal for encouraging corporate employees to access confidential information on their
26
employers computer system and to transfer the information to him. 676 F.3d at 856, 859. The
27
employees were authorized to access the computers, network, and information, but violated a
28
LEGAL124582890.8
-5-
corporate data use policy by disclosing it to Nosal. Id. The Ninth Circuit held that the phrase
information, and not restrictions on its use. Id. at 863-64 (emphasis omitted).
Similarly, LVRC Holdings involved a claim against a former employee for the employees
use of his company-owned computer to send emails to his personal account containing work-
related information that LVRC Holdings considered proprietary. 581 F.3d at 1129-30. The Ninth
Circuit held that the defendant had not violated 18 U.S.C. 1030(a)(2) or 1030(a)(4) because he
sent the emails while still employed by LVRC Holdings and while he was still authorized to
access and use both the corporate computer he had been issued and the corporate network from
10
which he obtained the files and used the email service to send himself the documents. Id. at 1135.
11
Both of these cases hinged on the courts finding that because the access to the computers,
12
networks, and information was authorized, the use of those resources was not unauthorized. In
13
contrast, the Fourth Circuit has recently affirmed a CFAA verdict against a former employee who
14
continued to access his employers corporate network long after his employment ended. U.S. v.
15
Steele, No. 13-4567, 2014 WL 7331679, (4th Cir. December 24, 2014). Similar to Steele, and
16
unlike the defendants in Nosal and LVRC Holdings, Grunins access rights were completely
17
revoked, leaving him with no right to be on Facebooks site, network, or platform, or to use
18
Facebooks services for any reason. The concerns about use restrictions versus access
19
restrictions that were at issue in the Nosal, LVRC Holdings, and other employer-employee
20
disputes are simply not present here. As noted by the court in 3Taps, [t]he calculus is different
21
where a user is altogether banned from accessing a website. The banned user has to follow only
22
one, clear rule: do not access the website. 964 F. Supp. 2d at 1184.
23
24
25
26
27
B.
Where Did Facebook Allege that Grunin Accessed and Obtained Information
from a Computer?
28
LEGAL124582890.8
-6-
information can be stolen without asportation, and the original usually remains intact.).
Facebook alleged that Grunin interacted with the Facebook website to create and transfer
multiple new Facebook and advertising accounts and that he continued to create and run new
advertising campaigns on Facebook, all of which logically involved using his computer to contact
and read information from the Facebook website. (Complaint 67.) Facebook also alleged that
Grunin accessed the new advertising accounts that Facebook employees had created for
Thinkmodo and Imprezzio Marketing as a result of his fraudulent representations, and used them
to run ad campaigns, which also logically would have involved using his computer to contact and
10
read information from the Facebook website. (Complaint 33, 39, 46.) Facebook also alleged
11
generally that Grunin interacted with the Facebook website and service after his access privileges
12
were revoked, which would satisfy the requirement to access and view information on the
13
Facebook website. (Complaint 27 (using Facebook to run noncompliant and deceptive ads),
14
15
accounts after his first account was disabled and his access privileges were revoked).)
16
Thus, Grunin accessed Facebook without authorization and obtained information within
17
the meaning of 18 U.S.C. 1030(a)(2)(C) and Cal. Penal Code 502(c)(2) many times after his
18
19
20
21
C.
Has Any Federal Court Ever Found Liability Under 1030(a) or 502(c)
Based on a Service-User Accessing a Server to Obtain Online Services or User
Accounts After His/Her Accounts Had Been Revoked or Terminated?
As discussed in section A above, several courts have indeed found liability under
22
1030(a) and 502(c) based on a users accessing an online service or user accounts after the
23
users access to that service or those accounts has been revoked or terminated. See Facebook,
24
Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025 (N.D. Cal. 2012) (user violated Cal. Penal
25
Code 502(c) and 18 U.S.C. 1030(a)(2) by circumventing technical measures to block the
26
users access to online services after receiving a letter revoking the users access rights);
27
craigslist, Inc. v. Kerbel, 2012 WL 3166798 (N.D. Cal. Aug. 2, 2012) (granting default judgment
28
LEGAL124582890.8
-7-
to craigslist under 18 U.S.C. 1030(a)(2), (a)(4) and Cal. Penal Code 502(c) where defendant
ignored several cease and desist letters and continued his unauthorized services that utilized
access to craigslist online services); Tagged, Inc. v. Does 1 Through 10, 2010 WL 370331 (N.D.
Cal. Jan. 25, 2010) (granting default judgment under 18 U.S.C. 1030(a)(4) and Cal. Penal Code
502(c)(1)-(3), (7), based on continued access to online services through fake accounts and
proxy IP servers to circumvent Taggeds technical blocking measures and perpetuate a fraud
against Tagged).
III.
9
10
11
Conclusion
For the foregoing reasons, as well as those contained in Facebooks moving papers,
Facebook respectfully requests that judgment be entered in Facebooks favor on each of its
claims.
12
13
14
By:
15
16
Attorneys for Plaintiff
FACEBOOK, INC.
17
18
19
20
21
22
23
24
25
26
27
28
LEGAL124582890.8
-8-