Uber Technologies, Inc. v. Doe I
Filing
20
ORDER by Judge Laurel Beeler granting 16 Ex Parte Application ; granting 17 Administrative Motion to File Under Seal; granting 18 Ex Parte Application ; granting 19 Administrative Motion to File Under Seal. Neither Uber nor GitHub need notify John Doe I of the new GitHub subpoena. The Comcast subpoena is subject to the usual notice terms as expressed in the order. (lblc1S, COURT STAFF) (Filed on 4/27/2015)
<![CDATA[
1
2
3
4
5
6
7
8
UNITED STATES DISTRICT COURT
9
NORTHERN DISTRICT OF CALIFORNIA
10
San Francisco Division
United States District Court
Northern District of California
11
UBER TECHNOLOGIES, INC.,
12
Case No. 15-cv-00908-LB
Plaintiff,
13
v.
ORDER GRANTING EXPEDITEDDISCOVERY & RELATED SEALING
MOTIONS
14
JOHN DOE I,
15
Defendant.
[Re: ECF Nos. 16-19]
16
INTRODUCTION
17
18
Plaintiff Uber Technologies, Inc. claims that defendant John Doe I breached its secure
19
database, stole information from that database, and so violated the federal Computer Fraud and
20
Abuse Act, 18 U.S.C. § 1030 et seq., and the California Comprehensive Computer Data Access
21
and Fraud Act, Cal. Penal Code § 502. (Compl. – ECF No. 1 at 2, ¶ 8.)1 In its continued effort to
22
identify Doe, Uber seeks permission to take expedited discovery from third parties Comcast
23
Business Communications, LLC (ECF No. 16) and GitHub, Inc. (ECF No. 18). Uber seeks to
24
discover (among other things) the names, physical addresses, email addresses, subscription-
25
payment information, and Media Access Control addresses associated with identified Internet
26
Protocol (―IP‖) addresses and a domain name that were likely used to access Uber’s database.
27
1
28
Record citations are to documents in the Electronic Case File (―ECF‖); pinpoint citations are to
the ECF-generated page numbers at the tops of the documents.
ORDER 15-908 LB
1
(The full subpoenas appear at ECF No. 16-1 at 7 and ECF No. 18-1 at 7.) Uber also brings two
2
sealing motions, one related to each discovery motion, to maintain the confidentiality of the IP
3
addresses and the domain name in the subpoenas — the disclosure of which (according to Uber)
4
could help Doe elude its investigation. Finally, Uber asks the court to clarify its previous order
5
(ECF No. 11) to confirm that Uber may ―share information received in discovery in this lawsuit‖
6
with ―third parties such as law enforcement‖ if such sharing is ―in connection with Uber’s claims
7
in this lawsuit.‖ (ECF No. 18 at 7.) For the reasons given and subject to the conditions set out
8
below, the court grants all four of Uber’s motions.
DISCUSSION
10
The court previously granted Uber’s motion to take expedited discovery from GitHub. (ECF
11
United States District Court
Northern District of California
9
No. 11.) Uber’s present motions walk mostly the same ground as its first motion and, insofar as
12
they apply, the court incorporates by reference the factual and legal discussions in its previous
13
order. As the court there found, Uber has shown that: (1) John Doe I is a real person who may be
14
sued in federal court; (2) Uber unsuccessfully tried to identify John Doe I before filing these
15
motions; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a
16
reasonable likelihood that the proposed subpoenas will lead to information identifying John Doe I.
17
The court extends its earlier factual discussion and legal analysis as needed to account for
18
Comcast (who was not involved in the earlier motion) and for events following the issuance of
19
Uber’s first subpoena.
20
I. ECF NO. 16 — COMCAST
21
GitHub produced information in response to Uber’s earlier subpoena. (Snell Decl. – ECF No.
22
16- 1 at 2, ¶ 3.) That information showed that ―someone used an IP address registered to Comcast
23
to access relevant posts on the GitHub site.‖ (See id. at 2, ¶ 4; ECF No. 16 at 3, 5.) (The same
24
person who breached Uber’s database accessed the GitHub posts to which Uber refers. (ECF No.
