Biesenbach v. DOES 1-3

• Court: District Court, N.D. California
• Decided: January 24, 2022
• Docket: 4:21-cv-08091
• Status: Unknown

Opinion

1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 KLAUS BIESENBACH, Case No. 21-cv-08091-DMR

8 Plaintiff, ORDER GRANTING IFP 9 v. APPLICATION AND SCREENING COMPLAINT PURSUANT TO 28 U.S.C. 10 JOHN DOES 1-3, § 1915(E) 11 Defendant. Re: Dkt. Nos. 1, 2, 5

12 Plaintiff Klaus Biesenbach filed a complaint (“Compl.”) and an application for leave to 13 proceed in forma pauperis (“IFP”). [Docket Nos. 1, 2.] He also filed an ex parte application for 14 expedited discovery. [Docket No. 5.] Having considered Biesenbach’s papers, the court grants 15 the IFP application but finds that the complaint fails to state a claim on which relief may be 16 granted pursuant to 28 U.S.C. § 1915(e). In light of this ruling, the court further denies 17 Biesenbach’s application for expedited discovery without prejudice. Plaintiff may file a first 18 amended complaint that addresses the deficiencies identified in this screening order within twenty- 19 one days—i.e., by February 14, 2022.1 20 I. BACKGROUND 21 Biesenbach, a resident of San Francisco, claims that he was the victim of multiple cyber 22 hacking incidents by three anonymous Doe Defendants (“Defendants”). He avers that “each 23 1 Biesenbach has also filed multiple documents without support or explanation that appear to be 24 ISP, Google Workspace, and computer system logs—many of which the clerk has stricken as improperly filed. [Dockets Nos. 11, 12, 17, 18.] The court will not entertain further filings of 25 stand-alone exhibits without providing any justification or explanation to the court of their relevance. All future such filings must be attached to Biesenbach’s first amended complaint 26 and/or to a sworn affidavit that authenticates them—that is, lays foundational evidence establishing Biesenbach’s personal knowledge of these logs, what they are, how he came to 27 retrieve them. See Fed. R. Evid. 901(a) (“To satisfy the requirement of authenticating or 1 Defendant has been seen with a person who Plaintiff has had an incident with before and has his 2 phone number.” Compl. ¶ 5. Biesenbach determined that Defendants are located in this judicial 3 district through geolocation of their Internet Protocol (IP) addresses, Media Access Control 4 (MAC) addresses, and Android device identification number, as well as “having been approached” 5 by them. Id. Biesenbach says that because of their “persistent observed activity,” they are not 6 “transitory or occasional” residents of this district. Id. 7 On April 18, 2021 Biesenbach subscribed to G-Suite Business Plus, a collection of cloud 8 computing products developed by Google, and registered a domain name 9 “Targetedindividualsresource.org.” Id. ¶ 7. G-Suite allows for Mobile Device Management, a 10 security software that allows IT departments to implement policies that secure, monitor, and 11 manage end-user mobile devices. Id. Biesenbach says that this software helps secure networks 12 while allowing users to use their own devices; through it, administrators can monitor if third-party 13 mobile devices have accessed the software user’s data. Id. 14 Biesenbach alleges that on April 21, 2021, Defendants monitored his cellphone 15 communications and multiple encrypted WiFi networks without authorization. Compl. ¶ 8. 16 Defendants then used multiple log-in credentials to access Biesenbach’s G-Suite account using a 17 particular Android device; Biesenbach recorded the unique identification number for the device. 18 Id. Between April 21 and September 1, 2021, Defendants accessed Biesenbach’s account and 19 bypassed Google’s security authentication process. Id. ¶ 10. He claims that they used a program 20 to alter their Android device’s unique identifiers. Id. 21 Around May 23, 2021, Biesenbach generated an “IT admin report”2 showing “two devices 22 using one email address”—presumably those that he alleges accessed his account without 23 authorization. Id. ¶ 11. Biesenbach immediately notified “California Elections” of a breach to his 24 voter file and Google’s G-Suite Support team. Id. The Google team “did not provide [him] 25 assistance with identifying the Google Android user” and instead directed him to their legal 26 department; Biesenbach does not say if he received any response regarding his voter file 27 1 complaint. Id. 2 Biesenbach claims other incidents of unauthorized access to his G-suite account. Around 3 July 20, 2021, Biesenbach tried to register for Google’s Voice-over-Internet-Protocol (“VOIP”) 4 telephone service, but Defendants allegedly prevented his access by “changing the passwords and 5 denying [him] the ability to audit and view stored information sent by phone, texts, [and] emails.” 