Ebates, Inc. v. Does 1-211, No. 3:2016cv01925 - Document 6 (N.D. Cal. 2016)

Court Description: ORDER GRANTING MOTION TO PERMIT SERVICE OF SUBPOENA by Judge Jon S. Tigar granting 4 Ex Parte Application. (wsn, COURT STAFF) (Filed on 5/3/2016)
Download PDF
Ebates, Inc. v. Does 1-211 Doc. 6 1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 EBATES, INC., Case No. 16-cv-01925-JST Plaintiff, 8 v. ORDER GRANTING MOTION TO PERMIT SERVICE OF SUBPOENA 9 10 JOHN DOES 1-211, Re: ECF No. 4 Defendant. United States District Court Northern District of California 11 Before the Court is Plaintiff’s Ex Parte Motion to Permit Service of Subpoena for 12 13 Documents Prior to F.R.C.P. 26(f) Conference. In its motion, Plaintiff seeks to obtain early 14 discovery to determine the identities of the unnamed defendants. The Court will grant the motion. 15 I. 16 BACKGROUND Plaintiff Ebates, Inc. identifies itself as “a pioneer and leader in the field of online cash 17 back shopping.” ECF No. 1 (“Complaint”) ¶ 1. Its complaint alleges that on April 1, 2016, Ebates 18 was the victim of a Distributed Denial of Service (“DDOS”) attack by unknown parties, in which 19 “multiple compromised systems are used to attack a specific target, causing a denial of service for 20 users of that target.” Id. ¶ 8. The attack shut down Ebates’s primary website, Ebates.com, and 21 certain other periphery properties. Id. ¶ 7. 22 Approximately two hours after the attack began, Ebates received a series of demands for 23 ransom via email. Id. ¶ 10. The emails acknowledged responsibility for the attack, demanded 24 payment via Bitcoin, and threatened that if Ebates did not pay, more attacks would follow, and 25 Ebates would “lose customers, money, and reputation,” and threatened “you will lose everything.” 26 Id. ¶ 10-11. 27 28 Ebates alleges that the ransom notes were delivered from a list of approximately 200 e-mail addresses, all of which appear to contain a first name and a random series of 4 to 5 digits. Dockets.Justia.com 1 Id. ¶ 11. It alleges that it did not pay the ransom, and was unable to restore its website for roughly 2 10 hours following the attack. Id. ¶ 12. It alleges it has “suffered monetary harm in the form of 3 lost business in an amount that has not yet been determined, but likely in excess of $100,000.” Id. 4 ¶ 13. Plaintiff brings three claims: (1) Violation of the Computer Fraud and Abuse Act, 18 U.S.C. 5 § 1030 et. seq.; (2) Conversion; and (3) Trespass. Id. ¶¶ 18-27. Plaintiff also requests injunctive 6 relief. Id. ¶ 15. 7 Ebates now brings this motion to serve discovery prior to a Rule 26(f) conference, 8 requesting permission to serve subpoenas on Microsoft Corporation and Yahoo, Inc. to attempt to 9 identify the parties behind the e-mails that sent the ransom letters. 10 United States District Court Northern District of California 11 II. LEGAL STANDARD “As a general rule, discovery proceedings take place only after the defendant has been 12 served; however, in rare cases, courts have made exceptions, permitting limited discovery to ensue 13 after filing of the complaint to permit the plaintiff to learn the identifying facts necessary to permit 14 service on the defendant.” Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 577 (N.D. Cal. 15 1999); see also Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir. 1980) (“In such circumstances, 16 the plaintiff should be given an opportunity through discovery to identify the unknown defendants, 17 unless it is clear that discovery would not uncover the identities, or that the complaint would be 18 dismissed on other grounds.”). 19 District courts in this circuit have developed a four-part test for determining when to allow 20 early discovery. Celestial Inc. v. Swarm Sharing Hash 8AB508AB0F9EF8B4CDB14ö248F3 21 C96ö5BEB882 on Dec. 15, 2011, No. CV 12-00132 DDP SSX, 2012 WL 995273, at *2 (C.D. 22 Cal. Mar. 23, 2012). Under the test applied in Columbia Insurance Co. v. seescandy.com, the 23 moving party must: “(1) identify the defendant with enough specificity to allow the Court to 24 determine whether the defendant is a real person or entity who could be sued in federal court; 25 (2) recount the steps taken to locate the defendant; (3) show that its action could survive a motion 26 to dismiss; and (4) file a request for discovery with the Court identifying the persons or entities on 27 whom discovery process might be served and for which there is a reasonable likelihood that the 28 discovery process will lead to identifying information.” SBO Pictures, Inc. v. Does 1-3036, No. 2 1 11-4220 SC, 2011 WL 6002620, at *2 (N.D. Cal. Nov. 30, 2011) (citing to Columbia Ins. Co., 185 2 F.R.D. at 577). 