Appeals Court Says Accessing Data In A Way The Host Doesn't Like Doesn't Violate Computer Crime Laws
from the if-access-is-still-permitted,-the-access-process-is-irrelevant dept
The Ninth Circuit Court of Appeals has ruled [PDF] that accessing publicly-accessible info in a way the hosting entity has said isn't permissible isn't a violation of the law. In this case, it's a couple of laws, since Oracle's bid to shut down a competitor involves two different states and two different computer crime laws.
Oracle sued Rimini Street alleging a bunch of computer law-related violations after it continued to harvest data without Oracle's explicit permission. The EFF, which filed a brief in this case backing Rimini Street, breaks down the details of the alleged violation.
Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright.
After ceasing/desisting for about a year, Rimini went back to automated downloading, allowing it to provide faster service for its customers. Oracle's decision to continue to grant access to Rimini Street is what ultimately undoes its case. It tried to use two different states' laws (Nevada and California) to force Rimini to go back to the old, slow, "permissible" downloading protocol. A jury found Rimini in violation of these laws, but the Appeals Court does not agree.
We hold that taking data using a method prohibited by the applicable terms of use, when the taking itself generally is permitted, does not violate the CDAFA. Because the same reasoning applies to the NCCL claim, we reverse the judgment as to both claims.
Oracle obviously disapproved of the method—automated downloading—by which Rimini took Oracle’s proprietary information. But the key to the state statutes is whether Rimini was authorized in the first instance to take and use the information that it downloaded.
That strikes down the violations alleged. It still leaves Oracle with a substantial award on its copyright infringement claims, but it will "only" end up with $22 million in damages instead of the $27 million awarded by the lower court.
This is a good decision that protects automated access of publicly-available information. Plenty of useful web/data tools rely on automation. Allowing companies to undercut competition and discourage innovation with bad applications of worse laws isn't the answer. With very little legislative movement towards rewriting bad laws like the CFAA, it's up to the courts to sort out these conflicts. In the meantime, companies like Oracle will continue to try to thwart competitors with lawsuits and criminal charges, rather than with better products and service.