OPINION AND ORDER
Plaintiff brings this action seeking damages and equitable relief for alleged violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, defamation, negligent supervision, and parental liability pursuant to Oregon Revised Statute § 30.765. Defendant, Gary Hill, filed this motion to dismiss for lack of subject matter jurisdiction (# 14). Defendant, S.A., filed this motion for entry of a limited
Because no objections to either F & R were filed, this court reviews only the legal principles de novo. United States v. Reyna-Tapia,
DISCUSSION
Plaintiffs CFAA claim rests on defendants’ alleged use “without authorization” of social media sendees (e.g., Facebook and Twitter) and defendants’ alleged use “exceeding] authorized access” of social media services, i.e., defendants’ violation of the terms of use of the particular social media service. As indicated by Judge Coffin in F & R(# 27), a mere violation of a use restriction, i.e., “exceeding] authorized access,” is not аctionable under the CFAA in the Ninth Circuit. U.S. v. Nosal,
Plaintiffs “without authorization” argument focuses on defendants’ alleged use of plaintiffs name and image in creating “forged” social media accounts (e.g. Facebook and Twitter). Plaintiff attempts to cast defendants’ behavior as analogous to that of hacking
I. LVRC Holdings LLC v. Brekka
In LVRC Holdings LLC v. Brekka,
In United States v. Nosal,
III. The Rule of Lenity
The term “authorization” is not defined in the CFAA. Brekka,
As in both Brekka and Nosal, the rule of lenity precludes CFAA application as to defendants’ alleged conduct. Under the rule of lenity, “penal laws [are] ... to be construed strictly.” Nosal,
We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. [B]eeause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity. If there is any doubt about whether Congress intended [the CFAA] to prohibit the conduct in which [defendants] engaged, then we must choose the interpretation least likely to impose penalties unintended by Congress.
Id. (internal citations omitted) (internal quotation marks omitted). The CFAA’s focus is “on hacking” rather than the creation of a “sweeping internet-policing mandate.” Nosal,
CONCLUSION
For these reasons, Judge Coffin’s F & R(# 27) and (# 29) are ADOPTED. Defendant Gary Hall’s motion to dismiss for lack of subject matter jurisdiction (# 14) is GRANTED and defendant S.A.’s motion for entry of a limited judgment and injunction (# 25) is DENIED.
IT IS SO ORDERED.
FINDINGS & RECOMMENDATION
Plaintiff brings this action asserting claims for computer fraud and abuse, defamation and negligent supervision. Defendant Gary Hill moves to dismiss asserting lack of subject matter jurisdiction.
Plaintiff an assistant principal at a middlе school in Salem, Oregon, alleges that one or more of the defendants created social media accounts under his name and likeness. Defendants then allegedly invited students to communicate with them under the accounts falsely tied to plaintiff. Plaintiff further alleges that defendants published false and defamatory statements and images about or attributed to plaintiff using the false accounts. Plaintiff alleges that the parents of defendant CH were negligent in their supervision of CH’s in
Plaintiff asserts the court has subject matter jurisdiction based on the Computer Fraud and Abuse Act. Although it is unclear which provision plaintiff relies upon for his claim, the Act prohibits, among other things, access to a protected computer without authorization, or exceeding authorization, with intent to defraud via use of the computer. 18 U.S.C. § 1030(a)(4).
Although a criminal statute, a civil cause of action may be maintained:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or othеr equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(I). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 1030(g)
Under 18 U.S.C. § 1030(c)(4)(A)(i)(IV) threats to public health or safety are addressed.
In essence, plaintiff alleges that the actions of CH and the Doe defendants caused harm to plaintiff and to over 70 presumed students who were invited to friend the forged Face book account attributed to plaintiff, by associating plaintiff (and exposing students to) obscene materials. Plaintiff further contends that such actions impaired plaintiff in his professional capacity and compromised the security of the students at the middle school.
While plaintiff alleges that certain defendants created false social media accounts and used protected computers to do so, plaintiff does not allege a direct lack of authorization to use the computers. Plaintiff, rather, asserts “violation of the license under which access is provided.” First Amended Complaint (# 10) at ¶ 24. In other words, plaintiff alleges that defendants violated the terms of use of social media sites such as www.twitter.com and www.facebook. com.
