A Delaware District Court has issued an opinion ruling that an ongoing click fraud scheme led by a Florida-based husband and wife team is technically punishable under the U.S. Computer Fraud And Abuse Act (CFAA), a piece of oft-cited legislation that’s been wielded in lawsuits against web scrapers, IP-blockers, hackers, and all sorts of academics.
In many of those cases — and the current one, which is the result of a lawsuit first filed in 2018 — the heart of the issue is the wording of the CFAA itself; it’s an infamously vague piece of legislation that, on paper, makes it illegal to access a “protected computer” without the “authorization” of the computer-owning party.
According to the victim at the centre of this most recent case, pilfering clicks is a violation of this sort of authorization — and it turns out that Delaware Judge Christopher Burke agreed.
According to the docket, the two players in the suit are Juju, a search engine for job listings, and a second company, called “Native Media,” which was owned and operated by a husband and wife team based out of their home in Florida.
Juju set an agreement with the Native team to send out emails with clickable links that would redirect to one of the job postings on the Juju site — with the more clicks that resulted in a job application, the better. With every click to one of these posts, court records explain, Juju would get the IP address of the clicker involved, and Native would get a payout. These sorts of “pay-per-click” or “PPC” deals are incredibly common in the world of advertising, with recent numbers pointing to digital ad moguls dumping more than $US10 ($14) billion into these sorts of arrangements by the tail end of 2017.
Naturally, where big budgets go, bad actors tend to follow — and because clicks are actually relatively easy to fake, we’ve seen high profile case after high profile case of scammers finding ways to game their click numbers in order to get a bigger payout. The amount of money they’re draining from the ecosystem is a matter of speculation, but some analysts point to figures close to $US4 ($6) billion dollars by the end of this year.
Though Juju didn’t lose billions, they did lose close to $US400,000 ($576,200) dollars, according to the suit. Per Juju, between the end of 2017 through the start of 2018, the links that were being shared through Native’s services were being flooded with what they called “low quality” traffic that didn’t lead to a job application — or a “conversion” on the other end. As the docket explains:
In light of the fact that [Juju] paid Native “per click,” [Juju] had an interest in paying only for clicks borne out of genuine interest in its web content. [Juju] describes this as the “quality” of web traffic that comes to its site. A higher ratio of conversions to clicks signals higher “quality” traffic; a lower ratio of conversions to clicks signals lower “quality” traffic.
Native, as it turns out, was churning out clicks with a pretty low rate of follow-throughs on the other end — roughly three times lower than other services Juju was using at the time, according to the case. Not only that, but many of these clicks appeared to be from Native’s own systems, and followed clicking behaviour that looked anything but natural. All things considered, this low-tier traffic cost Juju a grand total of roughly $US345,000 ($496,973) dollars.
While the husband and wife couple seem to be guilty of swindling Juju out of hundreds of thousands, what’s less cut and dry is whether this swindling falls under the purview of the CFAA, since it technically doesn’t involve “accessing” any of these devices without authorization. But according to Judge Burke, that doesn’t matter.
“In the Third Circuit’s view, a defendant need not ‘hack’ a plaintiff’s server in order to access a plaintiff’s computer ‘without authorization” pursuant to the CFAA,’ he writes. “Instead, if the defendant accesses the plaintiff’s computers and uses information in violation of a contractual agreement with the plaintiff, that could be enough.”
Native had initially signed a contract with Juju to run these ads in a fraud-free way, and, well, they didn’t hold up their end of the bargain — meaning that they’re fully in violation of the CFAA in this Judge’s eyes.