Is It Permissible for a Lawyer to Befriend a Witness on Facebook In Order to Gather Information for a Lawsuit?

Ever worry that what you do on a social networking site could be used against you in a court of law? While no one is recommending that Facebook provide users with its own version of the Miranda rights, two Bar Associations have recently considered this issue in the context of lawyers using information from social networking sites to gather impeachment material to use against witnesses in civil lawsuits.

On September 10, 2010, the New York State Bar Association, Committee on Professional Ethics, followed the March 2009 opinion of the Philadelphia Professional Guidance Committee in ruling that it is improper for a lawyer to befriend an adverse witness on Facebook for the purpose of obtaining potential impeachment material to use at a deposition. Both legal ethical bodies “determined that the proposed ‘friending’ by a third party would constitute deception in violation of Rules [of Professional Conduct] 8.4 and 4.1, and would constitute a supervisory violation under Rule 5.3 because the third party would omit a material fact (i.e. that the third party would be seeking access to the witness’s social networking pages solely to obtain information for the lawyer to use in the pending lawsuit).” New York State Bar Assoc. Op. 843 (9/1//10).

The New York State Committee, however, dealt with the additional issue of whether a lawyer may simply view and access the publicly available Facebook and My Space pages of a party in a pending litigation in order to gather possible impeachment material for use in litigation. The Committee concluded “that the lawyer may ethically view and access the Facebook and MySpace profiles of a party other than the lawyer’s client in litigation as long as the party’s profile is available to all members in the network and the lawyer neither ‘friends’ the other party nor directs someone else to do so.”

The Committee explained that New York’s Rule 8.4 [of Professional Conduct prohibiting deceptive conduct by a lawyer] would not be implicated because the lawyer is not engaging in deception by accessing a public website that is available to anyone in the network, provided that the lawyer does not employ deception in another way (including, for example, employing deception to become a member of the network).” Thus, ‘[o]btaining information about a party available in the Facebook or MySpace profile is similar to obtaining information that is available in publicly accessible online or print media, or through a subscription research service such as Nexis or Factiva.” These ethical opinions notwithstanding, the lesson to the public is to be aware that whatever you post on a social networking site can come back to haunt you in unexpected ways.

Maryland Court: Employees Who Steal Data from the Company Computer do not Violate the Computer Fraud and Abuse Act

A federal district court in Maryland held that an employee who allegedly stole proprietary data from his prior employer did not violate the Computer Fraud and Abuse Act (“CFAA”) because he was authorized to access the data and use the data on the job before he terminated his employment with his prior employer. Océ North America, Inc. v. MCS Services, Inc., 2010 WL 3703277 *3-*5 (D. Md. Sept. 16, 2010).

Océ North America (Océ) “designs, manufactures, sells, and services high volume production printing systems . . .for commercial printing functions.” Id. at *1. The complaint alleged that a former Océ employee went to work for a direct competitor, the defendant MCS Services, Inc.(“MCS”). Océ claimed that before leaving its employ the former employee copied from its computers its proprietary “diagnostic software, a parts manual, and a maintenance manual” and that MCS distributed this stolen material to “its engineers who are using these copies in their daily work.” Id.

The court dismissed the CFAA claim based on Océ’s failure to allege facts showing that its former employee accessed its computers “without authorization,” an essential element of the CFAA. The court held that Océ’s former employee could not have accessed its computers without authorization when he stole the proprietary material because “it was part of his job to use . . . [Océ’s] computers and the software on the computers.” Id. at *4. In support of its decision the court did not address the division in the Circuit courts on this issue created by the 9th Circuit in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir.2009) or explain why it believed its position was more correct than the other courts which have found that employees are can violate the CFAA.

The court did not address Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) which held that an employee’s authorization to access the company computer is predicated on his agency relationship with his employer such that when the employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates.

The court also found that the copying of the software “may have been a violation of . . . [the former Océ employee’s] employment agreement” (Id. at *4) but did not address the caselaw in the First and Fifth Circuits which allow the employer to place limits on the scope of the employee’s authorization to access the company computers. U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir. 2001). Instead, the court simply cited three district court opinions that support its position.

