This is a case where I really wish there had been a Computer Fraud and Abuse Act claim but there wasn’t, though the court mentioned it anyway as if to goad the attorneys by saying “hey, you missed this one!” Nonetheless, the court’s passing comment sheds some light on the recent debate over using offensive counter-measures to combat hacking so it is worth reading.
The case is Direct Route, LLC v. OnOffline, Inc., 2013 WL 139532 (W.D. Wash. Jan 10, 2013) and the relevant facts are fairly straightforward. Plaintiff licensed its software to its competitor, the Defendant, who used it for a few months before terminating the license to use its own software. Plaintiff then discovered its source code on a Russian Internet site and became concerned that Defendant had been using or disseminating the code. Perhaps this wasn’t Plaintiff’s first rodeo, however, because unbeknownst to Defendant, Plaintiff had previously installed on Defendant’s server a “backdoor node” that allowed it to access Defendant’s server.
Plaintiff used this backdoor node to access Defendant’s server, without authorization, and view files and directories associated with Defendant’s routing software. Plaintiff also used that access to obtain Defendant’s source code. Plaintiff then determined that Defendant’s software infringed the (now) patent that it had obtained over its system and demanded royalties from Defendant. Plaintiff then sued Defendant for Patent infringement, among other things, but the case was later dismissed because the patent was invalidated. Defendant then sought from Plaintiff its costs associated with defending the lawsuit by way of a Motion for Sanctions. The court denied the Motion for Sanctions and, in doing so, made the following observations:
Next, the fact that Plaintiff broke into OnOffline’s server and stole its source code does not show that the present litigation was brought in subjective bad faith. Defendants allege that this break-in was “a desperate attempt to thwart OnOffline’s development efforts.” Defendants do not allege that Plaintiff orchestrated the break-in to lay the groundwork for a baseless suit. In fact, Plaintiff’s behavior, while despicable and possibly in violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is consistent with that of a company that sincerely believes its intellectual property is being infringed.
The Court concluded that it “cannot condone Plaintiff’s behavior, and a ruling in Plaintiff’s favor should not be viewed as approval of Plaintiff’s conduct,” the Defendant did not meet its burden for the Court to grant the Motion.
TAKEAWAY: I believe the Court was right that, based upon what we are told in the opinion, had the Defendant sued Plaintiff for violating the Computer Fraud and Abuse Act, it is likely that it would have won. The takeaway is, if you are going to try and employ counter-measures to monitor possible infringement of your intellectual property, do not use counter-measures that entail covertly accessing someone else’s computer servers without their authorization — that violation is pretty well settled under the CFAA (for now, anyway).
- District Court of Colorado Dismisses CFAA Claim for Failing to Adequately Plead Cause of Action and Loss (shawnetuma.com)
- Two Year Statute of Limitations of Computer Fraud and Abuse Act Accrued When Plaintiff “Suspected” Wrongdoing (shawnetuma.com)
- Current Employee May Have Violated Computer Fraud and Abuse Act by Downloading for Secret New Employer (shawnetuma.com)
- Fifth Circuit Finds Company Not Liable for Alleged Violations of CFAA and ECPA by Its Regional Manager (shawnetuma.com)