Video Game Streaming Giant Sues Hackers

Aug 28, 2020

By Jack Igoe, Michigan Law 3L
 
On May 25, 2019, a group of individuals launched a coordinated digital attack on Twitch Interactive Inc., Amazon’s newly-acquired video game streaming giant. According to a legal complaint filed by Twitch, the hackers flooded Twitch’s platform with prohibited content including “a video of the March 2019 Christchurch mosque attack, hard core pornography, copyrighted movies and television shows, and racist and misogynistic videos.” Hackers evaded Twitch’s protective measures by using automated computer programs to create new accounts — commonly referred to as bots. Eventually, Twitch temporarily suspended its streaming option for new users and required two-factor authentication for certain accounts.
 
On June 14, 2019, Twitch filed a lawsuit in the Northern District of California against several anonymous defendants alleging four causes of action: one federal trademark infringement claim and three California common law claims. Twitch Interactive, Inc. v. John & Jane Does 1-100, No. 19-3418 (N.D. Cal. June 14, 2019).
 
First, Twitch alleged that the defendants infringed on Twitch’s trademarks by displaying Twitch’s signature marks on websites and Twitter accounts used to coordinate the attack. Second, Twitch alleged that the defendants breached their contract with the streaming service by violating several of the terms and conditions that all users agree to follow, which prohibit users from posting prohibited content and creating fraudulent accounts, among other things. Third, Twitch alleged that the defendants intentionally exceeded the permissible use of the platform, thereby “trespassing” on Twitch’s digital property. Finally, Twitch alleged that defendants committed fraud by agreeing to terms and conditions that they had no intention of following and by disguising their identities during the attack.
 
Despite the publicity of the attack, the identities of the alleged violators largely remain a mystery. In today’s digital era, deciphering a user’s identity can be a time-consuming, sometimes futile process depending on the user’s efforts to remain anonymous. As is clear from Twitch’s case, this extra layer of anonymity adds several litigation considerations that simply do not exist otherwise, namely identifying the defendants before filing suit. In other words, you can’t sue whom you can’t see. Ever since Twitch filed its complaint, its primary goal has been uncovering the identity of the anonymous hackers. Immediately following the May 2019 attack, Twitch launched an internal investigation. The investigation isolated thousands of suspicious IP addresses by examining user activity during the attack. Although useful, IP addresses do not contain identities. Instead, each address provides general information such as the user’s internet service provider.
 
With this information, Twitch applied for several third-party subpoenas. Over the course of several months, Twitch issued subpoenas to Verizon, Comcast, Optimum, Google, Microsoft, and Twitter, among others. These subpoenas sought records related to the several IP addresses uncovered by Twitch’s internal investigation. Although the IP addresses themselves may not contain identifying information, the internet service providers’ records associated with those same IP addresses do.
 
These third-party subpoenas allowed Twitch to identify several of the previously unknown parties. In its amended complaint filed on May 13, 2020, Twitch named Mason Apodaca as an individual defendant alongside the other still-anonymous defendants. Twitch uncovered Mr. Apodaca’s identity by cross-referencing publicly available data and subpoena returns from Mr. Apodaca’s internet service provider.
 
Twitch also identified — and settled with — four individuals between December 2019 and March 2020. Although unclear due to negotiated confidentiality agreements, these users’ identities likely were uncovered in the same manner that Twitch identified Mr. Apodaca. As of this writing, Twitch received an extension on its deadline to serve any possible defendants, giving it until Aug. 25, 2020, to do so.
 
Twitch’s case highlights several concerns for digitally-based entertainment providers. Whereas most plaintiffs have no issue identifying their adversaries before going to court, the same is not true for digital entertainment providers like Twitch. This opaqueness makes it harder for businesses to decide whether to file suit, as uncovering the identity of anonymous users has the potential to significantly delay the proceeding and makes litigation more expensive and recovery less certain from the outset. In most cases, a plaintiff cannot recover a judgment against the defendant without first serving him or her with a complaint. Thus, when potential defendants remain anonymous, the plaintiff cannot recover at all, let alone assess the likelihood of meaningful recovery. Even in cases that do not result in a trial, the amount of legwork required to arrive at a settlement is still significantly heightened due to these same procedural limitations.
 
Given these heightened costs, businesses like Twitch may turn to other avenues of relief. Extra-judicial approaches such as permanently blocking user accounts or removing content may become more popular. However, as Twitch’s case demonstrates, these extra-judicial forms of relief may be inadequate in the face of evolving forms of attack whereby a relatively small number of users can rely on highly-coordinated, automated attacks to evade protective measures.
 
In any event, the digital realm raises significant litigation considerations largely absent from other forms of in-person entertainment. Digital providers must undertake relatively unclear calculations before committing to a formal response. This will force businesses to be deliberate in their litigation decisions, perhaps saving their time and money for cases that have increased signaling significance, more certain recovery, or both.
 
(Editor’s Note: This article also appears in Esports and the Law)


 

Articles in Current Issue