Crowley v. Cybersource Corp., 166 F. Supp. 2d 1263 (N.D. Cal. 2001)

*1264 *1265 William P. Butterfield, Finkelstein Thompson & Loughran, Washington, DC, James C. Krause, Patrick N. Keegan, Krause & Kalfayan, San Diego, for plaintiff.

Alan Cope Johnston, Morrison & Foerster, Palo Alto, CA, Lori A. Schechter, Megan M. Auchincloss, Morrison & Foerster LLP, San Francisco, CA, for Cyber-Source Corporation.

Chun T. Wright, Jennifer Sim, Jennifer S. Sim, Perkins Coie LLP, Menlo Park, CA, David J. Burman, Perkins Coie, LLP, David A. Zapolsky, Amazon.com, Inc., Seattle, WA, for Amazon.com, Inc.

Scott D. Baker, Christine M. Morgan, Crosby Heafy Roach & May, San Francisco, CA, for priceline.com, Inc.

ORRICK, District Judge.

This is a putative class action brought pursuant to the Federal Wiretap Act ("Wiretap Act"), 18 U.S.C. §§ 2510-2522, and the Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. § 2701-2719, by plaintiff Daragh Crowley ("Crowley") against defendants CyberSource Corporation ("CyberSource") and Amazon.com, Inc. ("Amazon"). Crowley alleges that he went to Amazon's web site to purchase goods, and gave Amazon his name, e-mail address, mailing address, credit card number and expiration date, and telephone number. Amazon then transmitted this information to CyberSource, a company that verifies the identity of a person making an online purchase. Crowley's claims focus on his allegation that CyberSource stored the information he sent it, and used it to create a personal profile. Crowley claims that Amazon and CyberSource thus violated the Wiretap Act and the ECPA, invaded his privacy, acted negligently towards him, and committed other unlawful acts.

CyberSource now moves to dismiss Crowley's first amended complaint ("amended complaint") for failure to state a claim pursuant to Rule 12(b) (6) of the Federal Rules of Civil Procedure, and Amazon moves to dismiss the amended complaint *1266 for failure to state a claim pursuant to Rule 12(b) (6) or, in the alternative, for improper venue pursuant to Rule 12(b) (3) of the Federal Rules of Civil Procedure. For the reasons set forth hereinafter, Amazon's and CyberSource's motions to dismiss Crowley's first cause of action for violation of the Wiretap Act are granted with leave to amend. Amazon's motion to dismiss the second cause of action for violation of the ECPA is granted with leave to amend. Amazon's motion to dismiss for improper venue is denied, and the Court declines to exercise supplemental jurisdiction over the state claims.

Crowley filed the amended complaint on behalf of himself and a purported class of persons who "entered into online transactions with Amazon.com prior to August 31, 2000 whose personal and private information was secretly transmitted, used and/or disclosed by CyberSource and/or Amazon.com without such persons' authorization or consent." (Am.Compl.¶ 56.) Crowley's allegations arise out of Amazon's use of CyberSource to verify the identity of a person making a credit card purchase on Amazon's web site.

Amazon is an online merchant that sells, inter alia, books, CDs, and personal electronics devices over the Internet. Amazon uses CyberSource to verify the identity of persons making credit card purchases on its web site. As noted above, when a person makes a purchase on Amazon's site, that person transmits his name, address, telephone number, e-mail address, and credit card information to Amazon. Amazon transmits this information to CyberSource. CyberSource transmits the information to Amazon's bank and to the credit card association, which in turn routes the information to the customer's bank. The customer's bank responds to the credit card association, informing it that the transaction either has or has not been authorized, and that response is routed to CyberSource. If the transaction has not been authorized, CyberSource notifies Amazon, which cancels the transaction. If the transaction has been authorized, CyberSource notifies Amazon, Amazon proceeds with the transaction, and the customer's bank approves a transfer of funds to Amazon's bank. (Id. § 32.)

Crowley asserts that Amazon sends CyberSource "far more information about Plaintiff and the members of the Class than is necessary to obtain authorization for the proposed purchase." (Id. ¶ 34.) He alleges that Amazon sends CyberSource "the Internet user's name, address, phone number, email address and even a description of the type of product being purchased." (Id.) CyberSource allegedly uses the information as follows:

Defendant CyberSource stores this personally identifiable and confidential information about Plaintiff and the Class Members, without their knowledge or consent, for at least six months for the purpose of creating and maintaining personal profiles on Plaintiff and the Class.

