Designer Skin LLC v. S & L Vitamins, Inc., et al.
America Online Inc. v. National Health Care Discount, Inc.
2000 U.S. Dist. Lexis 17055, 121 F. Supp. 2d 1255 (N.D. Iowa, September 29, 2000)
The court denied plaintiff AOL's motion for summary judgment seeking to hold defendant liable for violations, inter alia, of the Computer Fraud and Abuse Act, the Virginia Computer Crimes Act, and common law trespass to chattels, as a result of the transmission of unsolicited bulk e-mail advertising defendant's products to AOL users. The court reached this conclusion because, based on the record before it, it could not determine whether the parties who sent the e-mail in question were defendant's agents, acting under its control, or independent contractors.
America Online Inc. ("AOL") is an interactive service provider which, among other things, provides e-mail services to its subscribers. Throughout the time period relevant to this suit, AOL had various policies in place, including Terms of Service, Rules of the Road, and Community Guidelines, which prohibited AOL subscribers from using AOL accounts to send unsolicited bulk e-mail ("UBE") to other AOL subscribers, or from "harvesting" the e-mail addresses of AOL subscribers from chat rooms for the purpose of sending them UBE.
Defendant National Health Care Discount ("NHCD") provides discount optical and dental service plans to the general public. NHCD has made arrangements with a number of self-employed sales representatives to market its services to the general public from leads provided by NHCD. NHCD uses a number of different forms of advertising to generate these leads, including direct mail, newspaper, radio, television and door-to-door sales.
Commencing in or about late 1997, various third parties, including Forrest Dayton, began sending UBE to AOL subscribers which contained advertisements for defendant's products. The text of this advertisement came from NHCD. Defendant paid these e-mailers $1.00 for each lead they generated as a result of their activities. Defendant was aware that e-mail advertising its product was being sent to third parties. It was unclear from the record before the court, however, whether defendant knew the manner in which such e-mail was being sent, or provided any direction with respect thereto. In July 1998, AOL sent several cease and desist letters to NHCD, requesting that it stop sending UBE to AOL subscribers. NHCD replied that the e-mail was sent by "independent contractors" that NHCD did not control. The court estimated that between 76 and 300 million pieces of UBE advertising NHCD's products were sent to AOL subscribers between 1997 and 1999.
AOL commenced suit against NHCD, charging that the activities described above constituted violations of the US Computer Fraud and Abuse Act, 18 U.S.C. Section 1030 et seq., the Virginia Computer Crimes Act, and common-law trespass to chattels. AOL moved for summary judgment. Finding that questions of fact existed as to whether NHCD could be held liable for the conduct of the e-mailers in question, the court denied AOL's motion.
At the outset, the court determined that Virginia law should apply to this dispute, because Virginia was the location of the AOL computers which were allegedly overburdened by the receipt of the UBE at issue. In reaching this conclusion, the court noted that there were no significant contacts between the acts in question and any other forum, given that the relevant participants in these events, the e-mailers who sent the UBE, the recipients of the UBE and the relevant NHCD employees, were located in various states in the United States.
AOL moved for summary judgment under sections 1030(a)(5)(C) and (a)(2)(C) of the Computer Fraud and Abuse Act. Section 1030(a)(5)(C) prohibits a person or entity from "intentionally accessing a protected computer without authorization and as a result of such conduct, causing damage." A "protected computer" is defined elsewhere in the Act as any computer used in interstate or foreign commerce or communication. Section 1030(a)(2)(C) prohibits a person or entity from "intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining ... information from any protected computer if the conduct involved an interstate or foreign communication."
On the record before it, the court was unwilling to hold that either the defendant or the e-mailers had violated section 1030(a)(5)(C). The court held that under section (a)(5)(C), AOL's computers were "protected computers" within the meaning of the statute. The court further held that by sending an e-mail from a computer addressed to an AOL subscriber, the sender had accessed AOL's computers within the meaning of the statute, even though that e-mail was transmitted over the Internet by many computers before it actually reached AOL's computers.
