Free Speech

Computer Fraud & Abuse Act Lawsuit for … Posting Reviews That Allegedly Violate Terms of Service

Plastic surgeon David Shifrin is suing commenters who posted negative reviews based on an ex-patient's critical YouTube video. (There are also libel claims in the lawsuit.)


Paul Alan Levy of Public Citizen, whose work I trust and admire, posted this at the Consumer Law & Policy blog a week ago; I e-mailed plaintiff's counsel to see if they were willing to pass along their side of the story, but got no response:

Our latest case about the right to speak anonymously is in federal court in Chicago, flowing from a dispute between a prominent vlogger named Cristina Villegas and a plastic surgeon named David Shifrin who, Villegas complained, "botched my nose job." Villegas posted a 23-minute-long YouTube video which recounts the inadequacies that she perceived in the doctor's work ….

Villegas' Instagram account has nearly 500,000 followers, and her YouTube channel has more than 1,600,000 followers; as of today, her "botched nose job" video has had over four million views. Shifrin has taken no action to prevent her from telling her story directly; he has not, for example, sued Villegas claiming that she made any false statements of fact in her vlog….

Instead, he has apparently tried to salvage his reputation by going after what might have been a weak link: members of the public who, incensed by what they saw in the vlog, took to Google and Yelp to side with Villegas and denounce Dr. Shifrin. Because both Google and Yelp ask reviewers to recount their own personal experiences with businesses, those companies began to remove the reviews or, at least, to downgrade them to "not-recommended" status. But that was not enough to satisfy Shifrin, who filed suit in state court against 78 such reviewers, charging them with violation of the federal Computer Fraud and Abuse Act ("CFAA") and a variety of state-law torts, all of which amount to defamation.

The CFAA claim is predicated on the proposition that any violation of the terms of service in accessing a web site amounts to "exceeding authorized access" and hence is a violation of the CFAA, allowing not only a claim for damages but, indeed, a criminal prosecution. The defamation claim is based on the proposition that, [among other things -EV], contrary to what Villegas said on her vlog, Shifrin really cares about his patients, doesn't botch surgeries, and never "bribes" his patients to keep silent….

This lawsuit came to our attention because Shifrin filed a motion for early discovery and then served subpoenas on Yelp and Google. The Illinois state courts have squarely rejected the widely accepted Dendrite standard, which requires a plaintiff to present evidence before he is allowed to use court process to identify defendants claimed to have engaged in wrongful speech. In rejecting Dendrite, the Illinois Supreme Court said that state procedures provide equivalent protections, but I found that explanation dubious—without a recognition that First Amendment rights are at issue, would trial courts really be careful to insist that there be a tenable claim against each of the anonymous defendants?

What transpired in the Cook County Circuit Court in this case shows that, as a practical matter, a merely conclusory allegation in a complaint can be sufficient basis in Illinois for stripping anonymous online speakers of their First Amendment right to speak anonymously….

However, because Shifrin included a federal law claim, his state-court lawsuit was subject to removal to federal court for Northern Illinois, where the application of the Dendrite standard remains an open question. Consequently, we have removed the case on behalf of two Yelp reviewers, and we are preparing a motion to quash the subpoena to Yelp. A motion to quash the subpoena to Google might follow if we hear from a Google reviewer whom we are willing to represent (or, perhaps Google will follow Yelp's example by asserting its users' rights?).

In addition to the important question about discovery of anonymous online speakers, this case presents a significant question about the meaning of the CFAA. Ever since the controversial prosecution of Lori Drew for creating a fake MySpace profile with tragic results, many of us have focused on the nightmarish implication from the Government's theory in that case: that any violation of a web site's terms of service might make an Internet user susceptible to prosecution under the CFAA. Those hypotheticals are implicated by Van Buren v. United States, which was recently argued before the Supreme Court; Orin Kerr would say they are at the center of the case. This case presents an opportunity to secure a clear "no" answer to that question.


  1. If any of the reviewers portrayed themselves as his actual customers, then it would seem he has a case for defamation to me. As they are knowingly posting a falsehood (that they were his customer) to harm his reputation. Any lawyers know a reason why he wouldn’t have a defamation case against him?

    1. But how do you distinguish an imposter from a real customer who wants to publish his/her negative review anonymously without making that anonymity moot?

