Copying Public Website In Violation of Terms of Use Doesn’t Violate the Computer Fraud and Abuse Act, District Court Holds

The case is Koch Industries, Inc. v. Does, 2011 WL 1775765 (D.Utah 2011), handed down May 9. In this case, a group called “Youth for Climate Truth” copied the Koch Industries website (kochind.com) and created a fake website designed to look just like it at koch-inc.com. The “Youth for Climate Truth” then issued a fake press release designed to look like it was coming from Koch Industries. Koch Industries sued, alleging (among other things) that copying the legitimate Koch Industries website vioalted the Terms of Use of the website and therefore “exceeded authorized access” to the the computer hosting the website in violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The District Court concluded that Section 1030 could not be stretched so far:

To state a plausible claim under 18 U.S.C. § 1030, one must be guilty of gaining “unauthorized access” or “exceeding authorized access” to a protected computer system. But in this case, Defendants created a mockup of Koch’s website using information that Koch made “publicly available on the Internet, without requiring any login, password, or other individualized grant of access.” Cvent, Inc. v. Eventbrite, Inc., 739 F.Supp.2d 927, 2010 WL 3732183, at *3 (E.D.Va.2010). “By definition, therefore, [the defendants] could not have ‘exceeded’ [their] authority to access that data.” Id.

In Cvent, a federal district court recently rejected a similar attempt to stretch the CFAA to the use of publicly available information on a website. There, as here, the plaintiff sought to premise CFAA liability on its website’s Terms of Use, which provided: “No competitors or future competitors are permitted to access our site or information.” Id. But, as with Koch’s website, the defendant took “no affirmative steps” to prevent such access. Id. The website was “not password-protected, nor [were] users of the website required to manifest assent to the Terms of Use, such as by clicking ‘I agree’ before gaining access to the database. Rather, anyone … [could] access and search [the] information at will.” Id. Like Koch’s website, the Terms of Use did “not appear in the body of the first page” of the website; instead “[t]he link to access the Terms [was] buried at the bottom of the first page.” Id. Accordingly, the site was “not protected in any meaningful sense by its Terms of Use or otherwise.” Id.

The Cvent court observed that the plaintiff’s claim was really a claim that a user with authorized access had used the information in an unwanted manner, not a claim of unauthorized access or of exceeding authorized access. Id. A majority of courts have concluded that such claims lie outside the scope of the CFAA. See id.; LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009); Orbit One Communications, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 383 (S.D.N.Y.2010); Lewis–Burke Assocs., LLC v. Widder, –––F.Supp.2d ––––, 2010 WL 2926161, at *5–6 (D.D.C.2010).

Similarly, in this case, Defendants were given unimpeded access to the information on Koch’s public website. Koch’s complaint is not that Defendants obtained the information without authorization, but rather that they ultimately used the information in an unwanted manner. The CFAA addresses only the act of trespassing or breaking into a protected computer system; it does not purport to regulate the various uses to which information may be put.

. . . In addition, “[a]lthough this case arises in a civil context,” the court’s conclusion as to the extent of conduct prohibited by the CFAA “is equally applicable in the criminal context” and must be interpreted consistent with the “rule of lenity,” avoiding “surprising and novel” interpretations that “impose unexpected burdens on defendants.” LVRC Holdings LLC, 581 F.3d 1127, 1134–35 (9th Cir.2009) (applying the rule in a civil CFAA case). If Koch’s legal theory is correct, then any violation of its Terms of Use—that is, any use of its website’s content of which Koch does not approve—could expose a political critic to criminal prosecution. Such a result is clearly beyond Congress’ intent in passing the CFAA.

Quite correct, in my view, and I think it’s correct regardless of whether users have to affirmatively assent to the Terms of Use. Although it’s only a district court decision, I’m glad to see that not every court is accepting extremely broad readings of the CFAA.