Appeals Court Says Accessing Data In A Way The Host Doesn't Like Doesn't Violate Computer Crime Laws

from the if-access-is-still-permitted,-the-access-process-is-irrelevant dept

Thu, Jan 18th 2018 3:23am — Tim Cushing

The Ninth Circuit Court of Appeals has ruled [PDF] that accessing publicly-accessible info in a way the hosting entity has said isn't permissible isn't a violation of the law. In this case, it's a couple of laws, since Oracle's bid to shut down a competitor involves two different states and two different computer crime laws.

Oracle sued Rimini Street alleging a bunch of computer law-related violations after it continued to harvest data without Oracle's explicit permission. The EFF, which filed a brief in this case backing Rimini Street, breaks down the details of the alleged violation.

Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright.

After ceasing/desisting for about a year, Rimini went back to automated downloading, allowing it to provide faster service for its customers. Oracle's decision to continue to grant access to Rimini Street is what ultimately undoes its case. It tried to use two different states' laws (Nevada and California) to force Rimini to go back to the old, slow, "permissible" downloading protocol. A jury found Rimini in violation of these laws, but the Appeals Court does not agree.

We hold that taking data using a method prohibited by the applicable terms of use, when the taking itself generally is permitted, does not violate the CDAFA. Because the same reasoning applies to the NCCL claim, we reverse the judgment as to both claims.

Oracle obviously disapproved of the method— automated downloading—by which Rimini took Oracle’s proprietary information. But the key to the state statutes is whether Rimini was authorized in the first instance to take and use the information that it downloaded.

That strikes down the violations alleged. It still leaves Oracle with a substantial award on its copyright infringement claims, but it will "only" end up with $22 million in damages instead of the $27 million awarded by the lower court.

This is a good decision that protects automated access of publicly-available information. Plenty of useful web/data tools rely on automation. Allowing companies to undercut competition and discourage innovation with bad applications of worse laws isn't the answer. With very little legislative movement towards rewriting bad laws like the CFAA, it's up to the courts to sort out these conflicts. In the meantime, companies like Oracle will continue to try to thwart competitors with lawsuits and criminal charges, rather than with better products and service.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 9th circuit, cfaa, copyright, data, scraping
Companies: oracle, rimini street

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Yes, I know I'm commenting anonymously, 18 Jan 2018 @ 3:53am

What was Aaron Swartz hounded to death for, again?
Her is a court basically saying his prosecution was illegal.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Jan 2018 @ 4:17am
  
  Re: Aaron Swartz
  His case was slightly different because the data he downloaded was not available for the general public for free.
  [ link to this | view in chronology ]
  - Ninja (profile), 18 Jan 2018 @ 4:43am
    
    Re: Re: Aaron Swartz
    I suspect if he didn't kill himself the verdict would be similar. Not a CFAA violation.
    [ link to this | view in chronology ]
  - Anonymous Coward, 18 Jan 2018 @ 4:51am
    
    Re: Re: Aaron Swartz
    It wasn't available for free, but he was authorized to access it at the time, just not using the method he chose. Nice strawman you were trying to build there.
    [ link to this | view in chronology ]
  - stine, 18 Jan 2018 @ 4:53am
    
    Re: Re: Aaron Swartz
    But he wasn't a member of 'the general public' when he was using automation to download the files.
    [ link to this | view in chronology ]
    - Yes, I know I'm commenting anonymously, 18 Jan 2018 @ 9:21am
      
      Re: Re: Re: Aaron Swartz
      Mr. Swartz did have legal access, just as Rimini had.
      The ruling specifically concerns itself with content you have access to but downloading in a different way than proscribed.
      [ link to this | view in chronology ]
  - Bergman (profile), 18 Jan 2018 @ 9:12pm
    
    Re: Re: Aaron Swartz
    You seem to have misread Swartz's case -- what he downloaded absolutely WAS publicly available for free, he just wrote a program that automated a tedious manual job.
    [ link to this | view in chronology ]
- Anonymous Coward, 18 Jan 2018 @ 1:37pm
  
  Re:
  They court didn't say the prosecution was illegal, i.e., that there was no valid question of law and the prosecucutor should be punished. That might be true if future prosecutors try it. But for this case, the prosecution was legal and it failed.
  [ link to this | view in chronology ]
Anonymous Coward, 18 Jan 2018 @ 5:42am

How does that change anything?
[ link to this | view in chronology ]
Roger Strong (profile), 18 Jan 2018 @ 5:50am

On The Other Hand...
Consider cell phone location tracking. You share that data for emergency services, mapping apps, "find my phone" and whatnot.

