Accessing Google Drive using an inadvertently revealed long URL may violate the Computer Fraud and Abuse Act
Of Greenburg vs. Wraydecided yesterday by Judge Douglas Rayes (D. Ariz.) (key legal point highlighted):
Amanda Wray runs a 2,000-member Facebook group… “dedicated to spreading anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District.” … Applicant[ Mark Greenburg]The son of is a member of…the elected governing body that runs Scottsdale Unified School District #48….
In response to the activities of the defendants [Wray and her husband] and the Facebook group, the plaintiff began collecting information about them, including photographs, video footage, third-party chats about them, personal comments and thoughts, and political memes. The plaintiff stored these recordings on his personal “Google Drive” server. The plaintiff specifically shared access to the server with three people (including the plaintiff’s son), who could access the server by logging into their own password-protected Google accounts. Although the requester didn’t realize it at the time, his Google Drive sharing settings also allowed anyone to access the server by entering the exact URL.
In 2021, the plaintiff’s son was charged with defamation. He responded to his accuser by emailing “13 photographs of public Facebook comments made by his accuser, some of which were stored on the server.” One of the photographs displayed the Google Drive URL, and this photograph came into Amanda’s possession, where she noticed the URL and asked a third party to hyperlink to the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, rearranged, renamed and publicly disclosed content from Google Drive.
The plaintiff learned of the access and hired a team of computer forensic consultants to conduct a damage assessment. He then sued the defendants under the Computer Fraud and Abuse Act…, alleging a loss of at least $5,000….
To “successfully bring an action under 18 USC § 1030(g) based on a violation of 18 USC § 1030(a)(2)”, the plaintiff must allege that the defendants:
(1) intentionally accessed a computer, (2) without or beyond authorized access, and (3) thereby obtained information (4) from any protected computer (if conduct involved interstate or foreign communication), and that (5) there has been a loss to one or more persons during a period of one year aggregating a value of at least $5,000.
Citing hiQ Labs, Inc. vs. LinkedIn Corp. (9th Cir. 2022), defendants argue that plaintiff did not allege that Amanda accessed Google Drive without permission. In Hello, a data analysis company, hiQ, collected data on public LinkedIn profiles, data indexed by search engines. LinkedIn discovered this, sent hiQ a cease and desist letter, and imposed technical measures to prevent the public profile data from being deleted. But hiQ didn’t stop and instead sought a declaratory judgment that LinkedIn “could not legally invoke the CFAA” against it for deleting data found on LinkedIn’s public profiles. Identifier. Ultimately, the Ninth Circuit determined that the scraping of hiQ’s data did not fall within the scope of the CFAA because “anyone with a web browser” could access the data.
In review, the Ninth Circuit held that “the prohibition on unauthorized access is properly understood to apply only to private information – information defined as private through the use of an authorization requirement any”. Thus, for a website to fall under CFAA protection, it must have erected “limited access”. And while “anyone with a browser” could access the website, there were no access limitations.
It’s a close call. Plaintiff acknowledges that the portion of Google Drive accessed by Amanda was not password protected; The requester had inadvertently enabled the setting allowing anyone with the URL to access the site. But, the plaintiff alleges that this parameter did not in itself make Google Drive public, since the URL was a 68-character string.
Also, Google Drive was not indexed by any search engine, unlike the website of Hello. Therefore, it wasn’t just “anyone with a browser” who could stumble upon Google Drive while searching the web – the internet user wishing to access Google Drive had to get the exact URL in the browser. . In the eyes of the Court, the plaintiff alleges that Google Drive had limitations and therefore people trying to access it needed permission.
The plaintiff alleges that disclosing the URL – the limitation – did not grant Amanda permission to access Google Drive. He claims the disclosure was made inadvertently. As the Ninth Circuit recognized, inadvertent disclosure of the means surrounding an access limitation does not in itself grant authorization. Plaintiff has sufficiently pleaded the elements of a violation of 18 USC § 1030(a)(2).
Defendants then argue that Plaintiff’s claims of $5,000 in damages are too conclusive to state a claim. Not so. The plaintiff alleges that Amanda accessed Google Drive without permission, causing changes to the files stored there, and that he had to hire a forensic IT team to determine the extent of the damage, which he claims, cost at least $5,000. The plaintiff is not required to provide itemized receipts at the pleading stage….