3 III. 4 DISCUSSION The Court concludes that Plaintiff has met its burden under Columbia Ins. Co. The first 5 factor requires the Plaintiff to “identify the missing party with sufficient specificity such that the 6 Court can determine that defendant is a real person or entity who could be sued in federal court.” 7 Columbia Ins. Co., 185 F.R.D. at 578. “This requirement is necessary to ensure that federal 8 requirements of jurisdiction and justiciability can be satisfied.” Id. 9 Here, Plaintiff has alleged there is at least one real person or entity that specifically targeted Ebates, which has its principal place of business in California, both through its DDOS 11 United States District Court Northern District of California 10 attack and its ransom demands. Complaint ¶¶ 3-4. This is sufficient for the Court to conclude that 12 the defendants are real people or entities over which the requirements of jurisdiction and 13 justiciability “can be satisfied.” 14 The second factor requires the Plaintiff to “identify all previous steps taken to locate the 15 elusive defendant. Columbia Ins. Co., 185 F.R.D. at 579. “This element is aimed at ensuring that 16 plaintiffs make a good faith effort to comply with the requirements of service of process and 17 specifically identifying defendants.” Id. 18 Ebates has not identified the previous steps taken to locate the unnamed defendants. 19 However, a declaration submitted by a Senior Director at Ebates states that it is “unaware of any 20 way the attackers can be identified using the procedures, tools, and resources available to Ebates 21 because Ebates does not know who owns the email addresses from which the demands for ransom 22 were sent.” ECF No. 4-2 ¶ 5. Indeed, since the e-mail addresses are the only information Ebates 23 has, it appears that obtaining further information based on that information would be the first step 24 in attempting to identify the defendants. The Court concludes that, given these specific 25 circumstances, Plaintiff has made “a good faith effort” to comply with service requirements and to 26 identify the defendants. 27 28 The third factor requires Plaintiff to “establish to the Court's satisfaction that plaintiff's suit against defendant could withstand a motion to dismiss.” Columbia Ins. Co., 185 F.R.D. at 579. 3 1 While “[a] conclusory pleading will never be sufficient to satisfy this element,” id., other courts in 2 this district have held that a prima facie showing of a plausible claim is sufficient, Dallas Buyers 3 Club LLC v. Doe-73.202.228.252, No. 16-CV-00858-PSG, 2016 WL 1138960, at *3 (N.D. Cal. 4 Mar. 23, 2016). 5 The CFAA states that a person violates its provisions when, among other things, he or she: 6 (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; 7 8 9 (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss[.] 11 United States District Court Northern District of California 10 18 U.S.C. § 1030(a)(5). 12 Ebates contends that other courts have held that claims of a DDOS attack are sufficient to 13 plead a CFAA claim, and cites to Tyco Int'l (US) Inc. v. John Does, 1-3, No. 01 CIV.3856-RCC- 14 DF, 2003 WL 23374767, at *4 (S.D.N.Y. Aug. 29, 2003). Courts in this circuit have reached the 15 same conclusion as well. See BHRAC, LLC v. Regency Car Rentals, LLC, No. CV 15-865-GHK 16 MANX, 2015 WL 3561671, at *4 (C.D. Cal. June 4, 2015). At this early stage, the Court need 17 not, and does not, resolve the question of whether Ebates has pleaded a plausible claim under the 18 CFAA. Nevertheless, it concludes that Ebates has made the required prima facie showing. 