ORDER GRANTING EXPEDITED DISCOVERY [ECF No. 4]

LAUREL BEELER, Magistrate Judge.

INTRODUCTION

Plaintiff Uber Technologies, Inc. asserts claims against Defendant John Doe I for violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq. and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502. (Compl. — ECF No. 1.)1 Uber seeks permission to take expedited discovery from the third party GitHub, Inc. to identify John Doe I. (ECF No. 4 at 1.) The court heard this matter on March 12, 2015. (ECF No. 10.)

As discussed below, Uber has demonstrated the following: (1) John Doe I is a real person who may be sued in federal court; (2) it has unsuccessfully attempted to identify John Doe I before filing this motion; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a reasonable likelihood that the proposed subpoena will lead to information identifying John Doe I. The court therefore finds that good cause exists to allow Uber to engage in this preliminary discovery. Accordingly, the court GRANTS Uber's ex parte motion for expedited discovery.

STATEMENT

Uber is a technology company. (Compl. — ECF No. 1, ¶ 5; ECF No. 4 at 2.) It has developed a smartphone application that connects drivers and riders in cities all over the world. (Id.) Uber's smartphone application is available in over 200 cities and has been used by over 100,000 drivers to receive requests for transportation services. (Id.) Uber maintains internal database files with confidential details on the drivers who use its application. (ECF No. 1, ¶ 6; ECF No. 4 at 2.) Those database files can be accessed only by certain Uber employees using a unique security key from Uber's protected computers. (ECF No. 1, ¶ 7; ECF No. 4 at 2.) On or around May 12, 2014, from an Internet protocol ("IP") address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used a unique security key without authorization to access and download Uber's proprietary database files. (ECF No. 1, ¶ ¶ 7, 10, 11; ECF No. 4 at 2.) Uber alleges that John Doe I's unauthorized access has harmed Uber and caused it to expend resources to investigate and to prevent such access from occurring. (ECF No. 1, ¶ 12.) As a result, Uber suffered over $5,000 in damages. (Id; ECF No. 4 at 5.)

Under Local Civil Rule 7-10, Uber certifies that it attempted to identify John Doe I without success. (ECF No. 1, ¶ 12; ECF No. 4 at 4.) Specifically, Uber reviewed the IP addresses that accessed the database and isolated one unrecognized IP address, but could not identify John Doe I. (ECF No. 4 at 4; ECF No. 4-2 at 1) Uber was informed that the person who downloaded the files also visited two pages at the GitHub website that are specified in the subpoena, which requests:

For the GitHub posts

This subpoena does not request the contents of any communications.

(ECF No. 4-1 at 7; see ECF No. 4 at 4; ECF No. 4-2 at 2, 3.)

GitHub is a San Francisco-headquartered subscription Internet service where users collaborate in developing open-source-code software. At the hearing, Uber's counsel explained that GitHub hosts portions of Uber's code on the two pages specified in the subpoena. On these GitHub pages, people from Uber can work on the code collaboratively. In response to the court's questions, Uber represented that there should not be many "hits" on these pages. The hits should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download. Uber explained that GitHub may well have user logs that can be accessed easily, that Uber would work with GitHub to address any concerns about the burden that responding to the subpoena would place on GitHub, and that it would be in a better position to evaluate any burden or notification concerns once it sees how GitHub captures the relevant data. To date, Uber has been unable to obtain the information it needs from GitHub through informal investigation. (Id.) Uber therefore asks for early discovery under Federal Rule of Civil Procedure 26(d) and leave to serve the Proposed GitHub Subpoena to obtain information that can reasonably be expected to lead to discovering John Doe 1's identity. (ECF No. 4.)

ANALYSIS

I. LEGAL STANDARD

A court may authorize early discovery before the Rule 26(f) conference for the parties' and witnesses' convenience and in the interests of justice. Fed. R. Civ. P. 26(d). Courts within the Ninth Circuit generally consider whether a plaintiff has shown "good cause" for early discovery. See, e.g., IO Group, Inc. v. Does 1-65, No. C 10-4377 S.C. 2010 WL 4055667, at *2 (N.D. Cal. Oct. 15, 2010); Semitool, Inc. v. Tokyo Electron America, Inc., 208 F.R.D. 273, 275-77 (N.D. Cal. 2002); Texas Guaranteed Student Loan Corp. v. Dhindsa, No. C 10-0035, 2010 WL 2353520, at *2 (E.D. Cal. June 9, 2010); Yokohama Tire Corp. v. Dealers Tire Supply, Inc., 202 F.R.D. 612, 613-14 (D. Ariz. 2001) (collecting cases and standards).

