Appeals Court Says Accessing Data In A Way The Host Doesn't Like Doesn't Violate Computer Crime Laws
from the if-access-is-still-permitted,-the-access-process-is-irrelevant dept
The Ninth Circuit Court of Appeals has ruled [PDF] that accessing publicly-accessible info in a way the hosting entity has said isn’t permissible isn’t a violation of the law. In this case, it’s a couple of laws, since Oracle’s bid to shut down a competitor involves two different states and two different computer crime laws.
Oracle sued Rimini Street alleging a bunch of computer law-related violations after it continued to harvest data without Oracle’s explicit permission. The EFF, which filed a brief in this case backing Rimini Street, breaks down the details of the alleged violation.
Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright.
After ceasing/desisting for about a year, Rimini went back to automated downloading, allowing it to provide faster service for its customers. Oracle’s decision to continue to grant access to Rimini Street is what ultimately undoes its case. It tried to use two different states’ laws (Nevada and California) to force Rimini to go back to the old, slow, “permissible” downloading protocol. A jury found Rimini in violation of these laws, but the Appeals Court does not agree.
We hold that taking data using a method prohibited by the applicable terms of use, when the taking itself generally is permitted, does not violate the CDAFA. Because the same reasoning applies to the NCCL claim, we reverse the judgment as to both claims.
Oracle obviously disapproved of the method— automated downloading—by which Rimini took Oracle’s proprietary information. But the key to the state statutes is whether Rimini was authorized in the first instance to take and use the information that it downloaded.
That strikes down the violations alleged. It still leaves Oracle with a substantial award on its copyright infringement claims, but it will “only” end up with $22 million in damages instead of the $27 million awarded by the lower court.
This is a good decision that protects automated access of publicly-available information. Plenty of useful web/data tools rely on automation. Allowing companies to undercut competition and discourage innovation with bad applications of worse laws isn’t the answer. With very little legislative movement towards rewriting bad laws like the CFAA, it’s up to the courts to sort out these conflicts. In the meantime, companies like Oracle will continue to try to thwart competitors with lawsuits and criminal charges, rather than with better products and service.
Filed Under: 9th circuit, cfaa, copyright, data, scraping
Companies: oracle, rimini street
Comments on “Appeals Court Says Accessing Data In A Way The Host Doesn't Like Doesn't Violate Computer Crime Laws”
What was Aaron Swartz hounded to death for, again?
Her is a court basically saying his prosecution was illegal.
Re: Aaron Swartz
His case was slightly different because the data he downloaded was not available for the general public for free.
Re: Re: Aaron Swartz
I suspect if he didn’t kill himself the verdict would be similar. Not a CFAA violation.
Re: Re: Aaron Swartz
It wasn’t available for free, but he was authorized to access it at the time, just not using the method he chose. Nice strawman you were trying to build there.
Re: Re: Aaron Swartz
But he wasn’t a member of ‘the general public’ when he was using automation to download the files.
Re: Re: Re: Aaron Swartz
Mr. Swartz did have legal access, just as Rimini had.
The ruling specifically concerns itself with content you have access to but downloading in a different way than proscribed.
Re: Re: Aaron Swartz
You seem to have misread Swartz’s case — what he downloaded absolutely WAS publicly available for free, he just wrote a program that automated a tedious manual job.
Re: Re:
They court didn’t say the prosecution was illegal, i.e., that there was no valid question of law and the prosecucutor should be punished. That might be true if future prosecutors try it. But for this case, the prosecution was legal and it failed.
How does that change anything?
On The Other Hand...
Consider cell phone location tracking. You share that data for emergency services, mapping apps, “find my phone” and whatnot.
Companies may declare that “accessing that data in a way the host (user) doesn’t like doesn’t violate computer crime laws.”
How about covering how Susan Wojcicki and the rest of the codswallop at google/youtube just financially sodomized thousands of the smaller channels yesterday? Or are you gonna whitewash that one TOO? In before “it’s google/youtube’s site, and they’re legally entitled to be ingrates of unprecedented scale”, etc., etc., etc.,etc..