The court refused, however, on the record before it, to find that the parties who sent the bulk e-mail in question, who were also AOL account holders, had "accessed ... [AOL's computers] without authorization" within the meaning of the section 1030(a)(5)(C) of the statute. The court said that "it is not clear that a violation of AOL's membership agreements results in "unauthorized access." ... AOL members, such as Dayton, obviously have "authorization" to access the AOL network. Having done so, is a member's authorized access converted into unauthorized access when the member violates one of the terms and conditions of membership?"
As interpreted by the court, section 1030(a)(5)(c) (and (b)) were intended to cover situations where hackers and others who had no authority to use a computer accessed that computer and caused harm to it. Section 1030(a)(5)(a), on the other hand, was applicable to those who had authority to access a computer, and caused damage to it. Under the statutory scheme, those who had permission to access a computer could only be held liable if they intended to cause damage, whereas those who did not have authority to access the computer would be held liable so long as they caused damage, regardless of their intent. The court expressed great concern as to whether an AOL subscriber who had permission to access AOL's computers, but not to send e-mail therefrom, fell within the class of individuals (hackers etc.) covered by Section 1030(a)(5)(c), as opposed to section 1030(a)(5)(a).
Moreover, the court was unwilling, on this motion, to hold that the activities of the e-mailers in question had caused the damage required for a violation of 1030(a)(5)(C). "Damage" under the CFAA is defined as "any impairment to the integrity or availability of data, a program, a system or information that ... causes loss aggregating at least $5000 in value during any 1 year period to one or more individuals ...". 18 U.S.C. Section 1030(e)(8)(A). Given that an e-mail costs AOL at least $.00078 to process, if 76 million e-mails were sent by the e-mailers in question, they caused AOL at least $59,000 in damages.
Moreover, the court "concluded that when a large volume of UBE causes slowdowns or diminishes the capacity of AOL to serve its customers, an 'impairment' has occurred to the 'availability' of AOL's system" within the meaning of the Act.
However, the court held that it could not determine on the record before it that NHCD's UBE caused such an impairment to AOL's system. Said the court: "AOL's problem, both for purposes of summary judgment and at trial, is showing specifically that NHCD's UBE, which by AOL's admission represents a mere fraction of the quantity of UBE regularly forced through AOL's system, caused the requisite damage contemplated by the statute." The court accordingly declined to grant AOL summary judgement on this claim.
In so doing, the court questioned whether section 1030(a)(5)(c) addressed the sending of UBE at all. According to the court "realistically, no federal statute currently exists which would prohibit a non-AOL member from sending UBE to any number of AOL members' e-mail addresses, without ever accessing AOL directly."
The court held that the e-mailers' conduct at issue did violate Section 1030(a)(2)(c) of the CFAA, which "proscribes intentionally accessing a computer either without authorization or in excess of authorized access, and thereby obtaining "information from any protected computer if the conduct involved an interstate or foreign communication." The e-mailers violated this section by intentionally accessing AOL's computers, and in violation of AOL's Terms of Service harvesting e-mail addresses. The court also held that the e-mailers violated the Virginia Computer Crimes Act, Vir. Code Annot. Section 18.2-152.3. That statute provides that "any person who uses a computer or computer network without authority and with the intent to ... (3) convert the property of another shall be guilty of the crime of computer fraud ...". The statute expressly states that one uses a computer "without authority" when he either uses a computer in a manner exceeding the rights or permissions given him to use it, or uses such computer to transmit UBE in contravention of the authority given to him to use that computer. The court accordingly found that the e-mailers who sent the UBEs in question violated this act. The court did not comment on how their conduct constituted a conversion of property.
The court also noted that it had previously held that the e-mailers conduct constituted a trespass to chattels.
The court was unwilling, however, on the record before it to find that NHCD could be held liable for the acts of the e-mailers in question, or their violations of the CFAA, the Virginia Computer Crime Act, or trespass to chattels. Said the court:
Because the court was unwilling to make such a determination on this record, it denied plaintiff's motion for summary judgment.