United States District Court, N.D. California, San Francisco Division
ORDER GRANTING EXPEDITED DISCOVERY [ECF No. 4]
LAUREL BEELER, Magistrate Judge.
Plaintiff Uber Technologies, Inc. asserts claims against Defendant John Doe I for violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq. and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502. (Compl. - ECF No. 1.) Uber seeks permission to take expedited discovery from the third party GitHub, Inc. to identify John Doe I. (ECF No. 4 at 1.) The court heard this matter on March 12, 2015. (ECF No. 10.)
As discussed below, Uber has demonstrated the following: (1) John Doe I is a real person who may be sued in federal court; (2) it has unsuccessfully attempted to identify John Doe I before filing this motion; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a reasonable likelihood that the proposed subpoena will lead to information identifying John Doe I. The court therefore finds that good cause exists to allow Uber to engage in this preliminary discovery. Accordingly, the court GRANTS Uber's ex parte motion for expedited discovery.
Uber is a technology company. (Compl. - ECF No. 1, ¶ 5; ECF No. 4 at 2.) It has developed a smartphone application that connects drivers and riders in cities all over the world. ( Id. ) Uber's smartphone application is available in over 200 cities and has been used by over 100, 000 drivers to receive requests for transportation services. ( Id. ) Uber maintains internal database files with confidential details on the drivers who use its application. (ECF No. 1, ¶ 6; ECF No. 4 at 2.) Those database files can be accessed only by certain Uber employees using a unique security key from Uber's protected computers. (ECF No. 1, ¶ 7; ECF No. 4 at 2.) On or around May 12, 2014, from an Internet protocol ("IP") address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used a unique security key without authorization to access and download Uber's proprietary database files. (ECF No. 1, ¶ ¶ 7, 10, 11; ECF No. 4 at 2.) Uber alleges that John Doe I's unauthorized access has harmed Uber and caused it to expend resources to investigate and to prevent such access from occurring. (ECF No. 1, ¶ 12.) As a result, Uber suffered over $5, 000 in damages. ( Id ; ECF No. 4 at 5.)
Under Local Civil Rule 7-10, Uber certifies that it attempted to identify John Doe I without success. (ECF No. 1, ¶ 12; ECF No. 4 at 4.) Specifically, Uber reviewed the IP addresses that accessed the database and isolated one unrecognized IP address, but could not identify John Doe I. (ECF No. 4 at 4; ECF No. 4-2 at 1) Uber was informed that the person who downloaded the files also visited two pages at the GitHub website that are specified in the subpoena, which requests:
For the GitHub posts
https://gist.githubusercontent.com/hhlin/9556255/raw/2a4fae0e6d443b2982609 6fe043409e2c305bb79/insurance_fun.py[gist.githubusercontent.com] and https://api.github.com/gists/9556255/[api.github.com], please produce all records, including but not limited to transactional or other logs, from March 14, 2014 to September 17, 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as wellas any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts.
This subpoena does not request the contents of any communications.
Please immediately preserve any potentially responsive records in your possession, custody, or control, including by suspending routine deletion proceduresthat might result in the deletion or overwriting of records that may be responsive to tis subpoena.
(ECF No. 4-1 at 7; see ECF No. 4 at 4; ECF No. 4-2 at 2, 3.)
GitHub is a San Francisco-headquartered subscription Internet service where users collaborate in developing open-source-code software. At the hearing, Uber's counsel explained that GitHub hosts portions of Uber's code on the two pages specified in the subpoena. On these GitHub pages, people from Uber can work on the code collaboratively. In response to the court's questions, Uber represented that there should not be many "hits" on these pages. The hits should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download. Uber explained that GitHub may well have user logs that can be accessed easily, that Uber would work with GitHub to address any concerns about the burden that responding to the subpoena would place on GitHub, and that it would be in a better position to evaluate any burden or notification concerns once it sees how GitHub captures the relevant data. To date, Uber has been unable to obtain the information it needs from GitHub through informal investigation. ( Id. ) Uber therefore asks for early discovery under Federal Rule of Civil Procedure 26(d) and leave to serve the Proposed GitHub Subpoena to obtain information that can reasonably be expected to lead to discovering John Doe 1's identity. (ECF No. 4.)
I. LEGAL STANDARD
A court may authorize early discovery before the Rule 26(f) conference for the parties' and witnesses' convenience and in the interests of justice. Fed.R.Civ.P. 26(d). Courts within the Ninth Circuit generally consider whether a plaintiff has shown "good cause" for early discovery. See, e.g., IO Group, Inc. v. Does 1-65, No. C 10-4377 SC, 2010 WL 4055667, at *2 (N.D. Cal. Oct. 15, 2010); Semitool, Inc. v. Tokyo Electron America, Inc., 208 F.R.D. 273, 275-77 (N.D. Cal. 2002); Texas Guaranteed Student Loan Corp. v. Dhindsa, No. C 10-0035, 2010 WL 2353520, at *2 (E.D. Cal. June 9, 2010); Yokohama Tire Corp. v. Dealers Tire Supply, Inc., 202 F.R.D. 612, 613-14 (D. Ariz. 2001) (collecting cases and standards).
When the identities of defendants are not known before a complaint is filed, a plaintiff "should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds." Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir. 1980). In evaluating whether a plaintiff establishes good cause to learn the identity of Doe defendants through early discovery, courts examine whether the plaintiff: (1) identifies the Doe defendant with sufficient specificity that the court can determine that the defendant is a real person who can be sued in federal court; (2) recounts the steps taken to locate and identify the defendant; (3) demonstrates that the action can withstand a motion ...