Editor’s Note: Sara is the newest member of the powerful TCPAWorld team. Licensed in three states and with a decade of complex litigation experience under her belt our new Marcioness is really an incredible addition. We’re happy to have her.
I have to warn you, what you’re about to read is pretty disturbing. It’s a story of a plaintiff’s lawyer trolling around websites and deploying technology to net new clients and obtain sensitive (but public) information from a targeted company in order to handsomely line his own pockets with a series of massive suits. And, in the end, the court lets the lawyer get away with it.
This is the twisted story of the Dawson case decided earlier this week. See Dawson v. Porch.com, Inc., Cause No. 2:20-cv-00604, 2021 U.S. Dist. LEXIS 155139 (W.D. Wash. Aug. 17, 2021).
So, in Dawson, there’s this plaintiff’s lawyer. Pretty clever guy. Good with technology.
In early 2019, this plaintiff’s lawyer develops an app that allows consumers to report spam messages directly to his law firm so that they can launch an investigation or a lawsuit. Pretty crafty way of discovering TCPA claims, amirite?
Through this app he receives complaints about a company called GoSmith. Evidently, GoSmith is sending hundreds of spam text messages to promote its platform. So the lawyer investigates. His investigation includes creating a fake account on GoSmith’s website and tinkering with URL addresses to access the accounts of other members online—that is, not the same folks who had initially complained to our plaintiff’s lawyer.
Apparently these URLs were sequentially named and therefore allowed access to other user accounts with the simple sequential modification of a part of the URL address. None of these accounts were password protected, no sign-in or authentication was required, and the users (as well as our not-so-friendly plaintiff’s attorney) could use the URL links to go directly into GoSmith’s website and any other user’s profile page without having an account.
And here is where it gets really interesting.
Next, the clever lawyer uses the data he ripped from the users’ profiles to create targeted social media campaigns to solicit plaintiffs for his lawsuit. Hundreds of individuals respond to the ads. He then files multiple suits against GoSmith (and Porch.com, GoSmith’s successor company) in various jurisdictions, seeking $10 billion in damages.
Pinky to the lips and all that.
Introducing: TCPAWorld’s very own little Dr. Evil.
Let’s pause for a moment and admire Dr. Evil’s handiwork here. This guy has turned the defendant’s own website against it using the publicly-available information he discovered on the site. He then uses this same data to not only serve as evidence of his eventual clients’ claims but also to solicit even more would-be clients to join the suit. Wow.
Porch was, understandably, disturbed by these events and moved to dismiss the case arguing, among other things, that “Dr. Evil”’s conduct—for clarity’s sake, that is not his real name— was sanctionable misconduct of the highest order.
The Court, however, disagreed. In fact, the Court had no trouble with plaintiff’s counsel filing a number of little individual suits instead of one class action. The court also had no issue with plaintiff’s capture of GoSmith profiles. After all, the profiles had been accessed through the links that were sent to some of counsel’s clients; there was no evidence of reverse engineering or hacking or breaking and entering. It was all right there for the taking (more on that in a second).
Only one thing in this story—the lawyer’s creation of a fake account—seemed to bother the Court. But since the creation of that account was wholly unrelated to the merits of the class action, sanctions were not appropriate.
Ultimately, the Court found that it was “not prepared” to accept Porch’s argument that the texts were totally legal under the TCPA because they weren’t automated. For the Court, it was enough that plaintiffs’ claims did not appear to be wholly frivolous.
So there you have it. The Court rules no sanctions were appropriate against our crafty plaintiff’s lawyer. Not only that, “Dr. Evil”—still not his real name—gets to keep all the data he took from defendants, and he gets to keep his lawsuit. At least for now.
That is, his suit for TEN BILLION DOLLARS. Mwahahaha.
Seriously though, and all kidding aside, there is a pretty critical lesson here. First and foremost, make sure your website does not contain a bunch of publicly-available profiles and other data elements that permit reverse-engineering of number source and consent/arbitration status of users. That might seem obvious but… at least in this case, it was not.
From a certain perspective, Dawson is more a cautionary tale about data security and website access. Had GoSmith had better protections in place this never would have happened.
But from another—more TCPAWorld applicable—perspective, Dawson demonstrates just how high the stakes are out there. Porch’s CEO and other officers are named PERSONALLY in this suit—meaning that “Dr. Evil” isn’t just seeking billions from Porch, he is looking to clean out their personal lockers as well. And the dollars here are so incredibly high that plaintiff’s lawyers are willing to invest months/years of work and investment into these cases using extraordinarily sophisticated techniques to net themselves a big win.
As the Czar said the other day, there are monsters in these woods.
We’ll keep an eye on this story.