LAUREL BEELER, Magistrate Judge.
Plaintiff Uber Technologies, Inc. claims that defendant John Doe I breached its secure database, stole information from that database, and so violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., and the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502. (Compl. — ECF No. 1 at 2, ¶ 8.)
The court previously granted Uber's motion to take expedited discovery from GitHub. (ECF No. 11.) Uber's present motions walk mostly the same ground as its first motion and, insofar as they apply, the court incorporates by reference the factual and legal discussions in its previous order. As the court there found, Uber has shown that: (1) John Doe I is a real person who may be sued in federal court; (2) Uber unsuccessfully tried to identify John Doe I before filing these motions; (3) its claims against John Doe I could withstand a motion to dismiss; and (4) there is a reasonable likelihood that the proposed subpoenas will lead to information identifying John Doe I. The court extends its earlier factual discussion and legal analysis as needed to account for Comcast (who was not involved in the earlier motion) and for events following the issuance of Uber's first subpoena.
GitHub produced information in response to Uber's earlier subpoena. (Snell Decl. — ECF No. 16- 1 at 2, ¶ 3.) That information showed that "someone used an IP address registered to Comcast to access relevant posts on the GitHub site." (See id. at 2, ¶ 4; ECF No. 16 at 3, 5.) (The same person who breached Uber's database accessed the GitHub posts to which Uber refers. (ECF No. 4-2 at 1-2, ¶¶ 2-3.)) It is likely that Comcast "has subscriber information for the Address, as well as information potentially linking the subscriber to unauthorized access to Uber systems." (ECF No. 16 at 5.) "Thus," Uber writes, "information related to" the Comcast IP address "will further Uber's investigation regarding the identity of John Doe 1." (Id. at 3.) The subpoena that Uber would now serve accordingly asks Comcast to produce:
(ECF No. 17-3 at 1.)
Producing this information should not unduly prejudice Comcast. Comcast is a sophisticated business that is likely accustomed to responding to subpoenas so that, as Uber contends, it "will not be burdened by this straightforward request involving one IP address." (ECF No. 16 at 5.) More precisely, Uber's need for the requested discovery outweighs whatever small burden the subpoena may impose on Comcast. See Semitool, Inc. v. Tokyo Electron Am., Inc., 208 F.R.D. 273, 276 (N.D. Cal. 2002).
The court furthermore deems the requested — and now authorized — subpoena to be issued "pursuant to a court order" within the meaning of 47 U.S.C. § 551(c)(2)(B). The relevant part of that statute provides:
47 U.S.C. § 551(c)(2)(B). This order expressly authorizes such disclosure. To ensure compliance with this statute, the concluding section of this order provides for Comcast to notify Doe of the subpoena.
Uber seeks to serve a new subpoena on GitHub. It explains:
For the reasons given in its earlier order (ECF No. 11 at 3-6), the court holds that Uber has shown good cause for issuing the requested subpoena.
Uber also asks that, unlike it did with the last GitHub subpoena, the court not direct Uber or (more accurately) GitHub to notify Doe of the subpoena. "[T]here is no notice requirement under the law or GitHub's Terms of Service," Uber reasons. (ECF No. 18 at 6.) The court accepts GitHub's representations about the absence of such a requirement in the law; the court, too, has seen no law affirmatively requiring, in this situation, that someone be notified when their information will be turned over to an adversary in litigation pursuant to a lawful subpoena. And Uber is correct about GitHub's Terms of Service. As Uber recounts, the Terms of Service to which John Doe I must have agreed when he set up a GitHub account provide that, "GitHub may disclose personally identifiable information under special circumstances, such as to comply with subpoenas or when your actions violate the Terms of Service." (See ECF No. 18 at 6.) Uber appears to be equally correct when it writes: "By accessing the GitHub site, John Doe I consented to disclosure of his personal information in connection with an investigation into illegal activities." (Id.) GitHub's privacy policy states: "The information we collected . . . is not shared . .. except to provide products or services you've requested, when we have permission, or under the following circumstances: It is necessary to share information in order to investigate, prevent, or take action regarding illegal activities. . . ." (See id.)
