Ninth Circuit Allows Data-Mining in Rimini Decision
Earlier this month the U.S. Court of Appeals for the Ninth Circuit issued an important decision in Oracle v. Rimini that decreases data aggregators’ potential legal exposure for using software tools such as robots and spiders to scrape information from websites.
Rimini is an independent provider of maintenance services to customers of Oracle software. To provide these maintenance services, Rimini needed to download software updates from Oracle’s website. Oracle sued Rimini for infringing its copyrights as well as violating California and Nevada’s computer abuse statutes. The district court ruled in favor of Oracle on all counts. Rimini appealed, and the Ninth Circuit affirmed the copyright infringement claims but reversed the state computer abuse claims.
The copyright claims turned largely on interpretation of Oracle’s license agreements with its customers and thus do not warrant extended discussion. Oracle’s licenses allowed an independent service organization to download and use an update to provide services to a particular Oracle customer (“direct use”), but not to other current or future customers (“cross use”). Rimini, however, used the same downloaded update for multiple customers. Thus, the Ninth Circuit found that Rimini made reproductions beyond the scope of the license.
The Ninth Circuit’s analysis of the state computer abuse claims has more far-reaching implications. California’s Comprehensive Data Access and Fraud Act (“CDAFA”) imposes liability on a person who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer….” Similarly, the Nevada Computer Crime Law (“NCCL”) imposes liability on a person who “knowingly, willfully, and without authorization…uses…or obtains or attempts to obtain access to…a computer….”
The terms of use of Oracle’s website specifically prohibit the use of automated download tools such as robots, spiders, or scrapers. Rimini agreed to the terms of use when it logged on to the website, then employed automated tools to “download full libraries of support documents and files for entire software product lines—each involving hundreds of thousands of different files.”
The Ninth Circuit states that “the central issue here is whether by using automated tools to take data in direct contravention of Oracle’s terms of use, Rimini violated the statutes.” The court then held that “taking data using a method prohibited by the applicable terms of use, when the taking itself is generally permitted, does not violate the CDAFA” or the NCCL. The court stressed that the key to the statutes was whether a defendant was authorized to take and use the information it downloaded. Because it was indisputable that Rimini had such authorization at least in the first instance under Oracle’s licenses with its customers, Rimini did not violate the statutes by employing a method for downloading the information prohibited by the terms of use. Presumably that might be a breach of contract, but not a violation the state statutes.
This ruling is significant because many publicly accessible websites have terms of use that prohibit employment of automated data-gathering tools. The decision means that use of such tools on these websites would not violate California and Nevada’s computer abuse statutes. In this case, dismissal of the state claims reduced Rimini’s damages liability by $20 million.
Hopefully, this decision will have a positive impact on interpretation of the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, which imposes liability on a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from a protected computer.” As with the California and Nevada statutes, so long as a person has the right to access a website, employment of automated tools prohibited by terms of service should not constitute a violation of the CFAA.