The Ninth Circuit has analyzed the term “without authorization” in LVRC Holdings LLC v. Brekka,
The Act defines “exceeds authorized access” as accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” 18 U.S.C. § 1030(e)(6). Here, Congress intended (interpreting the Act under the rule of lenity as is necessary for criminal statutes) to target the unauthorized procurement or alteration of information, not its misuse or misappropriation. United States v. Nosal,
Plaintiff argues that if his Computer Fraud and Abuse Act claim is dismissed, he should be granted leave to amend to add a Racketeer Influenced and Corrupt Organizations Act (RICO) claim. To state a claim under RICO, 18 U.S.C. § 1961 et seq., plaintiff must allege that he has beеn injured by “(1) conduct, (2) of an enterprise, (3) through a pattern, (4) of racketeering activity.” Jarvis v. Regan,
Plaintiff asserts that he can allege the predicate acts of obscenity and wire fraud. It is highly questionable whether the allegedly obscene material (submitted by plaintiff, unsealed, as exhibit 1 to the declaration of counsel (# 16)), qualifies as obscene given contemporary standards. In addition, it is difficult to understand how plaintiff could allege wire fraud as a predicate act. To establish the predicate act of mail or wire fraud a plaintiff must allege that defendants engaged in (1) a scheme to defraud (2) to get money or property, (3) furthered by the use of interstate mail or wires. USA Certified Merchants, LLC v. Koebel
Moreover, Congress did not intend to target the misguided attempts at retribution by juvenile middle school’ students against an assistant principal in enacting RICO. The legislative history demonstrates that the RICO statute was intended to provide a new weapons for an assault upon organized crime and its economic roots. Congress’ statement of findings and purpose in enacting Pub.L. 91-452, 84 Stat. 922 (1970), is set forth in section 1. The statement describes the problem presented by organized crime. Congress declared: “It is the purpose of this Act to seek the eradication of organized crime in the United States ... by providing enhanced sanctions and new remedies to deal with the unlawful activities of those engaged in organized crime.” Id., at 923. Congress emphasized the need to fashion new remedies in order to achieve its objectivеs. See S.Rep. No. 91-617, p. 76 (1969). “What is needed here ... are new approaches that will deal not only with individuals, but also with the economic base through which those individuals constitute such a serious threat to the economic well-being of the Nation. In short, an attack must be made on their source of economic power itself, and the attack must take place on all available fronts.” Id., at 79. The legislative history shows that the economic power of organized crime derived from its huge illegal profits. See Blakey, The RICO Civil Fraud Action in Context: Reflections оn Bennett v. Berg, 58 Notre Dame L.Rev. 237,249-256 (1982). In short, Congress’ overriding goal was remove profit from organized crime. Russello v. United States,
Perhaps recognizing that a claim under RICO is implausible, plaintiff also asserts that the proper remedy for defendant in its motion to dismiss is remand for the remaining state law claims. However, this case has not been removed from state court and thus there is nowhere for this court to remand the state law claims. Jurisdiction over the state law claims is based on supplemental jurisdiction with the Computer Fraud and Abuse Act claim which, as noted above, should be dismissed.
When the federal claims are dismissed before trial, it is wholly within the district court’s discretion to dismiss the state claims. United Mine Workers v. Gibbs,
CONCLUSION
For the reasons stated above, defendant Gary Hill’s motion to dismiss (# 14) should
This recommendation is not an order that is immediately appealable to the Ninth Circuit Court of appeals. Any notice of appeal pursuant to Rule 4(a)(1), Federal Rules of Appellate Procedure, should not be filed until entry of the district court’s judgment or appealable order. The parties shall have fourteen (14) days from the date of service of a copy of this recommendation within which to file specific written objections with the court. Thereafter, the parties shall have fourteen (14) days within which to file a response to the objections. Failure to timely file objections to any factual determination of the Magistrate Judge will be considered as a waiver of a party’s right to de novo consideration of the factual issues and will constitute a waiver of a party’s right to appellate review of the findings of fact in an order or judgment entered pursuant to this recommendation.
Notes
. Plaintiff does not articulate a particular provision under the CFAA. However, for purposes of this analysis, this Court will assume that plaintiff seeks recovery under 18 U.S.C. § 1030(a)(2)(C), (a)(4), and/or (a)(5)(B) & (C).
. Plaintiff also casts defendants’ conduct as trespass under false pretenses.
. In Brekka, defendant, as an employee of plaintiff, was given an administrative log-in to access company documents and information. During his employment, Brekka emailed company documents to his personal computer. The Court found that Brekka was still employed by plaintiff when “he emailed the documents to himself” and thus, Brekka "had authorization to use the computer.”
. First, in Brekka, the Court stated "[tjhere is no dispute that if Brekka accessed LVRC’s information on the LOAD website after he left the company ... Brekka would have accessed a protected computer 'without authorization’ for purposes of the CFAA.” In so stating, the Court focused on Brekka’s alleged use of the “cbrеkka” log-in (i.e., use of cbrekka user-name and password), and not Brekka’s alleged access of the website itself. Thus, the Court’s own analysis ignored possible permissible website access and instead focused on impermissible use of log-in information. Second, the Brekka Court cited an earlier Ninth Circuit opinion, Theofel v. Farey-Jones, to support its finding that "there is no dispute that Brekka had permission to access the computer.”
