Wednesday, October 16, 2013

The Assistant Principal, Facebook and Exceeding Authorized Access


This post examines an opinion a federal district court judge in Oregon issued recently in a civil suit.  Matot v. CH, 2013 WL 5431586 (U.S. District Court for the District of Oregon 2013). In his opinion, the District Court judge is deciding whether to adopt the Findings and Recommendations [F&R] filed by the U.S. Magistrate Judge to whom he referred certain motions that challenged the viability of the plaintiff’s – Matot’s – suit.  Matot v. CH, supra.
  
(As Wikipedia explains, a District Court judge can refer certain issues to a Magistrate Judge to have the latter draft a preliminary opinion analyzing those issues.)

In his F&R, the Magistrate Judge explains that in the lawsuit Matot,

an assistant principal at a middle school in Salem, Oregon, alleges that one or more of the defendants created social media accounts under his name and likeness. Defendants then allegedly invited students to communicate with them under the accounts falsely tied to plaintiff.

[Matot] further alleges that defendants published false and defamatory statements and images about or attributed to [him] using the false accounts. [He] alleges that the parents of defendant CH were negligent in their supervision of [his] internet and computer use causing harm to [him].

Matot v. CH, supra.

Neither the F&R nor the judge’s opinion explains what happened in any more detail, but a Complaint Matot filed, apparently before he knew the defendants’ names, sheds a little light on what happened. It says that “one or more” of the students named as defendants was/were “known” to use a “procedure” in which they/one/some of them would “create an account” on a social networking site, “include[ing] Twitter and Facebook”, “using [Matot’s] name and likeness, appearing at least initially to be an account” belonging to him.  Matot v. Does 1-5, Complaint 18, U.S. District Court for the District of Oregon (6:13-cv- 00153). 

“One or more defendants would then send an invitation to communicate to a child-student, appearing at least initially to be a communication from” Matot.  Matot v. Does 1-5, supra, Complaint 19. The Complaint then says that once a student accepted “an invitation to communicate from defendants, third parties, including children, were then exposed to pornographic and obscene material of a prurient nature which was displayed and presented as if it were associated with or from” Matot. Matot v. Does 1-5, supra, Complaint 19.  Matot seems to have filed an amended complaint later, since at least one defendant is identified in this opinion, and it may have added more details.

In the Complaint these judges are dealing with, Matot seeks “damages and equitable relief for alleged violation of the Computer Fraud and Abuse Act, 18 U.S. Code § 1030, defamation, negligent supervision, and parental liability pursuant to Oregon Revised Statute § 30.765.”  Matot v. CH, supra.  As the district court judge notes in his opinion, the defendant in this case (“Gary Hill”) filed a motion to dismiss the lawsuit for “lack of subject-matter jurisdiction.”  Matot v. CH, supra. 

And as Wikipedia explains, subject-matter jurisdiction “is the authority of a court to hear cases of a particular type”.  As it also explains, most state courts in the United States are courts of “general” jurisdiction, which means they can hear “any case over which no other tribunal has exclusive jurisdiction.”  And as Wikipedia notes, U.S. federal courts, including district courts like this one, are courts of limited jurisdiction, which basically means that if no federal statute confers jurisdiction on a federal district court to hear certain types of cases, it will not be able to hear those cases.

Here, Gary Hill filed a motion under Rule 12(b)(1) of the Federal Rules of Civil Procedure in which he claimed the federal court did not have subject-matter jurisdiction.  Matot v. CH, supra.  Since Matot’s claims for defamation, negligent supervision and parental liability arose under Oregon law, the federal court would not have jurisdiction over them unless jurisdiction existed under what is known as pendent jurisdiction.  As Wikipedia explains, pendent jurisdiction “is the authority of a United States federal court to hear a closely related state law claim against a party already facing a federal claim”.  The theory is that it is efficient to decide all the claims in a single case.

Matot argued that the court had pendent jurisdiction because his claim under 18 U.S. Code § 1030 arose under federal law, which gave the court jurisdiction over the “case.” Matot v. CH, supra.  If he did, in fact, have a valid claim under § 1030, then the Oregon District Court would have jurisdiction over that claim and pendent jurisdiction would give it subject-matter jurisdiction over the related state-law claims.  Matot v. CH, supra. In other words, he would be able to keep the case in federal court if he had a viable § 1030 claim. 

The district court judge began his analysis of this issue by noting that Matot’s § 1030

claim rests on defendants' alleged use `without authorization’ of social media services (e.g., Facebook and Twitter) and defendants' alleged use `exceed[ing] authorized access’ of social media services, i.e., defendants' violation of the terms of use of the particular social media service. As indicated by Judge Coffin in the F&R, a mere violation of a use restriction, i.e.,`exceed[ing] authorized access,’ is not actionable under [18 U.S. Code § 1030] in the [U.S. Court of Appeals for the 9th Circuit].  Thus, the crux of [Matot’s] argument is that defendants accessed social media services `without authorization’ under 18 U.S. Code § 1030.

Matot v. CH, supra.  (The U.S. District Court for the District of Oregon is in the 9th Circuit, which means the 9th Circuit’s decisions are binding on it.)

The district court judge noted that Matot’s

`without authorization’ argument focuses on defendants' alleged use of [his] name and image in creating `forged’ social media accounts (e.g. Facebook and Twitter). [Matot] attempts to cast defendants' behavior as analogous to that of hacking proscribed by [18 U.S. Code § 1030].

Matot v. CH, supra.  He found that Matot’s argument was “unpersuasive in light of” two decisions from the U.S. Court of Appeals for the 9th Circuit and “the rule of lenity.”  Matot v. CH, supra. 

