Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page1 of 8

1
2
3
4
5

Judith B. Jennison, Bar No. 165929

JJennison@perkinscoie.com
PERKINS COIE LLP
1201 Third Avenue, Suite 4900
Seattle, WA 98101-3099
Telephone: 206.359.8000
Facsimile: 206.359.9000
Attorneys for Plaintiff
FACEBOOK, INC.

6
7
8

UNITED STATES DISTRICT COURT

NORTHERN DISTRICT OF CALIFORNIA

10

SAN FRANCISCO DIVISION

11
12

FACEBOOK, INC.,
Plaintiff,

13

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR
BRIEFING

v.

14
15

Case No. 2014-CV-02323

MARTIN GRUNIN,

Judge:
Hon. William H. Alsup
Location: Courtroom 8 - 19th Floor
Date:
January 8, 2015
Time:
1:30 p.m.

Defendant.

16
17
18
19
20
21
22
23
24
25

I.

Introduction
On December 19, 2014, the Court issued a Request for Briefing (Dkt. 73) asking

Facebook: (1) whether any federal courts have found liability under 18 U.S.C. 1030(a)(2) and
(a)(4) and/or Cal. Penal Code 502(c) based on the actions alleged against Grunin; (2) to explain
specifically how Grunin obtained information from a computer in violation of 18 U.S.C.
1030(a)(2); and (3) whether any federal court ever found liability under 18 U.S.C. 1030(a) or
Cal. Penal Code 502(c) based on a service-users accessing a server to obtain online services or
user accounts after his/her accounts had been revoked or terminated.

26
27
28
LEGAL124582890.8

-1-

PLAINTIFF FACEBOOK, INC.'S RESPONSE

TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page2 of 8

1
2
3

II.

Responses to the Courts Questions

A.

Has Any Federal Court Found Liability Under 18 U.S.C. 1030(a)(2), (a)(4),
and/or Cal. Penal Code 502(c) Based on the Actions Grunin Allegedly Took
as Pled in the Operative Complaint?

A number of courts have found liability under the Computer Fraud and Abuse Act

(CFAA) and Cal. Penal Code 502 based on actions similar to those Grunin allegedly took as

pled in the operative complaint. In fact, several courts within the Ninth Circuit have held service

usersnot employeesliable for unauthorized access to public websites after access was

revoked. The most relevant case law on point comes from a pair of fairly recent Northern District

cases: Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025 (N.D. Cal. 2012), and

10
11

craigslist, Inc. v. Kerbel, No. c-11-3309 EMC, 2012 WL 3166798 (N.D. Cal. Aug. 2, 2012).
The defendant in Power Ventures operated www.power.com, which was used to integrate

12

users various social media accounts by inducing Facebook users to provide their login

13

information and then using that information to scrape (or copy) Facebook data and display it on

14

power.com. 844 F. Supp. 2d at 1027-28. Facebook sent Power Ventures a cease-and-desist letter

15

advising Power Ventures that its actions were not authorized and revoking any rights of access to

16

Facebooks site and/or services. Id. at 1031. Facebook also instituted technical measures to

17

block users from accessing Facebook through power.com. Id. When Power Ventures

18

circumvented those technical measures and continued its conduct, Facebook filed suit alleging

19

violations of both Cal. Penal Code 502(c) and the CFAA.

20

In its first decision on July 20, 2010 (Facebook, Inc. v. Power Ventures, Inc., No. C 08-

21

05780 JW, 2010 WL 3291750 (N.D. Cal. July 20, 2010)), the court considered whether Power

22

Ventures had violated Cal. Penal Code 502(c). To prove a claim under 502, Facebook would

23

have to prove that Power Ventures had confronted Facebooks technical barriers and

24

circumvented them. Id. at *11-12. In a subsequent decision, the court found that Power Ventures

25

implemented proxy servers to avoid IP address blocks placed by Facebook to prevent power.com

26

from accessing the Facebook site and services. Power Ventures, 844 F. Supp. 2d at 1036-38.

27

The court concluded that Defendants circumvented technical barriers to access the Facebook

28
LEGAL124582890.8

-2-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page3 of 8

site, and thus accessed [the] site without permission under 502(c). Id. at 1038. The court

relied on the same analysis and evidence in holding that defendants also violated 18 U.S.C.