25
4-2 at 1-2, ¶¶ 2-3.)) It is likely that Comcast ―has subscriber information for the Address, as well
26
as information potentially linking the subscriber to unauthorized access to Uber systems.‖ (ECF
27
No. 16 at 5.) ―Thus,‖ Uber writes, ―information related to‖ the Comcast IP address ―will further
28
ORDER 15-908 LB
2
1
Uber’s investigation regarding the identity of John Doe 1.‖ (Id. at 3.) The subpoena that Uber
2
would now serve accordingly asks Comcast to produce:
3
4
5
6
7
8
9
10
United States District Court
Northern District of California
11
1. The name, address, telephone number, email address, Media Access
Control addresses, and any other identifying information for each subscriber assigned
the Internet Protocol address [REDACTED] (―Subscribers‖) from March 11, 2014
until May 13, 2014.
2. Any logs or other information regarding Subscribers’ access to the
following IP addresses or domains between March 11, 2014 and May 13, 2014: (a)
[REDACTED]; and (b) [REDACTED].
3. Any logs or other information regarding Subscribers’ access to the following IP
addresses or domains on May 12, 2014 on or about 9:47 pm PDT: (a) [REDACTED]; and
(b) [REDACTED].
4. The name, address, telephone number, email address, Media Access
Control address, and any other identifying information for any individual user or
machine on Subscribers’ networks that accessed
12
13
14
15
https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b29826096fe04
3409e2c305bb79/insurance fun.py, https://api.github.com/gists/9556255/, and/or
https://gist.github.com/hhlin/9556255 on or about April 12, 2014.
5. The Subscribers’ means and source of payment (including any credit card or bank
account number).
16
17
18
19
20
21
22
23
24
25
26
27
(ECF No. 17-3 at 1.)
Producing this information should not unduly prejudice Comcast. Comcast is a sophisticated
business that is likely accustomed to responding to subpoenas so that, as Uber contends, it ―will
not be burdened by this straightforward request involving one IP address.‖ (ECF No. 16 at 5.)
More precisely, Uber’s need for the requested discovery outweighs whatever small burden the
subpoena may impose on Comcast. See Semitool, Inc. v. Tokyo Electron Am., Inc., 208 F.R.D.
273, 276 (N.D. Cal. 2002).
The court furthermore deems the requested — and now authorized — subpoena to be issued
―pursuant to a court order‖ within the meaning of 47 U.S.C. § 551(c)(2)(B). The relevant part of
that statute provides:
(c) Disclosure of personally identifiable information
....
28
ORDER 15-908 LB
3
1
(2) A cable operator may disclose such information if the disclosure is —
2
....
3
(B) . . . made pursuant to a court order authorizing such disclosure, if the subscriber
is notified of such order by the person to whom the order is directed.
4
5
6
7
8
9
10
47 U.S.C. § 551(c)(2)(B). This order expressly authorizes such disclosure. To ensure compliance
with this statute, the concluding section of this order provides for Comcast to notify Doe of the
subpoena.
II. ECF NO. 18 — GITHUB
A. The Subpoena
Uber seeks to serve a new subpoena on GitHub. It explains:
The instant request differs from Uber’s prior request to GitHub. The
prior request sought information related to visits to GitHub
webpages over the course of several months and could therefore
involve individuals who have nothing to do with the instant dispute.
This request, however, is narrowly tailored to seek identifying
information for the individual who used the same Address on the
GitHub website on the same day that John Doe I used the Address to
access Uber’s database. . . . [T]his information will likely tie an
individual directly to the breach . . . .
United States District Court
Northern District of California
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
For the reasons given in its earlier order (ECF No. 11 at 3-6), the court holds that Uber has shown
good cause for issuing the requested subpoena.