19 The fourth and final factor requires the Plaintiff to “file a request for discovery with the 20 Court, along with a statement of reasons justifying the specific discovery requested as well as 21 identification of a limited number of persons or entities on whom discovery process might be 22 served and for which there is a reasonable likelihood that the discovery process will lead to 23 identifying information about defendant that would make service of process possible.” Columbia 24 Ins. Co., 185 F.R.D. at 580. In ordering discovery to identify unnamed defendants, especially in 25 an online context, “the need to provide injured parties with a[] forum in which they may seek 26 redress for grievances . . . must be balanced against the legitimate and valuable right to participate 27 in online forums anonymously or pseudonymously.” Id. at 578. 28 Ebates has submitted its desired subpoenas as exhibits to its motion. ECF No. 4-3. It 4 requests that Microsoft and Yahoo provide “[a]ll [d]ocuments referring or relating to the identity 2 of the users” of the e-mail addresses identified in its complaint, “including but not limited to 3 documents that provide names, mailing addresses, phone numbers, billing information, date of 4 account creation, account information and all other identifying information, including any related 5 metadata, associated with the email addresses under any and all names, aliases, identities or 6 designations related to the email address.” Id. at 8, 16. It also requests all documents that 7 “provide IP logs, IP address information at the tune of registration, and also between the dates 8 March 15, 2016 and April 12, 2016, computer usage logs, or other means of recording information 9 concerning the email or Internet usage of the email addresses,” and documents of any policies or 10 procedures that Microsoft and Yahoo have used to authenticate the identity of the persons behind 11 United States District Court Northern District of California 1 the e-mail addresses. Id. 12 Ebates does not discuss each specific request for information, but contends that the request 13 is “specific, targeted, and very limited,” and “requests information designed to help identify the 14 relevant individuals, such as the IP addresses and other identifying information associated with the 15 relevant accounts.” ECF No. 4 at 6. The Court concludes there is a “reasonable likelihood” that 16 much of the information requested will lead to identifying information about the unnamed 17 defendants. Some of the information, however, is probably unnecessary. Ebates does not explain 18 why the phone numbers and billing information attached to the e-mail addresses are needed. See 19 Indigital Sols., LLC v. Mohammed, No. CIV.A. H-12-2428, 2012 WL 5825824, at *3 (S.D. Tex. 20 Nov. 15, 2012) (rejecting an early discovery request for the same information “[d]ue to the 21 sensitive nature of this information.”). 22 Thus, to ensure that Plaintiff’s discovery does not unnecessarily reveal the private 23 information of any parties, the Court will grant Plaintiff’s request for early discovery subject to the 24 following limitations. 25 1. 26 produced. 27 2. Ebates’s subpoenas may not require telephone numbers or billing information to be 28 By separate order, the Court shall issue this district’s model protective order for standard litigation in this case. Until further instruction by the Court, all information obtained 5 1 from these discovery requests shall be designated confidential by Plaintiff upon its receipt. See 2 Indigital Sols., 2012 WL 5825824, at *5. 3 3. Until further instruction by the Court, any filing that cites, refers to, or attaches 4 information obtained through these discovery requests shall be filed as the subject of a motion to 5 seal. The motion to seal shall specifically identify this order as the basis for the request to seal, 6 and shall comply with all aspects of this Court’s standing order on motions to seal. CONCLUSION 7 8 9 10 United States District Court Northern District of California 11 12 13 The ex parte motion for early discovery is granted. Subject to the conditions described above, Plaintiff may serve its proposed subpoenas on Microsoft, Inc. and Yahoo, Inc. IT IS SO ORDERED. Dated: May 3, 2016 ______________________________________ JON S. TIGAR United States District Judge 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 6