California federal court finds no CFAA violation for disseminating software updates obtained from subscription to software support service, and requires fraud-based CFAA claims to be pled with particularity – Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012).
DLT was a member of the Oracle Partner Network (OPN), a program for third party companies interested in reselling Oracle hardware and software. To facilitate their role as resellers, OPN members receive login-in credentials to access Oracle’s support websites. Oracle alleged that DLT fraudulently used its access to obtain Oracle’s proprietary software patches and updates, which DLT then provided to its own customers. Oracle further alleged that DLT gave its access credentials to Oracle’s websites to “unwitting third parties” (apparently including the Navy and FDA) who were unaware that DLT lacked authorization to do so. Oracle sued DLT under numerous theories, including violations of the CFAA.
Certain CFAA claims alleged that DLT “exceed[ed] authorized access” in obtaining information from Oracle’s support systems. The court agreed with DLT that dismissal of such claims was required under United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc). In Nosal, an en banc panel of the Ninth Circuit ruled that misuse or misappropriation of information to which one has authorized access does not violate CFAA provisions based on access to a computer “without authorization or exceeding authorized access.” Oracle’s complaint alleged that DLT used its access credentials for an unauthorized purpose (although Oracle apparently tried to distinguish Nosal by re-characterizing the complaint in subsequent briefing as alleging that DLT accessed Oracle’s websites without authorization). That’s precisely the kind of conduct that Nosal said was not actionable under the CFAA, the court ruled. However, DLT could still be liable under the CFAA for trafficking passwords to Oracle’s support sites because such a claim is not based upon unauthorized access to a protected computer.
Oracle also ran into trouble with the requirement in Rule 9(b) of the Federal Rules of Civil Procedure that claims alleging fraud or mistake to be pled with particularity. One of Oracle’s CFAA claims alleged that DLT “knowingly and with intent to defraud . . . exceed[ed] authorized access, and by means of such conduct further[ed] the intended fraud . . . .” 18 U.S.C. § 1030(a)(4). The court concluded that the claim was “grounded” or “sounded” in fraud and thus subject to Rule 9(b). Oracle did not adequately detail its fraud to meet the Rule 9(b) pleading requirement.
The one bright spot for Oracle in the decision was the court’s rebuff of DLT’s argument that Oracle did not properly allege damages. Oracle alleged that it incurred costs as a result of investigating and conducting a damage assessment in response to DLT’s actions, and the court found that enough to satisfy the damage requirement. The court also rejected a similar argument that Oracle did not sustain damages in excess of $5,000. That argument referred to the fraud-based CFAA violation, an element of which is that the fraud resulted in the defendant obtaining “anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]” 18 U.S.C. § 1030(a)(4) (emphasis added). The $5,000 threshold is not meant to be a measure of damages, the court held. Rather, the threshold refers to the value of the computer use relevant in determining whether a CFAA violation exists. In any event, the court said, Oracle did allege that DLT obtained something of value, i.e., its software.
LegalTXTS Lesson: If you’re in the Ninth Circuit, recovery under the CFAA for illicit use or dissemination of proprietary computer information is a challenge. Liability for hacking into a computer system is well-established, see Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), and so is giving away passwords to protected sites as the Oracle decision teaches. Asking permission to access your work computer “one last time” to delete personal files before switching jobs and then downloading a bunch of proprietary data also will get you in trouble (see Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012), and my post on it here).
When it comes to misuse or misappropriation of information that was obtained with authorized access, however, Nosal makes it pretty clear that’s not a violation of the CFAA. The Oracle decision follows that rule. Other circuits, like the Third Circuit, go the opposite direction—hence decisions like Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), which held that it is a violation of the CFAA to induce employees of a competing company who have authorized access to the company’s computer system to download proprietary information and give it to you (see my post on it here).
AF Holdings, LLC owns the copyrights to various porn videos. AF Holdings has filed numerous copyright infringement actions against individuals who download and share its videos illegally through BitTorrent, an online peer-to-peer sharing tool. Besides targeting the individuals actively downloading and sharing files—whose identities are often unknown and therefore end up being named as “Doe” defendants—AF Holdings goes after owners of the Internet connections used in the torrent activity (the “Network Defendants”). AF Holdings sued the Network Defendants under a negligence theory. AF Holdings alleged that the Network Defendants breached their duty to secure their Internet connections from third parties who use the connections for unlawful activity. In a pair of similar lawsuits, the courts rejected AF Holding’s negligence claims. See AF Holdings, LLC v. John Doe and Josh Hatfield, 2012 WL 3835102 (N.D. Cal. Sept. 4, 2012); AF Hodlings, LLC v. John Doe and John Botson, 2012 WL 4747170 (N.D. Cal. Oct. 3, 2012)
No legal duty to secure Internet connection to prevent copyright infringement
AF Holdings argued that the Network Defendants owed it a duty to secure their Internet connections to prevent infringement of AF Holdings’ copyrighted works. The duty at issue was one of “non-feasance,” or the failure to take certain steps, as opposed to “misfeasance,” which involves activity putting the plaintiff in a worse position, such as exposing the plaintiff to risk of peril. A duty arises in non-feasance situations when the plaintiff has a special relationship with the defendant. Finding no special relationship between the Network Defendants and AF Holdings, the court concluded that the Network Defendants owed no legal duty to protect AF Holdings against copyright infringement. The courts therefore dismissed the negligence claims.
Copyright Act preempts negligence claims
Part of the Network Defendants’ defense was that the negligence claims are preempted by the Copyright Act of 1976 because they seek protection for the same exclusive rights that the Act protects. A state law claim is preempted by the Act when (1) the work at issue comes within the subject matter of copyright, and (2) the rights granted by state law are equivalent to the exclusive rights of copyright holders under section 106 of the Act. The Network Defendants cleared the first test easily because AF Holdings’ videos clearly are protected by copyright. In analyzing the second issue, most courts determine whether the state law claim contains an “extra element” that is different or in addition to a claim based on the Copyright Act. The only “extra elements” in AF Holdings’ negligence claim were the elements of duty and breach of duty. Since the Network Defendants had no duty to secure their Internet connections to prevent copyright infringement, the negligence claims had no extra elements to be saved from being preempted. Essentially, AF Holdings repackaged its copyright infringement claim into a negligence claim.
CDA immunity applies
The Network Defendants also claimed immunity under the Communications Decency Act (“CDA”). The court in the Hatfield case found it unnecessary to decide the issue given the dismissal of the negligence action on other grounds, but the court in the Botson case ruled that the defendant had immunity. A defendant qualifies for CDA immunity if (1) it is the provider or user of an interactive computer service; (2) the cause of action treat the defendant as a publisher or speaker of information; and (3) the information at issue is provided by another information content provider. Botson met these qualifications, the court found. AF Holdings alleged that Botson was the provider of a computer service (i.e., the Internet connection) to pirate the videos. AF Holdings also treated Botson as a copyright infringer or a participant in the infringement. Finally, the information at issue (the videos) were provided by another content provider, namely the “Doe” defendant.
DMCA safe harbor provision applies to copyright infringement claims brought under state common law — UMG Recordings, Inc. v. Escape Media Group, Inc., 2012 WL 2847859 (N.Y. Sup. Ct. July 10, 2012)
A New York court ruled that the “safe harbor” provisions of the Digital Millennium Copyright Act (DMCA) apply to copyright infringement claims brought under state copyright law. UMG Recordings (UMG), a division of Universal Music Group, sued the owners of the online music service Grooveshark for violation of copyrights in sound recordings created before February 15, 1972. Why that specific date? We’ll find out shortly. According to UMG, Grooveshark allows its users to upload digital copies of songs through its website. Grooveshark then copies the songs to its servers, from which users of the website can retrieve and access the songs by running a search by song title or artist.
Grooveshark argued that it qualified for the “safe harbor” provision of the DMCA that protects a service provider from copyright infringement claims based on its storage of the offending materials at the direction of a user. UMG countered that the safe harbor applies only to copyrights created under and protected by the U.S. Copyright Act. The claims at issue, however, were based on New York State common law, not the federal Copyright Act. And while the Copyright Act preempts state law in certain instances, common law copyrights created before February 15, 1972 are not federally preempted until 2067.
The court doesn’t buy UMG’s argument. The court found no indication in the text of the DMCA that Congress intended to limit the applicability of the safe harbors to just recordings made after February 15, 1972. The terms “copyright owner” and “infringing” in the DMCA safe harbor provisions were no less applicable to common law copyright than to statutory copyright. Therefore, the court refused to dismiss the safe harbor defense.
Court refuses to order stop of automated process for delivering digital music tracks to music company — Appalseed Productions, Inc. v. MediaNet Digital, Inc., 2012 WL 2700383 (S.D.N.Y. July 6, 2012)
This case is a good reminder of the different types of copyright licenses it takes to run an online music service and what happens when there’s a failure to keep track of the licenses obtained for each song.
MediaNet provides content from its song catalog to third-party Internet music services like MOG and iMesh. End-users of the third-party services can access songs in different ways depending on their subscription — via full download, “limited” download (music downloaded to a device or hard drive can be played as long as the user remains a subscriber), or on-demand streaming. MediaNet works with record labels and other copyright holders to obtain the necessary licenses for each song, which vary depending on the delivery method used by the end-user. For limited downloads, a mechanical license is needed to copy and distribute the musical works embodied in the sound recordings. For songs that are streamed on-demand, a mechanical license and a performance license are needed for the musical works.
The record labels deliver digital music tracks to MediaNet through an automated process called “ingestion.” During ingestion, a record label delivers metadata about each track, including the delivery methods MediaNet is allowed to use with the track (streamed or downloaded). The record labels regularly use the ingestion process to add new digital music tracks to MediaNet’s servers or to refresh the metadata for tracks.
MediaNet allegedly distributed songs — in which the plaintiffs (including Larry Weiss of Rhinestone Cowboy fame) owned the copyrights — to third-party music services for limited downloading and streaming without obtaining the necessary licenses. The metadata indicating that the songs were not available for limited downloading or streaming apparently did not get transmitted to MediaNet during ingestion. When MediaNet learned this, it blocked access to the tracks to end-users. However, subsequent ingestions by the record labels reactivated access to the tracks. MediaNet then manually removed the songs from its catalog and adopted measures to guard against inadvertent reactivation.
Skeptical that illegal access to the tracks had stopped for good, the plaintiffs asked for a preliminary injunction to stop MediaNet from using an automated process to add content to its catalog and from distributing its catalog to customers. The court ultimately denied the injunction because the plaintiffs couldn’t show “irreparable harm,” a key requirement for an injunction. Irreparable harm refers to injury that cannot be remedied with monetary compensation. The plaintiffs basically argued that, without an injunction, they would have the burden of proving lost sales due to infringement. That was not irreparable injury in the court’s view. There was also evidence that MediaNet tracks the number of times songs are delivered via limited download and/or streaming. It also wasn’t enough to argue that the allegedly infringing conduct would likely continue without the injunction. The plaintiff’s still needed to prove irreparable harm, and they couldn’t do so. It didn’t help either that the plaintiffs waited about two and a half years after learning about the alleged infringement before seeking an injunction.
LegalTXT Lesson: The obvious legal lesson is that if you’re in the digital music business, make sure you have all the necessary licenses lined up for each song. There’s a technical lesson here too. Automated systems are only as good as their programming. MediaNet struggled with filtering the offending songs out of their catalog because of variations in the spelling and punctuation used in the track titles of the songs. MediaNet finally had to resort to a periodic manual search for the offending tracks. While that might be the most effective way of preventing infringement, it’s not all that efficient.
Here’s a fun news bite for today. CNET reports that English rock band Def Leppard couldn’t come to terms with Universal Music on how much revenue the band can get from digital downloads of its songs, so it’s recording identical “covers” of its songs. Def Leppard would own the masters of the “covers” and therefore control the financial terms of its distribution, including through digital downloads. Clever, no?
Under U.S. copyright law, a musician may cover a song and distribute the recording so long as he gets a license (called a mechanical license) and pays a standard royalty fee to the song’s publisher. The mechanical license can’t be denied. The fee is 9.1 cents per song distributed for songs under five minutes and 1.75 cents per minute or fraction thereof over five minutes. It’s not a bad price to pay for gaining control over rights to distribute a song. Whether fans will think the covers are up to snuff is another matter.