(Id. ¶ 35.) Crowley further asserts that CyberSource, "through its affiliations with entities such as Amazon.com, is able to and does compile historical records on Plaintiff and members of the class, including but not limited to, name, email address, address, phone number, credit card numbers, description of the product purchased and the amount of money expended on online purchases." (Id. ¶ 43.) This profile includes information regarding purchases made "at any of the websites of Internet merchants with whom CyberSource has a similar relationship [to that which it has with Amazon]." (Id.¶ 44.)

Prior to August 31, 2000, Amazon posted a Privacy Policy that stated that it was "committed to protecting [its customers'] privacy" and "use[d] the information [it *1267 collected] ... to process orders and to provide a more personalized shopping experience." (Id. ¶ 37.)

Based on this course of conduct, Crowley alleges the following causes of action: (1) interception and disclosure of wire, oral, or electronic communications in violation of the Wiretap Act, against both defendants; (2) violations of the ECPA, against Amazon; (3) unjust enrichment, against both defendants; (4) invasion of privacy, against both defendants; (5) negligence, against both defendants; (6) fraud by concealment, against both defendants; and (7) breach of contract, against Amazon.

Both Amazon and CyberSource filed motions to dismiss, challenging each of the causes of action in the amended complaint pursuant to Rule 12(b) (6) of the Federal Rules of Civil Procedure. Additionally, Amazon challenges venue, pursuant to Rule 12(b) (3) of the Federal Rules of Civil Procedure, asserting that a forum selection clause in a contract between it and purported class members provides that proper venue for this action lies in the State of Washington.

Before turning to the motions to dismiss for failure to state a claim, the Court will address Amazon's motion to dismiss for improper venue pursuant to Rule 12(b) (3). In ruling on a 12(b) (3) motion, the Court is permitted to consider both the complaint and evidence extrinsic to the complaint. Argueta v. Banco Mexicano, S.A., 87 F.3d 320, 324 (9th Cir. 1996).

Amazon alleges that a forum selection clause in a contract agreed to by each member of the class applies to this dispute and that the Court must, therefore, dismiss this action for improper venue.

The forum selection clause to which Amazon refers is contained in an agreement entitled the "Participation Agreement," an agreement to which one had to assent before using Amazon's "person-to-person" transaction services, Amazon Auctions and zShops. These person-to-person transaction services differ from Amazon's retail sales operation because, when using them, the buyer purchases goods directly from another Amazon user, rather than Amazon itself. Amazon submitted the declaration of Jayashree Kolhatkar, providing that Amazon only used CyberSource for transactions on its Auctions or zShops. Therefore, according to Amazon, the only persons who can complain of CyberSource's conduct are those who used Auctions or zShops, and each of these persons clicked on the Participation Agreement, thus accepting the forum selection clause.

This argument raises a procedural question regarding definition of the class, because were the Court to accept Amazon's argument it would narrow the definition of the class at this stage of the litigation. The Court will not, however, reach this question because it finds that the forum selection clause does not apply to the claims in this case. The forum selection clause applies to "any action at law or in equity arising out of or relating to these terms and conditions," in other words, the terms and conditions of the Participation Agreement. (See, Ressmeyer Decl. Ex. A, Participation Agreement. ¶ 17.) The Participation Agreement consists of its terms and conditions and "all policies and guidelines incorporated by reference." (Id. at 1.) The Privacy Policy is referenced in the Participation Agreement, but it is not incorporated by reference. (Id. ¶ 12.) The claims in this action relate to the Privacy Policy, and not to the Participation Agreement. The amended complaint is based entirely on the use of customers' credit card and identification information, a subject *1268 covered by the Privacy Policy and not the Participation Agreement. Accordingly, the Court finds that the forum selection clause does not apply to this dispute, and denies Amazon's motion to dismiss for improper venue.

A motion to dismiss under Rule 12(b) (6) cannot be granted unless "it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief." Conley v. Gibson, 355 U.S. 41, 45-46, 78 S. Ct. 99, 2 L. Ed. 2d 80 (1957) (footnote omitted). Dismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory. Balistreri v. Pacifica Police Dept., 901 F.2d 696, 699 (9th Cir.1988).

Plaintiff asserts that both Amazon and CyberSource violated the Wiretap Act. His opposition brief makes clear his theory of his Wiretap Act claim:

Amazon intercepted Plaintiff's electronic communications in violation of the Wiretap Act with the tortious purpose of invading Plaintiff's privacy, disclosed those intercepted communications to CyberSource in violation of the Wiretap Act, and conspired with CyberSource to use these intercepted communications to compile and store a personal profile of Plaintiff, thereby tortiously invading his privacy.

