The case of the day is Asiacell Communications PJSC v. Doe (N.D. Cal. 2018). Asiacell alleged that unknown defendants had put up its purloined trade secrets and customer information for sale on a website, www.CheckupIQ.com. At first, Asiacell negotiated with the website operators via email, but the website operators’ email accounts began refusing to accept emails, indicating that the email accounts no longer worked. The www.CheckupIQ.com website itself also stopped working. Asiacell then brought an action for violations of the Computer Fraud and Abuse Act and other statutes.
Asiacell served subpoenas on Cloudflare, GoDaddy, and Domains By Proxy. These are three Internet infrastructure firms. GoDaddy provides servers; Cloudflare is a reverse proxy that “sits between” a website’s server and the public; and Domains By Proxy is (I assume, as the name is unfamiliar to me) a domain name registrar. The idea of the subpoenas was to get contact information for the John Does behind the fraudulent website that could be used for serving process. The service providers responded with names, partial physical addresses, none of which were “complete enough” to attempt service, and email addresses. Asiacell then moved for leave to serve process by email under FRCP 4(f)(3).
The court denied the motion. The judge reasoned that Asiacell hadn’t shown sufficiently that emails sent to the email addresses would reach the defendants. If the physical addresses were no good, he reasoned, how could one trust the email addresses? Indeed, two of the email addresses the third parties had provided were among those that Asiacell knew were no longer working.
The decision seems defensible even if not beyond dispute. One point worth noting, though, is the judge’s view that the email addresses could not be trusted because the physical addresses were no good. When someone creates an account with an online service provider, typically the account information is verified by sending a confirmation email to the email address the account holder provided. But typically there is no verification of the street address. So I think there is much better reason to believe that email addresses in the files of such companies are valid than there is to believe that physical address in those files are valid. In this case, such considerations were not enough, though, because some of the email addresses were no longer working and the website itself had been taken down.
A larger question: the defendants apparently might have been in Iraq, Hungary, Jordan, Turkey, or India. The offending website was gone. What are the realistic chances that Asiacell will get a meaningful remedy in a case such as this in a US court, even assuming it can effect service of process?