The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Computer Crime Law

Accessing Google Drive, Using Inadvertently Revealed Long URL, Can Violate Computer Fraud & Abuse Act

So holds a federal district court, in a dispute arising from the school policy wars.


From Greenburg v. Wray, decided yesterday by Judge Douglas Rayes (D. Ariz.) (key legal point highlighted):

Amanda Wray manages a 2,000-member Facebook group … "dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District." … Plaintiff[ Mark Greenburg]'s son serves on … the elected governing body that manages Scottsdale Unified No. 48 School District ….

In response to activities by Defendants [Wray and her husband] and the Facebook Group, Plaintiff began collecting information on them, including photographs, video footage, discussions with third parties concerning them, personal comments and thoughts, and political memes. Plaintiff stored these records on his personal "Google Drive" server. Plaintiff specifically shared server access with three individuals (including Plaintiff's son), who could access the server by signing into their own password-protected Google accounts. Although Plaintiff didn't realize it at the time, the sharing settings on his Google Drive also allowed anyone to access the server by typing in the exact URL.

In 2021, Plaintiff's son was accused of defamation. He responded to his accuser by emailing "13 photographs of public Facebook comments, made by his accuser, some of which were stored on the server." One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda's possession, where she noticed the URL and asked a third party to make a hyperlink for the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.

Plaintiff learned of the access and hired a forensic IT consultant team to conduct a damage assessment. He then sued Defendants under the Computer Fraud and Abuse Act …, alleging a loss of at least $5,000….

To "bring an action successfully under 18 U.S.C. § 1030(g) based on a violation of 18 U.S.C. § 1030(a)(2)," Plaintiff must allege that Defendants:

(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Citing hiQ Labs, Inc. v. LinkedIn Corp. (9th Cir. 2022), Defendants argue that Plaintiff did not allege that Amanda accessed the Google Drive without authorization. In hiQ, a data analytics company, hiQ, was scraping data on public LinkedIn profiles, data indexed by search engines. LinkedIn found out, sent hiQ a cease-and desist-letter, and imposed technical measures to prevent scraping data from public profile. But hiQ didn't stop and instead sought a declaratory judgment that LinkedIn "could not lawfully invoke the CFAA" against it for scraping the data found on public LinkedIn profiles. Id. Ultimately, the Ninth Circuit determined that hiQ's data scraping did not fall within the CFAA because "anyone with a web browser" could access the data.

On review, the Ninth Circuit reasoned that "the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort." Thus, for a website to fall under CFAA protections, it must have erected "limitations on access." And if "anyone with a browser" could access the website, it had no limitations on access.

This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters.

What's more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn't just "anyone with a browser" who could stumble upon the Google Drive on a web search—the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court's eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.

Plaintiff alleges that the disclosure of the URL—the limitation—did not grant Amanda authorization to access the Google Drive. He asserts that the disclosure was inadvertent. As the Ninth Circuit has recognized, inadvertent disclosure of the means around a limitation on access does not per se grant authorization. Plaintiff has sufficiently plead the elements of a violation of 18 U.S.C. § 1030(a)(2).

Defendants next argue that Plaintiff's allegations of $5,000 in damages are too conclusory to state a claim. Not so. Plaintiff alleges that Amanda accessed the Google Drive without authorization, causing changes to the files saved there, and that he had to hire a forensic IT team to determine the scope of the damage, all of which he alleges cost at least $5,000. Plaintiff is not obligated to provide itemized receipts at the pleading stage….