6 Compl. ¶ 12. Around August 7, 2021, Biesenbach received a call from a phone number that his 7 audit logs later were “changed to anonymous,” which he asserts was an “alteration of a record 8 stored . . . offsite.” Id. ¶ 13. On August 8, 2021, Biesenbach claims that Defendants told him they 9 were members of the Carrillo Cartel from Guadalajara, Mexico—although he does not explain 10 how they communicated with him. Id. ¶ 14. Defendants “threatened [him] and demanded [him] 11 to turn over his computer.” Id. Biesenbach said he recognized that one of the individuals who 12 contacted him was someone he met three years ago named “Manny.” Id. On August 9, 2021, 13 Defendants allegedly accessed Biesenbach’s WiFi and changed his password, which prevented 14 him from accessing his router on multiple occasions. Id. ¶ 15. 15 Biesenbach alleges five claims under various federal statutes prohibiting cyberstalking, 16 wiretapping, and computer fraud. He seeks $2.8 million in damages and a “judgement that the 17 claims . . . were done with the intent to cause irreparable harm.” Compl. ¶ 21. 18 II. LEGAL STANDARD 19 A court may allow a plaintiff to prosecute an action in federal court without prepayment of 20 fees or security if the plaintiff submits an affidavit showing that he or she is unable to pay such 21 fees or provide such security. See 28 U.S.C. § 1915(a). A court is under a continuing duty, 22 however, to dismiss a case filed without the payment of the filing fee whenever it determines that 23 the action “(i) is frivolous or malicious; (ii) fails to state a claim on which relief may be granted; 24 or (iii) seeks monetary relief against a defendant who is immune from such relief.” 28 U.S.C. 25 § 1915(e)(2)(B)(i)-(iii). If the court dismisses a case pursuant to 28 U.S.C. § 1915(e)(2)(B), the 26 plaintiff may still file the same complaint by paying the filing fee. This is because the court’s 27 section 1915(e)(2)(B) dismissal is not on the merits, but rather an exercise of the court’s discretion 1 To make the determination under 28 U.S.C. § 1915(e)(2)(B), courts assess whether there is 2 an arguable factual and legal basis for the asserted wrong, “however inartfully pleaded.” Franklin 3 v. Murphy, 745 F.2d 1221, 1227-28 (9th Cir. 1984). Courts have the authority to dismiss 4 complaints founded on “wholly fanciful” factual allegations for lack of subject matter jurisdiction. 5 Id. at 1228. A court can also dismiss a complaint where it is based solely on conclusory 6 statements, naked assertions without any factual basis, or allegations that are not plausible on their 7 face. Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); see also Erickson v. Pardus, 551 U.S. 89, 8 93-94 (2007) (per curiam). Dismissal is proper where “no cognizable legal theory or an absence of 9 sufficient facts alleged to support a cognizable legal theory.” Shroyer v. New Cingular Wireless 10 Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010). A claim has facial plausibility when a plaintiff 11 “pleads factual content that allows the court to draw the reasonable inference that the defendant is 12 liable for the misconduct alleged.” Iqbal, 556 U.S. at 677-78. 13 Although pro se pleadings are liberally construed and held to a less stringent standard than 14 those drafted by lawyers, see Erickson, 551 U.S. at 94, a complaint, or portion thereof, should be 15 dismissed for failure to state a claim if it fails to set forth “enough facts to state a claim to relief 16 that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 554 (2007); see also Fed. 17 R. Civ. P. 12(b)(6). “[A] district court should not dismiss a pro se complaint without leave to 18 amend unless it is absolutely clear that the deficiencies of the complaint could not be cured by 19 amendment.” Akhtar v. Mesa, 698 F.3d 1202, 1212 (9th Cir. 2012). 