Re: Submit a story
https://www.techdirt.com/submitstory.php
You’re welcome.
Re: Re: Submit a story
NOBODY trusts that link any more than they trust Mike. That is 0%. Mike is not going to cover these stories, even if submitted, until he finds a way suck off google at the same time so the story will be of none effect.
Re: Re:
Techdirt, 48 hours ago: Media Freaks Out About Facebook Changes; Maybe They Shouldn’t Have Become So Reliant On Facebook
In before "Telling others not to use a service because it’s a trap and you can’t trust them, is still somehow whitewashing their image."
Re: Re:
Are you daft?
Re: Re:
How bout you start your own blog and cover the things you want covered instead of bitching that this one doesn’t hold up to your oh so refined tastes?
Re: Re: Re:
Why would they offer a submit story link if they didn’t wan’t story ideas? At the same time, everyone knows Mike won’t do anything to jeopardize the cash he gets from google so if he does a story about them at all he’s going to find some way where he can attempt to sanitize googles bullshit at the same time. Pointing out his goddless hypocrisy is absolutely proper.
Re: Re: Re: Re:
Shiva Ayyadurai lost. Get over it.
The free market and private enterprise
Despite their public protestations to the contrary, private sector companies don’t actually like the free market. They spend a large proportion of their energies trying to create or maintain a monopoly for themselves.
The evidence for this is precisely given by this type of case. Oracle don’t want to compete and they are prepared to spend quite a lot of money and effort on avoiding the need to.
Of course young start up companies behave differently – but I would contend that this is only because they have no choice. The moment they reach a size or a degree of market dominance that allows it they go straight into full monopolist mode. Often they do this whilst still talking about “the right to innovate”. The latter often means (in practice) the right to introduce innovations that actually prevent anyone else from innovating. cf Microsoft in the late 80’s and early 90’s.
The plaintiff seems to suffer from the lack of foresight
Which is especially interesting, considering the name of the plaintiff is Oracle.
Not quite right...
“The Ninth Circuit Court of Appeals has ruled [PDF] that accessing publicly-accessible info in a way the hosting entity has said isn’t permissible isn’t a violation of the law”
That is not what the decision says. It says a method of taking data, which is prohibited by terms of service, to which a defendant otherwise has the right to take, is not a violation of the CFAA. There is nothing in the decision that says a website can’t prohibit or place other restrictions on the taking of data, and the decision makes no reference to “publicly-accessible” data at all and there is no indication the downloads in the case were publicly-accessible at all.
Re: Not quite right...
How about:
The Ninth Circuit Court of Appeals has ruled [PDF] that accessing information that you are authorized to access but using a method that is not authorized by the hosting entity is not illegal.
Re: Not quite right...
Actually, on second thoughts (to my other reply), those may not be the exact words used by the NCCoA, but they fit within the meaning of the ruling.
By definition, publicly-accessible info is info that anyone is authorized to access.
Therefore that fits in with the "if you are authorized to access it" element of the ruling.
Therefore anyone can access public info, and any method used to access the info (manually, with a robot) is not illegal. (of course, this doesn’t protect the accessor against harming the hoster, e.g. if the effect was to cause a DoS then they might still be committing an illegal act)
Therefore the legal precedent set (IANAL) would allow accessing publicly-available information in a manner not authorized by the hoster.
The headline was not a quote from the NCCoA ruling, it is a headline about the ruling, the effect of the ruling, a description of the ruling, one of the consequences of the ruling. So the headline is correct in its description of an effect of the ruling. So the author of the article chose a headline that they felt covered the most important consequence of the ruling for them and for their reader base.
best news in years!
It’s perhaps evidence of just how messed up things have gotten in certain respects that I was worried this could go any other way; but I certainly was. So many horrible paths averted thanks to this decision.