Facebook Places Has Checked-in: Brand Owners Should Consider Proactively Setting Up Pages to Prevent Unfixable Errors

By: Jamie N. Nafziger
Dorsey & Whitney, Partner.

Those familiar with Foursquare, Yelp, Gowalla and other location-based social networking sites will not be surprised that Facebook has jumped into the fray and recently launched several geolocation-related services. This article includes recommendations on how brand owners can protect their brands in connection with these new services.

1. Facebook Places 
Facebook Places launched in August 2010 and provides a place for users to “check-in” at a physical location from their iPhone (similar functionality for Android and Blackberry devices is in the works). They can also check-in their friends (if their friends do not opt out) at a physical location. Thus, by checking-in at your business, one of your customers or employees can indicate that they visited your company and their “friends” will be alerted to their visit. Presumably, the ability to review or comment on a company will be included in the future, as it is in Foursquare, Yelp, and other services.

Key issues for brand owners to consider include:

• Once it is created, the title of a Facebook Places Page about your company cannot be edited, so if you want to make sure it is correct, it is best to set up the Facebook Places Page yourself now (we can assist you with the process if you need help).

• If someone else has already set up a Facebook Places Page for your company, you can claim it. If you claim the Page, you can edit the address, business hours, profile picture, and contact information and can designate administrators who will control the Page on behalf of your company. We recommend that you consider claiming any existing Pages so they will reflect accurate information about your company and its brands.

• If your company has a Facebook Places Page, it exists independently from your company’s main Facebook Page. You can now merge your main Facebook Page with your Facebook Places Page. However, Facebook currently does not have functionality that will work for businesses with multiple locations (and thus, multiple Facebook Places Pages). The Facebook Places Guide for Businesses states that a solution to this problem will become available in the future.

• It would be difficult for another company or individual to claim your Facebook Places Page because of the fairly rigorous requirements for claiming a Page (including submitting your company’s Federal Employee Identification Number (EIN) and faxing in corporate documents), but we advise monitoring for this type of activity.

• If you have concerns about your employees checking-in during the course of their workday at places that might give away a company trade secret, you may want to update your social networking policy accordingly.
2. Integration with Foursquare, Gowalla, Yelp, Booyah, and Citysearch 
Based on a recent integration, check-in updates and customer reviews of your business from these five other location-based sites now also appear in Facebook. Thus, we recommend that you search your company’s key brands on these other sites as well. From the search results, you can determine whether you want to claim any profiles or whether any infringement or other unfavorable activity is occurring on them. The increased visibility of the content of these sites to Facebook’s over 500 million users will likely increase both the benefit and the harm your business might experience from that content.

3. Content for Multiple Locations on Main Company Facebook Page 
If your company has multiple locations, you have probably struggled with how to maintain a coherent presence on Facebook and allow your locations to include local information as well. In May, the McDonald’s Page on Facebook became the first corporate Page to include geolocation functionality and now includes a “Local” tab which allows individual McDonald’s locations to post content and special offers within the main company Facebook Page. It is unclear how or whether this functionality will be integrated with Facebook Places.

We expect the geolocation social networking space to remain competitive and to continue to change rapidly. Please feel free to contact us if you have questions or need assistance in protecting your brands in this area.

Win for Apple on Its iPhone Operating System: Computer Fraud and Abuse Act Claim Dismissed

A critical element in proving either a civil or criminal violation of the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute, is that the defendant act with criminal intent as opposed to mistake or negligence. In discussing the breadth of computers covered by the CFAA the Eight Circuit emphasized the importance of this critical element of intent: “[w]hat protects people who accidentally erase songs on an iPod, trip over (and thus disable) a wireless base station, or rear-end a car and set off a computerized airbag, is not judicial creativity but the requirements of the statute itself: the damage must be intentional.” U.S. v. Mitra, 405 F.3d 492, 495-96 (8th Cir. 2005). Indeed, the CFAA expressly provides that a defendant who is charged with violating the CFAA for damaging a computer must be shown to have “intentionally caus[ed] damage without authorization.” 18 U.S.C. § 1030 (a) (5) (A) (i).

