BY SAAD GUL AND MIKE SLIPSKY
U.S. Magistrate Judge Christopher J. Burke of the District of Delaware recently held that “click fraud” violates the federal Computer Fraud and Abuse Act (CFAA). “Click fraud” refers to a phenomenon when an online advertising service enhances its perceived value by inflating the number of users who “click” on the ads. In Juju, Inc. v. Native Media, LLC, the defendants, Native Media, emailed messages with job search results. The contract between the plaintiff and defendants provided that the plaintiff, Juju, paid defendants a certain sum each time a user clicked a link.
This incentive structure was designed to encourage effective electronic marketing. The clicks gauged user interest. User interest is a precursor to use or “conversion.” Over time, the plaintiff observed that the defendants’ conversion rate was low. In theory, users were interested in the advertised openings but they were not applying for jobs. This pattern of clicks with no conversions eventually aroused suspicion. The plaintiff analyzed the available data: IP addresses, repeated clicks, click location and click timing to determine whether the clicks reflected genuine user interest, or phantom users fudging figures. The plaintiff ultimately concluded that the defendants were using automated scripts, or some other technical means, to cloak actual user figures behind a wall of phantom clicks. It was paying for users that were not there.
The plaintiff, Juju, eventually sued defendants, Native Media. The complaint asserted contract and other claims; it also asserted a rare CFAA claim. To prevail on the CFAA claim, the plaintiff had to prove that defendants had (1) accessed a computer; (2) without, or exceeding, authorization; (3) intentionally and; (4) advanced fraud, obtained value or both.
The defendants moved to dismiss. They argued that alleged click fraud could not constitute unauthorized access to a computer. Unauthorized access was limited to hacking. The court rejected this argument. It noted that under 3rd Circuit precedent, accessing plaintiff’s computers in violation of a contractual restriction constituted unauthorized CFAA access. The 3rd Circuit had held that if prohibited by the parties, otherwise permissible access became unauthorized. Access to plaintiff’s computers and information met the CFAA test. That was precisely what the plaintiff was alleging: that the defendants had violated a contractual provision. In doing so, they had directed a stream of unauthorized clicks at plaintiff’s computers.
This constituted access. Because of the parties’ agreement, it was unauthorized access. For this reason, the court recommended denying the motion to dismiss. The assertion of a CFAA claim in the context of a business contractual dispute signals the growing popularity of an old statute. Combined with the CFAA’s upcoming trip to the U.S. Supreme Court, we have not heard the last of this once obscure statute.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or [email protected] Mike may be reached at 919.783.2851 or [email protected]