Written by Keenan W. Ng
An interesting Computer Fraud and Abuse Act case was recently filed in Virginia. In AcmeBilling Company v. John Doe, the plaintiff, Acme, which maintains numerous websites hosted by GoDaddy, alleges that cyber criminals in China stole its domain names. These cyber criminals stole the domain names by gaining unauthorized access to Acme’s domain management account and altering the domain registration records for accounts owned and used by Acme. While Acme was able to recover some of its domain names by working with GoDaddy, GoDaddy unfortunately informed Acme that the Chinese domain name registrar that had 14 of its domain names refused to return the websites.
Because Internet domain names are valuable, they are becoming increasingly susceptible to theft. Generally, a cyber criminal will find a way into a domain management account and transfer the domain name from its existing domain name registrar, such as GoDaddy, to another domain name registrar. In Acme’s case, its domain names were transferred to eName Technology Co., Ltd, based in China. Because the website is now hosted on another domain registrar, the victim’s registrar is often helpless to do anything if the transferee registrar refuses to comply.
The victims of this sort of crime are often individuals and small businesses that lack the time or resources to track down the perpetrators and fight to get their domain names back. The problem is further complicated by the fact that domain names are not considered “property” by many states, and thus often no cause of action can be claimed. Thankfully, in California, domain names are recognized as property.
The Acme case is interesting because it is one of the first times I can recall stolen domain names being framed as CFAA violations. In its complaint, Acme pleads CFAA violations under three theories, 18 USC §§ 1030(a)(2)(C), (a)(4), and (a)(5)(C).
On the surface, this seems like a pretty straightforward CFAA claim. The protected computers in question here are the GoDaddy servers that hosted Acme’s websites. Obviously, the bad actors took control of Acme’s domain names without Acme’s permission, so the actions were done without authorization.
Acme’s efforts to figure out what happened to its websites, including determining who took them and working with GoDaddy and Acme’s lawyers to get the websites back, easily constitute $5,000 in “loss.” Alternatively, there is an easy argument that the theft of the websites is also a denial of service, and any revenues lost or consequential damages suffered due to lost business because of a downed website can also count toward the $5,000 loss requirement. Similarly, the denial of service would also help satisfy the “damage” requirement of section 1030(a)(5)(C).
However, if the defendants are in China, and it is likely the court will never have jurisdiction over them, why file the lawsuit? To get a judgment and set a precedent?
The Department of Justice recently faced this situation when it filed charges against Chinese military hackers who hacked into major American corporations. That indictment seemed more politically symbolic than substantive; it is unlikely the Chinese government will turn over the indicted Chinese citizens. The DOJ likely filed charges in order to gain leverage in another area of negotiation.
Geopolitical reasons cannot possibly be the basis for the Acme lawsuit because there is nothing for Acme to gain. Acme’s posturing gains it nothing because, as far as I can tell, the return of the websites is the goal. I honestly do not know the endgame here. Nevertheless, it will be interesting to watch and see if this case blazes a path for other businesses to follow.