When the identities of defendants are not known before a complaint is filed, a plaintiff "should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds." Gillespie v. Civiletti, 629 F.2d 637, 642 (9th Cir. 1980). In evaluating whether a plaintiff establishes good cause to learn the identity of Doe defendants through early discovery, courts examine whether the plaintiff: (1) identifies the Doe defendant with sufficient specificity that the court can determine that the defendant is a real person who can be sued in federal court; (2) recounts the steps taken to locate and identify the defendant; (3) demonstrates that the action can withstand a motion to dismiss, and (4) proves that the discovery is likely to lead to identifying information that will permit service of process. Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578-80 (N.D. Cal. 1999).

II. UBER HAS SHOWN GOOD CAUSE TO TAKE EARLY DISCOVERY

Here, Uber has made a sufficient showing under each of the four factors listed above to establish good cause to permit it to engage in early discovery to identify John Doe I.

First, Uber has shown that a real person, John Doe I, may be subject to jurisdiction in this court by showing that the target of his misconduct is California, where Uber is headquartered. (ECF No. 1 at 2, 1; ECF No. 4 at 3, 4.) In this action, Uber alleges that John Doe I accessed Uber's proprietary database files from its protected computers by using a unique security key. (Id; Compl. — ECF No. 1, ¶ 11.) Those specific acts of misconduct can be perpetrated only by actual people, as opposed to a mechanical process. In addition, even if John Doe I is located outside California, the court would still have personal jurisdiction. To establish specific personal jurisdiction in the forum state, the Ninth Circuit applies the following three-prong test:

Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 802 (9th Cir. 2004). "The plaintiff bears the burden of satisfying the first two prongs of [this] test." Id.

Uber has proved that John Doe I intentionally targeted Uber, which is headquartered in California, by accessing its computers and illegally downloading its confidential files. Uber's damages claims arise out of John Doe I's forum-related activities. Given that John Doe I intentionally accessed Uber's proprietary and confidential database without permission, he or she must know his or her acts likely caused harm in California. See Calder v. Jones, 465 U.S. 783, 789 (1984) ("petitioners are not charged with mere untargeted negligence. Rather, their intentional, and allegedly tortious, actions were expressly aimed at California."); Bancroft & Masters, Inc. v. Augusta Nat'l Inc., 223 F.3d 1082, 1087 (9th Cir. 2000) ("the defendant must have . . . caused harm, the brunt of which is suffered and which the defendant knows is likely to be suffered in the forum state."); Yahoo! Inc. v. La Ligue Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199, 1206-07 (9th Cir. 2006). The court thus finds that it has personal jurisdiction over John Doe I.

Second, Uber has adequately described the steps it took to find and identify John Doe I. Specifically, its efforts include: (1) reviewing the IP address that accessed Uber's internal database; (2) isolating one unrecognized IP address; (3) learning that John Doe I also visited certain pages at the GitHut website; and (4) contacting GitHub to obtain the necessary information through informal investigation. (ECF No. 4 at 4; ECF No. 4-2.)

Third, Uber has pleaded the essential elements to state a claim for violations of the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act. (ECF No. 1 ¶¶ 6-12, 13-17; ECF No. 4 at 4, 5;) see 18 U.S.C. § 1030(a)(2)(C) ("Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer . . . shall be punished. . . ."); Cal. Penal Code § 502(c)(1), (2), (7) ("[A]ny person who commits any of following acts is guilty of a public offense: Knowingly accesses and without permission . . . uses any data, computers . . . in order to wrongfully control or obtain . . . data.").

Fourth, Uber has demonstrated that the proposed subpoena seeks information likely to lead to uncovering John Doe's identity. (ECF No. 4 at 5.) Again, Uber learned that the person who accessed its database also visited pages at the GitHub website; the subpoena specifies these pages. (Id; ECF No. 4-2.) The proposed subpoena directs GitHub to yield information regarding John Doe I's access to the web pages in question. (ECF No. 4-2.) Given the information that is presently available to Uber, before and so without the issuance of the subpoena, obtaining this information from GitHub may be more than "reasonable," see Schwarzenegger, 374 F.3d at 802; it may be the only way that Uber can be expected to identify John Doe I. Additionally, Uber has shown that its need for early discovery outweighs the prejudice to GitHub, as GitHub is an established provider who routinely deals with discovery requests and would suffer little burden from producing the requested information. (ECF No. 4 at 5.)