(Pl.'s Opp'n to Amazon's Mot. at 1:19-2:1.)

The Wiretap Act proscribes the interception of wire, oral, and electronic communications. It defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." 18 U.S.C. § 2510(4). The Court need not accept a conclusory allegation that conduct alleged in the complaint constituted an interception under the Wiretap Act. See Holden v. Hagopian, 978 F.2d 1115, 1121 (9th Cir.1992) (court need not accept as true conclusory allegations, unsupported by the facts alleged). The Wiretap Act brings within its parameters any person who:

(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

. . . . .

(c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;

(d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection[.]

18 U.S.C. § 2511(1) (a), (c), (d). The Wiretap Act expressly provides, however, that:

It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.

18 U.S.C. § 2511(2) (d) (emphasis added).

The Wiretap Act creates both criminal and civil liability for violation of its *1269 provisions. The private right of action is found in 18 U.S.C. § 2520. Section 2520, however, does not provide for a civil action against one who aids and abets a violation of the Wiretap Act. Peavy v. WFAA-TV, Inc., 221 F.3d 158, 169 (5th Cir.2000).

The Court finds that the amended complaint fails to allege that Amazon intercepted a communication between it and Crowley within the meaning of the Wiretap Act. The Wiretap Act requires, first, that there be a communication and, second, that there be an acquisition of that communication by an "electronic, mechanical, or other device." 18 U.S.C. § 2510(4). According to the amended complaint, Crowley sent certain information to Amazon, which then conveyed it to CyberSource. This transfer constitutes an electronic communication within the meaning of the Wiretap Act. See 18 U.S.C. § 2510(12) ("`electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate ... commerce[.]"). Crowley transmitted this information via e-mail over the Internet, and Amazon received the information, effectively completing the communication. Amazon did not, however, "intercept" the communication within the meaning of the Wiretap Act, because Amazon did not acquire it using a device other than the drive or server on which the e-mail was received. The fact that this necessarily entailed storage of the communication is not relevant. As the Ninth Circuit has noted, some storage is essential to communication via e-mail. See Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035, 1045 (9th Cir.2001). Amazon merely received the information transferred to it by Crowley, an act without which there would be no transfer. Amazon acted as no more than the second party to a communication. This is not an interception as defined by the Wiretap Act.

Crowley's argument, moreover, would result in an untenable result. Holding that Amazon, by receiving an e-mail, intercepted a communication within the meaning of the Wiretap Act would be akin to holding that one who picks up a telephone to receive a call has intercepted a communication and must seek safety in an exemption to the Wiretap Act. Such a result would effectively remove from the definition of intercept the requirement that the acquisition be through a "device." Therefore, the amended complaint fails to state a claim against Amazon under the Wiretap Act, and Amazon's motion to dismiss that claim is granted.

The Court's finding that the amended complaint states no Wiretap Act claim against Amazon disposes of any possible use or disclosure case under the Wiretap Act against CyberSource based on Amazon's interception of communications between Amazon and customers. Crowley's opposition to CyberSource's motion to dismiss argues only that CyberSource violated the Wiretap Act by using intercepted information:

Plaintiff has adequately alleged that Amazon.com intercepted Plaintiff's electronic communications in violation of the Wiretap Act. The only question is whether CyberSource's use of this intercepted information was in violation of the Wiretap Act.

(Pl.'s Opp'n to CyberSource's Mot. at 6:7-10.) Thus, Crowley's claim against CyberSource rises and falls on whether CyberSource used information intercepted by Amazon. Amazon did not intercept the information transmitted to it, and Crowley's claim against CyberSource fails. CyberSource's motion to dismiss the claims for violation of the Wiretap Act is granted.

Next, Crowley alleges that Amazon violated the ECPA. He alleges that:

Amazon.com ... intentionally accessed without authorization and/or intentionally exceeded its authorization to access Plaintiff's and the Class' computer systems through which electronic communications systems^[1] are provided[.]

(Am.Compl. ¶ 63.) Further, he alleges that Amazon:

obtained access to [Crowley's and purported class members'] wire and electronic communications while in electronic storage in such computer systems and/or knowingly divulged the contents of such communications while in electronic storage[.]

(Id.)

