Does the Computer Fraud Act Apply to ‘Dumbphones’?

While this Court does not disagree that unwanted text messages, like spam e-mail, are an annoyance, whether receipts of such messages can establish a civil action under the CFAA is, of course, a different question.

Czech v. Wall Street on Demand, Inc. 674 F.Supp. 1102, 1106 (N.D.Minn. 2009).

Anti-spam (e-mail and text) lawsuits and legislation are legion: a flurry of Federal and state laws govern junk e-mails and texts.  This post briefly discusses one case which examined whether sending unwanted texts can subject the texter to Federal Computer Fraud liability. 

In Czech v. Wall Street on Demand, 674 F.Supp. 1102 (N.D. Minn. 2009) a Minnesota plaintiff (representing a proposed class of spam texts recipients) was so fed up with unwanted texts that she literally made a Federal case out of it.  She sued in Minn. District Court under the Computer Fraud and Abuse Act, 18 U.S.C. s. 1030 et seq. (CFAA) after receiving unsolicited texts from an online trading company that mass-texted financial information to phone numbers in its database.  The Court granted the defendant’s 12(b)(6) motion to dismiss the Complaint. 

The basis for the court’s dismissal was that the plaintiff – who owned a cellphone which only made and received calls and texts (colloquially, a “dumbphone”)  – was unable to show (1) that defendant obtained information from plaintiff’s phone; or (2) that defendants intentionally tried to damage plaintiff’s phone; or (3) any statutory “damage” or “loss” due to the unwanted texts.  Id.  As noted in an earlier post, damage and loss are terms of art under the CFAA: damage denotes physical damage to a computer or data; while loss refers to the monetary expense incurred in ameliorating a CFAA violation.  See (discussion of CFAA damage and loss under 18 U.S.C. s. 1030(e)).

While the Czech Court ultimately dismissed the plaintiff’s CFAA claims, it also applied the CFAA’s expansive definition of “computer” by acknowledging that the plaintiff’s no-frills cell phone qualified as a “computer” under the CFAA.  674 F.Supp.2d at 1107 (“there is no dispute that [plaintiff’s] cell phone (as well as the various similar wireless devices used by the proposed class members) would constitute…a ‘computer’ as further defined in [the CFAA]).  The CFAA defines a computer as any high-speed data processing device performing logical, arithmetic and storage functions – but that is not a calculator or typewriter.  18 U.S.C. s. 1030(e)(1).  The 8th Circuit Court of Appeals also held that a cell phone that only made calls and texts qualified as a protected computer under the CFAA in a criminal case setting in  U.S. v. Kramer, 631 F.3d 900 (8th Cir. 2011)(defendant used cell phone to entice minor across state lines to engage in criminal sexual conduct).

Declining to extend the Act to unwanted texts, the Czech Court stated succinctly that unwanted texts may be annoying, but they do not give rise to CFAA civil liability: “An annoyance? Quite possibly.  The basis for a civil action under [the CFAA]?  The Court thinks not.”  674 F.Supp.2d at 1105.

Take-away: Czech provides a very detailed analysis of CFAA information (defendant obtained information from a protected computer) transmission (defendant transmitted a virus or worm that damaged plaintiff’s computer), and access (defendant accessed plaintiff’s computer and caused damage or loss to plaintiff)claims.  All three of these claims are predicate acts under CFA sections 1030(a)(2)(C), (a)(5)(A) and (a)(5)(C).  The Court describes the elements and the damage and loss requirements for each of the three claims.  The Court also engages in an intricate and interesting (at least I think so) discussion of the difference between obtaining information from a plaintiff’s website as opposed to a plaintiff’s cell number.  But for this post’s purposes, the case is representative of the CFAA’s expansive definition of a “protected computer” and shows that virtually any mechanical device, wired or not, will qualify for coverage under the statute.

Facebooking at Work: A Federal Offense? (With ‘Aarons Law’ Update)

Can surfing the Net on company time get you fired?  Perhaps.  Can it subject you to Federal criminal and civil penalties?  Not yet.  At least not in the  Tampa, Florida area.  Wendy Lee v. PMSI, 2011 WL 1742028 (M.D.Fla. 2011) illustrates a creative attempt to expand the reach of the Computer Fraud and Abuse Act (CFAA)(which, incidentally, will be the subject of some future posts).  The CFAA, codified at 18 U.S.C. s. 1030, is a criminal statute with a civil component. It provides a private civil cause of action for anyone who sustains damage or loss as a result of an unauthorized user hacking into a computer system who then destroys, erases or transfers computer data.  It also prohibits authorized users from accessing protected information and from exceeding the limits of their authorization.  In this latter context, the CFAA is typically used by an employer when a rogue employee or “insider” accesses private employer computer data and sends the data to a competitor.

In PMSI, the Plaintiff filed a Federal pregnancy discrimination suit against her employer.  The employer fired back with a counterclaim based on the CFAA – saying that the Plaintiff spent her workdays surfing the Internet and playing on Facebook.  So egregious was the Plaintiff’s personal computer use, that the employer asserted a CFAA violation claiming the Plaintiff violated her employer’s published computer/Internet use policy.

The Court dismissed the CFAA count and said that while Facebooking at work may be a fireable offense; it does not subject one to Federal criminal or civil liability.  The court gave a narrow reading to the CFAA and held that the statute did not apply to a private employee’s violation of an employer’s internet policy.  Otherwise, the court said, every employee across the land who used a company computer to send and receive personal e-mails or who surfed the Net for non-work reasons could potentially be subject to Federal liability.

So, for now, Tampa area office workers can safely surf the net on company time without being subject to CFAA liability.   Whether the same workers can be fired for violating an employer computer policy, is an issue for another day and perhaps another post.

Update (7.15.13):  Recently, some proposed changes to CFAA were introduced by Zoe Lofgren and Ron Wyden, democratic congressman and senator from California and Oregon, respectively.  These changes, known as “Aarons” law (named for the late internet activist Aaron Schwartz), are designed to narrow the reach of the CFAA so that the statute is only used to prosecute outside hackers, rather than criminalize every-day violations of private employer computer policies or Internet terms of use.  Some helpful links follow.