20 III. 28 U.S.C. § 1915(E) SCREENING 21 Having evaluated Biesenbach’s financial affidavit, the court finds that he has satisfied the 22 economic eligibility requirement of 28 U.S.C. § 1915(a) and grants the application to proceed IFP. 23 The court’s grant of Biesenbach’s application to proceed IFP, however, does not mean that he may 24 continue to prosecute the complaint. 25 Biesenbach’s complaint is unclear and hard to follow. It contains citations to various laws. 26 See Compl. ¶¶ 16-21. Liberally construed, the complaint appears to allege violations of laws 27 prohibiting interstate stalking and domestic violence, 18 U.S.C. § 2261A; the Wiretap Act, 18 1 Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5). None of Biesenbach’s allegations, 2 however, state a cognizable legal claim. 3 A. Cyberstalking 4 First, Biesenbach alleges a violation of 22 U.S.C. § 2266(2). See Compl. ¶ 16. That 5 provision simply sets forth the definition of “Course of conduct” as used in the relevant code 6 chapter as “a pattern of conduct composed of 2 or more acts, evidencing a continuity of purpose.” 7 As the definitions section alone does not create a legal violation, the court liberally construes 8 Biesenbach’s claim as arising under the relevant statute, 22 U.S.C. § 2261A. That law creates a 9 federal criminal offense for cyberstalking, including “harassing and intimidating conduct.” See 10 United States v. Osinger, 753 F.3d 939, 944 (9th Cir. 2014). “Case law is . . . unanimous that no 11 private right of action is available under § 2261A.” Cain v. Christine Valmy Int’l Sch., 216 F. 12 Supp. 3d 328, 335 (S.D.N.Y. 2016) (citing cases); accord Kruska v. Perverted Justice Foundation, 13 Inc., No. 08-cv-0054, 2009 WL 321146, at *4 (D. Ariz. Feb. 6, 2009) (“The act creates no private 14 right of recovery.”). Rather, the law is a “bare criminal statute[.]” Cain, 216 F. Supp. 3d at 335. 15 Because 22 U.S.C. § 2261A does not create a civil offense, this allegation does not state a claim 16 for relief. 17 B. Wiretap Act 18 Second, Biesenbach alleges claims under the Wiretap Act, 18 U.S.C. §§ 2511(1)(d), 19 2520(a). Compl. ¶ 17, 20.3 “The Wiretap Act prohibits the unauthorized ‘interception’ of an 20 ‘electronic communication.’” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606 21 (9th Cir. 2020), cert. denied sub nom. Facebook, Inc. v. Davis, 141 S. Ct. 1684 (2021) (quoting 18 22 U.S.C. § 2511(1)(a)-(e)). 18 U.S.C. § 2511(1)(d) imposes liability against anyone who 23 “intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic 24 communication, knowing or having reason to know that the information was obtained through the 25 interception of a wire, oral, or electronic communication.” Although § 2511 is a criminal 26 provision, “[t]he civil damages provision of the federal [W]iretap [A]ct . . . provides a private right 27 1 of action to ‘any person whose wire . . . communication is intercepted, disclosed, or intentionally 2 used in violation of this chapter.’” Noel v. Hall, 568 F.3d 743, 747 (9th Cir. 2009) (quoting 18 3 U.S.C. § 2520) (second alteration in original)); Dish Network L.L.C. v. Gonzalez, No. 1:13-CV- 4 00107-LJO, 2013 WL 2991040, at *3 (E.D. Cal. June 14, 2013) (“Although Section 2511 is a 5 criminal provision which does not itself provide a private right of action, 18 U.S.C. § 2520(a) does 6 provide a private cause of action” (quotations omitted)). “[A] plaintiff may bring a civil action 7 under § 2520 whether or not the defendant had been subject to criminal prosecution and 8 conviction.” DIRECTV, Inc. v. EQ Stuff, Inc., 207 F. Supp. 2d 1077, 1084 (C.D. Cal. 2002) 9 (quotation omitted). The court therefore construes Biesenbach’s complaint as alleging civil 10 liability against Defendants for a violation of 18 U.S.C. § 2511(1)(d). 11 “The Wiretap Act defines ‘intercept’ to mean ‘the aural or other acquisition of 12 the contents of any wire, electronic, or oral communication through the use of any electronic, 13 mechanical, or other device.’” Satchell v. Sonic Notify, Inc., 234 F. Supp. 3d 996, 1005 (N.D. Cal. 14 2017) (quoting 18 U.S.C. § 2510(4)). “The term ‘acquisition’ is not defined in the statute, but the 15 Ninth Circuit, looking at the term’s ‘ordinary meaning’ has defined it as the ‘act of acquiring, or 16 coming into possession of.’” In re Carrier IQ, Inc., 78 F. Supp. 3d 1051 (N.D. Cal. 2015) 17 (quoting United States v. Smith, 155 F.3d 1051, 1055 n.7 (9th Cir. 1998)). “It has further held that 18 ‘such acquisition occurs when the contents of a wire communication are captured or redirected in 19 any way.’” Id. (quoting Noel, 568 F.3d at 749). 