In continuing its efforts to enforce its terms and policies against developers that engage in unauthorized scraping of user data, this week Facebook brought suit against two marketing analytics firms, BrandTotal Ltd (“BrandTotal”) and Unimania, Inc. (“Unimania”) (collectively, the “Defendants”) (Facebook, Inc. v. BrandTotal Ltd., No. 20Civ04246

In what could be prove to be an important decision within the context of scraping of “public” data, in a recent case the Eleventh Circuit reversed a lower court’s dismissal of trade secret claims relating to the scraping of insurance quotes. (Compulife Software, Inc. v. Newman, No. 18-12004 (11th Cir. May 20, 2020)). The appellate court agreed with the lower court that while Compulife’s insurance quote database was a trade secret, manually accessing life insurance quote information from the plaintiff’s publicly web-accessible database would generally not constitute the improper acquisition of trade secret information.  However, the court disagreed with the lower court in finding that the use of automated techniques to scrape large portions of the database could constitute “improper means” under state trade secret law.  In reversing the lower court’s dismissal of the trade secret claims, the appeals court stressed that “the simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendants’ favor.”   Even though there was no definitive ruling in the case – as the appeals court remanded the case for further proceedings – it is certainly one to watch, as there are very few cases where trade secrets claims are plead following instances of data scraping.

In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials.

On January 7, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced its 2020 examination priorities. In doing so, OCIE identified certain areas of technology-related concern, and in particular, on the issue of alternative data and cybersecurity. [For a more detailed review of OCIE’s

UPDATE: On October 14, 2019, the parties entered into a Joint Stipulation dismissing the case, with prejudice.  It appears from some reports that Stackla’s access to Facebook has been reinstated as part of the settlement.
UPDATE: On September 27, 2019, the California district court issued its written order denying Stackla’s request for a TRO.  In short, the court found that, at this early stage, Stackla only demonstrated “speculative harm” and its “vague statements” did not sufficiently show that restoration of access to Facebook’s API would cure the alleged impending reality of Stackla losing customers and being driven out of business (“The extraordinary relief of a pre-adjudicatory injunction demands more precision with respect to when irreparable harm will occur than ‘soon.’”).  As for weighing whether a TRO would be in the public interest, the court, while understanding Stackla’s predicament, found that issuing a TRO could hamper Facebook’s ability to “decisively police its social-media platforms” and that there was a public interest in allowing a company to police the integrity of its platforms (“Facebook’s enforcement activities would be compromised if judicial review were expected to precede rather than follow its enforcement actions”). [emphasis in original]. This ruling leaves the issue for another day, perhaps during a preliminary injunction hearing, after some additional briefing of the issues.

The ink is barely dry on the landmark Ninth Circuit hiQ Labs decision. Yet, a new dispute has already cropped up testing the bounds of the CFAA and the ability of a platform to enforce terms restricting unauthorized scraping of social media content. (See Stackla, Inc. v. Facebook, Inc., No. 19-5849 (N.D. Cal. filed Sept. 19, 2019)).  This dispute involves Facebook and a social media sentiment tracking company, Stackla, Inc., which, as part of its business, accesses Facebook and Instagram content. This past Wednesday, September 25th, the judge in the case denied Stackla, Inc.’s request for emergency relief restoring its access to Facebook’s platform. While the judge has yet to issue a written ruling, the initial pleadings and memoranda filed in the case are noteworthy and bring up important issues surrounding the hot issue of scraping.

The Stackla dispute has echoes of hiQ v LinkedIn. Both involve the open nature of “public” websites (although the “public” nature of the content at issue appears to be in dispute.)  Both disputes address whether the Computer Fraud and Abuse Act (the “CFAA”) can be used as a tool to prevent the scraping of such sites. Both disputes address how a platform may use its terms of use to prohibit automated scraping or data collection beyond the scope of such terms, although the discussion in hiQ was extremely brief.  And like hiQ, Stackla asserts that if not for the ability to use Facebook and Instagram data, Stackla would be out of business. Thus both disputes address whether a court’s equitable powers should come into play if a platform’s termination of access will result in a particular company’s insolvency.  Given the Ninth Circuit’s opinion in favor of hiQ, it is highly likely that Stackla’s lawyers believed the Ninth Circuit decision was their golden ticket in this case. The judge’s ruling on the request for emergency relief suggests they may be disappointed.

In a ruling that is being hailed as a victory for web scrapers and the open nature of publicly available website data, the Ninth Circuit today issued its long-awaited opinion in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019). The crucial question before the court was whether once hiQ Labs, Inc. (“hiQ”) received LinkedIn Corp.’s (“LinkedIn”) cease-and-desist letter demanding it stop scraping public LinkedIn profiles, any further scraping of such data was “without authorization” within the meaning of the federal Computer Fraud and Abuse Act (CFAA). The appeals court affirmed the lower court’s order granting a preliminary injunction barring the professional networking platform LinkedIn from blocking hiQ, a data analytics company, from accessing and scraping publicly available LinkedIn member profiles to create competing business analytic products. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.

In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court’s hiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches. Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.”

In early July, Ticketmaster reached a favorable settlement in its action against a ticket broker that was alleged to have used automated bots to purchase tickets in bulk, thus ending a dispute that produced notable court decisions examining the potential liabilities for unwanted scraping and website access. (Ticketmaster L.L.C. v. Prestige Entertainment West Inc., No. 17-07232 (C.D. Cal. Final Judgment July 8, 2019)).

In the litigation, Ticketmaster alleged that the defendant-ticket broker, Prestige, used bots and dummy accounts to navigate Ticketmaster’s website and mobile app to purchase large quantities of tickets to popular events to resell for higher prices on the secondary market. Under the terms of the settlement, Prestige is permanently enjoined from using ticket bot software to search for, reserve or purchase tickets on Ticketmaster’s site or app (at rates faster than human users can do using standard web browsers or mobile apps) or circumventing any CAPTCHA or other access control measure on Ticketmaster’s sites that enforce ticket purchasing limits and purchasing order rules.  Prestige is also barred from violating Ticketmaster’s terms of use or conspiring with anyone else to violate the terms, or engage in any other prohibited activity.

Two recent web scraping disputes highlight some important issues regarding whether a website owner may successfully allege a breach of contract action against a commercial party that has scraped website content contrary to “clickwrap” and “browsewrap” website terms of use.

In Southwest Airlines Co. v. Roundpipe, LLC, No. 18-0033 (N.D. Tex. Mar. 22, 2019), a Texas district court declined to dismiss Southwest Airlines Co.’s (“Southwest”) breach of contract claim against an entity that scraped airfare data from Southwest’s site in violation of the website terms of use. Southwest brought multiple claims against Roundpipe, LLC (“Roundpipe”) after it discovered that Roundpipe had created a website, SWMonkey.com, that, using scraping, sent consumers notifications if their Southwest ticket prices decreased after purchase (which would presumably allow them to exchange the original ticket for a lower-priced ticket).

Southwest’s website terms prohibited scraping or the use of any automated tools to access its fares or other content. Soon after the launch of SWMonkey, Southwest sent a cease and desist letter stating that Roundpipe was obtaining Southwest’s data in violation of the website terms, among other reasons, and demanded that the site be taken down.  After negotiations and additional correspondence from Southwest, Roundpipe shut down the website and disabled its scraping and fare tracking functionality.

This month, an Illinois district court considered another in the series of web scraping disputes that have been working their way through our courts.  In this dispute, CouponCabin, Inc. v. PriceTrace, LLC, No. 18-7525 (N.D. Ill. Apr. 11, 2019), CouponCabin alleged that a competitor, PriceTrace, scraped coupon codes from CouponCabin’s website without authorization and displayed them on its own website.

After discovering PriceTrace’s scraping activities, CouponCabin sent PriceTrace a cease and desist letter demanding that PriceTrace stop scraping data from CouponCabin’s website.  CouponCabin alleged that PriceTrace continued to access and scrape data from CouponCabin’s website even after the C&D letter was sent. As a result, CouponCabin brought several causes of action against PriceTrace, including claims under the Computer Fraud and Abuse Act (CFAA), tortious interference and breach of contract.

The court found that CouponCabin’s C&D letter had revoked PriceTrace’s access to its site and that PriceTrace’s alleged continued access to the website plausibly stated a violation of the CFAA’s “unauthorized access” provision (18 U.S.C. §1030(a)(2)(C)).  Ultimately, however, the court dismissed the CFAA claims with leave to amend, due to plaintiff’s failure to plead the requisite amount of damage or loss as required to maintain a civil action under the CFAA.

“CouponCabin is simply alleging that PriceTrace was able to circumvent CouponCabin’s website security, with no allegation that such evasion impairs or harm the website. Absent allegation of impairment, CouponCabin has merely alleged that PriceTrace accessed CouponCabin’s website without authorization.”

UPDATE: On November 1, 2018, the court dismissed the plaintiff’s amended complaint (which apparently dropped the CFAA claim and asserted Lanham Act and DMCA claims).  Specifically, the plaintiff asserted, among other things, that defendant removed the copyright management information (CMI) from plaintiff’s listings and website source code. The court ruled that plaintiff failed to show that the generic copyright notice at the footer of each web page covered the listings and images that the defendant allegedly scraped, noting that “websites generally do not claim ownership or authorship over an image just because the image appears on the website.” With no evidence that the defendant removed or altered any CMI from the listings it allegedly scraped, the court held that the DMCA claim failed. Following the filing of a second amended complaint, the court, on March 22, 2019, dismissed the action, with prejudice. Regarding the DMCA claim, the court stated that it was “simply not reasonable to expect a viewer of the website to understand that each photograph was subject to protection when there is nothing near the photographs indicating who owns them. Had Alan Ross intended to assert copyright protection for the photographs it owned, it should have included a watermark or other mark on or near the listings, rather than a general copyright notice at the bottom of the page that does not indicate to what it refers.” The court ruled that a general copyright notice on the bottom of a webpage is not CMI “conveyed in connection with” photographs and listings contained on those webpages. Lastly, the court held that the link to plaintiff’s website terms was also not CMI “conveyed in connection with the work” because the terms were located on a separate page than the listings that were allegedly scraped and did not expressly state ownership of the images and listings, merely that unauthorized copying is prohibited.  Following the dismissal, the plaintiff filed a notice of appeal to the Seventh Circuit.

This past week, an Illinois district court dismissed, with leave to amend, claims relating to a competitor’s alleged scraping of sales listings from a company’s website for use on its own site. (Alan Ross Machinery Corp. v. Machinio Corp., No. 17-3569 (N.D. Ill. July 9, 2018)).

The court dismissed a federal Computer Fraud and Abuse Act (CFAA) claim that the defendant accessed the plaintiff’s servers “without authorization,” finding that the plaintiff failed to plead with specificity any damage or loss related to the scraping and did not allege that the unlawful access resulted in monetary damages of $5,000 or more as required to maintain a civil action under the CFAA.  In the court’s view, the “mere copying of electronic information from a computer system is not enough to satisfy the CFAA’s damage requirement.”  The court also dismissed plaintiff’s breach of contract claims, concluding that defendant did not have notice of the plaintiff’s website terms and conditions based upon an unenforceable browsewrap agreement.