Taken together, the court finds that the foregoing factors demonstrate that good cause exists to grant Uber's leave to conduct early discovery. See Semitool, 208 F.R.D. at 276 ("Good cause may be found where the need for expedited discovery . . . outweighs the prejudice to the responding party."). Furthermore, the court finds that early discovery furthers the interests of justice and poses little, if any, inconvenience to GitHub. Permitting Uber to engage in this early discovery is therefore consistent with Rule 26(d).

CONCLUSION

For the reasons stated above, the court GRANTS Uber's Ex Parte Motion for Expedited Discovery. The court orders the following:

1. Uber may immediately serve on GitHub the Proposed Subpoena to obtain the requested information. Uber's proposed subpoena is acceptable. The subpoena shall have a copy of this order attached. To the extent that producing the information sought is burdensome, the parties must meet and confer and comply with the court's discovery procedures in the attached standing order. It may be that an iterative process is the best way to deliver the information about the unauthorized access that entitles Uber to this discovery.

2. GitHub will have 30 days from the date that the subpoena is served upon them to serve John Doe I with a copy of the subpoena and a copy of this order. GitHub may serve John Doe I using any reasonable means, including written notice sent to his or her last known address, transmitted either by first-class mail or via overnight service.

3. John Doe I shall have 30 days from the date of service upon him or her to file any motions in this court contesting the subpoena (including a motion to quash or modify the subpoena). If that 30-day period lapses without John Doe I contesting the subpoena, GitHub shall have 10 days to produce the information responsive to the subpoena to Uber.

4. GitHub shall preserve any subpoenaed information pending the resolution of any timely motion to quash.

5. If GitHub has no information identifying John Doe I, then it need not comply with Paragraphs 2-4, and should immediately produce the information that the subpoena requests.

6. GitHub must confer with Uber and must not assess any charge in advance of providing the information requested in the subpoena. If GitHub elects to charge for the costs of production, it must provide a billing summary and cost reports that serve as a basis for such billing summary and any costs claimed by GitHub.

7. Uber must serve a copy of this order along with the subpoena to all relevant entities.

8. Uber may use the subpoenaed information only in connection with its instant claims under the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act.

This disposes of ECF No. 4.

IT IS SO ORDERED.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN FRANCISCO DIVISION

STANDING ORDER FOR UNITED STATES MAGISTRATE JUDGE LAUREL BEELER (Effective October 21, 2014)

Parties must comply with the procedures in the Federal Rules of Civil and Criminal Procedure, the local rules, the general orders, this standing order, and the Northern District's general standing order for civil cases titled "Contents of Joint Case Management Statement." These rules and a summary of electronic filing requirements (including the procedures for emailing proposed orders to chambers) are available at http://www.cand.uscourts.gov (click "Rules" or "ECF-PACER"). A failure to comply with any of the rules may be a ground for monetary sanctions, dismissal, entry of judgment, or other appropriate sanctions.

A. CALENDAR DATES AND SCHEDULING

1. Motions are heard each Thursday: civil motions at 9:30 a.m. and criminal motions at 10:30 a.m. Case management conferences are every Thursday: criminal cases at 10:30 a.m. and civil cases at 11:00 a.m. Parties must notice motions under the local rules and need not reserve a hearing date in advance if the date is available on the court's calendar (click "Calendars" at http://www.cand.uscourts.gov). Depending on its schedule, the court may reset or vacate hearings. Please call courtroom deputy Lashanda Scott at (415) 522-3140 with scheduling questions.

B. CHAMBERS COPIES

2. Under Civil Local Rule 5-1(b), parties must lodge a paper "Chambers" copy of any filing. The chambers copy must have the ECF header on each page, use exhibit tabs, and be three-hole-punched and two-sided unless another format makes more sense (e.g., for spreadsheets, pictures, or exhibits). Parties need not submit copies of certificates of service, certificates of interested entities or persons, consents or declinations to the court's jurisdiction, stipulations that do not require a court order (see Local Civil Rule 6-1), and notices of appearance or substitution of counsel. Please read Civil Local Rule 79-5 carefully regarding the requirements for filing documents under seal and providing copies.

C. CIVIL DISCOVERY

3. Evidence Preservation. After a party has notice of this order, it must take the steps needed to preserve information relevant to the issues in this action, including suspending any document destruction programs (including destruction programs for electronically-maintained material).