Thus, this cause of action is based on two provisions of the ECPA: the one addressing unauthorized access to facilities through which electronic communication services are provided, and the other addressing disclosure of information by persons or entities providing electronic communication services and remote computing services to the public. The Court will first address the applicability of the second provision, which deals with disclosure by service providers.

The ECPA provides that, with certain exceptions, a person or entity providing either an electronic communication service or remote computing service to the public shall not "knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service[.]" 18 U.S.C. § 2702(a) (1). Therefore, for Amazon to be liable for improper disclosure of electronic communications under the ECPA, it must provide either electronic communication service or remote computing service. The amended complaint makes clear that it does neither.

The amended complaint alleges that Amazon is an online merchant, not an electronic communication service provider. In an effort to save this claim, Crowley argues that Amazon is an electronic communication service provider because it receives electronic communications from customers, saying that "without recipients such as Amazon.com, users would have no ability to send electronic information." (Pl.'s Opp'n to Amazon's Mot. at 4:12-13.) This argument was expressly rejected in Andersen Consulting LLP v. UOP, 991 F. Supp. 1041 (N.D.Ill.1998). Faced with the argument that UOP provided an electronic communication service to Andersen because it permitted Andersen personnel to use its e-mail system to communicate with UOP personnel and Andersen personnel, the court stated:

[T]he fact that Andersen could communicate to third-parties over the Internet and that third-parties could communicate with it did not mean that UOP provided an electronic communication service to the public.... UOP must purchase Internet access from an electronic communication service provider ...; it does not independently provide such services.

Id. at 1043. The Court agrees with Andersen Consulting, and rejects the argument that because Amazon receives e-mails from Crowley it provides an electronic communication service. Additionally, such a definition would equate a user with a provider and, thus, ignore language in § 2701(c) that treats users and providers as different.

If Crowley is to state a claim for relief under the ECPA, therefore, that *1271 claim must rest on the provisions addressing unauthorized access to facilities through which an electronic communication service is provided.

These provisions, which govern unauthorized access to stored communications, found at 18 U.S.C. § 2701(a), concern whoever:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system[.]

Subsection (c) of the statute provides that subsection (a) does not apply "to conduct authorized" "(1) by the person or entity providing a wire or electronic communications service; [or] (2) by a user of that service with respect to a communication of or intended for that user[.]" 18 U.S.C. § 2701(c). Accordingly, for Amazon to be liable for unauthorized access under the ECPA, it must have gained unauthorized access to a facility through which electronic communications services are provided (or its access must have exceeded the scope of authority given), it must thereby have accessed electronic communications while in storage, and its access must not fall within the exception of subsection (c).

Crowley argues both that the facility to which Amazon gained unauthorized access was his computer (Am.Compl. ¶ 63) and that the facility was Amazon's own computer system:

The "facility" at issue in this case is Amazon.com's own computer system, which stores and holds Plaintiff's and the Class' personally identifiable and confidential information. This facility, through which Amazon provided an electronic communications service, is protected against unauthorized access under the Stored Communications Act.

(Pl.'s Opp'n at 4:6-8 (citation omitted) (footnote omitted).) The Court will address both assertions, starting with the one found in the amended complaint.

First, the Court notes that the success of Crowley's argument depends on a holding that computers of users of electronic communication service, as opposed to providers of electronic communication service, are considered facilities through which such service is provided. This argument seems destined to failure, especially in light of the fact that all one needs to render access to such a facility authorized is consent by a provider of an electronic communication service. See 18 U.S.C. 2701(c) (1). It would certainly seem odd that the provider of a communication service could grant access to one's home computer to third parties, but that would be the result of Crowley's argument. The Court, however, need not treat this question any further, because the Court finds no unauthorized access to have occurred.

The allegations of the amended complaint do not demonstrate that Amazon accessed Crowley's computer. Although Crowley makes a conclusory allegation to that effect, the Court is not bound to accept such an allegation in ruling on a motion to dismiss pursuant to Rule 12(b) (6). The facts alleged tell a different story. Crowley sent his information to Amazon electronically; Amazon did not gain access to his computer in order to obtain the personal information at issue. In interpreting the meaning of "access" in the context of this Act the Ninth Circuit has given the word its plain meaning. It has said the word means "to get at" or "gain access to." See United States v. Smith, 155 F.3d 1051, 1058 (9th Cir.1998). Amazon received a voluntary transmission of information from Crowley; it did not access *1272 the information as that term is used in the ECPA. Accordingly, Crowley cannot base his claim for violation of the Stored Communications Act by Amazon on the allegation that Amazon gained unauthorized access to his computer.

