Fighting Cyber-Attackers with the Law: Uber Files John Doe Law Suit to Identify Hackers

Mar 3, 2015 | Blog

Call it cyber-self-defense or digital jiu-jitsu, but more and more organizations are taking matters into their own hands to combat cyber-attackers. Some utilize “white hat” hackers to “hack back” the network that attacked in order to identify attackers by following digital trails around the world. Uber Technologies, Inc. has taken the next step, adding lawyers to its self-defense arsenal. Uber Technologies, Inc. has filed a “John Doe” law suit in the Northern District of California.

Why, one may ask, would Uber bring a law suit where there is no identified defendant, no one to serve with legal process and no one against whom a judgment can be taken? The operative phrase in all of these questions is “not yet.” John Doe law suits have been common in mass tort, civil rights and other forms of litigation for years, where the identities of certain, or all, defendants are not yet known. The law suit begins the process of civil discovery, including the authority to issue subpoenas, which can ferret out the identity of the defendants. The Complaint, the document that commences the law suit, must set forth legal theories, and Uber’s Complaint avers violations of the Computer Fraud and Abuse Act in the unauthorized access to the names and drivers’ license numbers of approximately 50,000 drivers, and violations of California’s Comprehensive Computer Data Access and Fraud Act.

Uber has issued its first subpoena in this suit, seeking IP addresses and other non-text data from GitHub in an attempt to ferret out, through discovery of one or more posts, the user who provided the key that allowed the intrusion into the database.

The suit and subpoena raise a host of exquisitely complex legal issues that are sugarplums in the dreams of litigators. If the hackers are identified, are they individuals or acting on behalf of an organization with attachable assets? If they are from outside the U.S., can a judgment against them be enforced in their home countries? Can U.S. law enforcement agencies pursue them through the Mutual Legal Assistance Treaty? These John Doe law suits will be utilized with increasing frequency as the pace of breaches accelerates and forceful responses become a business imperative in the age of e-commerce.

If you have questions regarding law suits in self-defense against hackers, please contact Kenneth N. Rashbaum.