Apple iTracking Case: will Apple be WINNING on Computer Fraud and Abuse Act claim?

Image representing Apple as depicted in CrunchBase
Image via CrunchBase

From what I’ve seen thus far, it should.

But first let’s start with a little background …

Apple Was iTracking and Got Sued!

As anyone who is not living under a rock knows by now, Apple has been sued over the allegations that it has surreptitiously tracked and recorded the details of all iPhone and 3G iPad owners’ movements since approximately June 2010. These are the allegations underlying the plaintiff’s claims in Ajjampur v. Apple, Inc., (the “Apple iTracking Case”) filed in the Middle District of Florida, Tampa Division on April 22, 2011. Here is a copy of the Complaint.

The CFAA Violations Alleged

The plaintiffs seek to make this a class action lawsuit and claim it is worth in excess of  $5,000,000 for violations of, among other things, the Computer Fraud and Abuse Act (“CFAA”). Their claims are premised upon 2 violations of the CFAA:

  1. Subsection (a)(2)(C) which is the standard “obtains information from a protected computer” “fraud” section that is almost always used. (Last weeks’ blog Basic Elements of a Computer Fraud and Abuse Act – “Fraud” Claim sets out the elements of proof for this “standard” claim); and
  2. Subsection (a)(5)(A) which provides that a violation is committed by “[w]hoever … knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.

Apple will certainly file a Motion to Dismiss the Computer Fraud and Abuse Act claim on the issues of “jurisdictional loss” and “damage” and, in all likelihood, “access” as well. We will start by looking at access, as courts usually do when analyzing Computer Fraud and Abuse Act cases.

The Access Issue

Under the “fraud” violation the plaintiffs must prove that Apple accessed a computer (see Smartphones and the Computer Fraud and Abuse Act–Already Covered?) “without authorization” or that its access of the computer “exceeds authorized access”. This is the first hurdle the plaintiffs must clear. In yesterday’s blog I discussed what I referred to as the Trilogy of Access Theories and (very briefly) summarized the three general lines of cases on this issue of access. The Apple iTracking Case was filed in the United States District Court in Florida which is in the Eleventh Circuit.

The Eleventh Circuit, on December 27, 2010, handed down its opinion in United States v. Rodriguez, an employment case under the CFAA in which it seemed to align itself conceptually with the Fifth Circuit’s “Intended-Use Theory” set out in United States v. John.

The general principle deduced from John is that one’s right to access a computer and use data obtained therefrom can be defined by either the computer’s owner (through contracts such as policies and agreements), or by law, so that the one accessing knows what is the proper intended use of that data, and any use of that data in violation of that intended use is unauthorized for purposes of the CFAA.

The Rodriguez Court essentially finds the same is true for the computer owner’s ability to define one’s right to access the computer and information thereon by contractual agreements such as policies, employment agreements, and presumably terms of use agreements. A violation of this defined access will be found to have exceeded authorized access and violated the CFAA: “Rodriguez exceeded his authorized access and violated the Act when he obtained personal information for a nonbusiness reason.”

Now, following on the reasoning of Rodriguez, one would think that if a computer owner can contractually define the limits of access to its computer, so too can it define the rights to access its computer, correct?

Apple’s iPhone Software License Agreement provides as follows:


Now, do I think the plaintiffs read this? Of course not … who does, right? But that’s irrelevant, they indicated by their use that they had and, although these agreements now make liars out of all of us, they are still enforceable agreements … haven’t you heard about Hotz, the guy who hacked his own Sony PS3 and got smacked down for it because in doing so he violated the agreement that was similar to this one? (If you don’t believe me, check out what he agreed to just to make it all go away: Final Judgment Upon Consent and Permanent Injunction)

Regarding Apple’s right to access and collect data, the Software License Agreement provides the following:

4. Consent to Use of Non-Personal Data You agree that Apple and its subsidiaries may collect and use technical and related information, including but not limited to technical information about your iPhone, computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the iPhone Software, and to verify compliance with the terms of this License. Apple may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you.

The questions for the court will be whether (1) the information collected, i.e., the location of the “computer”, is considered to be “technical and related information, including but not limited to technical information about your iPhone, computer, system and application software, and peripherals; and (2) whether the computer owner’s intended use for that right to access the “computer” and information therein that it is giving to Apple is actually the purpose for which Apple is accessing the computer and information.

