Two federal courts have issued important rulings scaling back the use of the Computer Fraud & Abuse Act (“CFAA”), 18 U.S.C. 1030, et seq., for alleged violations of online agreements. These decisions are noteworthy in the trade secret area because employers and businesses have used the CFAA when they believe that a former employee or competitor has improperly accessed their electronic records. In the first decision, EarthCam, Inc. v. OxBlue Corp., et al., 2017 WL 3188453 (11th Cir. Aug. 1, 2017), the U.S. Court of Appeals for the Eleventh Circuit rejected a claim that a competitor’s access of a customer account violated the CFAA (a link to the opinion can be found here). And in the second, hiQ Laboratories, Inc. v. LinkedIn Corp., Case No. 3:17-cv-03301 (EMC) (N.D. California Aug. 14, 2017), Judge Edward Chen of the U.S. District Court for the Northern District of California found that a violation of LinkedIn’s online terms and conditions did not support a CFAA claim. (A link to the opinion can be found here). Judge Chen’s opinion is particularly noteworthy because it appears to depart from some of the reasoning of a recent decision by the U.S. Court of Appeals for the Ninth Circuit that allowed Facebook to invoke the CFAA. As explained below, these rulings may signal a growing judicial reluctance to allow the CFAA to be used to limit otherwise publicly-available information.
A Primer on the CFAA: As readers of this blog know, prior to the Defend Trade Secrets Act’s enactment, employers who wanted a federal forum for their trade secrets claims used the CFAA as a jurisdictional proxy. By claiming that the former employee exceeded his/her authorized access or accessed information without authorization–a critical element of a CFAA claim–an employer could claim that an employee’s violations of a computer use policy or agreement qualified as a violation of the CFAA. While several Federal Circuits found these types of claims were permissible under the CFAA, others, including most notably the Ninth Circuit in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), and the Fourth Circuit in WEC Carolina Energy Solutions v. Miller, 687 F.3d 199 (4th Cir. 2012), rejected the use of the CFAA for these types of claims; since those rulings, the trend by federal district courts has been to reject CFAA claims proceeding under this theory. However, companies have attempted to use the CFAA for other purposes, such as policing violations of their online agreements, a practice that was effectively sanctioned by the U.S. Court of Appeals for the Ninth Circuit in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016).
The CFAA, which was enacted in 1986 and has been amended multiple times, has been severely criticized by many commentators as being outdated. (For further background, I would recommend anything written by George Washington’s Professor Orin Kerr who has established himself as the preeminent CFAA authority and written some of the best analysis and criticism of the CFAA). In 2013, the CFAA was the subject of withering criticism when the U.S. Attorney for Massachusetts used it to prosecute Internet activist Aaron Swartz for hacking into MIT and JSTOR’s databases and attempting to download 4.8 million academic documents. Swartz committed suicide after a plea deal fell through.
EarthCam v. OxBlue: Let’s start with the Eleventh Circuit’s decision in EarthCam, Inc. (A hat tip to Malone Allen of Berman Fink Van Horn for being the first to write about this case). This trade secret dispute did not fit the typical pattern of “an employee who took trade secrets from his/her employer” dispute. Rather, a marketer of web-based camera systems, EarthCam, sued one of its competitors, OxBlue, and several of OxBlue’s employees, alleging they had used an EarthCam customer’s username and password to access that customer’s EarthCam account and take screenshots of EarthCam’s webpage and user interface. EarthCam argued that it required its customers to enter into an End User License Agreement (commonly known as an “EULA”) that it claimed prohibited the unauthorized access, display, and copying of EarthCam’s information. EarthCam further argued that because OxBlue was not a party to the EULA, its use of the username and password and access of the account was not authorized and therefore actionable under the CFAA.
In what proved to be an important fact to the Eleventh Circuit, EarthCam’s EULA did not explicitly prohibit its customers from sharing their login credentials with a third party. Although EarthCam was able to show that OxBlue was aware of the terms through other parties’ EULAs, EarthCam was unable to present any evidence that OxBlue was aware of the actual terms of EarthCam’s EULA when it accessed the customer’s account. In addition, although it was not identified as a ground for dismissal, OxBlue contended—and EarthCam did not dispute—that “the information that it gathered was regularly made public by EarthCam, often for marketing purposes.” The district court ultimately granted summary judgment on the CFAA claim, reasoning that the customer’s EULA did not specifically forbid OxBlue from accessing the account.