The case that Uber cites in this area — Sony Music Entm't Inc. v. Does 1-40, 326 F.Supp.2d 556 (S.D.N.Y. 2004) — does suggest that, in view of their Internet service provider's ("ISP") Terms of Service, Doe defendants had a "minimal expectation of privacy." Id. at 566. (The ISP in Sony Music did notify the Doe defendants that their identifying information had been subpoenaed. Id. at 559-60. The case does not mention whether this was at a court's direction or not.) It is one thing, however, to agree that one's information might be shared; it is another to waive notification of that fact. Notice has its own value. Being told that one's personal information is being disclosed may prompt one to take perfectly legitimate actions in response, even if a prior agreement bars one from objecting to the disclosure itself.
Uber has pointed out that Internet-anonymity cases come in different shades. On one end of the spectrum, anonymous-speech cases can directly implicate the First Amendment. These elicit the most demanding justification for disclosing an otherwise anonymous person's identity. See generally, e.g., In re Anonymous Online Speakers, 661 F.3d 1168, 1174-77 (9th Cir. 2011). Somewhere in the middle are copyright-infringement suits. See, e.g., Pink Lotus Entm't, LLC v. Doe, 2012 WL 260441, *2- (E.D. Cal. Jan. 23, 2012) (discussing Ninth Circuit good-cause standard) ("Good cause for expedited discovery is frequently found in cases involving claims of infringement. . . ."). This case lies near the opposite end of the spectrum. Here, Uber alleges that Doe directly breached and stole data from its secure database. On Uber's apparent view, the defendant in such a case can have little or no expectation that he will be notified, to say nothing of having a legal right to be notified, if an investigation discloses his personally identifying information.
This line of argument prompts two thoughts. The first is that this sort of case (call it one of straightforward hacking and data theft) shares more in common with copyright-infringement suits than with true First Amendment, anonymous-speech cases.
Second, even if no law affirmatively requires that Doe be given notice in a case like this, notice may still be the better, fairer practice. It has been this court's standard practice to require notice to parties whose information will be disclosed under a lawful subpoena, even where no law positively requires that; other courts appear to take the same approach. See AF Holdings, LLC v. Doe, 2012 WL 5464577, *4 (E.D. Cal. Nov. 7, 2012); Digital Sin, 279 F.R.D. at 244-45.
Having said all that, and weighing seriously Uber's situation and its sensible reasoning, the court holds that, in this case, GitHub need not notify Doe of the subpoena. This does not mean that notice will be excused in every similar case. The decision here is motivated in significant part by two related facts. First, Doe's alleged act was an unauthorized intrusion into a secure area; this cannot have been legitimate under any scenario — and is somewhat different from cases that involve the downloading and sharing of material that, at least in principle, can in the first instance be gotten legitimately. Second, Uber seems moved equally to redress crime as to seek recompense through civil remedies. The statutes that it sues under are both criminal. (See Compl. — ECF No. 1 at 3.)
"Uber also seeks clarification of the Court's prior Order to confirm that Uber may share information with third parties who may assist Uber in its investigation or in this matter, such as law enforcement, should Uber decide it appropriate to do so." (ECF No. 18 at 7.) The court's previous order stated that, "Uber may use the subpoenaed information only in connection with its instant claims under the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act." (ECF No. 11 at 7.)
The court agrees that it is consistent with the purposes of these statutes — both of which establish data breaches and theft as crimes — that Uber be allowed to turn over material information to law enforcement. To avoid any uncertainty, moreover, and though it is perhaps obvious, Uber may also share the subpoenaed information with third parties that are technically necessary to Uber's investigation. Like Uber itself, such adjutant third parties must otherwise keep the information confidential.