This past summer, as part of a class action suit against Apple, Inc. (“Apple”) and AT&T Mobility, LLC alleging various causes of action including the Sherman Antitrust Act, a California federal court granted summary judgment to Apple dismissing the CFAA claim because of a lack of proof that Apple had intended to damage consumers’ iPhones with its 1.1.1 Operating System Software. In re Apple & ATTM Antitrust Litigation, 2010 WL 3521965 *5-7 (N.D. Ca. July 8, 2010).

The CFAA claim was premised on the plaintiffs’ claim that “they lost third party applications [on their iPhones] when the 1.1.1 Software bricked [made inoperable] their iPhones and they were unable to use their iPhones for a period of days after their iPhones were bricked.” Id. at *5. These third party applications apparently cost the plaintiffs “between $10 and $70.” Id. at *6. The court found that the plaintiffs had not established standing because they had “not produced sufficient evidence of injury resulting from the 1.1.1 Software” since Apple had promptly provided them with “a free replacement iPhone,” and there was not “sufficient evidence of harm based on loss of third party software applications.” Id. at *7.

Nonetheless, the court held that even if the plaintiffs had established such evidence of harm, they had “not produced sufficient evidence to show that the Defendant Apple acted with an intent to damage Plaintiffs’ iPhones with the 1.1.1 Software.” Id. at 7. In particular, the court found that “Plaintiffs have not produced documents or testimony showing that Defendant Apple designed the 1.1.1 Software to “brick” iPhones containing third party applications,” and therefore the “Plaintiffs have failed to introduce specific evidence to create [a] triable issue that in offering the 1.1.1 Software, Apple acted with intentional conduct to cause Plaintiffs harm.” Id.

The court also found it significant that the Plaintiffs failed to produce ‘any evidence that they were required to download and install the 1.1.1 Software,” but “[i]nstead, they each voluntarily installed it.” Id. Thus, the court concluded that this “[v]oluntary installation runs counter . . . to CFAA’s requirement that the act was ‘without authorization.” Id.

This case is significant because it underscores the legal requirement that a CFAA claim can only be successful if the plaintiff is able to prove criminal intent. Non-criminal practitioners who traditionally file civil lawsuits can easily lose sight of the fact that the CFAA is essentially a criminal statute, and that even though a civil case need only be proven by a preponderance of the evidence as opposed to the beyond a reasonably doubt criminal standard, the CFAA still requires proof of the traditional criminal element of intent.

Computer Fraud and Abuse Act Count Dismissed Against Goldman Sachs Computer Programmer Charged with Stealing Source Code

A New York federal Judge dismissed the Computer Fraud and Abuse Act (“CFAA”) count charging Sergey Aleynikov, a former computer programmer for Goldman Sachs & Co., with stealing the computer source code used in Goldman’s high-frequency trading system. U.S. v. Aleynikov, 2010 WL 3489383 *14-17 (S.D.N.Y. Sept. 3, 2010). The reasoning underlying this opinion underscores the need for the U.S. Supreme Court to resolve the conflict between the 9th Circuit and the 1st, 5th, 7th and 11th Circuits on the applicability of the CFAA to employees who steal data from their employers.

As described by the court, ”Aleynikov was responsible for developing and maintaining some of the computer programs used to operate Goldman’s high-frequency trading system. Aleynikov resigned in June 2009 to work for Teza Technologies, LLC (“Teza”), a company founded earlier that year. Teza offered Aleynikov the title of ‘Executive Vice President, Platform Engineering,’ in which position he would be responsible for developing Teza’s own high-frequency trading business that would compete with Goldman.” Id. at 1.

Based on his theft of Goldman’s source code, Aleynikov was charged with one count of violating the Economic Espionage Act for theft of trade secrets, Title 18, U.S.C. §§ 1832(a)(2) and (4), one count of violating the Interstate Transportation of Stolen Property Statute, Title 18 U.S. C. §2314, and one count of violating the CFAA, Title 18 U.S.C. §1030(c)(2)(B)(i)-(iii). The court granted the motion to dismiss the CFAA count while denying Aleynikov’s motion to dismiss the other two counts.