1030(a)(2). Id. at 1038-39. Based in part on these conclusions of law, on September 25, 2013,

the court awarded Facebook damages and injunctive relief under Cal. Penal Code 502(c) and 18

U.S.C. 1030. Facebook, Inc. v. Power Ventures, Inc., No. 08-CV-5780-LHK, 2013 WL

5372341, at *9, 14 (N.D. Cal. Sept. 25, 2013).

The defendant in Kerbel owned and operated www.craigslist-poster.com, which enabled

users to create a campaign through which Kerbels service would auto-post, and repeatedly re-

post, ads to craigslist. 2012 WL 3166798 at *2. Kerbel circumvented craigslists security

10

measures in order to run his services. Id. Despite receiving multiple cease-and-desist letters from

11

craigslist demanding that he stop accessing the craigslist site and services, Kerbel continued. Id.

12

Craigslist filed suit, Kerbel defaulted, and the court awarded injunctive and monetary relief for a

13

range of claims, including violations of 18 U.S.C. 1030(a)(2)(C), 18 U.S.C. 1030(a)(4), and

14

Cal. Penal Code 502(c). Id. at *10-12, 18-19. Kerbel's conduct was both knowing and

15

intentional[,] . . . it was designed to circumvent craigslist's security features . . . [Kerbel] had to

16

agree to the TOU with no intention of complying with it, [and] Kerbel . . . continued said conduct

17

despite receiving cease and desist letters. Id. at *11.

18

Other courts have similarly found liability under the CFAA and Cal. Penal Code 502

19

where website users have accessed public websites they were not authorized to access. See

20

Facebook, Inc. v. Fisher, No. C 09-05842 JF (PSG), 2011 WL 250395 (N.D. Cal. Jan. 26, 2011) 1

21

(awarding Facebook injunctive relief under 18 U.S.C. 1030(g) where Facebook user engaged in

22

a massive campaign to phish Facebook usernames and passwords, gain access to the Facebook

23

accounts of others, and send millions of unsolicited commercial messages to other Facebook

24

users through the Facebook serviceall in clear violation of Facebooks terms); Tagged, Inc. v.

25

Does 1 Through 10, et al., No. C 09-01713 WHA, 2010 WL 370331 (N.D. Cal. Jan. 25, 2010)

26
1

27
28

Note that cases decided prior to Power Ventures did not explicitly require plaintiffs to
demonstrate the imposition of technical measures to block access and subsequent circumvention by the
defendant in order to establish liability.
LEGAL124582890.8

-3-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page4 of 8

(granting default judgment under 1030(a)(4) and 502(c)(1)-(3), (7), where defendant

misrepresented his identity, created fake accounts, and circumvented technological security

measures).

In addition, craigslist Inc. v. 3Taps Inc. is also instructive on the issue of unauthorized

access under 18 U.S.C. 1030(a)(2) (though the case was decided in the context of a motion to

dismiss, not for entry of judgment). Craigslist alleged that 3Taps aggregated and republished ads

from craigslist by scraping (or copying) all content posted to craigslist in real time, directly from

craigslist, in violation of craigslists terms of use. craigslist Inc. v. 3Taps Inc., 964 F.Supp.2d

1178, 1180 (N.D. Cal. 2013). In response to this behavior, craigslist sent a cease and desist letter

10

to 3Taps informing 3Taps that it was no longer authorized to access craigslist's website or

11

services for any reason. Id. at 1181. Craigslist also configured its website to block access from

12

IP addresses associated with 3Taps. Id. The court found that 3Taps bypassed that technological

13

barrier by using different IP addresses and proxy servers to conceal its identity, and continued

14

scraping data. Id.

15

The court held that craigslist had stated a claim under 18 U.S.C. 1030(a)(2) because

16

3Taps continued to access the craigslist site without authorization. Id. at 1183-84.

