Gonzales v. Uber Techs., Inc., Case No.17–cv–02264–JSC

• Decision Date: 18 April 2018
• Docket Number: Case No.17–cv–02264–JSC
• Citation: 305 F.Supp.3d 1078
• Court: U.S. District Court — Northern District of California
• Parties: Michael GONZALES, Plaintiff, v. UBER TECHNOLOGIES, INC., et al., Defendants.

305 F.Supp.3d 1078

Michael GONZALES, Plaintiff,

v.UBER TECHNOLOGIES, INC., et al., Defendants.

Case No.17–cv–02264–JSC

United States District Court, N.D. California.

Signed April 18, 2018

Caleb Marker, Zimmerman Reed LLP, Manhattan Beach, CA, Hannah Parke Belknap, Palmer Lombardi & Donohue LLP, Los Angeles, CA, Ling Yue Kuang, Mark Etheredge Burton, Jr., Mark Etheredge Burton, Jr., Michael Andrew McShane, Audet & Partners, LLP, San Francisco, CA, for Plaintiff.

Patrick Leo Oot, Jr., Shook, Hardy and Bacon, LLP, Washington, DC, Elizabeth Anne Lee, John K. Sherk, III, Michael Kevin Underhill, Shook, Hardy Bacon L.L.P., San Francisco, CA, for Defendants.

ORDER RE MOTION TO DISMISS FIRST AMENDED COMPLAINT

JACQUELINE SCOTT CORLEY, United States Magistrate Judge

Plaintiff Michael Gonzales brings this action on his own behalf and as a putative class action for Lyft drivers whose electronic communications and whereabouts were allegedly intercepted, accessed, monitored, and/or transmitted by Defendants Uber Technologies, Inc., Uber USA LLC, and Raiser–CA (together, "Uber"). Now pending before the Court is Defendants' motion to dismiss Plaintiff's First Amended Complaint ("FAC"). (Dkt. No. 38.) Having carefully reviewed the parties' briefing and having had the benefit of oral argument on January 11, 2018, the Court GRANTS Defendants' motion with leave to amend.

FIRST AMENDED COMPLAINT ALLEGATIONS

A. The Lyft App

"Lyft provides technology that operates similar to a taxi company's dispatch system." (Dkt. No. 34 ¶ 3.) "A rider requests a ride using a software application on his or her phone (the ‘Lyft App’)." (Id. ) After a rider logs on to the Lyft App, the App sends a Hypertext Transfer Protocol ("HTTP") request to Lyft's servers. (Id. ¶ 65.) The HTTP request contains the passenger's Lyft ID and GPS coordinates. (Id. ¶ 66.) Lyft's servers respond to the Lyft App's request with a list of nearby drivers who are logged in and who have affirmatively indicated they are available for work; the list includes the drivers' Lyft IDs and GPS coordinates. (Id. ¶ 67.) The list is transmitted to riders through Lyft's servers. (Id. ) "The locations of nearby Lyft drivers are displayed to the rider as dots on a map, along with the estimated price and wait time for arrival once the ride request is submitted." (Id. at ¶ 3.)

"Drivers also use the Lyft App." (Id. ¶ 4.) "When a driver is ready to accept work, the driver swipes a switch on the Lyft App, directing the Lyft App to continuously transmit the driver's geolocation data and his or her willingness to accept work to servers maintained by Lyft." (Id. ) Lyft drivers used the Lyft App to communicate with Lyft servers by transmitting and receiving "packets" of information. (Id. ¶ 55.) "A packet is analogous to a physical letter mailed from one address to the other, and the protocol used to transmit the packet is analogous to the physical envelope that holds the letter." (Id. ) "While traditional envelopes use physical postal addresses, packets use computer Internet Protocol (IP) addresses." (Id. ¶ 70.) The digital letter transmitted from the driver to Lyft's servers in response to a rider's HTTP request includes (1) the driver's unique identifier, (2) the driver's precise geolocation data, (3) the driver's affirmation that the driver is available to provide rides for Lyft users, and (4) an estimated price for the rider's requested ride. (Id. ¶ 72.) Lyft, acting as the driver's agent, forwards a driver's geolocation and willingness to drive to those requesting a ride. (Id. ¶ 4.)

B. Uber's Hell Spyware

Uber offers technology that competes with the Lyft App and operates in the same geographic regions as Lyft. (Id. ¶¶ 5, 6.) Some drivers perform transport services through the two platforms simultaneously. (Id. at ¶ 6.) Lyft's and Uber's systems store the location of every driver, whether on duty or off duty, every few seconds. (Id. ¶¶ 87, 88.) "[N]either Uber nor Lyft ever delete the geolocation data they collect from drivers, at least in part because they consider it valuable to their respective businesses." (Id. ¶ 90.)