      In other words, the doctor is supposed to have solid evidence that defamation actually happened right up front. In your scenario, the doctor doesn’t know whether defamation happened until after conducting discovery to figure out the reviewer’s identity. If the doctor has unlimited authority to go fishing for identities on the pretext of determining if the review was real, then there is no possibility of anonymity and much of the social value of the review is mooted.

      Now, in the narrower circumstance where the doctor had external evidence that a particular review was fraudulent (such as a review claiming to have had work done on a day that the doc was on the golf course), discovery would be appropriate. But that’s because you have independent evidence that the review was defamatorily false before you confirm that the reviewer’s identity was also false.

  2. A CFAA claim for merely violating a site’s TOS has always seemed an exceedingly strained interpretation of the language of the CFAA.

    That a lawyer responding to this inquiry and apparently spending a significant amount of time to do so didn’t include the terms of the TOS the users were supposed to have violated seems a little shady.

    1. It is currently a Circuit split. I agree, their position is strained, which is charitable.

  3. Google and Yelp have it right. Reviews should be provided by people who have actually bought the product or service. Anything else is lying. Seems like the plastic surgeon at least could have a civil case.

    1. I would think a person with actual knowledge of a particular incident would be qualified to give a review. Especially if a person observed some bad behavior or knew another person who was served poorly.

      Suppose a third person observed an animal being abused?

      Suppose a relative or friend died or was seriously injured as a result of a medical misadventure?

      1. I think there could be some instances where that would be true, but not generally.

        But, this case doesn’t fit your own hypotheticals. People who watched a YouTube video of a mildly famous person, went and gave bad reviews based on her testimony, and only her testimony.

        1. I was mostly commenting on what I read as a categorical requirement that any reviewer be a customer.

      2. They would have to say that. “My Aunt went to Dr. Butterfingers and her nose came out looking like an elephant’s.”

    2. IANAL and don’t know beans about the terms of service angle, but if these really are fake reviews written in the first person as if they were actual customers, then the only reason for bringing the CFAA into the picture is to get the government to spend the money prosecuting them, and get the criminal prosecution machinery into action to identify them through Yelp and Google.

    3. It depends. If the reviewer explicitly said that they were basing their review on third-party evidence (like the YouTube video), then they did not lie.

      Google and Yelp would be entirely within their rights to downgrade such third-party reviews and might have a Terms of Service civil case against them. But I don’t see that making the doctor’s case against those reviewers valid.

  4. Not knowing much about the CFAA, how does Shifrin have standing under the Act to sue these third parties? He’s not alleging that they violated his terms of service or illegally accessed one of his protected devices. It seems like any CFAA violation did not cause him to suffer any kind of damages.

    1. So the civil cause of action says that

      “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [subclause] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 1030(g).

      And then (c)(4)(A)(i)(I) says: “loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value.”

      This is limited to economic damages. So I think under the statute if someone is causing you damage by violating the statute the suit is permissible. For instance, if someone made a fake Facebook profile of you and caused you economic damage by ruining your business’s reputation, that is arguably a “loss” to you because they violated the TOS of Facebook.

      I’m not sure I buy this, and I don’t really buy the expansive interpretations of the CFAA for many reasons, but I think the argument is plausible.

      1. “Any person who suffers damage or loss by reason of a violation of this section”

        HE did not suffer damage or loss by reason of a violation of this section — he suffered damage or loss as a result of Cristina Villegas’ claims being publicized. Absent that, he would not have suffered any loss for what they did.

        Conversely, if they’d stood outside his office and handed out fliers about Villegas’ claims, he’d have suffered a greater loss than he hypothetically did.

        And what proof is there that he suffered any loss at all from the 3rd party reviews when four *million* people have seen Villegas’ YouTube video, and heavens only knows how many more have been told about it. Wouldn’t he have to prove that lost business wasn’t because of this?

        1. Okay. I changed my mind at least as to this case. Looking at the definition of “damage” and “loss” even though it starts out with something general it probably isn’t plausible after all.

          “the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information”

          “the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

          1. The CFAA is an anti-hacking law. It is meant to protect computer owners from hacking. The main part is a criminal provision, but there are civil provisions for owners damaged by hacking.

            I find it hard to see how the Doctor here is within the zone that the statute protects.

            1. Right. I changed my mind on that. Still, I’m not sure that no one could ever bring a CFAA claim against someone for damage done to systems other than one they personally own.

              1. Let’s say I own a business, and I use services in the cloud, such as SaaS. The servers and system are owned by another company, that charges me fees.

