The courts continue to wrestle with how to map existing law onto the shifting terrain of computer technology. And, it appears that new controversies are arising faster than judicial consensus can form. One of the latest controversies surrounds "screen scraping," a process by which a software program simulates a user’s interaction with a Web site to access information stored on that site. A screen scraper can not only enter the information a human user would; it can also capture the Web site’s replies. This facility may include the ability to extract substantial portions of data stored on the site — and therein lies the beginning of the controversy.
Many users welcome scrapers. Scrapers can permit a user to enter once certain information, such as usernames and passwords, and with the push of a button, send the scraper software off to access various third-party Web sites to which the user subscribes, automatically input the appropriate information and retrieve the desired information from those sites. This relieves the user from having to endure the tedium of individually accessing each Web site, and manually and serially entering in repetitive information.
Controversy arises, however, when commercial entities use scraping software to collect substantial amounts of information from their competitors’ Web sites, even when the information is provided to the public and is readily obtainable by manual means by individual inquiry. Several courts have addressed a company’s use of related technologies such as "spiders," "robots" and "Web crawlers" to gather information from a competitor’s Web site.
Notably, many of these decisions have relied upon the law of trespass in determining whether such access is actionable. Compare, e.g., Ticketmaster Corp. v. Tickets.Com, Inc., 2000 U.S. Dist. LEXIS 12987, *18 (C.D.Calif. Aug. 10, 2000), aff’d 248 F.3d 1173 (9th Cir. 2001) (finding that a trespass claim based upon Web crawling had "some merit" but not enough to justify the issuance of a preliminary injunction), with eBay, Inc. v. Bidder’s Edge, Inc., 100 F.Supp.2d 1058 (N.D. Calif. 2000) (finding that a Web crawler’s generation of 80,000 to 100,000 requests a day to a Web site constituted a trespass to chattels) and Oyster Software v. Forms Processing, 2001 U.S. Dist. LEXIS 22520 (N.D. Calif. Dec. 6, 2001) (although Web crawlers placed only a "negligible" load on a Web site’s servers, no more than mere "use" of a plaintiff’s computer system was necessary to establish a trespass claim).
Two recent decisions, one in the U.S. Court of Appeals for the First Circuit and another in a trial court in Texas, squarely address claims against screen scraping activity. However, the issue is presented under different legal theories in each case. The First Circuit analyzes screen scraping under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 (2000), while the Texas court, like those in the cases cited above, rests its decision on the law of trespass.
Computer Fraud and Abuse Act
The first of these recent screen scraping decisions is that of the First Circuit in EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. Jan. 28, 2003) (EF II). (The court’s earlier treatment of the subject appears in the related case, EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir., Dec. 17, 2001) or EF I, as discussed below.)
The facts underlying both EF cases involve a dispute between EF Cultural Travel (EF) and defendant Explorica, Inc., competitors in the student travel industry. Importantly, Explorica was founded by several of EF’s former employees. Explorica contracted with Zefer Corporation to design and code a software program that would scrape EF’s pricing information from the EF Web site and download it into an automated spreadsheet. Based on this information, Explorica set off to compete with EF by setting its own prices, on average, 5 percent lower. Altogether, Zefer ran the scraper twice (comprising more than 30,000 interrogations of the EF Web site), to collect 2000 and 2001 tour prices, collecting approximately 60,000 lines of data.
EF sued Zefer and Explorica in federal court, seeking a preliminary injunction on the grounds of copyright infringement and under the Computer Fraud and Abuse Act. The district court refused to grant summary judgment on the copyright claim, but issued a preliminary injunction on the basis of the CFAA, because the scraper software exceeded the "reasonable expectations" of authorized access of ordinary users of the EF Web site.
The district court reasoned that the scraping activities exceeded the defendants’ authorized use of the EF Web site because "access was facilitated by use of confidential information [about certain codes used on the EF Web site that would permit the screen scraper to function more effectively] obtained in violation of the broad confidentiality agreement signed by EF’s former employees." Specifically, the district court relied on 18 U.S.C. §1030(a)(4) which provides:
Whoever … knowingly and with intent to defraud, accesses a protected computer without authorization or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5000 in any 1-year period … shall be punished as provided [below].
"Exceeds authorized access," as defined by the CFAA, means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessing party is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6). The district court concluded that a lack of authorization need not be explicit, and observed that EF’s Web site included not fewer than three warnings that should have put the defendants on notice about reasonable use of the EF Web site — the copyright notice on the EF home page with a link provided to permit contacting the company with user questions; the provision of confidential codes by Explorica to Zefer; and the fact that the Web site functioned to permit typical users to display the information one page at a time.
On appeal, the First Circuit, in its first decision in the case (274 F.3d 577, EF I) addressed only the preliminary injunction as it applied to Explorica (Zefer was by then in bankruptcy proceedings, and its appeal was automatically stayed). The court relied on the broad confidentiality agreement between the former EF employees who now operated Explorica to conclude that their breach of the agreement exceeded "authorized access." Further, the court rejected Explorica’s contention that EF should not be permitted to sustain its private cause of action because EF could not demonstrate that Explorica’s actions had caused the "damage or loss" required by the CFAA.
