Late last year, Chegg Inc. (“Chegg”), an online learning platform, obtained a preliminary injunction based on allegations that the various operators of the Homeworkify website (“Defendants”) – which allows users to view Chegg’s paywalled solutions without creating an account – violated the Computer Fraud and Abuse Act (CFAA). (Chegg Inc. v. Doe, No. 22-07326 (N.D. Cal. Nov. 7, 2023)). In addition to finding a likelihood of success on relatively novel CFAA claims (at least for a scraping dispute) that involved alleged stolen user credentials and a retaliatory denial-of-service (DDos) attack, the court granted Chegg’s request to transfer the Defendants’ Homeworkify domain to Chegg for a limited time to prevent what the court called Defendants’ “continued harmful conduct.”
The case has taken a new turn. Just days after the court’s November 7th preliminary injunction Chegg apparently discovered that Homeworkify.eu had changed its domain to Homeworkify.st in an effort to frustrate enforcement. As a result, Chegg went back to court in December to seek additional relief. As related in the court’s Case Management Statement, Chegg anticipates that it needs to amend the scope of relief granted as part of the initial injunction to cover all new domains and the relevant registrars. On January 2, 2024, the court granted Chegg’s motion to file an ex parte application for a TRO and preliminary injunction under seal, to “maintain the status quo” and presumably to obtain further relief against the Defendants’ alleged evasive domain name maneuvers. A hearing on further relief is scheduled for February 9, 2024.
The Background
Chegg’s platform provides students with solutions to problems in commonly used textbooks, allowing users to access Chegg’s library of millions of proprietary solutions to homework and study questions. Before viewing these materials, users must create an account, agree to Chegg’s terms of use, and, after a free trial period, pay a subscription fee to see Chegg’s solutions. Chegg alleged that beginning in summer 2022, Defendants created free trial accounts on Chegg and then scraped a large amount of Chegg solutions; it also claimed that Defendants used stolen credentials (e.g., credentials leaked from a prior data breach) to log in to subscriber accounts and access Chegg.com without authorization. Chegg alleges that Defendants posted the “stolen” proprietary content on the Homeworkify website, where students could “view the answers” without the need to pay for a Chegg subscription. Chegg also alleged that Defendants continued to “use bots to scrape Chegg’s content” even after Chegg sent a cease-and-desist letter to Homeworkify. Moreover, according to the complaint, when Chegg tried to stop Defendants from taking its content, Defendants retaliated with a cyberattack that caused an outage on Chegg.com.
Litigation
On November 18, 2022, Chegg brought an action against the Defendants, advancing, among other claims, a CFAA claim (and similar claims under the California computer trespass law), breach of contract and the Lanham Act. (Note: This post focuses on the CFAA claims and as the basis of Chegg’s injunction). The Defendants have not answered the complaint or appeared in the action; though according to Chegg’s filings, at least one of Homeworkify’s operators appears to reside in India and Chegg has since received court authorization to serve process upon him via email. In July 2023, Chegg unsuccessfully sought an injunction ordering Homeworkify’s domain registry to seize its registered domain name and transfer it to Chegg. A California district court denied Chegg’s request, finding that Chegg did not establish a likelihood of success on its CFAA claims.
Following this setback, Chegg amended its complaint and submitted a more developed factual record. It also presented a renewed motion for a preliminary injunction barring Defendant from scraping its site and operating the Homeworkify and related sites and requiring that Homeworkify’s hosting providers seize its domains and transfer them to Chegg. On the renewed motion, On November 7, 2023, the district court found that Chegg did demonstrate a likelihood of success on the merits of its CFAA claim based on allegations that Defendants used stolen credentials to log in to subscriber accounts and that Homeworkify was likely behind the denial-of-service attack Chegg experienced.
As part of its decision on the renewed motion, the court found that, based on the circumstances of this case, the Defendants would likely ignore a domestic court order. The court thus granted Chegg’s request that the court order the third-party domain registries and registrars responsible for maintaining Homeworkify’s domains to transfer those domains to Chegg for 30 days. According to the court, such a remedy would “prevent Defendants from being able to access the Homeworkify sites, and will give Chegg the opportunity to analyze the sites’ traffic and identify the vectors from which the stolen property is being directed to the websites.”
And so here we are…
In many legal disputes in the online world, enforcement can raise unique legal issues. It will be interesting to see whether in this case, with a motivated plaintiff and creative defendants, the plaintiff – Chegg – is able to obtain the full scope of relief that it seeks.