CFAA

Massachusetts Federal Judge Applies the CFAA Narrowly in AMD v. Feldstein

July 31, 2013

This week’s internal report by MIT on its handling of the Aaron Swartz case may be an appropriate time to note that the sound and fury over the Computer Fraud and Abuse Act (the “CFAA”) is not limited to its use in criminal cases like the Swartz prosecution. The controversy extends to the use of this law in civil cases as well.* *The CFAA may be used as either a civil or a criminal law. However, the words of the statute must mean the same thing in each context. As the court noted in the case discussed in this post, “it is not possible to define authorization narrowly for some CFAA violations and broadly for others.” In my July 2nd post on AMD v. Feldstein I noted that the case had given rise to two note-worthy decisions.  The May 15, 2013 decision, discussed in that post, involved the legalities of the former-AMD employees’ alleged solicitation of current AMD employees in violation of  non-solicitation agreements. However, Massachusetts Federal District Court Judge Timothy Hillman issued a second opinion in the case on June 10, 2013, ruling on the defendant-employees’ motion to dismiss  claims of civil liability under the CFAA. Judge Hillman’s June 10th opinion reflects the struggle within the federal courts nationally over how to apply the CFAA.  The controversy focuses on the section of the law that imposes criminal and civil penalties on –…

Read the full article →

California Court Refuses to Dismiss Craiglist’s Data Scraping Case Against 3Taps

May 1, 2013

Yet another “data scraping” case is percolating in the Northern District of  California. Craigslist has sued the online aggregator 3Taps, Inc. (and others), claiming that they illegally copied Craigslist’s classified apartment listings. In effect, 3Taps was attempting to disintermediate Craigslist—to insert itself between Craigslist and its users. 3Taps filed a motion to dismiss the multiple claims asserted in the suit, most of which was denied in the decision linked below. Of particular interest is the court’s refusal to dismiss Craigslist’s claim that 3Taps violated the Computer Fraud and Abuse Act (CFAA), a controversial federal “anti-hacker” statute that has been interpreted in conflicting ways by the federal courts (see an earlier post on this topic here), and which was the law Aaron Schwartz was accused of violating (contributing, many believe, to his suicide earlier this year). The CFAA permits a civil cause of action against any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(c).  Craigslist has alleged that 3Taps’ use of Craigslist’s listings violated a cease and desist letter Craigslist sent to 3Tap prohibiting it from republishing the listings. The court found that 3Taps’ continued use was a potential violation of the CFAA as the Ninth Circuit has interpreted that statute, and denied 3Taps’ motion to dismiss that claim. This ruling is consistent with…

Read the full article →

Sloppy Online Agreements Costs Plaintiff Its Breach of Contract and CFAA Claims

November 16, 2012

Last month I wrote a post titled “Online Agreements – Easy To Get Right, Easy To Get Wrong.” In that post I discussed two cases in which the plaintiff had failed to take appropriate steps to necessary to impose terms and conditions on its customers. A recent case decided by the federal district court for the District of Pennsylvania provides yet another example of how sloppy online contracting can doom a claim based on an online agreement. The case,  CollegeSource, Inc. v. AcademyOne, Inc., (E.D. Pa. October 25, 2012), involves the practice colloquially referred to as “screen scraping” — that is, copying information from displayed webpages, usually in large quantities for commercial use. See, e.g., Ef Cultural Travel Bv v. Explorica , 274 F.3d 577 (1st Cir. 2001) (describing screen scraping). It’s easy — legally and technically — to prevent this by prohibiting it in the site’s online terms and conditions. Doing so allows the site owner to assert not only state-law breach of contract, but the potentially more advantageous federal Computer Fraud and Abuse Act (“CFAA”). However, the site user must agree to the terms and conditions. Unfortunately for CollegeSource, it didn’t get this quite right. Specifically, CollegeSource offered three services.  Two of the services required that the user accept a “browsewrap” subscription agreement that expressly prohibited scraping (“you agree not to . . . scrape or display data from the Content for use…

Read the full article →

Fourth Circuit Weighes in on Computer Fraud and Abuse Act, Sides With Ninth Circuit

