Earlier this month the U.S. Court of Appeals for the Ninth Circuit issued an important decision in Oracle v. Rimini that decreases data aggregators’ potential legal exposure for using software tools such as robots and spiders to scrape information from websites.
Rimini is an independent provider of maintenance services to customers of Oracle software. To provide these maintenance services, Rimini needed to download software updates from Oracle’s website. Oracle sued Rimini for infringing its copyrights as well as violating California and Nevada’s computer abuse statutes. The district court ruled in favor of Oracle on all counts. Rimini appealed, and the Ninth Circuit affirmed the copyright infringement claims but reversed the state computer abuse claims.
The copyright claims turned largely on interpretation of Oracle’s license agreements with its customers and thus do not warrant extended discussion. Oracle’s licenses allowed an independent service organization to download and use an update to provide services to a particular Oracle customer (“direct use”), but not to other current or future customers (“cross use”). Rimini, however, used the same downloaded update for multiple customers. Thus, the Ninth Circuit found that Rimini made reproductions beyond the scope of the license.
The Ninth Circuit’s analysis of the state computer abuse claims has more far-reaching implications. California’s Comprehensive Data Access and Fraud Act (“CDAFA”) imposes liability on a person who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer….” Similarly, the Nevada Computer Crime Law (“NCCL”) imposes liability on a person who “knowingly, willfully, and without authorization…uses…or obtains or attempts to obtain access to…a computer….”
Hopefully, this decision will have a positive impact on interpretation of the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, which imposes liability on a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from a protected computer.” As with the California and Nevada statutes, so long as a person has the right to access a website, employment of automated tools prohibited by terms of service should not constitute a violation of the CFAA.