Starting in 2014 or earlier and continuing into 2016, Uber secretly used ‘Hell spyware’ to access servers and smartphones owned and operated by Plaintiff, Class Members, and Lyft. (Id. ¶ 52.) The "spyware extracted information from Lyft by posing as Lyft customers in search of rides." (Id. ¶ 7.) These fake Lyft riders sent forged requests to Lyft's servers. (Id. ) When Lyft's servers received "a request from a forged rider account, they believed that the ride requests were coming from actual Lyft riders, not the Hell spyware." (Id. ¶ 77.) As a result, Lyft's servers transmitted a response to Uber's fake Lyft requesters containing the IDs, on duty status, pricing, and exact locations of nearby Lyft drivers. (Id. ) "The data transmitted was provided by Lyft drivers and was only intended to be delivered to actual nearby Lyft riders." (Id. )

Uber used the fraudulently received geolocation data and driver identifiers "to create grid-like detection nets over cities including San Francisco, Los Angeles, and New York." (Id. ¶ 80.) For instance, a forged rider account would transmit a request indicating that the rider was at the Philip Burton Federal Building with specific GPS coordinates. (Id. ) In response, Lyft's servers "would transmit back information for all nearby Lyft drivers." (Id. ) The Hell spyware would simultaneously also send another set of requests indicating that a different fake Lyft rider was a few blocks north on O'Farrell Street with specific geolocation data. (Id. ) This process was repeated with a large number of fake Lyft accounts, "allowing Uber to obtain complete geographic coverage of entire metropolitan areas, and the exact locations of all Lyft drivers and other information." (Id. ) "Uber repeated this process millions of times using the Hell spyware from 2014 through 2016." (Id. ¶ 8.)

Uber used the data collected in conjunction with other databases "to learn personal details about Lyft drivers including, but not limited to, the drivers' full names, their home addresses, when and where they typically work each day and for how many hours, and where they take breaks." (Id. ¶ 83.) "Uber was able to use this data to determine the identities of the drivers' rider customers." (Id. )

"Uber combined the data harvested by Hell [spyware] with Uber's internal records, including historical location data, to identify Lyft drivers who also worked for Uber." (Id. ¶ 9.) "Uber used the information gleaned from Hell to direct more frequent and more profitable trips to Uber drivers who also used the Lyft App." (Id. ¶ 101.) "By inundating these drivers [with] Uber rides, Uber was able to discourage drivers from accepting work on the Lyft platform, reducing the effective supply of available Lyft drivers." (Id. ¶ 101.) "With the supply of Lyft drivers reduced, Lyft customers faced longer wait times." (Id. ¶ 102.) As a result, Lyft riders would cancel the ride requested with Lyft and request a new ride from Uber, and Lyft drivers experienced decreased earnings. (Id. ¶¶ 9, 102.) "Over time, this would reduce the effectiveness of the Lyft App, thus harming drivers such as Plaintiff and absent Class Members." (Id. ¶ 102.)

PROCEDURAL HISTORY

Plaintiff filed an initial complaint seeking injunctive relief and damages based on four claims: (1) Federal Wiretap Act as amended by the Electronic Communications Privacy Act (the "ECPA"), (2) the California Invasion of Privacy Act ("CIPA"), (3) the California Unfair Competition Law (the "UCL"), and (4) common law invasion of privacy. (Dkt. No. 1.) Defendants moved to dismiss all four claims. (Dkt. No. 17.) The Court granted Defendants' motion with leave to amend. (Dkt. Nos. 27.)

Plaintiff then filed a First Amended Complaint seeking the same relief under the same causes of action with two additional claims: (1) the Federal Stored Communication Act (the "SCA") and (2) the California Computer Fraud and Abuse Act (the "CFAA"). (Dkt. No. 34.) Thereafter, Defendants filed the now pending motion to dismiss. (Dkt. No. 38.)

DISCUSSION

I. Federal Claims

A. The Wiretap Act

The Federal Wiretap Act makes it unlawful to "intentionally intercept [ ] ... any wire, oral, or electronic communication." 18 U.S.C. § 2511(1)(a). "Intercept" "means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." 18 U.S.C. § 2510(4). Plaintiff's Wiretap Act claim fails because he has not alleged and cannot allege that Uber "intercepted" the "contents" of a communication.

1. Contents of a Communication

Plaintiff alleges that when he activates the Lyft App he sends Lyft his unique Lyft driver identification, his precise geolocation data, his affirmation that he is willing to provide rides to drivers, and an estimated price for the ride (presumably only when there is a rider request). (FAC ¶ 72.) With the possible exception of the estimated price, this information does not qualify as the "contents" of a communication within the meaning of the Wiretap Act.

The Act defines "contents" as "includ[ing] any information concerning the substance, purport, or meaning of that communication." 18 U.S.C. § 2510(8). " ‘[C]ontents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication." In re Zynga Privacy Litig. , 750 F.3d 1098, 1106 (9th Cir. 2014). Record information includes the "name," "address," and "subscriber number or identity" of a subscriber or customer. Id. (citing 18 U.S.C. § 2702(c)(2) ). For example, data about a telephone call, including the number from which it was made, the time it was made, the number called, and the length of the call does not fall within the Wiretap Act because it is not the content of the communication, it is data about the...