Based solely on the information we have available at this time, I do not believe the answer to either of these questions is clear cut. While there is likely enough contractual authorization there to justify the court’s granting of Apple’s (forthcoming) Motion to Dismiss, the court may not even get to the access issue because, as the Complaint currently reads, the plaintiffs have satisfied neither the “damage” nor “loss” requirements for a CFAA claim.

The Harm Alleged

The plaintiffs’ allegations of harm in the Complaint can be summarized as follows:

The accessibility of the unencrypted information collected by Apple places users at serious risk of privacy invasions, including stalking.

Plaintiffs and proposed Class members were harmed by Apple’s accrual of personal location, movement and travel histories because their personal computers were used in ways they did not approve, and because they were personally tracked justice if by tracking device for which a court – ordered warrant would ordinarily be required.

Apple further violated the Fraud Act by causing the transmission of a program, information, code or command – both in deploying the iOS 4 operating systems, and also as a result of the syncing of user handheld devices with their laptop or desktop computers – and the result caused harm aggregating at least $5,000 in value.

Apple’s practices have caused substantial injury to Plaintiffs and Class members by depriving them of money they would have spent elsewhere and by covertly delivering software that tracks users’ every movements.

Plaintiff’s and Class members have suffered injury as a result of Apple’s deceptive acts and omissions because Plaintiffs would not have bought Apple devices had they known that they would be tracked.

Plaintiffs have suffered injury as a direct and proximate result of Apple’s deceptive acts, practices and omissions. Injury includes Plaintiffs’ purchase of their Apple devices. Actual injury to Plaintiffs also includes the collection of their private location information and the continued existence of databases of that same information – databases that are unencrypted and accessible to the public.

Plaintiffs and Class members were damaged in the amount of money required to purchase Apple’s products.

Apple’s omissions were material and directly and proximately caused ordinary consumers acting reasonably, Plaintiffs and the Class members included, to buy the iPhone and iPad products. Without Apple’s omissions of its covert intentions, the products would not have been purchased, and Plaintiffs would not have suffered damages.

The question is, accepting all of the above allegations as true, do they satisfy the “damage” and “loss” requirements for a valid CFAA claim?

The Damage Issue

Under the “transmission” violation, listed #2 in the List of CFAA Violations Alleged above, the plaintiffs must prove that Apple intentionally caused damage to the iPhones / iPads. The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” (18 U.S.C. § 1030(e)(8) (see Former Employee’s Deletion of Data May Constitute CFAA “Damage”).

My analysis of the plaintiffs’ allegations reveal that they do not allege that any data, program, system, or information was impaired or destroyed. Privacy violations and money spent on purchasing an iPhone or iPad do not fit within this definition — those things simply didn’t damage the computer or data thereon and, therefore, do not count.

The Loss Issue

I covered this issue extensively in yesterday’s blog: New “Employment” Computer Fraud and Abuse Act case … but with a twist! I would apply the same loss analysis to this case. For the sake of convenience, I will reproduce much of the analysis here as well.

Like most other civil claims brought under the Computer Fraud and Abuse Act, this one is brought pursuant to subsection (c)(4)(A)(i)(I) which requires the following be established for the court to have jurisdiction over the claim. There must be a “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). The term loss is defined by the CFAA as

any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

18 U.S.C. § 1030(e)(11). This issue has been litigated for a while and the courts have been pretty clear on it what it takes to qualify for a loss. “[C]ase law has consistently interpreted the loss provision to encompass only the costs incurred as a result of investigating or remedying damage to a computer, or costs incurred because the computer’s service was interrupted.” M-1 LLC v. Stelly (S.D. Tex. Aug. 17, 2010) In other words, the term “loss” encompasses only two types of harm: costs to investigate and respond to an offense, and costs incurred because of a service interruption. Alliantgroup, L.P. v. Feingold (S.D. Tex. Mar. 24, 2011)

The plaintiffs in the Apple iTracking Case case do not make any allegations of interruption of service so we must be talking about the first type of harm: costs to investigate and respond to an offense. That means that, based upon the prevailing view of most courts, the only way the plaintiffs can satisfy the loss requirement is if they can show that they have incurred costs to investigate and respond to the offense.

Based upon the allegations in the Complaint, they have not. They have not even pleaded any costs to investigate or respond to the offense.

This issue seems pretty clear, doesn’t it? There is no “loss” and, without an adequate “loss”, the court simply does not have jurisdiction to hear this civil claim under the CFAA. Accordingly, as the plaintiffs’ Complaint currently stands, my prediction is that the court will grant Apple’s forthcoming Motion to Dismiss the Computer Fraud and Abuse Act claim and, on this issue at least, Apple will be WINNING in the end.