Accessing Google Drive using an inadvertently discovered long URL may violate the Computer Fraud and Abuse Act

Fromm Greenberg vs. Raydecided yesterday by Judge Douglas Reyes (D. Arizona) (highlighted key legal point):

Amanda Ray runs a 2,000-member Facebook group “dedicated to promoting anti-mask, anti-vaccine, anti-LGBTQ and anti-critical racial policies policies within the Scottsdale United School District.” … Plaintiff[ Mark Greenburg]The son of … serves on … the elected governing body that governs Scottsdale Unified No. 48 school district …

In response to the actions of the defendants [Wray and her husband] and the Facebook group, the plaintiff began collecting information about them, including photos, videos, discussions with third parties about them, personal comments and thoughts, and political memes. The claimant stores these records on his personal Google Drive server. The claimant specifically shares access to the server with three people (including the plaintiff’s son) who can access the server by accessing their own password-protected Google accounts. Although the plaintiff was not aware of it at the time, the sharing settings in his Google Drive also allowed anyone to access the server by typing the correct URL.

In 2021, the plaintiff’s son was charged with defamation. He responded to his prosecutor by emailing “13 photos of public comments on Facebook taken by his prosecutor, some of which were stored on the server.” One of the photos showed the URL to Google Drive, and this photo came to Amanda’s possession, where she noticed the URL and asked a third party to hyperlink the URL. After providing it, she clicked on it to access Google Drive. It reviews, downloads, deletes, adds, reorganizes, renames, and publicly discloses Google Drive content.

The plaintiff learned of the access and hired a team of IT consultants to assess the damage. He then sued the defendants under the Computer Fraud and Abuse Act …, claiming he had lost at least $ 5,000 ….

In order to “successfully bring an action under 18 USC § 1030 (g) on ​​the ground of infringement of 18 USC § 1030 (a) (2)”, the plaintiff must claim that the defendants:

(1) intentionally accessed a computer, (2) without permission or in excess of authorized access, and that (3) has thus obtained information (4) from any secure computer (if the conduct involves interstate or foreign communication), and that (5) there was a loss to one or more persons during any one-year period of a total value of at least $ 5,000.

Citation hiQ Labs, Inc. v. LinkedIn Corp. (9th Cir. 2022), Defendants argue that the plaintiff does not allege that Amanda had access to Google Drive without permission. IN Remove, a data analysis company, hiQ, collected data in public profiles on LinkedIn, data indexed by search engines. LinkedIn found out, sent a letter of termination and refusal to hiQ and imposed technical measures to prevent the deletion of data from the public profile. But hiQ did not stop and instead sought a declaratory solution that LinkedIn “cannot legally invoke CAFA” against it for scraping data found on LinkedIn’s public profiles. ID. In the end, the Ninth Circuit found that hiQ data scraping did not fall within the scope of CAFA, as “anyone with a web browser” could access the data.

In the review, the Ninth District argued that “the prohibition of unauthorized access is properly understood as applicable only to personal information – information outlined as personal through the use of some permission requirement.” Thus, in order for a website to fall under the protection of CAFA, it must have set “access restrictions”. And if “anyone with a browser” could access the website, it had no access restrictions.

This is a close call. The applicant acknowledges that the part of Google Drive available from Amanda was not password protected; The inadvertent plaintiff has enabled a setting that allows anyone with a URL to access the site. But the plaintiff claims that this setting did not in itself make Google Drive public, given that the URL is a string of 68 characters.

Moreover, Google Drive was not indexed by any search engines, unlike the website in Remove. Therefore, not only “everyone with a browser” could come across Google Drive when searching the web – the Internet resident who wanted to access Google Drive had to get the exact URL in the browser. According to the court, the plaintiff claims that Google Drive had restrictions and therefore those who try to access it need permission.

The plaintiff claims that the disclosure of the URL – the restriction – did not grant Amanda permission to access Google Drive. He claims that the disclosure was inadvertent. As the Ninth Circle acknowledged, the unintentional disclosure of means of restricting access does not in itself provide a solution. The applicant has sufficiently indicated the elements of infringement of 18 USC § 1030 (a) (2).

Defendants then argued that the plaintiff’s claims for $ 5,000 in damages were too extreme to sue. Not so. The plaintiff alleges that Amanda gained access to Google Drive without permission, causing changes to the files recorded there, and that she had to hire a forensic IT team to determine the extent of the damage, all of which he said cost at least $ 5,000. . The plaintiff is not obliged to provide detailed receipts at the stage of the pleadings ….

Related Posts

Leave a Reply

Your email address will not be published.