In dismissing the CFAA the count court relied on LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir.2009) for its proposition that “an employee with authority to access his employer’s computer system does not violate the CFAA by using his access privileges to misappropriate information.” Id. at 13. Thus, the court concluded that the ordinary meaning of the statute outlawing unauthorized access cannot apply to employees who are provided access to the company computers and that “[w]hat use an individual makes of the accessed information is utterly distinct from whether the access was authorized in the first place.” Id. at 15.

The court rejected the premise of the Seventh Circuits opinion in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) that an employee’s authorization to access the company computer is predicated on the agency relationship with his employer and the First and Fifth Circuits which allow the employer to place limits on the scope of the employee’s authorization to access the company computers. U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir. 2001).

The court faults these three circuit cases because “they identify no statutory language that supports interpreting the CFAA to reach misuse or misappropriation of information that is lawfully accessed, but that “[i]nstead, they improperly infer that “authorization” is automatically terminated where an individual “exceed[s] the purposes for which access is ‘authorized.’ ” Id. at 17. Other than point out the obvious that these “cases would require an analysis of an individual’s subjective intent” (Id.) in accessing the computer (a requirement in every criminal statute for determining whether a defendant’s actions amounted to a crime), the court does not address why the First Circuit is incorrect in its view that ‘the CFAA permits computer owners to “spell out explicitly what is forbidden” on its computers, EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003).

Indeed, if the ordinary meaning of “authorization,” as the court explains is to “to grant authority or permission to do something,” (Aleynikov at *15.) why cannot an employer set out the scope of an employee’s permissions to access the computer? That such employer generated permissions may form the basis for a criminal violation of the CFAA is totally proper and is no different than the long established principle that a “No Trespass” sign can form the predicate for criminal trespass in some jurisdictions.

In U.S. v. Salum, 257 Fed. Appx, 225, 230-31 (11th Cir. 2007), a case not discussed by the court, a police officer with the Montgomery, Alabama Police Department was convicted for violating the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that there was sufficient evidence for the jury to conclude that Salum had accessed the computer “without authorization” because at the time he accessed the computer Salum knew that he was accessing the information “for an improper purpose” that was contrary to the work rules governing how the database was to be used. Id. at 230.

Second, the court held that “an interpretation of the CFAA based upon agency principles would greatly expand the reach of the CFAA to any employee who accesses a company’s computer system in a manner that is adverse to her employer’s interests” and that “[t]his would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense.” Id at 17. This statement by the court ignores the Supreme Court’s holding in Carpenter v. United States, 484 U.S. 19, 27 (1987) which has already approved converting an ordinary violation of a duty of loyalty to a federal offense. In Carpenter the Court relied upon the Restatement (Second) of Agency to affirm the mail and wire fraud convictions of a Wall Street Journal reporter who prior to publication had provided his upcoming financial columns to his confederates who bought or sold stock “based on the probable impact of the column on the market.” Id. at 23.

The defendant columnist argued that that his “conduct in revealing prepublication information was no more than a violation of workplace rules and did not amount to fraudulent activity that is prescribed by the mail and wire fraud statutes.” Id. 27. Based on the Restatement, the Court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment” and that intentionally exploiting that information for his own personal benefit was a scheme to defraud his employer of confidential information outlawed by the mail and wire fraud statutes. Id.

If the Restatement can proscribe the duty of an employee in the context of the mail and wire fraud statutes to safeguard his employer’s confidential information, there is no sound reason why it cannot also proscribe the scope of an employee’s authorization to access his employer’s computer in the context of the CFAA. What is remarkable in the Aleynikov case is that the court did cite to Carpenter in that portion of its opinion dealing with the interstate transportation of stolen property count but ignored its relevance to the CFAA count. Aleynikov at *11, n.16.

In short, as the Aleynikov decision reflects, the conflict among the Circuits created by the Ninth Circuit’s opinion in Brekka and the inconsistencies in its reasoning with established Supreme Court precedent can only be resolved by the Supreme Court.