Crowley's second argument in support of his unauthorized access claim, which is that Amazon had limited access to its own systems, strains credulity. First, Crowley cites no authority in support of this argument. Second, a very similar argument was rejected by the court in State Wide Photocopy Corp. v. Tokai Financial Services, Inc., 909 F. Supp. 137 (S.D.N.Y. 1995). In that case, the court said that, even assuming that a company's computers, through which it sent and received electronic communications, were "facilit[ies] through which an electronic communication service is provided, the computer could not have limited access to its own facilities." See id. at 145.^[2] Amazon's access to its own systems is not limited under the ECPA.

Amazon's motion to dismiss Crowley's ECPA claim is granted.

The Court now turns to the remaining state claims.

Amazon argues that the Court is prevented from hearing state law claims by the dormant commerce clause. Amazon cites to cases holding state statutes unconstitutional on the grounds that only Congress may enact legislation regarding the Internet. For example, in American Libraries Association v. Pataki, 969 F. Supp. 160 (S.D.N.Y.1997), the court granted a preliminary injunction against a New York statute regulating the communication via computer of certain sexually explicit content to minors. See id. at 163, 183-184. Amazon cites no cases removing commercial activity from the reach of state tort law on dormant commerce clause grounds, and the Court has found none. Indeed, the Third Circuit has expressed doubt as to whether state common law claims could violate the dormant commerce clause. See Buzzard v. Roadrunner Trucking, Inc., 966 F.2d 777, 784, n. 9 (3d Cir.1992); see also Camden County Bd. of Chosen Freeholders v. Beretta U.S.A. Corp., 123 F. Supp. 2d 245, 254 (D.N.J.2000) (noting that typically, dormant commerce clause challenges are made to state legislation, not state common law claims). Accordingly, the Court declines to hold that Crowley's state law claims fail under the dormant commerce clause.

The Court, however, will not exercise supplemental jurisdiction over the remaining state law claims. With the exception of the invasion of privacy and negligence claims as stated against CyberSource, which the Court was forced to reach to determine the viability of Crowley's Wiretap Act claim against CyberSource, the Court dismisses Crowley's state claims without prejudice for lack of jurisdiction.

Section 1367 of Title 28 of the United States Code, provides that district courts may exercise supplemental jurisdiction over all other claims "that are so related to claims in the action within such original jurisdiction that they form part of the same case or controversy under Article III[.]" 28 U.S.C. § 1367(a). The district court may decline to exercise supplemental *1273 jurisdiction over a claim if it has dismissed all claims over which it has original jurisdiction. See id. § 1367(c) (3). In particular, when the federal claims are dismissed at this stage in the litigation, a district court may exercise its discretion to dismiss the state claims. See Gini v. Las Vegas Metro., Police Dep't, 40 F.3d 1041, 1046 (9th Cir.1994).

The decision to dismiss the remaining state claims without prejudice rests on another factor from § 1367(c). Where a state claim "raises a novel or complex issue of State law," the court may decline to exercise jurisdiction over it. The state claims raised here address important issues regarding the transmission of information over the Internet. The papers submitted by the parties reveal, by their numerous references to general principles rather than analogous authority, that the California courts have not had ample opportunity to address the applicability of the California tort law at issue in this case to Internet commerce. It should be left to the California courts to, in the first instance, apply California law to this area. Accordingly, Amazon's motion to dismiss the remaining state claims is granted without prejudice.

Accordingly,

IT IS HEREBY ORDERED that:

1. Amazon's motion to dismiss for improper venue is denied.

2. Amazon's and CyberSource's motions to dismiss Crowley's first cause of action for violation of the Wiretap Act are granted, with leave to amend on or before September 21, 2001.

3. Amazon's motion to dismiss the second cause of action for violation of the ECPA is granted, with leave to amend on or before September 21, 2001.

4. Crowley's remaining state claims for relief are dismissed without prejudice, based on the Court's finding that it should not exercise supplemental jurisdiction over them.

[1] As the ECPA refers to "electronic communication services," and not to "electronic communications systems," the Court will address this allegation as if it used the word "service" rather than "system."

[2] The court also rejected the argument that the fax machines and computers constituted facilities through which an electronic communication service was provided, saying the company "is in the business of financing and ... merely uses fax machines and computers as necessary tools[.]" State Wide Photocopy, 909 F. Supp. at 145.