The court agreed that EF could not meet the CFAA’s standard for "damage," i.e., "impairment to the integrity or availability of data, a program, a system or information that…causes loss aggregating at least $5,000 in value during any one year period to one or more individuals…" 18 U.S.C. §1030(e)(8). However, the court concluded that EF had sustained possibly compensable "losses."
Although "loss" is not defined by the statute, the court noted that a reasonable definition of "loss" could include lost business, loss of goodwill, and the cost of diagnostic and remedial measures taken by EF after it discovered the scraping. The court held that "[EF] unquestionably suffered a detriment and a disadvantage…. Congress’ use of the disjunctive ‘damage or loss,’ confirms that it anticipated recovery in cases involving other than purely physical damage."
The appeals court in EF I concluded that EF would likely succeed on the merits on its CFAA claim, and upheld the district court’s injunction. The court did not, however, address related arguments concerning whether mere use of scraper software constituted unauthorized access under the statute.
Upon lifting of the automatic stay resulting from its bankruptcy proceedings, Zefer appealed the validity of the injunction as applied to it. The First Circuit, after reviewing the findings of its earlier decision, noted that the evidence before it concerning Zefer’s knowledge of the confidential nature of the information provided by Explorica was inconclusive and that, in any event, the same information could have been obtained by Zefer through a manual examination of the EF Web site. The court focused once more on whether the use of the scraper software had exceeded authorized access under the CFAA.
However, the court rejected the district court’s "reasonable expectations" standard for determining what conduct constituted "unauthorized access" under the CFAA where no express limits on access exist. Instead, the court observed, "…we think that the public website provider can easily spell out explicitly what is forbidden and, consonantly, that nothing justifies putting users at the mercy of a highly imprecise, litigation-spawning standard like ‘reasonable expectations.’ If EF wants to ban scrapers, let it say so…."
The court concluded with some cogent advice for Web site operators: "[W]ith rare exceptions, public website providers ought to say just what non-password protected access they purport to forbid." The opinion strongly suggests, although it does not hold, that a clear statement by a Web site provider that scraping is unauthorized will give rise to a cause of action under the CFAA.
In contrast with the approach taken by the First Circuit in the EF decisions, a recent Texas court relied on a finding of trespass in issuing a temporary injunction against screen scraping by a commercial party. Like the First Circuit, the Texas court focused on the existence of Web site terms and conditions, but in this case prohibited such use.
In American Airlines, Inc. v. Farechase, Inc., No. 167-194022-02 (67th District Court, Texas March 8, 2003) the district court issued a temporary injunction against Farechase, Inc. (Farechase) prohibiting it from the sale or distribution of its Web automation software. (A copy of the injunction is available at http://www.eff.org/Cases/AA_v_Farechase/20030310_prelim_inj.pdf.) The software, also a type of screen scraper, was designed to access American Airlines’ Web site (AA.com), and automatically seek out and aggregate American Airlines’ flight, seat availability and pricing information, including fares available only through AA.com and not generally available for commercial purposes. Farechase had marketed the software to commercial users, travel distribution centers and travel agents.
American Airlines (AA) repeatedly notified Farechase to cease and desist from scraping AA.com and distributing software designed to access and scrape data from AA.com. In response, rather than ceasing its scraping activities, Farechase revised its software to include a "masking" feature that permitted the software to disguise itself to prevent detection by AA.
AA argued that Farechase violated AA.com’s terms of services by accessing the fare and flight information for commercial purposes, thus, as the court noted, "frustrating American’s objectives and efforts in developing and maintaining AA.com." The court classified Farechase’s actions as "intentional," "without authorization" and interfering with AA’s possessory interest in its computer system.
The court concluded, "Farechase’s conduct intermeddles with and interferes with American’s personal property. Such conduct constitutes a trespass" that substantially interfered with the airline’s "efforts to reduce the cost of distribution of its airline tickets." Interestingly, the court also found that the unauthorized access "may be a violation" of §33.02 of the Texas Penal Code (criminalizing a breach of computer security).
In its decision, the court held that Farechase’s actions had directly harmed AA, causing it to endure losses with respect to the capacity and operation of its computer systems, lost or reduced customer goodwill and lost opportunities for gaining and increasing customer goodwill through the reduced fares available via the AA.com site. In addition, the court found that Farechase’s scraping activities increased AA’s expenses and "adversely affect[ed] and harm[ed] American and the condition, quality and value of American’s property." Finally, the court observed, Farechase had announced plans for wider distribution of the software, which the court said "imminently threatens to adversely impact and harm the performance of AA.com and to place additional burdens on American’s website infrastructure." Based on its findings, the court enjoined Farechase from its scraping activities.
Although these are early scraping decisions, and the theories of liability are not uniform, it is difficult to ignore a pattern emerging that the courts are prepared to protect proprietary content on commercial Web sites from uses which are undesirable to the owners of such sites. However, the degree of protection for such content is not settled, and will depend on the type of access made by the scraper, the amount of information accessed and copied, the degree to which the access adversely affects the Web site owner’s system and the types and manner of prohibitions on such conduct.
Donald R. Ballman, an associate in the firm’s Hartford, Conn., office, assisted in the preparation of this article.
This article is reprinted with permission from the June 9, 2003 edition of the NEW YORK LAW JOURNAL. © 2003 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.