20 Also, the Wiretap Act defines “contents” as “any information concerning the substance, 21 purport, or meaning of that communication.” 18 U.S.C. § 2510(8). The Ninth Circuit has held 22 that “the term ‘contents’ refers to the intended message conveyed by the communication, and does 23 not include record information regarding the characteristics of the message that is generated in the 24 course of the communication.” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). 25 While communications such as text messages and URLs containing search terms constitute 26 protected “contents,” user names, contact information, geographic information, PIN numbers, and 27 passwords do not. Carrier, 78 F. Supp. 3d at 1082-83 (surveying cases). 1 phone, WiFi, and router, he has not plausibly pleaded any of the elements necessary for a Wiretap 2 Act claim. First, Biesenbach only alleges that Defendants accessed his accounts or devices. See, 3 e.g., Compl. ¶¶ 8, 10, 15. He fails to allege that Defendants acquired, i.e., captured or redirected, 4 the contents of any communications in those accounts or devices. Nor did he plead that 5 Defendants actually used those communications for any purpose. See Satchell, 234 F. Supp. 3d at 6 1008-09 (dismissing allegations under 18 U.S.C. § 2511(1)(d) against smartphone application 7 developers where no facts alleged “to show that the contents of [plaintiff’s] communications . . . 8 were used to send her targeted advertising.”). 9 Relatedly, Biesenbach fails to allege that Defendants intercepted particular “contents” of 10 his communications that are protected under the Wiretap Act. His complaint only refers to 11 incidents in which Defendants accessed his accounts “chang[ed] the passwords” to his G-Suite and 12 Wifi without authorization. See Compl. ¶¶ 12, 15; Carrier, 78 F. Supp. 3d at 1084 (while 13 passwords are “may be a prerequisite to engaging in communications . . . the credentials 14 themselves do not reveal the substance, purport, or meaning of any communication”). Biesenbach 15 does not describe if Defendants in fact seized any of his actual communications, such as emails or 16 text messages. Accordingly, Biesenbach failed to state a claim under 18 U.S.C. § 2511(1)(d). 17 C. Stored Communications Act 18 Third, Biesenbach alleges violations of the Stored Communications Act (“SCA”), 18 19 U.S.C § 2701(a)(1). The SCA “covers access to electronic information stored in third party 20 computers.” Zynga, 750 F.3d at 1104. “The [SCA] provides a private right of action against 21 anyone who: ‘(1) intentionally accesses without authorization a facility through which an 22 electronic communication service is provided; or (2) initially exceeds an authorization to access 23 that facility . . . while it is in electronic storage in such system.’” Lopez v. Apple, Inc., 519 F. 24 Supp. 3d 672, 685 (N.D. Cal. 2021) (quoting 18 U.S.C. § 2701(a)). A plaintiff must plead that the 25 defendant “(1) gained unauthorized access to a ‘facility’ where it (2) accessed an electronic 26 communication in ‘electronic storage.’” Facebook, 956 F.3d at 608. 27 The SCA defines “electronic communication” as “any transfer of signs, signals, writing, 1 electromagnetic, photoelectronic or photooptical system that affects interstate or foreign 2 commerce.” 18 U.S.C. § 2510(12); see id. § 2711(1). The SCA further defines “electronic 3 storage” as “any temporary, intermediate storage of a wire or electronic communication incidental 4 to the electronic transmission thereof” and “any storage of such communication by an electronic 5 communication service for purposes of backup protection of such communication.” Id. 6 § 2510(17)). 7 “The SCA does not provide a statutory definition of facility.” Calhoun v. Google, LLC, 8 546 F. Supp. 3d 605, 626 (N.D. Cal. 2021); see Facebook, 956 F.3d at 609 n.10 (declining to 9 address whether personal computers, web browsers, and browser managed files are “facilities”). 