B. GitHub Need Not Notify John Doe
Uber also asks that, unlike it did with the last GitHub subpoena, the court not direct Uber or
(more accurately) GitHub to notify Doe of the subpoena. ―[T]here is no notice requirement under
the law or GitHub’s Terms of Service,‖ Uber reasons. (ECF No. 18 at 6.) The court accepts
GitHub’s representations about the absence of such a requirement in the law; the court, too, has
seen no law affirmatively requiring, in this situation, that someone be notified when their
information will be turned over to an adversary in litigation pursuant to a lawful subpoena. And
Uber is correct about GitHub’s Terms of Service. As Uber recounts, the Terms of Service to which
John Doe I must have agreed when he set up a GitHub account provide that, ―GitHub may
disclose personally identifiable information under special circumstances, such as to comply with
subpoenas or when your actions violate the Terms of Service.‖ (See ECF No. 18 at 6.) Uber
28
ORDER 15-908 LB
4
1
appears to be equally correct when it writes: ―By accessing the GitHub site, John Doe I consented
2
to disclosure of his personal information in connection with an investigation into illegal
3
activities.‖ (Id.) GitHub’s privacy policy states: ―The information we collected . . . is not shared . .
4
. except to provide products or services you’ve requested, when we have permission, or under the
5
following circumstances: It is necessary to share information in order to investigate, prevent, or
6
take action regarding illegal activities . . . .‖ (See id.)2
The case that Uber cites in this area — Sony Music Entm’t Inc. v. Does 1-40, 326 F. Supp. 2d
7
556 (S.D.N.Y. 2004) — does suggest that, in view of their Internet service provider’s (―ISP‖)
9
Terms of Service, Doe defendants had a ―minimal expectation of privacy.‖ Id. at 566. (The ISP in
10
Sony Music did notify the Doe defendants that their identifying information had been subpoenaed.
11
United States District Court
Northern District of California
8
Id. at 559-60. The case does not mention whether this was at a court’s direction or not.) It is one
12
thing, however, to agree that one’s information might be shared; it is another to waive notification
13
of that fact. Notice has its own value. Being told that one’s personal information is being disclosed
14
may prompt one to take perfectly legitimate actions in response, even if a prior agreement bars one
15
from objecting to the disclosure itself.
16
Uber has pointed out that Internet-anonymity cases come in different shades. On one end of
17
the spectrum, anonymous-speech cases can directly implicate the First Amendment. These elicit
18
the most demanding justification for disclosing an otherwise anonymous person’s identity. See
19
generally, e.g., In re Anonymous Online Speakers, 661 F.3d 1168, 1174-77 (9th Cir. 2011).
20
Somewhere in the middle are copyright-infringement suits. See, e.g., Pink Lotus Entm't, LLC v.
21
Doe, 2012 WL 260441, *2- (E.D. Cal. Jan. 23, 2012) (discussing Ninth Circuit good-cause
22
standard) (―Good cause for expedited discovery is frequently found in cases involving claims of
23
infringement . . . .‖). This case lies near the opposite end of the spectrum. Here, Uber alleges that
24
Doe directly breached and stole data from its secure database. On Uber’s apparent view, the
25
defendant in such a case can have little or no expectation that he will be notified, to say nothing of
26
having a legal right to be notified, if an investigation discloses his personally identifying
27
28
2
https://help.github.com/articles/github-privacy-policy/ (last accessed Apr. 22, 2015).
ORDER 15-908 LB
5
1
information.
2
This line of argument prompts two thoughts. The first is that this sort of case (call it one of
3
straightforward hacking and data theft) shares more in common with copyright-infringement suits
4
than with true First Amendment, anonymous-speech cases.3 Infringement suits, too, involve theft;
5
and defendants in such cases almost certainly are tempted ―to destroy or tamper with evidence‖
6
upon learning that an investigator (adversarial litigant or law enforcement) is about to learn their
7
identity. Nor has the court seen anything suggesting that the evidence that Doe may possess here is
8
more ephemeral than the proof that is normally involved in infringement cases of illegal
9
downloading and sharing. Yet infringement decisions have required the notice that Uber asks the
court to excuse. E.g., Digital Sin, Inc. v. Does 1-176, 279 F.R.D. 239, 244 (S.D.N.Y. 2012)
11
United States District Court
Northern District of California
10
(ordering ISP to notify Doe defendant of subpoena); Warner Bros. Record Inc. v. Does 1-14, 555
12
F. Supp. 2d 1, 2 (D.D.C. 2008) (ordering ISP to notify anonymous subscribers ―within five
13
business days‖ of being served with subpoena issued under 47 U.S.C. § 551(c)(2)(B)).
