Tuesday, November 4, 2014

Company Seeks To Regain Stolen Domain Names Using CFAA

Written by Keenan W.  Ng

An interesting Computer Fraud and Abuse Act case was recently filed in Virginia.  In AcmeBilling Company v. John Doe, Plaintiff, Acme, who maintains numerous websites hosted by GoDaddy, alleges cyber criminals in China stole its domain names.  These cyber criminals stole the domain names by gaining unauthorized access to Acme’s domain management account and altering the domain registration records for accounts owned and used by Acme.  While Acme was able to recover some of its domain names by working with GoDaddy, GoDaddy unfortunately informed Acme the Chinese domain name registrar who had 14 of their domain names refused to return the websites.

Because Internet domain names are valuable, they are becoming increasingly susceptible to theft.  Generally, a cyber criminal will find a way into a domain management account and transfer the domain name from its existing domain name registrar, such as GoDaddy, to another domain name registrar. In Acme’s case, its domain names were transferred to eName Technology Co., Ltd, based in China.  Because the website is now hosted on another domain registrar, the victim’s registrar is often helpless to do anything if the transferee registrar refuses to comply.

The victims of this sort of crime are often individuals and small businesses and lack the time or resources to track down the perpetrators and fight to get their domain names back.  The problem is further complicated by the fact that domain names are not considered “property” by many states and thus no cause of action can often be claimed.  Thankfully, California, domain names are recognized as property.

The Acme case is interesting because it is one of the first times I can recall framing stolen domain names as CFAA violations.  In its complaint, Acme pleads CFAA violations under three theories, 18 USC §§1030(a)(2)(C), (a)(4), and (a)(5)(C).

On the surface, this seems like a pretty straightforward CFAA claim.  The protected computers in question here are the GoDaddy servers that hosted Acme’s websites.  Obviously, the bad actors took control of Acme’s domain names without Acme’s permission so the actions were done without authorization. 

Acme’s efforts to figure out what happened to their websites, including who took them and working with GoDaddy and Acme’s lawyers to get their websites back, easily constitute $5,000 in “loss.”  Alternatively, there is an easy argument that the theft of the websites are also a denial of service and any revenues lost or consequential damages suffered due to loss business because of a downed website can also be contributed to the $5,000 loss requirement.  Similarly, the denial of service would also help satisfy the “damage” requirement of section 1030(a)(5)(C).

However, if the defendants are in China, and it is likely the court will never have jurisdiction over them, so why file the lawsuit?  To get a judgment and set a precedent?

The Department of Justice recently faced this situation when it filed charges against Chinese military hackers who hacked into major American corporations.  That indictment seemed more politically symbolic than substantive; it is unlikely the Chinese government will turn over the indicted Chinese citizens.  The DOJ likely filed charges in order to gain leverage in another area of negotiation. 

Geopolitical reasons cannot possibly be the basis for the Acme lawsuit because there is nothing for Acme to gain.  Acme’s posturing gains it nothing because, as far as I can tell, the return of the websites is the goal.  I honestly do not know the endgame here.  Nevertheless, it will be interesting to watch and see if this case blazes a path for other businesses to follow. 

   

No comments:

Post a Comment