4. Production of Documents In Original Form. When searching for material under Federal Rule of Civil Procedure 26(a)(1) or after a Federal Rule of Civil Procedure 34(a) request, parties (a) must search all locations — electronic and otherwise — where responsive materials might plausibly exist, and (b) to the maximum extent feasible, produce or make available for copying and/or inspection the materials in their original form, sequence, and organization (including, for example, file folders).

5. Privilege Logs. If a party withholds material as privileged, see Fed. R. Civ. P. 26(b)(5) and 45(d)(2)(A), it must produce a privilege log that is sufficiently detailed for the opposing party to assess whether the assertion of privilege is justified. The log must be produced as quickly as possible but no later than fourteen days after its disclosures or discovery responses are due unless the parties stipulate to, or the court sets, another date. Unless the parties agree to a different logging method, privilege logs must contain the following: (a) the title and description of the document, the number of pages, and the Bates-number range; (b) the subject matter or general nature of the document (without disclosing its contents); (c) the identity and position of its author; (d) the date it was communicated (or prepared, if that is the more relevant date); (e) the identity and position of all addressees and recipients of the communication; (f) the document's present location; (g) the specific basis for the assertion that the document is privileged or protection (including a brief summary of any supporting facts); and (h) the steps taken to ensure the confidentiality of the communication, including an affirmation that no unauthorized persons received the communication.

6. Expedited Procedures for Discovery Disputes. The parties may not file formal discovery motions. Instead, and as required by the federal rules and local rules, the parties must meet and confer to try to resolve their disagreements. See Fed. R. Civ. P. 37(a)(1); Civil L. R. 37-1. Counsel may confer initially by email, letter, or telephone to try to narrow their disputes. After trying those means, lead trial counsel then must meet and confer in person to try to resolve the dispute. (If counsel are located outside of the Bay Area and cannot confer in person, lead counsel may meet and confer by telephone.) Either party may demand such a meeting with ten days' notice. If the parties cannot agree on the location, the location for meetings will alternate. Plaintiff's counsel will select the first location, defense counsel will select the second location, and so forth. If the parties do not resolve their disagreements through this procedure, lead counsel must file a joint letter brief no later than five days after lead counsels' in-person meet-and-confer. The letter brief must be filed under the Civil Events category of "Motions and Related Filings > Motions — General > Discovery Letter Brief." It may be no more than six pages (12-point font or greater, margins of no less than one inch) without leave of the court. Lead counsel for both parties must sign the letter and attest that they met and conferred in person. Each issue must be set forth in a separate section that includes (1) a statement of the unresolved issue, (2) a summary of each parties' position (with citations to supporting facts and legal authority), and (3) each party's final proposed compromise. (This process allows a side-by-side, stand-alone analysis of each disputed issue.) If the disagreement concerns specific discovery that a party has propounded, such as interrogatories, requests for production of documents, or answers or objections to such discovery, the parties must reproduce the question/request and the response in full either in the letter or, if the page limits in the letter are not sufficient, in a single joint exhibit. The court then will review the letter brief and determine whether formal briefing or future proceedings are necessary. In emergencies during discovery events such as depositions, the parties may contact the court through the court's courtroom deputy pursuant to Civil Local Rule 37-1(b) but first must send a short joint email describing the nature of the dispute to lbpo@cand.uscourts.gov.

D. CONSENT CASES

7. In cases that are assigned to Judge Beeler for all purposes, the parties must file their written consent or declination of consent to the assignment of a United States Magistrate Judge for all purposes as soon as possible. If a party files a dispositive motion (such as a motion to dismiss or a motion for remand), the moving party must file the consent or declination simultaneously with the motion, and the party opposing the motion must file the consent or declination simultaneously with the opposition.

8. The first joint case management conference statement in a case must contain all of the information in the Northern District's standing order titled "Contents of Joint Case Management Statement." Subsequent statements for further case management conferences must not repeat information contained in an earlier statement and instead should report only progress or changes since the last case management conference and any new recommendations for case management.

E. SUMMARY JUDGMENT MOTIONS

9. The parties may not file separate statements of undisputed facts. See Civil L. R. 56-2. Joint statements of undisputed facts are not required but are helpful. Any joint statement must include — for each undisputed fact — citations to admissible evidence. A joint statement generally must be filed with the opening brief, and the briefs should cite to that statement. A reasonable process for drafting a joint statement is as follows: (1) two weeks before the filing date, the moving party proposes its undisputed facts, and (2) one week later, the responding party replies and the parties meet and confer about any disagreements. For oppositions, a responding party may propose additional undisputed facts to the moving party within seven days after the motion is filed and ask for a response within two business days.

IT IS SO ORDERED.