9th Circuits Affirms Judgment Against Corporate Hacker

October 15, 2004. The U.S. Court of Appeals (9thCir) issued its opinion [14 pages in PDF] in Creative Computing v. Getloaded.com, a Section 1030 case in which the Court of Appeals affirmed the District Court judgment against a corporate hacker. In addition, the Court of Appeals affirmed an injunction against visiting the plaintiff's web site.

Creative Computing, the plaintiff below and appellee before the Court of Appeals, developed a website titled "The Internet Truckstop". It matched trucks with loads. It enabled truckers to avoid delivering a load, and then returning with no revenue producing load.

Getloaded, in the Court's words "decided to compete, but not honestly". For example, the Court wrote that "Getloaded’s officers also hacked into the code Creative used to operate its website. Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded’s president and vice-president hacked into Creative Computing’s website through the back door that this patch would have locked. Once in, they examined the source code for the tremendously valuable radius-search feature."

In addition, Getloaded "hired away a Creative Computing employee who ... while still working for Creative, accessed confidential information regarding several thousand of Creative’s customers. He downloaded, and sent to his home email account, the confidential address to truckstop.com’s server so that he could access the server from home and retrieve customer lists."

Getloaded also accessed information on Creative Computing's web site by using customer passwords and user IDs. That is, some customers used the same IDs and passwords for both websites.

Creative Computing filed a complaint, which it subsequently amended, in U.S. District Court (DId) against Getloaded alleging copyright infringement, Lanham Act violations, misappropriation of trade secrets under the Idaho Trade Secrets Act, and violation of the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. § 1030. Creative Computing sought damages and injunctive relief.

The District Court issued a temporary restraining order (TRO), which Getloaded violated.

The District Court also found that Getloaded's "senior management -- and others under its supervision and with its knowledge -- lied under oath" and "destroyed evidence that showed it had copied source code in violation of the injunction".

The trial jury returned its verdict for Getloaded on the copyright and Lanham Act claims, but for Creative Computing on the trade secrets and Section 1030 claims. It awarded damages of $60,000 for each of three violations of the state trade secrets law, and $150,000 for each of three violations of Section 1030, for a total of $510,000. The District Court then awarded an additional $120,000 in exemplary damages because of Getloaded's willful and malicious conduct, pursuant to state statute, and $300,000 in fees and $42,787.35 in costs "as sanctions to compensate Creative Computing for the expense of figuring out and proving Getloaded's violations of the preliminary injunction and false statements in depositions."

Getloaded, having violated the District Court's injunction, and lied to the District Court under oath, had the audacity to appeal. Judge Andrew Kleinfeld wrote the unanimous opinion for the Court of Appeals, affirming the District Court judgment in full.

Getloaded argued on appeal that the injury to Creative Computing was not "caused" by its computer intrusions because Creative Computing had not installed a software patch made available by Microsoft that would have prevented the hacking technique used by Getloaded. The Appeals Court rejected this argument. It wrote that "A causal chain from the thief to the victim is not broken by a vulnerability that the victim negligently leaves open to the thief."

Getloaded argued on appeal that Section 1030 establishes a $5,000 floor for damages from each unauthorized access, and Creative Computing did not present evidence of this. The Appeals Court held, as a matter of statutory construction, that there is no $5,000 floor for each unauthorized access.

The Court of Appeals added a policy rationale. It wrote that "A court construing a statute attributes a rational purpose to Congress. Getloaded's construction would attribute obvious futility to Congress rather than rationality, because a hacker could evade the statute by setting up thousands of $4,999 (or millions of $4.99) intrusions." (Footnote omitted. Parentheses in original.)

The Court concluded that "The damage floor in the Computer Fraud and Abuse Act contains no ``single act´´ requirement."

Getloaded argued on appeal that damages were excessive, that sanctions should not have been imposed, and that it should not have to pay costs. The Court rejected all of these appeal arguments.

This left one appeal issue -- the injunction. It enjoined Getloaded from copying or storing Creative Computing's source code, using information related to or based on its source code, and using its trade secrets such as by selling its customer lists or contacting its customers. The Court of Appeals upheld this, in part because of Getloaded's false testimony, and violation of the District Court's injunction.

The Court also affirmed the portion of the injunction that enjoined Getloaded's personnel from accessing Creative Computing's web site. This is notable to the extent that the Appeals Court upheld an injunction in a civil case that bars one class of people from accessing certain content on the internet. This runs against the open nature of the internet, and the First Amendment. This sets a precedent that overzealous prosecutors and aggressive litigators, who lack an appreciation of the importance of the free flow of information, may invoke in future cases that do not involve the sort of egregious conduct demonstrated by Getloaded.

This portion of the opinion may turn out to be unfortunate. But then, the Court was faced with dishonest individuals, who lied under oath. These people deserved commitment to a suitable federal penitentiary. Yet, this was a civil case, so the most the Court could do was affirm the District Court judgment.

The Appeals Court did attempt to limit the scope of its holding. It tied its holding to Getloaded's past conduct, and wrote that "Getloaded is in a position analogous to one who has repeatedly shoplifted from a particular store, so the judge prohibits him from entering it again, saving the store's security guards from the burden of having to follow him around whenever he is there."

This case is Creative Computing, dba Internet Truckstop.com v. Getloaded.com, Inc., App. Ct. No. 02-35856, an appeal from the U.S. District Court for the District of Idaho, D.C. No. CV-00-00476-BLW, Judge Lynn Winmill presiding. Judge Andrew Kleinfeld wrote the opinion for the Court of Appeals, in which Judges Dorothy Nelson and Raymond Fisher joined.