August 04, 2011
Sixth Circuit: Email and Phone Advocacy Campaign Can Violate the Computer Fraud & Abuse Act -- Pulte Homes v. LIUNA
[Post by Venkat Balasubramani]
Pulte Homes, Inc. v. Laborers' Int'l Union, et al., 09-2245; 10-1673 (6th Cir. Aug 2, 2011)
I blogged about a case involving a labor dispute between Pulte Homes and Laborers' International Union of North America (LIUNA). After Pulte terminated a LIUNA member for alleged misconduct and poor performance, LIUNA became embroiled in a labor-relations dispute with Pulte. LIUNA allegedly exhorted its members and others to "bombard Pulte's sales offices and three of its executives with thousands of phone calls and e-mails." LIUNA allegedly hired an auto-dialing service and encouraged its members to call Pulte. It also used engaged in a web-based email campaign where it encouraged visitors to its website to "fight back" and send e-mails to "specific Pulte executives."
Pulte sued LIUNA, asserting claims under the Computer Fraud and Abuse Act and state law. The district court denied Pulte's request for an injunction and dismissed Pulte's claims. Here is my blog post covering the district court's ruling: "Web-based Email Bombardment Campaign Does Not Amount to a Violation of the Computer Fraud and Abuse Act." The Sixth Circuit reversed the district court's ruling, finding that a phone or email bombardment campaign can constitute a violation of the Computer Fraud and Abuse Act. Pulte asserted two claims under the CFAA, one for unauthorized access which causes damage and the other for transmission of information, code, or a program which caused damage.
Access claim: The CFAA creates a cause of action based on the unauthorized access, or access in excess of authorization, of a protected computer. While acknowledging grey area in the statute over when conduct crosses the line from authorized to unauthorized access, the court holds that there's no grey area in this case, because the phone and email systems were set up to receive calls and emails without restriction:
LIUNA used unprotected public communications systems, which defeats Pulte's allegation that LIUNA accessed its computers "without authorization." Pulte allows all members of the public to contact its offices and executives: it does not allege, for example, that LIUNA, or anyone else, needs a password or code to call or email its business. Rather, like an unprotected website, Pulte's phone and email systems 'were open to the public, so LIUNA was authorized to use them.'
So far, so good.
Transmission claim: The court's resolution of the transmission claim was a little more problematic. The court assumes that LIUNA's communications constitute transmissions and that Pulte's phone and email systems qualify as "protected computers." This leaves two questions: (1) whether the transmissions caused "damage" and (2) whether LIUNA intended to cause damage.
The court notes that the statute only defines damage as "impairment to the integrity or availability of data, a program, a system, or information." Because the statute did not further define "impairment," "integrity," or "availability," the court looked to the ordinary meaning of these words:
'Impairment' means a 'deterioration' or an 'injurious lessening or weakening.' The definition of 'integrity' includes an 'uncorrupted condition,' an 'original perfect state,' and 'soundness.' And 'availability' is the 'capability of being employed or made use of.'
Applying these ordinary meanings, the court concludes that a transmission that weakens a sound computer system--or, similarly, one that diminishes a plaintiff's ability to use data or a system--causes damage. The court further concludes that taking Pulte's allegations as true:
LIUNA's barrage of calls and e-mails allegedly did just that. At a minimum, according to the complaint's well-pled allegations, the transmission diminished Pulte's ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some emails.
With respect to the intent element, the district court found that LIUNA did not intent to damage Pulte's systems because LIUNA did not fully "grasp . . . the actual consequences of its email campaign." The Sixth Circuit says this is too strict a standard. As long as LIUNA intended to cause a denigration of Pulte's systems, this is sufficient. The court looked to several of the allegations and found this intent satisfied: (1) LIUNA instructed its members to send thousands of emails to specific Pulte executives; (2) the emails came from LIUNA's server; (3) LIUNA encouraged its members to "fight back" after Pulte terminated several employees; (4) LIUNA used an auto-dialing service; and (5) some of the messages included threats and obscenity.
[Interestingly, after concluding that Pulte satisfied the elements of a CFAA claim, the court concludes that the district court properly denied the injunction on the basis that Pulte failed to comply with certain provisions of a statute relating to labor disputes: the Norris-Laguardia Act.]
This case is Intel v. Hamidi revisited. That case involved a departed employee who engaged in an email bombardment campaign, and although the California Supreme Court rejected Intel's claims, it held that if a sufficient quantity of emails were sent which caused damage or disruption to Intel's system, this could state a claim for trespass. (I'm not sure what's up with email bombardment, but there have been several cases which address legal liability for this. Television pitchman Kevin Trudeau was hit with a contempt order after encouraging his supporters to send email to the judge hearing his case. The Seventh Circuit vacated this contempt order on procedural grounds. See "Seventh Circuit Vacates Contempt for E-Mail Barrage.")
Neither of the cases are perfectly analogous because in this case the plaintiff was proceeding under the Computer Fraud and Abuse Act. This is a statute that provides for civil and criminal liability, and is widely acknowledged as intended to deal with hacking.
The court cites to AOL v. National Health Care Disc., Inc., 121 F. Supp.2d 1255, 1274 (N.D. Iowa 2000) for the proposition that if "a large volume of [spam messages] cause slowdowns . . . [to AOL's servers] an impairment has occurred." However, this case relied in part on AOL's zany argument that by transmitting email to AOL members through AOL's servers, defendants were engaged in unauthorized access because spam violated AOL's member agreement. AOL argued also that the emailers extracted information in the form of email addresses, but the court denies AOL's motion for summary judgment finding that it's unclear whether the emailers were AOL members or third parties and whether the emails caused damage. The court in that case pointedly questioned whether the CFAA applied to the transmission of spam at all: "realistically, no federal statute currently exists which would prohibit a non-AOL member from sending UBE to any number of AOL members' e-mail addresses, without ever accessing AOL directly." Since the date of that ruling, a federal statute now exists (CAN-SPAM) but this statute would not cover LIUNA's actions in this case since none of the messages in question appear to be commercial email messages.
What's problematic about this case to me is that there were scant allegations that LIUNA engaged in any technical measures designed to slow down or cause "damage" to Pulte's website. The sole allegation was that LIUNA used an auto-dialer, but I wasn't swayed by the court's summary conclusion that the telephone lines were necessarily 'protected computers' or there had been a real 'slowdown' to the phone lines. Indeed, LIUNA's conduct--encouraging supporters to contact a third party to influence action--is something that others engage in with some regularity in the context of political and consumer advocacy. There's nothing in this case which distinguishes LIUNA's conduct from any other web-based action campaign. If you encourage people to flood someone's office with phone calls, you can be liable under the Computer Fraud and Abuse Act? Say what?
Given the fact that LIUNA lacked an obvious commercial purpose, and given the First Amendment interests involved, this decision is somewhat troubling.
Posted by Venkat at August 4, 2011 03:00 PM | Privacy/Security