Companies may declare that "accessing that data in a way the host (user) doesn't like doesn't violate computer crime laws."
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 18 Jan 2018 @ 6:39am

How about covering how Susan Wojcicki and the rest of the codswallop at google/youtube just financially sodomized thousands of the smaller channels yesterday? Or are you gonna whitewash that one TOO? In before "it's google/youtube's site, and they're legally entitled to be ingrates of unprecedented scale", etc., etc., etc.,etc..
[ link to this | view in chronology ]
- Wendy Cockcroft, 18 Jan 2018 @ 7:19am
  
  Re: Submit a story
  https://www.techdirt.com/submitstory.php
  
  You're welcome.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Jan 2018 @ 10:32pm
    
    Re: Re: Submit a story
    NOBODY trusts that link any more than they trust Mike. That is 0%. Mike is not going to cover these stories, even if submitted, until he finds a way suck off google at the same time so the story will be of none effect.
    [ link to this | view in chronology ]
- Roger Strong (profile), 18 Jan 2018 @ 7:26am
  
  Re:
  Techdirt, 48 hours ago: Media Freaks Out About Facebook Changes; Maybe They Shouldn't Have Become So Reliant On Facebook
  
  In before "Telling others not to use a service because it's a trap and you can't trust them, is still somehow whitewashing their image."
  [ link to this | view in chronology ]
- Anonymous Coward, 18 Jan 2018 @ 7:33am
  
  Re:
  Are you daft?
  [ link to this | view in chronology ]
- Anonymous Coward, 18 Jan 2018 @ 10:56am
  
  Re:
  How bout you start your own blog and cover the things you want covered instead of bitching that this one doesn’t hold up to your oh so refined tastes?
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Jan 2018 @ 10:39pm
    
    Re: Re:
    Why would they offer a submit story link if they didn't wan't story ideas? At the same time, everyone knows Mike won't do anything to jeopardize the cash he gets from google so if he does a story about them at all he's going to find some way where he can attempt to sanitize googles bullshit at the same time. Pointing out his goddless hypocrisy is absolutely proper.
    [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jan 2018 @ 6:47pm
      
      Re: Re: Re:
      Shiva Ayyadurai lost. Get over it.
      [ link to this | view in chronology ]
Richard (profile), 18 Jan 2018 @ 7:19am

The free market and private enterprise
Despite their public protestations to the contrary, private sector companies don't actually like the free market. They spend a large proportion of their energies trying to create or maintain a monopoly for themselves.

The evidence for this is precisely given by this type of case. Oracle don't want to compete and they are prepared to spend quite a lot of money and effort on avoiding the need to.

Of course young start up companies behave differently - but I would contend that this is only because they have no choice. The moment they reach a size or a degree of market dominance that allows it they go straight into full monopolist mode. Often they do this whilst still talking about "the right to innovate". The latter often means (in practice) the right to introduce innovations that actually prevent anyone else from innovating. cf Microsoft in the late 80's and early 90's.
[ link to this | view in chronology ]
Darkhog, 18 Jan 2018 @ 7:47am

The plaintiff seems to suffer from the lack of foresight
Which is especially interesting, considering the name of the plaintiff is Oracle.
[ link to this | view in chronology ]
Large Marge, 18 Jan 2018 @ 9:13am

Not quite right...
"The Ninth Circuit Court of Appeals has ruled [PDF] that accessing publicly-accessible info in a way the hosting entity has said isn't permissible isn't a violation of the law"

That is not what the decision says. It says a method of taking data, which is prohibited by terms of service, to which a defendant otherwise has the right to take, is not a violation of the CFAA. There is nothing in the decision that says a website can't prohibit or place other restrictions on the taking of data, and the decision makes no reference to "publicly-accessible" data at all and there is no indication the downloads in the case were publicly-accessible at all.
[ link to this | view in chronology ]
- Eldakka (profile), 18 Jan 2018 @ 6:31pm
  
  Re: Not quite right...
  How about:
  
  The Ninth Circuit Court of Appeals has ruled [PDF] that accessing information that you are authorized to access but using a method that is not authorized by the hosting entity is not illegal.
  [ link to this | view in chronology ]
- Eldakka (profile), 18 Jan 2018 @ 6:48pm
  
  Re: Not quite right...
  Actually, on second thoughts (to my other reply), those may not be the exact words used by the NCCoA, but they fit within the meaning of the ruling.
  
  By definition, publicly-accessible info is info that anyone is authorized to access.
  
  Therefore that fits in with the "if you are authorized to access it" element of the ruling.
  
  Therefore anyone can access public info, and any method used to access the info (manually, with a robot) is not illegal. (of course, this doesn't protect the accessor against harming the hoster, e.g. if the effect was to cause a DoS then they might still be committing an illegal act)
  
  Therefore the legal precedent set (IANAL) would allow accessing publicly-available information in a manner not authorized by the hoster.
  
  The headline was not a quote from the NCCoA ruling, it is a headline about the ruling, the effect of the ruling, a description of the ruling, one of the consequences of the ruling. So the headline is correct in its description of an effect of the ruling. So the author of the article chose a headline that they felt covered the most important consequence of the ruling for them and for their reader base.
  [ link to this | view in chronology ]
Anonymous Coward, 19 Jan 2018 @ 4:55pm

best news in years!
It's perhaps evidence of just how messed up things have gotten in certain respects that I was worried this could go any other way; but I certainly was. So many horrible paths averted thanks to this decision.
[ link to this | view in chronology ]