On appeal, the Eleventh Circuit affirmed, relying primarily on two undisputed facts. First, EarthCam’s EULA did not prohibit its customers from sharing their login credentials with third parties; second, because the EULA was not presented to the user at the time of each log in, it could not be shown that OxBlue was aware of the terms of the EULA when it accessed its customer’s EarthCam account. Interestingly, the Eleventh Circuit rejected EarthCam’s request that the court should infer that OxBlue was familiar with the terms of the EULA because OxBlue personnel had accessed the website multiple times for other parties during the same time period and had viewed and accepted those EULA restrictions during those visits. In other words, it turned a blind eye to the fact that OxBlue was very likely familiar with the EULA that governed the customer relationship at issue.
hiQ v. LinkedIn: hiQ is what is known as a data scraper, a company which harvests publicly-available websites for data that it then provides to potential customers. hiQ’s business involved providing information to businesses about their workforces based on information from LinkedIn users’ publicly available profiles. Earlier this year, LinkedIn demanded that hiQ immediately stop using software to scrape data from LinkedIn’s public profiles. LinkedIn claimed hiQ was violating the terms of its User Agreement with LinkedIn, which prohibited various methods of data collection from LinkedIn’s website, and that any further effort to access that information in the future would be without LinkedIn’s permission and authorization. After LinkedIn said it would implement technical measures to block hiQ from accessing LinkedIn’s site, hiQ filed a lawsuit and requested an injunction to prohibit LinkedIn from blocking hiQ from scraping LinkedIn’s site.
hiQ’s biggest obstacle was overcoming the Ninth Circuit’s recent decision in Facebook, Inc. v. Power Ventures. In that case (which Power Ventures is now attempting to appeal to the U.S. Supreme Court), the Ninth Circuit held that “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly.” Power Ventures had circumvented IP barriers put up by Facebook after having been told by Facebook that it was forbidden from accessing password-protected Facebook member profiles. However, Judge Chen found that the case was distinguishable because unlike the data in that case, hiQ was seeking to access and use public data. Judge Chen looked to the historical context of the CFAA and the Congressional intent behind its enactment, which he emphasized was intended to address hacking or trespass onto private, often password-protected mainframe computers. Noting that the Internet did not exist in 1984, and that Congress could not have possibly intended to police traffic to publicly available websites on the Internet, Judge Chen was troubled by the use of the CFAA to forbid the review of publicly-available information.
At the end of the day, Judge Chen’s biggest concern was the impact on the flow and availability of information over the Internet that might follow if he adopted LinkedIn’s position. For that reason, he relied on the analogy that Orin Kerr has espoused, that trespass laws are the key for understanding the appropriate scope of the terms “without authorization” that have so bedeviled other federal courts. It also bears mentioning that, since this was a request for an injunction, the issue of irreparable injury figured prominently in this decision. hiQ’s claim that it would go out of business if the injunction was not granted clearly presented Judge Chen with another good reason for granting the injunction until the complex issues presented by this case could be further developed.
Takeaways: Both holdings are rooted in findings that the information was publicly available. Indeed, in the hiQ v. LinkedIn opinion, that very fact allowed the court to sidestep a precedential and binding holding from the Ninth Circuit; it also heavily influenced Judge Chen, as he embraced the analogy that the Web should be viewed as “inherently open” and once information is made available to the public, it should not be restricted or conditioned by online terms not subject to negotiation. Similarly, although it was not emphasized in its reasoning in the EarthCam decision, the Eleventh Circuit noted that it was undisputed that the information that was accessed was regularly made public. There is another unspoken undercurrent to both of these decisions: to the extent that online information is publicly-available, it cannot be proprietary, and therefore, by extension, should not be the subject of a federal claim that seeks to limit access to that information.
And don’t underestimate the antipathy that courts may feel towards these “take it or leave it” online agreements. The EarthCam ruling made clear that any ambiguities or technicalities in those online agreements would be effectively construed against the website provider. Consequently, to the extent that an internet service provider wants to enforce its terms in the future, it would be wise to review those provisions for any potential loopholes or problems.