An email abortion fund supporters received after a cyber attack.
An email abortion fund supporters received after a cyberattack. courtesy of the cair project, 2016

A federal law known as the FACE Act outlaws forcibly interfering with someone walking into an abortion clinic. But what if that interference happens online?

A new lawsuit alleges that when a cyberattacker targeted a national abortion group in 2016, they violated not only computer fraud laws but also the Freedom of Access to Clinic Entrances (or FACE) Act.

The attack affected not only national abortion funds, but Washington and Oregon’s abortion fund too. The National Network of Abortion Funds (NNAF) and local abortion funds around the country help people pay for abortions.

In April 2016, as the NNAF was preparing for its annual bowl-a-thon fundraiser, it was hit with a cyberattack. The group's supporters received racist and anti-choice emails and the NNAF donation site received a flood of fake donations. The attack forced the national group to shut down its fundraising site. Here in Washington, the CAIR Project, which covered Washington, Idaho, and Alaska, saw a significant hit to donations when the site went down. At the time, the bowl-a-thon made up 40 percent of the CAIR Project’s annual budget. The CAIR Project has since merged with Oregon’s fund to form the Northwest Abortion Access Fund (NWAAF). The NWAAF is now plaintiff on the cyberattack lawsuit.

The complaint alleges that the cyberattack directly affected the services abortion funds provide. “By ransacking the single-most important abortion fundraiser of the year, Defendant(s) took away the ability to access abortions from the persons most in need of help,” the complaint says.

The complaint names 15 John Does, most of them not identified. John Doe #1, however, was “primarily responsible.” The complaint alleges Joe Doe #1 is Matthew James Davis, a “religious anti-abortion activist with a background in technology and coding” believed to live in Florida. Davis allegedly owned a since-deleted Twitter account, @matthewjames. Davis did not return a request for comment.

According to the complaint, Davis set up a sham donation form that appeared on the NNAF’s website and was able to use that form to steal the names and contact information of thousands of bowl-a-thon participants and donors as well as 435 credit card numbers. He also allegedly sent racist and anti-choice emails to people who had registered for the bowl-a-thon event.

The complaint outlines the way the chaos unfolded over several days.

According to the complaint, NNAF used a company called Blue Sky Collaborative, which provides online fundraising applications for charities. In early April, someone put “malicious code” in that fundraising application.

Soon, suspicious comments began showing up on the NNAF’s registration page for the bowl-a-thon and someone registered fundraising accounts with names like “adolph hitler”, “Adolph,” and “hitler” [sic].

“The next day the Bowl-a-Thon website began to display the receipt of absurdly large offline donations from registered participant accounts,” the complaint says. “For instance, one of these donations, from user qwerty, was for $999,999,999.00.”

Soon, the @matthewjames Twitter account sent tweets congratulating NNAF on “passing the $830 trillion mark… you’re gunna [sic] make little boys and girls a complete thing of the past!” according to the complaint.

The NNAF site then received $66 billion in fake donations, including some from “Adolph [sic] Hitler,” over several hours. That caused the site to crash, according to the complaint.

Some people who had registered for the bowl-a-thon then received an email from “Adolph Hitler.”

“I believe that the Aryan race is the Master Race; the purest human genetic strain currently available,” the email said, according to the complaint. “Consequently, it tickles me to fund abortions for the lower races, such as the Negroes and the Jews. There is no longer any need to send these parasites to my concentration camps – they willingly slaughter their own young if given enough money to afford the ope [sic] I am indebted to feminism and this new opportunity it has provided to cleanse our future generations. Keep it up, NNAF!”

Some registrants also received an email with a picture of a fetus that said, “I hope I grow up big enough to go bowling someday.”

The interruption to fundraising, offensive emails to the group’s supporters, and security breach meant “efforts and resources were redirected from fundraising to crisis management,” the complaint says. National and local abortion funds “scrambled to find alternate means of accepting donations, acted to protect their donor’s private information, took preventive measures, and triaged their own reputational fallout from being victimized by an attack of this nature.”

Rebounding from the attack took months of work and “had profound and harmful effects” on the relationship between the national fund that organizes the fundraising event and the local funds that depend on the event for big shares of their budgets. In total, the attack cost NNAF $252,000 in legal and security costs, according to the complaint. The complaint says the Northwest Abortion Access Fund saw lower fundraising than in past years due to the attack and seven NWAAF donors had their credit card information stolen.

All of this violates the Computer Fraud and Abuse Act and the FACE Act relating to access to reproductive health services, the complaint alleges.

Because the FACE Act defines reproductive health services to include counseling and referrals, the case argues the abortion funds are covered by that law.

The “hacking and phishing” and “creation and distribution of racist and violent imagery” interfered with the funds’ ability to provide services, the complaint says.

Carrie Goldberg, who is representing the abortion funds, told CNN the FACE Act has not been applied to a hacking case before.

The suit was filed in U.S. District Court in Massachusetts and seeks a jury trial.