Finally, Uber moves to seal limited parts of the Comcast and GitHub subpoenas. (ECF Nos. 17, 19.) Uber would redact two IP addresses and one domain name from the Comcast subpoena (see ECF No. 16-1 at 7) and one IP address from the new GitHub subpoena (see ECF No. 19-4 at 1). In both cases, Uber argues that these items constitute "sensitive information that, if publicly disclosed, could undermine Uber's investigation into the data theft at issue in this lawsuit." (ECF Nos. 17 at 2, 19 at 2.) Publicly disclosing the target IP addresses and domain name, Uber says, could "giv[e] John Doe I insight into the status of Uber's investigation and thus" enable him "to take steps to further conceal his identity." (Id.)
Because the material in question relates to a non-dispositive motion, Uber must show only that there is "good cause" to seal it. E.g., Pintos v. Pac. Creditors Ass'n, 565 F.3d 1106, 1116 (9th Cir. 2009) opinion amended and superseded on denial of reh'g, 605 F.3d 665 (9th Cir. 2010); Kamakana v. City & County of Honolulu, 447 F.3d 1172, 1179-80 (9th Cir. 2006). Largely for the reasons that Uber states (ECF Nos. 17 at 2-3, 19 at 2-3), the court holds that Uber has shown "good cause" for sealing the IP addresses and domain name. The court accepts Uber's assertion that revealing the information in question could prompt Doe to elude detection, and thus thwart Uber's case at the outset, before the court can assess the merits of Uber's claims. Equally important, sealing two IP addresses and one domain name will in no significant way diminish the public's ability to "keep a watchful eye on the workings of" the court. See Kamakana, 447 F.3d at 1178-80. Furthermore, Uber has "narrowly tailored" its redactions to remove from the public record a minimum of information and only such information as is properly "sealable." See Civ. L.R. 79-5(b); Dish Network, LLC, Sonicview USA, Inc., 2009 WL 2224596 (July 23, 2009) (sealing records in satellite-television-piracy case partly because revealing investigators' identities would "jeopardize the success of [the plaintiff's] investigations").
The court grants both Uber's sealing motions. The court grants Uber's motion to serve its proposed subpoena (see ECF No. 18-1 at 4-7 (redacted)) on GitHub. Neither Uber nor GitHub is required to give Doe notice of the subpoena or that GitHub is producing personally identifying information. The court grants Uber's motion to serve its proposed subpoena (see ECF No. 16-1 at 4-7 (redacted)) on Comcast. Under 47 U.S.C. § 551(c)(2)(B), and consistent with the court's usual practice, the Comcast subpoena (but not the GitHub subpoena) is subject to the following directions:
1. Uber may immediately serve the proposed subpoena on GitHub. The subpoena shall have a copy of this order attached. To the extent that producing the information sought is burdensome, the parties must meet and confer and comply with the discovery procedures in the court's standing order.
2. GitHub will have five business days from the date that the subpoena is served upon it to serve John Doe I with a copy of the subpoena and a copy of this order. GitHub may serve John Doe I using any reasonable means, including written notice sent to his or her last known address, transmitted either by first-class mail or via overnight service.
3. John Doe I shall have 30 days from the date of service upon him or her to file any motions in this court contesting the subpoena (including a motion to quash or modify the subpoena). If that 30-day period lapses without John Doe I contesting the subpoena, GitHub shall have 10 days to produce the information responsive to the subpoena to Uber.
4. GitHub shall preserve any subpoenaed information pending the resolution of any timely motion to quash.
5. GitHub must confer with Uber and must not assess any charge in advance of providing the information requested in the subpoena. If GitHub elects to charge for the costs of production, it must provide a billing summary and cost reports that serve as a basis for such billing summary and any costs claimed by GitHub.
6. Uber may use the subpoenaed information only in connection with its instant claims under the federal Computer Fraud and Abuse Act, and the California Comprehensive Computer Data Access and Fraud Act — as that use has been clarified by this order.
This disposes of ECF Nos. 16, 17, 18, and 19.