17

Specifically, the court found:

18
19
20
21
22
23
24
25
26
27

[W]here a user is altogether banned from accessing a website . . .[t]he banned user
has to follow only one, clear rule: do not access the website. The notice issue
becomes limited to how clearly the website owner communicates the banning.
Here, Craigslist affirmatively communicated its decision to revoke 3Taps' access
through its cease-and-desist letter and IP blocking efforts. 3Taps never suggests
that those measures did not put 3Taps on notice that Craigslist had banned 3Taps;
indeed, 3Taps had to circumvent Craigslist's IP blocking measures to continue
scraping, so it indisputably knew that Craigslist did not want it accessing the
website at all.
Id. at 1184. The court concluded that where 3Taps: (1) received a personally-addressed ceaseand-desist letter stating that it could not access craigslists website for any reason; (2)
discovered that it could no longer access the website at all from its IP addresses; and
(3) . . . continu[ed] to access that website after circumventing the IP restrictions, its deliberate

28
LEGAL124582890.8

-4-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page5 of 8

decision to bypass that barrier and continue accessing the website constituted access without

authorization under the CFAA. Id. at 1186.

In all of these cases, the users knew their access was not authorized either having received

cease-and-desist letters revoking access and/or because the users worked around technical barriers

to gain access. The same is true of Grunin. He received two written cease-and-desist letters that

clearly revoked his access rights. (Complaint 25, 49-50.) Facebook took technical steps to

disable his accounts and block him from opening new ones with the same information, but Grunin

circumvented those measures almost 70 times and continued to access and/or use Facebooks

website, advertising accounts, advertising services, and network. (Complaint 23-24, 51, 56,

10

67.) Accordingly, Grunin violated Cal. Penal Code 502(c) and 18 U.S.C. 1030(a)(2).

11

Grunin also violated 18 U.S.C. 1030(a)(4). After receiving his first cease-and-desist

12

letter, and assuring Facebook that he would comply, Grunin continued to access Facebook by

13

impersonating other people and tricking Facebook employees into allowing him to take control of

14

legitimate advertising accounts and obtaining more than $340,000 worth of Facebook advertising

15

without paying for it. (Complaint 31-48, 56.) He also used this unauthorized access to sell

16

other advertising accounts on the underground market for profit. (Complaint 27-30.) This is

17

not a case where Grunin inadvertently violated Facebooks site terms. He knew he no longer had

18

a right to access the site and intentionally did so anyway.

19

The Courts Request for Briefing seeks comment on United States v. Nosal, 676 F.3d 854

20

(9th Cir. 2012), and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). These cases

21

are distinguishable because they involve employee/employer relationships where the employee

22

had exceeded authorization to access the employers computer. Here, once Grunins access had

23

been revoked, he no longer had any right to access Facebooks servers.

24

In Nosal, the government brought criminal charges under 18 U.S.C. 1030(a)(2)(C)

25

against Nosal for encouraging corporate employees to access confidential information on their

26

employers computer system and to transfer the information to him. 676 F.3d at 856, 859. The

27

employees were authorized to access the computers, network, and information, but violated a

28
LEGAL124582890.8

-5-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page6 of 8

corporate data use policy by disclosing it to Nosal. Id. The Ninth Circuit held that the phrase

exceeds authorized access in the CFAA is limited to violations of restrictions on access to

information, and not restrictions on its use. Id. at 863-64 (emphasis omitted).

Similarly, LVRC Holdings involved a claim against a former employee for the employees

use of his company-owned computer to send emails to his personal account containing work-

related information that LVRC Holdings considered proprietary. 581 F.3d at 1129-30. The Ninth

Circuit held that the defendant had not violated 18 U.S.C. 1030(a)(2) or 1030(a)(4) because he

sent the emails while still employed by LVRC Holdings and while he was still authorized to

access and use both the corporate computer he had been issued and the corporate network from

10

which he obtained the files and used the email service to send himself the documents. Id. at 1135.

11

Both of these cases hinged on the courts finding that because the access to the computers,

12

networks, and information was authorized, the use of those resources was not unauthorized. In

13

contrast, the Fourth Circuit has recently affirmed a CFAA verdict against a former employee who

14

continued to access his employers corporate network long after his employment ended. U.S. v.

15

Steele, No. 13-4567, 2014 WL 7331679, (4th Cir. December 24, 2014). Similar to Steele, and

16

unlike the defendants in Nosal and LVRC Holdings, Grunins access rights were completely

17

revoked, leaving him with no right to be on Facebooks site, network, or platform, or to use

18

Facebooks services for any reason. The concerns about use restrictions versus access

19

restrictions that were at issue in the Nosal, LVRC Holdings, and other employer-employee

20

disputes are simply not present here. As noted by the court in 3Taps, [t]he calculus is different

21

where a user is altogether banned from accessing a website. The banned user has to follow only

22

one, clear rule: do not access the website. 964 F. Supp. 2d at 1184.