10 However, multiple circuit and district courts, including in this district, have ruled that “a user’s 11 personal device is not a facility under the SCA.” Calhoun, 546 F. Supp. 3d at 628; see, e.g., id. 12 (Google’s Chrome web browser not a covered facility); Lopez, 519 F. Supp. 3d at 686 (Apple’s 13 Siri software not covered); In re Google Assistant Privacy Litig., 457 F. Supp. 3d 797, 822 (N.D. 14 Cal. 2020) (Google Assistant Enabled devices not covered); In re iPhone Application Litig., 844 15 F. Supp. 2d 1040, 1058 (N.D. Cal. 2012) (Apple iPhone not covered). “Ultimately, the SCA is 16 meant to protect information held by centralized communication providers[; it] is not meant to 17 provide a catch-all to protect the privacy of stored internet communications.” Lopez, 519 F. Supp. 18 3d at 686 (internal citations omitted); see also Facebook, 956 F.3d at 609 (“[T]he SCA has 19 typically only been found to apply in cases involving a centralized data-management entity; for 20 instance, to protect servers that stored emails for significant periods of time between their being 21 sent and their recipients’ reading them.”). 22 Biesenbach claims that “Defendants used log-in credentials with the intent to bypass G 23 Suites[’] security software gaining access to plaintiff’s organizational data hosted on a server.” 24 Compl. ¶ 18. He claims he has a right to damages because he is a “licensee of Google’s VOIP 25 telephone service.” Id.4 Biesenbach’s SCA allegation fails for three reasons. First, Biesenbach 26 does not explain what he refers to as his “organizational data.” Without more detail, the court 27 1 cannot conclude that this data plausibly constitutes protected “electronic communications” within 2 the Act. Second, Biesenbach refers to his VOIP service in this claim and to his G-Suite Account, 3 cell phone, WiFi, and router elsewhere in the complaint. He has not plausibly alleged, however, 4 that these accounts or devices constitute protected “facilities.” At least three of the devices—his 5 cell phone, WiFi, and router—are or are likely to be the types of personal devices that other courts 6 have held fall outside the purview of the SCA. While information on his G-Suite Account that is 7 allegedly “hosted on a server,” Compl. ¶ 18, may fall within electronic storage in third-party 8 facilities, Biesenbach has not fully described the nature of the communications, the server in 9 question, and why it falls within the purview of “electronic storage,” see Facebook, 956 F.3d at 10 609; Theofel v. Farey-Jones, 359 F.3d 1066, 1077 (9th Cir. 2004) (holding that e-mail messages 11 held on an ISP’s server were in electronic storage). Absent further factual allegations, Biesenbach 12 does not plausibly state a SCA claim. 13 D. Computer Fraud and Abuse Act 14 Finally, Biesenbach alleges claims under the Computer Fraud and Abuse Act (“CFAA”), 15 18 U.S.C. § 1030(a)(5)(A), (C). Compl. ¶¶ 18-19.5 18 U.S.C. § 1030(a)(5)(A) establishes 16 criminal liability for anyone who “knowingly causes the transmission of a program, information, 17 code, or command, and as a result of such conduct, intentionally causes damage without 18 authorization, to a protected computer.” Section 1030(a)(5)(C) also establishes criminal liability 19 for anyone who “intentionally accesses a protected computer without authorization, and as a result 20 of such conduct, causes damage and loss.” 21 “The CFAA prohibits a number of different computer crimes, the majority of which 22 involve accessing computers without authorization or in excess of authorization, and then taking 23 specified forbidden actions, ranging from obtaining information to damaging a computer or 24 computer data.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009). A 25 protected computer is defined as “‘an electronic. . . or other high speed data processing device 26

27 5 Again, Biesenbach mis-cites to “18 U.S.C. § 1030(a)(2)(C)” but quotes § 1030(a)(5)(A) in his 1 performing logical, arithmetic, or storage functions’ that ‘is used in or affecting interstate or 2 foreign commerce or communication.’” In re Apple Inc. Device Performance Litig., 347 F. Supp. 3 3d 434, 451 (N.D. Cal. 2018) (quoting 18 U.S.C. § 1030(e)(1)-(2)) (holding cellular phones are 4 protected). “This definition captures any device that makes use of a[n] electronic data processor, 5 examples of which are legion.” United States v. Kramer, 631 F.3d 900, 902 (8th Cir. 2011) 6 Plaintiffs may file a civil action for damages and equitable relief violations of the CFAA 7 pursuant to 18 U.S.C. § 1030(g). Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021); LVRC 8 Holdings, 581 F.3d at 1132. Section 1030(g) section provides:

