United States Magistrate Judge Christopher J. Burke of the District of Delaware recently held that “click fraud” violates the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). “Click fraud” refers to a phenomenon in which an online advertising service enhances its perceived value by inflating the number of users who “click” on the ads. In Juju, Inc. v. Native Media, LLC, No. 19-402-CFC, 2020 WL 3208800 (D. Del., June 15, 2020), the defendants emailed messages with job search results. The contract between the plaintiff and defendants provided that the plaintiff paid defendants a certain sum each time a user clicked a link.
This incentive structure was designed to encourage effective electronic marketing. The clicks gauged user interest. User interest is a precursor to use or “conversion.” Over time, the plaintiff observed that the defendants’ conversion rate was low. In theory, users were interested in the advertised openings. But they were not applying for jobs. This pattern of clicks with no conversions eventually aroused suspicion. Plaintiff analyzed the available data: IP addresses, repeated clicks, click location, and click timing to determine whether the clicks reflected genuine user interest, or phantom users fudging figures. Plaintiff ultimately concluded that the defendants were using automated scripts, or some other technical means, to cloak actual user figures behind a wall of phantom clicks. It was paying for users that were not there.
Plaintiff eventually sued defendants. The Complaint asserted contract and other claims. It also asserted a rare CFAA claim. To prevail on the CFAA claim, the plaintiff had to prove that defendants had (1) accessed a computer; (2) without, or exceeding, authorization; (3) intentionally; and (4) advanced fraud, obtained value, or both.
The defendants moved to dismiss. They argued that alleged click fraud could not constitute unauthorized access to a computer because, in their view, unauthorized access was limited to hacking. The court rejected this argument. It noted that under Third Circuit precedent, accessing plaintiff’s computers in violation of a contractual restriction constituted unauthorized CFAA access. The Third Circuit had held that if prohibited by the parties, otherwise permissible access became unauthorized. Access to plaintiff’s computers and information met the CFAA test. That was precisely what the plaintiff was alleging: that the defendants had violated a contractual provision. In doing so, they had directed a stream of unauthorized clicks at plaintiff’s computers.
This constituted access. Because of the parties’ agreement, it was unauthorized access. For this reason, the court recommended denying the Motion to Dismiss. The assertion of a CFAA claim in the context of a business contractual dispute signals the growing popularity of an old statute. Combined with the CFAA’s upcoming trip to the Supreme Court of the United States, we have not heard the last of this once obscure statute.