. In this example, the term “hacker” refers to "a person who uses his skill with computers to try to gain unauthorized access to computer files or networks.” The Oxford-English Dictionary Vol. VI, 1000 (2d ed.2001); see also American Heritage Dictionary of the English Language 787 (4th ed.2000) (defining hacker as "one who uses programming skills to gain illegal access to a computer network or file.”).
. See, e.g., United States Central Intelligence Agency, https://www.cia.gov/about-cia/sitepolicies/ (last visited Sep. 18, 2013) ("information presented on this Web site is considered public information and may be distributed or copied freely____”); United States National Security Agency, http://www.nsa. gov/terms_of_use.shtml# security (last visited Sep. 18, 2013) ("The National Security Agency Web site (NSA.gov) is provided as a public service by the National Security Agency.”); United States Department of Defense, http:// www.defense.gov/landing/privacy.aspx (Past visited Sep. 18, 2013) ("Information presented on this website is considered public....”).
. See. e.g., Southwest Airlines Co. v. Board-First, L.L.C.,
. In Senate Report 104-357, the Senate Judiciary Committee stated that the purpose of
.In Nosal, defendant, a former employee of Korn/Ferry, encouraged some of his former colleagues to transfer company documents and information to him. At the time, defendant’s former colleagues were authorized to access the database, but were prohibited from disclosing the confidential information.
. In Nosal, the Ninth Circuit reviewed Nosal’s conviction under 18 U.S.C. 1030(a)(4) for aiding and abetting the Korn/Ferry employees in “exceeding their] authorized access” with intent to defraud.
. The term "authorization” is potentially subject to varying degrees of technical interpretation. For example, in United States v. Morris, the Second Circuit affirmed the criminal conviction of a defendant graduate student who used his access to a university’s computer system to upload malware.
. Somini Sengupta, Facebook’s False Faces Undermine its Credibility, N.Y. Times, Nov. 12, 2012, http://www.nytimes.com/2012/ll/ 13/technology/false-posts-on-facebook undermine-its-credibility.html.
. See, e.g., Nicole Perlroth, Researchers Call Out Twitter Celebrities with Suspicious Followings, N.Y. Times, Apr. 25, 2013, http://bits. blogs.nytimes.com/2013/04/25/researcherscall-outtwitter-celebrities-with-suspiciousfollowings/?_r=0 ("fake Twitter followers offer potential for a $40 million to $360 million business.”); Caitlin Moore, Fake Twitter: The parody accounts to lighten up your news streаm, Wash. Post, Mar. 6, 2012, http://www. washingtonpost.com/blogs/arts-post/post/faketwitter-the-parodyaccounts-to-lighten-upyournews-stream/2012/03/0 l/gIQALpiptR_ blog.html ("Twitter allows untruths and parody to flourish with fake accounts .... ”); Ashley Parker, Fake Twitter Accounts Get Real Laughs, N.Y. Times, Feb. 9, 2011, http://www. nytimes.com/2011/02/10/us/politics/10faketwitter.html ("Fake Twitter personalities mock actors like Chuck Norris and world leaders like President Hosni Mubarak----”).
. See, e.g., Heather Kelly, Police embrace social media as crime-fighting tool, CNN, Aug. 20, 2012, http://www.cnn.com/2012/08/30/ tech/social-media/fighting-crimesocial-media/ index.html ("A more controversial approach to getting information ... creating fake profiles to befriend suspects.”).
. Sections 1030(a)(5)(B) and (C) also prohibits intentional access without authorization causing damage, but does not include the exceeding authorized access language prohibited by section 1030(a)(4).
. Although Nosal is a criminal case, because the Computer Fraud and Abuse Act has both criminal and civil applications, it is to be interpreted consistently. See Leocal v. Ashcroft,
. Plaintiffs attempt to cast the complaint as one of “hacking” because permission to access Facebook was "arguably” granted to only plaintiff when defendants used his “stolen name and stolen image to create a forged account” (Memorandum in Opposition (# 15) at p. 4) is unavailing. Plaintiff does not, and cannot, allege that defendants accessed, without authorization, his Facebook account by stealing, for example his i.d. and password, but rather that they created an account in his name after accessing Facebook in violation of Facebook's license for use. There is no allegation that defendants were not authorized to access Facebook's computers to set up an account that did abide by Facebook's policies.