23
24
25
26
27

B.

Where Did Facebook Allege that Grunin Accessed and Obtained Information
from a Computer?

Interacting with a website or online service constitutes obtaining information from a

computer under 18 U.S.C. 1030(a)(2)(C). See S. Rep. No. 104-357 at *7 (1996) ([T]he term
obtaining information includes merely reading it. There is no requirement that the information

28
LEGAL124582890.8

-6-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page7 of 8

be copied or transported. This is critically important because, in an electronic environment,

information can be stolen without asportation, and the original usually remains intact.).

Facebook alleged that Grunin interacted with the Facebook website to create and transfer

multiple new Facebook and advertising accounts and that he continued to create and run new

advertising campaigns on Facebook, all of which logically involved using his computer to contact

and read information from the Facebook website. (Complaint 67.) Facebook also alleged that

Grunin accessed the new advertising accounts that Facebook employees had created for

Thinkmodo and Imprezzio Marketing as a result of his fraudulent representations, and used them

to run ad campaigns, which also logically would have involved using his computer to contact and

10

read information from the Facebook website. (Complaint 33, 39, 46.) Facebook also alleged

11

generally that Grunin interacted with the Facebook website and service after his access privileges

12

were revoked, which would satisfy the requirement to access and view information on the

13

Facebook website. (Complaint 27 (using Facebook to run noncompliant and deceptive ads),

14

28-29 (procuring Facebook advertising accounts to sell), 56 (creating at least 70 new

15

accounts after his first account was disabled and his access privileges were revoked).)

16

Thus, Grunin accessed Facebook without authorization and obtained information within

17

the meaning of 18 U.S.C. 1030(a)(2)(C) and Cal. Penal Code 502(c)(2) many times after his

18

access rights were revoked.

19
20
21

C.

Has Any Federal Court Ever Found Liability Under 1030(a) or 502(c)
Based on a Service-User Accessing a Server to Obtain Online Services or User
Accounts After His/Her Accounts Had Been Revoked or Terminated?

As discussed in section A above, several courts have indeed found liability under

22

1030(a) and 502(c) based on a users accessing an online service or user accounts after the

23

users access to that service or those accounts has been revoked or terminated. See Facebook,

24

Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025 (N.D. Cal. 2012) (user violated Cal. Penal

25

Code 502(c) and 18 U.S.C. 1030(a)(2) by circumventing technical measures to block the

26

users access to online services after receiving a letter revoking the users access rights);

27

craigslist, Inc. v. Kerbel, 2012 WL 3166798 (N.D. Cal. Aug. 2, 2012) (granting default judgment

28
LEGAL124582890.8

-7-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)

Case3:14-cv-02323-WHA Document74 Filed12/30/14 Page8 of 8

to craigslist under 18 U.S.C. 1030(a)(2), (a)(4) and Cal. Penal Code 502(c) where defendant

ignored several cease and desist letters and continued his unauthorized services that utilized

access to craigslist online services); Tagged, Inc. v. Does 1 Through 10, 2010 WL 370331 (N.D.

Cal. Jan. 25, 2010) (granting default judgment under 18 U.S.C. 1030(a)(4) and Cal. Penal Code

502(c)(1)-(3), (7), based on continued access to online services through fake accounts and

proxy IP servers to circumvent Taggeds technical blocking measures and perpetuate a fraud

against Tagged).

III.

9
10
11

Conclusion
For the foregoing reasons, as well as those contained in Facebooks moving papers,

Facebook respectfully requests that judgment be entered in Facebooks favor on each of its
claims.

12
13

DATED: December 30, 2014

PERKINS COIE LLP

14

By:

15

/s/ Judith B. Jennison

Judith B. Jennison, Bar No. 165929
JJennison@perkinscoie.com

16
Attorneys for Plaintiff
FACEBOOK, INC.

17
18
19
20
21
22
23
24
25
26
27
28
LEGAL124582890.8

-8-

PLAINTIFF FACEBOOK, INC.'S

RESPONSE TO REQUEST FOR BRIEFING
(Case No. 14-cv-02323)