                Someone hacks into their system and shuts it down for a week. My business is negatively affected. Do I have a claim?

                Don’t know, would make interesting research.

                1. Maybe. How much time effort and money do you have to spend to get everything back to normal? Over $5000? Might be possible.

                2. Someone hacks into their system and shuts it down for a week. My business is negatively affected. Do I have a claim?


                  Otherwise, my thought would be that your claim would be against SaaS for loss of service, with them having to sue the hacker. IANAL.

                  1. Subrogation is when an insurer steps into the shoes of the plaintiff to assert the claim. So if the business had some insurance against hacking the insurance company would face the same standing issues.

                    You might be thinking of impleading. Let’s say the business sues the SaaS for loss of service. The SaaS in turn brings the hacker in as a third party defendant because they caused the loss.

                3. Do you have a claim generally? Yes.
                  Do you have a claim against the hacker under CFAA? I’d say no.

                  You do, however, have a claim against your SaaS provider and they have direct claims against the hacker.
                  You could probably (with the vendor’s cooperation) go for a subrogation of the vendor’s claims against the hacker – but that would be a very different scenario than what is described in the case above.

      2. Hey, this is a new angle for the CFAA being a terrible law, in addition to it possibly being interpreted as criminalizing TOS violations.

        You’d think that the party that could sue a hacker for breaking into a computer would be the person/company that owns that computer. But no, if someone hacks into YouTube’s computers and takes the service down, anyone who didn’t get to enjoy their cat videos that day can independently sue the hacker. (Well, maybe not if we’re limited to economic damages, but the general principle still seems crazy.)

    2. Exactly, and wouldn’t any defamation claim have to be made against Cristina Villegas as all everyone else is doing is repeating her statements.

      Now is he then going to claim defamation against those whom he sued when they go tell people that he sued them?

  5. Thanks. I understand the argument based on the statutory language you posted. But is Shifrin’s damage caused “by reason of a violation of” the statute or by the alleged falsity of the comments? In other words, imagine the exact same comments being posted on a blog or in a newspaper. Wouldn’t his damages, if any, be the exact same? The damages would be suffered “by reason of” the falsity of the statements made and not “by reason of” an alleged violation of Google or Yelp’s TOS.

    I realize I’m now mixing standing and the elements of the claim to some extent, but I think the statute is doing some of that work for me in this instance.

  6. What computers did these defendants supposedly access improperly (i.e., in violation of the TOS)? The good Dr.’s, or Google and Yelp’s? It sounds like the latter. (My quick review of the Complaint confirms that.)

    In which case, he lacks standing to bring a CFAA claim. If Google and Yelp want to complain about his invading their websites, they can do so.

  7. In Van Buren v United States, the government argued that CFAA applies only when defendant obtains information in an unauthorized fashion. Other kinds of unauthorized uses are not CFAA violations.

    The following from SCOTUS blog:
    “In his argument for Van Buren, Fisher maintained that “so” refers back to the earlier clause of the statute’s definition, “access a computer with authorization,” so that a defendant does not have authority “so” to obtain or alter the information if he does not have authority to obtain or alter it for any purpose. In other words, under Fisher’s reading, a defendant violates the statute if he logs on to a computer with authorization, but then obtains information that he was not “so” – with that method of access – entitled to obtain.”

  8. Patients who find doctors on the internet are less than desirable. Bad doctor reviews are protective from these.

    1. Not everyone finds them on the internet. Someone can be recommended to you, and you still use the internet to check what others think about that doctor.

  9. Other question is what incremental damage did these anonymous posters cause beyond that caused by Villegas, whose posts were seen by millions, and whom he is not suing?

    If a big celebrity tells the world you are a quack, and millions listen, hard to see how some anonymous poster saying the same thing puts you in a worse position.

  10. When I watched her video, I saw nothing wrong with her nose, even after her lecture. I may have been distracted. 

  11. Separate from the First Amendment issue, what is his legal claim? On what basis does he claim a right of action against people who are allegedly violating somebody else’s terms of service?

    1. OK, I get it. Any person who suffers damage or loss because of a violation can sue the violator, with no limitation, e.g. requirement that the person suffering damage or loss own the computers accessed. So that leaves the construction of the CFAA.

  12. Assuming the defendant really was a customer of the doctor, I wonder if an anti-SLAPP law could be used to dismiss the case.