August 3, 2012

Yet another federal appeals court has attempted to parse the Computer Fraud and Abuse Act’s (“CFAA”) ambiguous statutory language.  The issue, on which the federal courts cannot agree, is whether an employee who has authorized access to a computer, but uses that access for an illegal purpose — typically to take confidential information in anticipation of resigning to start a competing company or join one — violates the CFAA. The controversy is focused on the words “without authorization” and “exceeds authorized access” in the law: [Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value … shall be punished. 18 U.S.C. § 1030(a)(4). Late last year, in a widely noted decision, the 9th Circuit adopted the “narrow” view of the CFAA, holding the law does not extend to an employee who has authorized access but uses that access to make unauthorized use. U.S. v. Nosal (en banc). In late July the Fourth Circuit issued a decision in WEC Carolina Energy Solutions v. Miller, agreeing with Nosal and holding that conduct by an employee that violates the employer’s “use policy” (typically contained in an employee manual, handbook or “computer use policy”) does not give rise to a violation of the CFAA.  As Fourth Circuit stated, “we reject an interpretation of the CFAA that imposes liability…

Read the full article →

Slides From Copyright/Trademark CLE

April 27, 2012

I’ve posted the slides from a CLE talk I gave on Wednesday, April 25th.  Hopefully, the  slides are informative standing alone.  They address the very recent DMCA decisions by the 9th Circuit (Veoh) and 2nd Circuit (Youtube), the copyright “first sale” doctrine as applied to digital files in the Redigi case pending in SDNY, and recent trademark “keyword advertising” cases decided in the 4th and 9th Circuits (Rosetta Stone in the 4th Circuit, Network Automation and Louis Vuitton in the 9th).  There are also some slides devoted to the CFAA, including the 9th Circuit’s en banc decision in the Nosal case. If the embedded Scribd document doesn’t appear on your computer directly below, click here to go directly to Scribd Copyright and Trademark Issues on the Internet

Read the full article →

Runescape Copyright and CFAA Case Fails at Preliminary Injunction Stage, But Runescape is Not Down for the Count: Jagex v. Impulse Software

September 25, 2010

A decision in Jagex v. Impulse Software, issued by Massachusetts U.S. District Court Judge Gorton in August, has some interesting (albeit not nonobvious) lessons for software developers seeking to protect their websites from copying or reverse engineering.  The decision arises in the context of a preliminary injunction – a request by Jagex to provide it with legal relief at the outset of the case, before discovery or trial – so Jagex may yet prevail in this case, particularly since most of the reasons the court denied it relief that this stage can be corrected before the case progresses much further. The plaintiff, Jagex operates an online role-playing game called “Runescape.”  Runescape is a “massively multiplayer online role-playing game” (MMORPG for short, but we’ll just call it “the game”). Impulse offers online cheat tools – software that lets users advance through the levels of the game without actually playing the game.  Moving to higher and more challenging levels is the goal of the game, and the Impulse software allows users to reach those hallowed grounds without investing the time and effort the game expects users to endure.  And, it is possible to invest a great deal of time and effort with this game – Judge Gorton noted that the top three Runescape players averaged about 20,000 hours of playing time.

Read the full article →

Cyberbullying, Website Terms of Use and the CFAA: the Lori Drew Case

December 12, 2008

Suffice it to say, very few people realize that violating the “terms of use”  (aka the small print that no one reads) on a web site may constitute violation of a federal law that has both criminal and civil penalties.  Yet, this was the basis for the prosecution of Lori Drew,  the woman who allegedly created a MySpace account under the name of “Josh Evans.”   Using this account, Drew developed an online relationship with Megan Meier, a 13-year-old girl.  “Josh Evans” said hurtful things to Megan, who took her own life. Pamela Jones lays out the legal issues in this case on Groklaw, here, where she links to many key documents, and embeds the EFF’s amicus brief, in its entirety. I was trying to figure out how to explain to you all that is involved in the case of the U.S. v. Lori Drew, the cyberbullying case that so many lawyers are expressing concerns about. I felt I needed a lawyer to explain it, but where would I find one who felt like doing some unpaid work, and over the Thanksgiving holiday to boot? Then I had a brainstorm. I could show you the amicus brief [PDF] submitted in the case by the Electronic Frontier Foundation, the Center for Democracy and Technology, and Public Citizen, which was also signed by “14 individual faculty members listed in Appendix A who research,…

Read the full article →