California Court Permits Company to Subpoena Yahoo, Google and ISPs to Identify Anonymous Computer Hacker

A federal court in San Jose California last week permitted SolarBridge Technologies, Inc. (“SolarBridge”) to serve subpoenas on Yahoo, Google and various Internet Service Providers to identify the sender of an email containing SolarBridge’s confidential and trade secret protected data including schematics and other product designs of current and future products. SolarBridge Technologies, Inc. v. John Doe, 2010 WL 3419189 (N.D. Ca. Aug. 27, 2010). With criminals hiding behind the anonymity provided by the Internet this case has widespread application to companies willing to take aggressive action to protect their data and provides an excellent blueprint for going after anonymous computer hackers.

A Mark Tatley ostensibly sent the email at issue from his Yahoo email address to a competitor of SolarBridge. The competitor responsibly notified SolarBridge of the receipt of the email. In response SolarBridge conducted its own investigation into the email, including an effort to locate Mark Tatley through the Yahoo email address and a search of public records and concluded that there was “no real individual named “Mark Tatley” and that the email address was created anonymously with fake information.” Id. at *1. Having exhausted all means to identify the person who had stolen its competitively sensitive data, SolarBridge filed a John Doe lawsuit alleging, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”) and asked the court for limited discovery so it could identify the proper defendant to be served in the action.

While recognizing that “[t]he practice of suing Doe defendants is generally disfavored in the Ninth Circuit,” the court stated that “where the identity of the alleged defendant will not be known prior to the filing of a lawsuit, ‘the plaintiff should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds.'” Wakefield v. Thompson, 177 F.3d 1160, 1163 (9th Cir.1999) (quoting Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir.1980)).

Thus, the court stated that limited discovery to identify “an anonymous Internet user” is permitted when the plaintiff:

(1) identifies the missing party with sufficient specificity such that the court can determine that defendant is a real person or entity who could be sued in federal court;
 (2) identifies all previous steps taken to locate the elusive defendant;
 (3) establishes to the court’s satisfaction that the lawsuit against defendant could withstand a motion to dismiss; and
 (4) states reasons justifying the specific discovery requested, and identifies a limited number of persons or entities upon whom discovery might be served and for which there is a reasonable likelihood that the discovery will lead to identifying information about defendant that would make service of process possible.

The court concluded that SolarBridge had met its burden –
1) John Doe “is an individual or entity that accessed SolarBridge’s confidential information and disclosed that information to one of its competitors, and the email sent by Defendant is associated with San Jose-based company Yahoo!, Inc,”
2) SolarBridge had “undertaken a diligent investigation to identify Defendant without the use of third party discovery, to no avail,”
3) “SolarBridge’s action would likely withstand a motion to dismiss, as it appears to have sufficiently alleged claims for violations of the CFAA” and other causes of action, and
4) “SolarBridge has shown that there is a reasonable likelihood that its requested discovery will lead to information to identify Defendant and make service on Defendant possible.” Id. at *2.

When a hacker strikes, the procedures outlined in SolarBridge should be considered as a proactive option to sue the perpetrator for damages and an injunction to prevent further intrusions into the company computers. Every hacker leaves behind an IP address or a trail of IP addresses. It is virtually impossible, however, to identify the owner of an IP address from the public record. Given privacy concerns, companies like Yahoo and Google are harder to penetrate than a Swiss bank and will not voluntarily turn over the identities or records associated with IP or email addresses unless subpoenaed or ordered to do so by a court. Thus, as I have found in my own practice, a well-planned John Doe lawsuit, like that in SolarBridge, can provide a powerful strategic tool to retrieve stolen data and prevent its dissemination.

Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction

Two federal district courts, one in Maryland and the other in Texas, dismissed what each court considered to be valid civil claims under the Computer Fraud and Abuse Act (“CFAA”). Title 18 U.S.C. § 1030. The CFAA is the federal computer crime statute that provides a civil cause of action to “any person who suffers damage or loss by reason of a violation of the” statute. The ground for dismissal in each case was the lack of federal jurisdiction for failure to meet the CFAA’s jurisdictional requirement of $5,000 in loss. Continue reading