14
Second, even if no law affirmatively requires that Doe be given notice in a case like this,
15
notice may still be the better, fairer practice. It has been this court’s standard practice to require
16
notice to parties whose information will be disclosed under a lawful subpoena, even where no law
17
positively requires that; other courts appear to take the same approach. See AF Holdings, LLC v.
18
Doe, 2012 WL 5464577, *4 (E.D. Cal. Nov. 7, 2012); Digital Sin, 279 F.R.D. at 244-45.
19
Having said all that, and weighing seriously Uber’s situation and its sensible reasoning, the
20
court holds that, in this case, GitHub need not notify Doe of the subpoena. This does not mean that
21
notice will be excused in every similar case. The decision here is motivated in significant part by
22
two related facts. First, Doe’s alleged act was an unauthorized intrusion into a secure area; this
23
cannot have been legitimate under any scenario — and is somewhat different from cases that
24
involve the downloading and sharing of material that, at least in principle, can in the first instance
25
be gotten legitimately. Second, Uber seems moved equally to redress crime as to seek recompense
26
27
28
3
The court says ―true‖ First Amendment cases because copyright-infringement defendants have
occasionally claimed that their activity is constitutionally protected speech. See Sony Music, 326
F. Supp. 2d at 562-65.
ORDER 15-908 LB
6
1
through civil remedies. The statutes that it sues under are both criminal. (See Compl. – ECF No. 1
2
at 3.)4 Furthermore, in its request to share the subpoenaed information with third parties (a request
3
that is discussed below), Uber suggests that it may turn over the discovered information to law
4
enforcement. (ECF No. 18 at 7.) Assuming that its allegations are accurate, then, Uber’s lawsuit
5
would benefit wider society as well as benefiting Uber. Finally, if Doe finds something improper
6
in his not being prospectively notified of the disclosure, he will have his opportunity to make those
7
arguments later in this case, and may challenge Uber’s right to use the information gained through
8
the subpoena.
B. Clarification & Information Sharing
9
―Uber also seeks clarification of the Court’s prior Order to confirm that Uber may share
11
United States District Court
Northern District of California
10
information with third parties who may assist Uber in its investigation or in this matter, such as
12
law enforcement, should Uber decide it appropriate to do so.‖ (ECF No. 18 at 7.) The court’s
13
previous order stated that, ―Uber may use the subpoenaed information only in connection with its
14
instant claims under the federal Computer Fraud and Abuse Act, and the California
15
Comprehensive Computer Data Access and Fraud Act.‖ (ECF No. 11 at 7.)
The court agrees that it is consistent with the purposes of these statutes — both of which
16
17
establish data breaches and theft as crimes — that Uber be allowed to turn over material
18
information to law enforcement. To avoid any uncertainty, moreover, and though it is perhaps
19
obvious, Uber may also share the subpoenaed information with third parties that are technically
20
necessary to Uber’s investigation. Like Uber itself, such adjutant third parties must otherwise keep
21
the information confidential.
22
III.
THE SEALING MOTIONS — ECF NOS. 17 AND 19
23
Finally, Uber moves to seal limited parts of the Comcast and GitHub subpoenas. (ECF Nos.
24
17, 19.) Uber would redact two IP addresses and one domain name from the Comcast subpoena
25
(see ECF No. 16-1 at 7) and one IP address from the new GitHub subpoena (see ECF No. 19-4 at
26
27
28
4
See 18 U.S.C. § 1030(c)(4) (establishing imprisonment for certain violations of Computer Fraud
and Abuse Act); Cal. Penal Code §§ 502(c)-(d) (establishing computer-data theft as ―public
offense‖ subject to fines and imprisonment).
ORDER 15-908 LB
7
1
1). In both cases, Uber argues that these items constitute ―sensitive information that, if publicly
2
disclosed, could undermine Uber’s investigation into the data theft at issue in this lawsuit.‖ (ECF
3
Nos. 17 at 2, 19 at 2.) Publicly disclosing the target IP addresses and domain name, Uber says,
4
could ―giv[e] John Doe I insight into the status of Uber’s investigation and thus‖ enable him ―to
5
take steps to further conceal his identity.‖ (Id.)