9 Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain 10 compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the 11 conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). 12 “Thus, a private plaintiff must prove that the defendant violated one of the provisions of § 13 1030(a)(1)-(7), and that the violation involved one of the factors listed in § 1030[(c)(4)(A)(i)].” 14 LVRC Holdings, 581 F.3d at 1132. Those factors are: 15 (I) loss to 1 or more persons during any 1-year period (and, for 16 purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course 17 of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; 18 (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care 19 of 1 or more individuals; (III) physical injury to any person; 20 (IV) a threat to public health or safety; or (V) damage affecting a computer system used by or for an entity of 21 the United States Government in furtherance of the administration of justice, national defense, or national security[.] 22 18 U.S.C. § 1030(c)(4)(A)(i). 23 The CFAA defines a “loss” as “any reasonable cost to any victim, including the cost of 24 responding to an offense, conducting a damage assessment, and restoring the data, program, 25 system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or 26 other consequential damages incurred because of interruption of service.” Facebook, Inc. v. 27 Power Ventures, Inc., 844 F.3d 1058, 1066 (9th Cir. 2016) (quoting 18 U.S.C. § 1030(e)(11)). 1 The CFAA defines “damage” as “any impairment to the integrity or availability of data, a 2 program, a system, or information.” 18 U.S.C. § 1030(e)(8). “Thus, while ‘damage’ covers harm 3 to data and information, ‘loss’ refers to monetary harms sustained by the plaintiff.” NovelPoster 4 v. Javitch Canfield Grp., 140 F. Supp. 3d 954, 961 (N.D. Cal. 2014). The Ninth Circuit has held 5 that the statute maintains a “narrow conception of ‘loss,’” and that its definition, “with its 6 references to damage assessments, data restoration, and interruption of service—clearly limits its 7 focus to harms caused by computer intrusions, not general injuries unrelated to the hacking itself.” 8 Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1262-63 (9th Cir. 2019). “[A]ny theory of loss 9 must conform to the limited parameters of the CFAA’s definition.” Id. at 1263. 10 Biesenbach plausibly alleged that Defendants accessed his cell phone, WiFi network, and 11 router without authorization in contravention of 18 U.S.C. § 1030(a)(5)(C). Compl. ¶¶ 8, 15. 12 Biesenbach also appears to have plausibly alleged that Defendants “caused the transmission of a 13 program . . . or command” that resulted in changing his passwords and access to his VOIP and 14 router in contravention of § 1030(a)(5)(A). Compl. ¶¶ 12, 15. However, Biesenbach does not 15 plead any that he suffered a monetary loss or damage of at least $5,000 as required under § 16 1030(c)(4)(A)(i)(I).6 He does not, for instance, plead that he incurred any costs in responding to 17 Defendants’ alleged hacking or that he lost income or revenue because of an interruption in access 18 to his accounts. See Andrews, 932 F.3d at 1263 (holding that plaintiff lacked cognizable injury 19 under CFAA where he “does not—and cannot—argue that his allegedly lost revenue occurred 20 because of an interruption of service.”) Biesenbach’s conclusory request for an award of $2.8 21 million is insufficient given the CFAA’s narrow definition of loss. Accordingly, the complaint 22 fails to state a claim under the CFAA. 23 IV. EX PARTE APPLICATION FOR EARLY DISCOVERY 24 Biesenbach also filed an ex parte application for early discovery to identify the identities of 25 the three Doe Defendants. [Docket No. 5.] In the Ninth Circuit, “exceptions to the general rule” 26 that discovery may not be initiated prior to the Federal Rule of Civil Procedure 26(f) conference 27 1 are “generally disfavored.” Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 577 (N.D. Cal. 2 1999) (citing Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir. 1980). However, a court may 3 authorize earlier discovery “for the parties’ and witnesses’ convenience and in the interests of 4 justice.” Fed. R. Civ. P. 26(d)(3). Courts have permitted “limited discovery . . . after [the] filing 5 of the complaint to permit the plaintiff to learn the identifying facts necessary to permit service on 6 the defendant.” Columbia, 185 F.R.D. at 577. The plaintiff must show good cause 7 for early discovery. Semitool, Inc. v. Tokyo Electron Am., Inc., 208 F.R.D. 273, 276 (N.D. Cal. 8 2002). “Good cause may be found where the need for expedited discovery, in consideration of the 9 administration of justice, outweighs the prejudice to the responding party.” Id. 10 In evaluating whether a plaintiff establishes good cause to learn the identity of Doe 11 defendants through early discovery, courts employ safeguards to ensure that such discovery “will 12 only be employed in cases where the plaintiff has in good faith exhausted traditional avenues for 13 identifying a civil defendant pre-service, and will prevent use of [early discovery] to harass or 14 intimidate.” Columbia, 185 F.R.D. at 578. Courts examine whether the plaintiff (1) has 15 “identif[ied] the missing party with sufficient specificity such that the Court can determine that the 16 defendant is a real person or entity who can be sued in federal court,” (2) recounted “all previous 17 steps taken to locate the elusive defendant,” (3) established that the action can withstand a motion 18 to dismiss, and (4) demonstrated a “reasonable likelihood that the discovery process will lead to 19 identifying information about [the] defendant that would make service of process possible.” Id. at 20 578-80. “Generally, ex parte applications for early discovery are accompanied by declarations 21 which explain the party’s efforts to determine the individual’s identity and why the plaintiff 22 believes that subpoenas to particular service providers would yield information regarding a 23 defendant’s identity.” Bellwether Coffee Co. v. Does 1-5, No. 21-03612-JSC, 2021 WL 2333848, 24 at *1 (N.D. Cal. June 8, 2021); see Columbia, 185 F.R.D. at 580 (calling for “a statement of 25 reasons justifying the specific discovery requested as well as identification of a limited number of 26 persons or entities on whom discovery process might be served”). 27 In light of the court’s ruling that Biesenbach’s complaint could not withstand a motion to 1 court also notes that Biesenbach’s application fails to satisfy the other required Columbia factors, 2 || including facts recounting his previous attempts to identify Defendants, and why his requested 3 || discovery is likely to lead to identification of Defendants. 4 || V. CONCLUSION 5 For the reasons above, the court grants Biesenbach’s application to proceed IFP but finds 6 that the complaint fails to state a claim pursuant to 28 U.S.C. § 1915(e). Biesenbach must file a 7 || first amended complaint addressing the deficiencies identified in this order within 21 days—te., 8 || by February 14, 2022. If he does not file a timely first amended complaint, the court will 9 || recommend dismissal of his action. 10 Should Biesenbach also seek leave again to take early discovery, he must include a sworn 11 declaration sworn under penalty of perjury establishing facts to support arguments for each a 12 Columbia element. As discussed above, Biesenbach also must not file documents without

13 properly authenticating them and establishing their relevance. Finally, Biesenbach is instructed

v 14 || not to contact the court regarding the status of his case. © 15 The court refers Biesenbach to the section “Representing Yourself” on the Court’s website, GQ 16 || located at https://cand.uscourts.gov/pro-se-litigants/, as well as the Court’s Legal Help Centers for

= 17 unrepresented parties. Parties may schedule an appointment by calling 415-782-8982 or emailing

18 fedpro@ sfbar.org. qED DISTRIOS aD 19 © ky 20 IT IS SO ORDERED. IS 50 ORDERED | □□ 21 |] Dated: January 24, 2022 Ss □ > □□ 22 ry Lbs 5 Rv 23 O\ | Caen ak ad Statoes@reTstrate Judge Ry □□□ 24 DS CY OY 25 VDISTRICS © 26 27 28