Three John Doe plaintiffs who were paying customers of AshleyMadison.com have sued Amazon Web Services, GoDaddy, and unnamed John Roe web site owners/operators who created sites allowing people to search for individuals who might be in the database.
In a complaint filed in Arizona federal court, the plaintiffs – one from California, one from New Jersey, and one from Maryland – allege that AWS and GoDaddy hosted stolen data for the other John Roe defendants (the owners/operators of ashleymadisonpowersearch.com, adulterysearch.com, ashleymadisoninvestigations.com, and greyhatpro.com).
All of the John Roe sites allegedly attempted to monetize use of the stolen data.
The complaint alleges, for all defendants (ISP and web site owners/operators):
- violation of California Penal Code §496 (Receipt of stolen property)
- violation of California Business & Professions Code §17200 (Unfair competition)
- Negligent Infliction of Emotional Distress
- Violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030
And additionally, for John Roe web site owner/operators:
- Intentional Infliction of Emotional Distress
The plaintiffs are represented by Kronenberger Rosenfeld, LLP, a San Francisco law firm. The plaintiffs seek $3 million and a jury trial.
But here’s the thing: do the plaintiffs have standing? Yes, information about them may have been stolen and sites may have then used that stolen information, but do they have standing to sue the defendants for receipt of stolen property when it wasn’t their property that was stolen? Do they have standing to make any CFAA claims if it was not their database that was hacked or stolen or exposed? And doesn’t Section 230 of the Communications Decency Act immunize Amazon Web Services and GoDaddy for this type of situation?
And even though the plaintiffs might potentially have standing for the emotional distress claims, the complaint does not allege any particularized concrete harm or imminent harm. The complaint asserts that information on all three plaintiffs was in the data dump, but is silent on the nature of the information for each plaintiff. It then claims:
Like most users, Plaintiffs have suffered damages, including severe emotion distress, due to the ability of Plaintiffs’ spouses, children, family members, community connections, business associates, and the public at large to identify Plaintiffs as Users of of Ashley Madison. By this action, Plaintiffs seek compensatory damages in an amount to be proven at trial, but not less than three million dollars ($3,000,000).
So they’re not claiming that others have already identified them through these sites or that they have experienced any consequences at all of such identification. This seems to be about what might happen and the worry customers have about what might happen. Is this enough to survive a challenge to standing? I wouldn’t think so, but then, I am not a lawyer.
There’s a lot about this complaint that puzzles me, and I will be watching for updates.
Great thanks to Alexander J. Martin for providing this site with a copy of the complaint.