The first decision was LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009).  The judge explained that in Brekka, the Court of Appeals held that someone

`uses a computer “without authorization” under [§ 1030] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.’ LVRC Holdings v. Brekka, supra (emphasis added). The Court further provided that `a person who uses a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer in question.’ LVRC Holdings v. Brekka, supra.

Matot v. CH, supra. 

The judge noted that notwithstanding this

relatively bright-line rule, this Court is reluctant to use it as an absolute bar to [Matot’s] claim. To begin with, unlike in Brekka, defendants are not employees of Twitter or Facebook who initially used the service for purposes of employment. Rather, as [Matot] alleges, defendants' relationship with the social media websites was `forged . . . from the ground up,’ i.e., the defendants, as social media users, never were authorized because they breached the terms of use at the inception of the relationship. . . .

[T]his court doubts that even the Brekka Court would enforce its `without authorization’ language to the extent implicated. For example, if a hacker targeted a United States governmental website for malicious purposes, such a hacker may be `authorized’ to access the website under Brekka because many governmental websites are open to the public.  In other words, if interpreted strictly, Brekka could preclude [§ 1030] application of `without authorization’ to hackers who breach governmental websites that are open to the public.  For the same reason, strict adherence to Brekka's bright-line rule outside of the employment context appears to be in conflict with the underlying legislative purpose.

Matot v. CH, supra. 

The second decision was U.S. v. Nosal, 676 F.3d 854 (U.S. Court of Appeals for the 9th Circuit 2012), in which the9th Circuit,

in dicta, found that `without authorization would apply to outside hackers (individuals who have no authorized access to the computer at all).’ 676 F.3d at 858 (internal quotation marks omitted) (emphasis added). In contrast, the Court found that `exceeds authorized access would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).’ Id. (internal quotation marks omitted).

The Court further provided that `hacking’ colloquially refers to `someone who's authorized to access only certain data or files but accesses unauthorized data or files.’ Id. at 856–57. Unfortunately, the Court's colloquial definition provides little insight as to `outside hackers’ because `hackers,’ by definition, lack authorized access.

Matot v. CH, supra (quoting U.S. v. Nosal, supra). 

The judge explained that the Nosal court, in affirming the district court’s dismissal of the

claim [in that case], discussed numerous forms of relevant online conduct it was unwilling to criminalize. . . . [M]any dealt with [Matot’s] `trespass under false pretenses’ scenario. The Court found `lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight.’ U.S. v. Nosal, supra.

The Court referenced U.S. v. Drew, to combat the notion that the government could be trusted to not `prosecute minor violations.’ U.S. v. Drew, 259 F.R.D. 449 (U.S. District Court for the Central District of California 2009). In Drew, a mother posed as a 16–year old boy (`Josh Evans’) and cyber-bullied her daughter's classmate who ultimately committed suicide. U.S. v. Drew, supra.  Although Drew's `Josh Evans’ profile was fictitious, it did include `a photograph of a boy without that boy's knowledge or consent.’ U.S. v. Drew, supra.

Nosal's extensive discussion of `lying on social media websites’ and its subsequent disapproval of prosecution under Drew, indicate that the 9th Circuit is unwilling to recognize [Matot’s] claim under [§ 1030].

Matot v. CH, supra. 

Finally, the judge relied on the “rule of lenity.”  As Wikipedia notes, this is a principle of statutory interpretation under which a court “construing an ambiguous criminal statute . . . should resolve the ambiguity in favor of the defendant.”  He noted that the Brekka court relied on the rule of lenity in interpreting “authorization” under § 1030 “narrowly” and finding that the statute does not apply to “employee breach of loyalty scenarios.”  Matot v. CH, supra.  He also noted the Nosal court explained that it construes criminal statutes

narrowly so Congress will not unintentionally turn ordinary citizens into criminals. [B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity. If there is any doubt about whether Congress intended [§ 1030] to prohibit the conduct in which [defendants] engaged, then we must choose the interpretation least likely to impose penalties unintended by Congress.

Matot v. CH, supra. (quoting U.S. v. Nosal, supra).  While this is a civil case, rather than a criminal prosecution, § 1030 is a criminal statute, so the principle would still apply,

The judge then explained that § 1030’s

focus is `on hacking’ rather than the creation of a `sweeping internet-policing mandate.’ U.S. v. Nosal, supra. This court cannot fail `to consider the effect on millions of ordinary citizens caused by’ recognizing [Matot’s] claim.  U.S. v. Nosal, supra. [Matot] alleges that defendants created false social media profiles in his name and likeness.

Yet, as indicated in Nosal, `lying on social media websites is common.’ U.S. v. Nosal, supra.  For example, in June 2011, Facebook predicted that approximately 83 million of 855 million active users were duplicates, false or undesirable.  Twitter is also thought to have a large number of `fake’ accounts. More recently, police departments have taken to creating false profiles for the purpose of law enforcement.  

Were this court to `adopt the [plaintiff's] proposed [argument], millions of unsuspecting individuals would find that they are engaging in criminal conduct,’ in addition to any civil liability. U.S. v. Nosal, supra. This Court “must choose the interpretation [of `authorization’] least likely to impose penalties unintended by Congress.’ U.S. v. Nosal, supra (quoting U.S. v. Cabaccang, 332 F.3d 622 (9th Circuit 2003) (quotations omitted)).

Matot v. CH, supra. 

The judge therefore found that “the rule of lenity precludes application of [§ 1030] (`access without authorization’) to defendants' alleged creation of fake social media profiles in violation of social media websites terms of use.”  Matot v. CH, supra.  For this and the reasons noted above, he therefore granted Hall’s motion to dismiss for lack of subject matter jurisdiction, which meant the case was dismissed.  Matot v. CH, supra.  Matot can presumably try suing in state court.

If you would like to read a little more about the facts in the case and see a photo of Matot, check out the news story you can find here.

No comments: