Tapped Out: Controlling the internet via selective authorization

Craigslist, Inc. v 3Taps Inc., No. CV 12-03816 CRB. (N.D. Ca. August 16, 2013) is another case in a now long line of cases that establish that in most situations access to even an otherwise publicly accessible website can be controlled via selective authorization.

The 3Taps case is very straightforward.  3Taps scraped Craigslist’s website, and replicated it.  Craigslist sent them a letter revoking all permissions to access the Craigslist site, but 3Taps ignored that and circumvented IP filters and continued accessing the website, and replicating it.  In other words, Craigslist “singled out” 3Taps and told them that they could not access the Craigslist website.  3Taps was singled out because it was copying the entire Craigslist site, in apparent competition with Craigslist.

Note that unlike the Digital Millennium Copyright Act, which requires there to be sufficient technological measures to protect copyrighted content before there would be a finding of circumvention, under the CFAA, no such technological measures are required. 3Taps sought to dismiss the complaint filed by Craigslist, which asserted that 3Taps violated the Computer Fraud and Abuse Act (“CFAA”), which generally prohibits a person from “intentionally accesses[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” The essence of 3Taps’ argument was that because the Craigslist website is publicly available, the CFAA does not apply, and therefore, just as anyone else had “authorization” to access and use the website, so did 3Taps. [Note: this decision did not address copyright issues with 3Taps’ conduct.]

A long line of cases enforce “terms of service” either under contract law, under the CFAA, or both – that is, if terms of service authorize access to information on certain conditions, and those conditions are not met, then the access to that information is not authorized and is a violation of the contract and often, the CFAA. See Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), affirmed on other grounds, 356 F.3d 393 (2nd Cir. 2004) and their progeny.

You can now add this case to that list.  This case even more bluntly stands for the proposition that a website owner can, with only the typical “protected class” exceptions, discriminate against a particular user and revoke authorization, while at the same time generally authorize the public to access and use the website.   This right, moreover, does not make the website operator a so-called common carrier, and the website operator does not give up its other important immunities, such as the immunity under the Communications Decency Act (47 USC 230). There may be other limitations on a website’s right to discriminate – for example, there may be first amendment interests in the data being accessed, or there might be an argument that certain provisions in a contract limitation constitute a copyright misuse (and hence might make enforcement of the contract, even under the CFAA, problematic).  However, in the majority of private interest cases like Craigslist (or Twitter, or Facebook or virtually any other social media provider) – the owner of the data is going to have a pretty broad right in the U.S. and under U.S. law to protect access to that data via restrictions either in a terms of service, or more directly as was done in the 3Taps case.

Congress is considering an amendment to the CFAA (Aaron’s law – for background, see this Techdirt article, the EFF pages, and what I believe is the current draft here) that might limit a website platform operator’s use of the CFAA to control its content . . . but that issue has come up in various contexts before and Congress has not seemed to have much appetite for monkeying with the CFAA. Also, that would not eliminate the breach of contract claim (see the Verio case above).

The 3Taps case has been cited in some online commentary for the proposition that IP proxies or anonymization systems (like Tor) are “illegal.” That is not what the court held. There are many legal and pro-privacy reasons to use such systems that would not violate the CFAA. The simplest example would be use of such a system to avoid being tracked while browsing the web. In these cases you are not accessing a protected computer without authorization, you are simply sending a false identifier to a computer that is collecting the data of its own volition. The CFAA punishes unauthorized access, not access gained by presenting false location or identification data. However, under the 3Taps case, apparently a terms of service agreement could be written to withdraw consent to any access of the site if a person is using a location or tracking anonymizer/IP spoofer, and hence, a person using such a service and accessing the site could then be in violation of the CFAA. That question, however, also raises substantial 1st Amendment issues (right to anonymous speech), which were not present in 3Taps. Thus, it is not clear at all that a court would hold that the CFAA claim would survive in that instance.

Until Congress modifies the CFAA, internet users should be cautious about use of “publicly available” but privately owned information on a website, RSS feed, social media firehose, or other resource, and be careful to read and comply with the terms of service. [Note: this blog entry does not address governmental or public information, FOIA or the right (or lack of a right) under a contract or CFAA to “privatize” governmental public data.]

For more information contact Mike Oliver

(unless specifically attributed, all links on this page are provided for information purposes only and have not been vetted by, and do not necessarily represent the views of, the author)

In software disputes, don’t send someone armed with Play-doh to a knife fight – GMG Health Systems v Amicas, Inc.

In GMG Health Systems v. Amicas, Inc., 1st Cir April 10, 2012, the court had occasion to address a dispute between a software licensor / developer, and a licensee, in which more typical contractual language was in issue (for example, use of the term “go-live” and the phrase “substantially conform to Documentation” and typical warranty limitations).

GMG is a medical services provider – they typically have several systems to manage their billing, processing and other business functions.  Here, GMG contracted with a third party (Amicas) for its software – which had to interoperate with software from an already existing vendor used by GMG.  Like so many disputes, this one arose because of finger pointing between two vendors as to whose software was causing the error.  As an added twist here, and something we have litigated on at least one occasion here – GMG had decided to leave Amicas and go with another vendor, and was desperately trying to find a way out of the long term agreement.

Normally in such disputes, the licensee (client) makes some effort to produce a viable claim of breach of the agreement by the licensor / software developer.  In this case, however, GMG, which had not negotiated the agreement and signed a pre-printed form provided by the software company, produced a sole witness to fight the motion for summary judgment filed by the software developer.  This witness had no IT or software training, was not a project manager, was not familiar with the function of either of the software systems at issue, and could not provide any details beyond that the “interface did not work.”  GMG feebly tried to argue that the merger clause – a clause that states that all prior agreements including verbal understandings between the parties are “merged” into the agreement, did not apply because it had not negotiated the agreement.  The court dismissed that argument without any discussion.

Without the ability to provide evidence of what the parties intended – the so called “seamless integration” with the other system – GMG was unable to overcome the warranty limitation in the agreement, which stated that Amicas did not promise that the software would work for GMG in its environment.  Not surprisingly, GMG lost on all counts . . . and that loss was affirmed on appeal.

What is the moral of the story?

First, negotiate large scale enterprise resource planning agreements! Yes, the negotiation can be expensive, but far, far less than the litigation costs and potential damages. For example, in the GMG case, it was forced to pay an additional $700,000 for software it had abandoned, it was subject to an attorney fee award, it lost all kinds of time dedicating resources to fight the case, it had to pay its own lawyers, and it ended up taking 5 times as long to reach its goal (of an integrated system).

Second, even if you do not want to hire a lawyer to negotiate, at least make sure that the party providing the service has stated clearly in the agreement, the deliverable, what it will do, and what you expect from the service.  We have reviewed too many scenarios to count where a client has signed a pre-printed form that had NO promises or very light ones, like this agreement.  If it is a critical result that software X must interoperate with software Y, state that in the agreement.

Third, consider the remedy.  Many contractual negotiations can get hung up on the representations, warranties, disclaimers and so on – when they can be resolved by thinking in the opposite direction – assuming a performance representation is not met, what is the remedy?  Remedies range from the “nuclear” option (total contract termination), to some form of “notice and cure” to a repair, re-perform remedy.

Fourth, consider the term of the agreement.  In the GMG case, the parties amended their agreement and made it a longer term agreement.  Many vendors will offer more significant fee discounts, or less escalation, if the term is longer.  These can be attractive deals – but consider that as with GMG, you may desire to move away from that solution.  So, my rule of thumb on this point is . . . the longer the fixed term of the contract, the more closely you must negotiate it – and the more you must pay attention to escape hatches and “relief valves” if something changes.  Technology changes very fast – locking into a vendor for 5 years (as was done in GMG) is almost unheard of.  A three year deal presents enough technology-change-risk to be the outer limit of most of these deals.

I could go on, but if you made it this far . . . well, thanks!


Recent court decision in Oracle v Google raises serious copyright questions in certain types of software

In a decision in the Oracle v Google case, the court held that APIs – application program interfaces – small amounts of human readable source code, are not sufficiently original to qualify for copyright protection. This decision can impact API licenses, which most likely are based on copyrights.

What Google did. Google decided that to construct a mobile platform operating system (ultimately, the Android operating system) it wanted to be able to “interoperate” with Java programs – in this way, developers could rapidly publish their programs written in Java, to the mobile platform. In order to do this, however, Google either needed a license to the Java virtual machine to allow it to “port” it to the mobile hardware, or it needed to emulate that environment. Google approached Sun (later bought by Oracle) for this license, but the parties never agreed. Google eventually copied the names of the base classes and methods, and wrote its own original code to implement the particular functions. So as an example, a Java program would call a function, using the precise identical name of the function, class or method, but the “behind the scenes” black box code in Android that returned a result, was written by Google and not copied from Java. Google did a few other things (for example, they decompiled some executable code in Java, and used the source code derived from that to test their own software compatibility, and they included verbatim 9 lines of code in a range check function, which the court utterly dismissed as de minimis copying).

What Oracle claimed. Faced with having examined 15 million lines of code and discovering that only the structure, sequence and function were copied, Oracle took the position that it had a copyright in that structure, function and sequence.

What the court held. The parties had agreed that the issue of copyright was for the court to decide, with the jury being the arbiter of any infringement or damages. The court did a very good job of reviewing the history of protection of computer software – which really started in about 1980, with amendments to the Copyright Act that recognized computer software as a literary work. (This case is very well written and researched, so I can commend it to anyone who wants a crash course in software law.)

The trouble with the copyright protection, however, is that copyrights cannot protect ideas – that is the exclusive domain of patent law.  So, whenever a copyright expresses an idea, we often say that the idea is free but the expression of it may not be.  However, where there is only a limited way of expressing the idea – courts hold that the idea then “merges” into the expression, becoming inseparable, and renders that particular expression free from copyright protection.   That is what the court held here – essentially, the court said that if you want to protect the sequence, function and structure of how a software program works, you must use patent, and not copyright, law.  This ended the case for Oracle, as Oracle had lost on patent infringement.

The court summarized the best argument as follows: “Oracle’s best argument, therefore, is that while no single name is copyrightable, Java’s overall system of organized names — covering 37 packages, with over six hundred classes, with over six thousand methods — is a “taxonomy” and, therefore, copyrightable under American Dental Association v. Delta Dental Plans Association, 126 F.3d 977 (7th Cir. 1997).” (emphasis added)

What impact does this case have?   In the abstract, this case follows a fairly well defined line of cases that have denied copyright protection to such things as menu structures and programmatic access to underlying operating systems.   In this regard, the case does not change the law.  However, in a bigger picture view, and with particular reference to the amount of copying here – all of the main class and method calls in Java were replicated verbatim . . . it could be seen as a step toward requiring either very good contracting practice, or patenting, to protect access to a software language system.   The only other way to protect access is under the Digital Millennium Copyright Act – installing and using a sufficient technological measure that must be decrypted in order to access content.

If a software developer desires to restrict access to base operating code, the Oracle v Google case poses a significant barrier to reliance on copyright alone.  As stated above, the developer should consider proper contract language, patenting the system, and use of encryption technology to unlock such access.


Perils of overpricing and responding to government RFPs

The article in Networkworld “Cisco network really was $100 million more” is a good example of the danger in responding to governmental requests for proposal (RFP) without considering the publicity downside of significant overpricing.

The article explains that in bidding on a large computer infrastructure project for California State University, Cisco’s bid was over 100 million dollars higher than the closest competitor for the same equivalent products and services. Cisco’s bid, in fact, was more than 5 times the accepted bid price. While some premium might be attributable to Cisco’s products – superior quality, service or warranty, that difference is not likely to be worth more than 5 times any other manufacturer’s similar bid.

Government RFP responses in most cases become public.  Also, because an RFP is an “apple to apple” response, at least on a unit/performance basis, the only justification for real bid differences normally comes in quality of service (perceived or real), or in product quality distinctions.

With the amount of due diligence that everyone is doing on companies – investors, potential targets, potential joint venture partners, licensees, customers – any business that is responding to an RFP should consider that the response, whether accepted or not, will become publicly available.  The article suggests that Cisco might overprice on RFP responses when it senses it has no ability to win the bid.  Why?  It makes more sense to withdraw from the competitive bidding, than to overprice.

A similar risk presents itself for underpricing. Many companies ask for “most favored nations” (“MFN”) clauses – clauses that require post contractual price adjustments based on later favorable pricing offered to other customers. MFN clauses are dangerous for a host of reasons (one significant one is that if written incorrectly, they make literally every customer contract potentially relevant evidence in a dispute), but if a bidder underprices on an RFP response, in the hopes of later recouping the lower cost through add-ons or change orders, that initial pricing is now public and can be used against the bidder if they had issued MFNs to other customers.

In short, many considerations must be reviewed in responding to any governmental RFP – not just pricing, units, metrics and services.


From the patenting-the-internet-is-not-a-good-idea department – Ultramercial decision goes back to the CAFC

We have all seen them – the short clips of video advertising we must watch before we are granted access to some other video content. A company known as Ultramercial claims that the “idea” of putting that short advertising clip in front of content was its novel, non-obvious and hence patentable invention. A lower court disagreed, and invalidated the patent on subject matter grounds. Last September, however, in Ultramercial v Hulu, the Court of Appeals for the Federal Circuit reversed that decision and remanded the case for further proceedings (the issue of whether the patent was even valid on novelty or non-obviousness grounds had not yet been decided).

On May 21, 2012 the Supreme Court of the United States granted certiorari and remanded the case back to the CAFC for further review in light of Mayo Collaborative Services v. Prometheus Laboratories, Inc., a decision in which the process and method of administering certain therapeutic drugs was held to be patent subject matter ineligible.

There has been a distinct level of Supreme Court review of patent cases recently, most of them restricting or limiting the validity and subject matter of patents.  This latest remand indicates that the Supreme Court is expecting the CAFC to use these decisions in the internet area as well, to begin at least reviewing, and most likely holding invalid, many business method type patents that do not meet patent eligible subject matter requirements.

There are thousands of issued patents that cover basic functioning of the internet system (or, at least the commercial part of it) – that will be called into question in light of these recent Supreme Court decisions.