6
Because the material in question relates to a non-dispositive motion, Uber must show only that
7
there is ―good cause‖ to seal it. E.g., Pintos v. Pac. Creditors Ass'n, 565 F.3d 1106, 1116 (9th Cir.
8
2009) opinion amended and superseded on denial of reh'g, 605 F.3d 665 (9th Cir. 2010);
9
Kamakana v. City & County of Honolulu, 447 F.3d 1172, 1179-80 (9th Cir. 2006). Largely for the
reasons that Uber states (ECF Nos. 17 at 2-3, 19 at 2-3), the court holds that Uber has shown
11
United States District Court
Northern District of California
10
―good cause‖ for sealing the IP addresses and domain name. The court accepts Uber’s assertion
12
that revealing the information in question could prompt Doe to elude detection, and thus thwart
13
Uber’s case at the outset, before the court can assess the merits of Uber’s claims. Equally
14
important, sealing two IP addresses and one domain name will in no significant way diminish the
15
public’s ability to ―keep a watchful eye on the workings of‖ the court. See Kamakana, 447 F.3d at
16
1178-80. Furthermore, Uber has ―narrowly tailored‖ its redactions to remove from the public
17
record a minimum of information and only such information as is properly ―sealable.‖ See Civ.
18
L.R. 79-5(b); Dish Network, LLC, Sonicview USA, Inc., 2009 WL 2224596 (July 23, 2009)
19
(sealing records in satellite-television-piracy case partly because revealing investigators’ identities
20
would ―jeopardize the success of [the plaintiff’s] investigations‖).
CONCLUSION
21
22
The court grants both Uber’s sealing motions. The court grants Uber’s motion to serve its
23
proposed subpoena (see ECF No. 18-1 at 4-7 (redacted)) on GitHub. Neither Uber nor GitHub is
24
required to give Doe notice of the subpoena or that GitHub is producing personally identifying
25
information. The court grants Uber’s motion to serve its proposed subpoena (see ECF No. 16-1 at
26
4-7 (redacted)) on Comcast. Under 47 U.S.C. § 551(c)(2)(B), and consistent with the court’s usual
27
practice, the Comcast subpoena (but not the GitHub subpoena) is subject to the following
28
ORDER 15-908 LB
8
1
2
directions:
1. Uber may immediately serve the proposed subpoena on GitHub. The subpoena shall have a
3
copy of this order attached. To the extent that producing the information sought is burdensome,
4
the parties must meet and confer and comply with the discovery procedures in the court’s standing
5
order.
6
2. GitHub will have five business days from the date that the subpoena is served upon it to
7
serve John Doe I with a copy of the subpoena and a copy of this order. GitHub may serve John
8
Doe I using any reasonable means, including written notice sent to his or her last known address,
9
transmitted either by first-class mail or via overnight service.
10
3. John Doe I shall have 30 days from the date of service upon him or her to file any motions
United States District Court
Northern District of California
11
in this court contesting the subpoena (including a motion to quash or modify the subpoena). If that
12
30-day period lapses without John Doe I contesting the subpoena, GitHub shall have 10 days to
13
produce the information responsive to the subpoena to Uber.
14
15
16
4. GitHub shall preserve any subpoenaed information pending the resolution of any timely
motion to quash.
5. GitHub must confer with Uber and must not assess any charge in advance of providing the
17
information requested in the subpoena. If GitHub elects to charge for the costs of production, it
18
must provide a billing summary and cost reports that serve as a basis for such billing summary and
19
any costs claimed by GitHub.
20
6. Uber may use the subpoenaed information only in connection with its instant claims under
21
the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data
22
Access and Fraud Act — as that use has been clarified by this order.
23
24
25
This disposes of ECF Nos. 16, 17, 18, and 19.
IT IS SO ORDERED.
Dated: April 27, 2015
______________________________________
LAUREL BEELER
United States Magistrate Judge
26
27
28
ORDER 15-908 LB
9
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
