Anti-Scraping Lawsuit Largely Gutted–Cvent v. Eventbrite
By Eric Goldman
Cvent, Inc. v. Eventbrite, Inc., 2010 U.S. Dist. LEXIS 96354 (E.D. Va. Sept. 14, 2010).
Given the amount of scraping taking place every day all over the web, scraping lawsuits are surprisingly infrequent. In this ruling, a target website has its anti-scraping lawsuit largely gutted, in part due to poor legal preparation by the target website. Because many target websites will deploy better anti-scraping defenses than this one did, I’m not sure how much this ruling will help other scrapers.
Cvent provides a variety of resources to event planners, including web databases of information about event venues and their communities. Eventbrite operates an “event planning, sales and registration” website, which included profile pages for event venues. To help populate these pages, Cvent alleges that Eventbrite retained a third party contractor, Foley, to scrape Cvent’s databases in Fall 2008. Cvent sued 18 months later (why so long?).
This ruling deals with Eventbrite’s partial motion to dismiss multiple causes of action, each of which I discuss below. Among other highlights, the opinion has a rare interpretation of UCITA’s provisions.
Computer Fraud & Abuse Act
The CFAA protects against the unauthorized usage of third party servers that causes the requisite loss. Scraping can violate the CFAA. See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
Eventbrite attacks the CFAA’s “unauthorized use” requirement by arguing that Cvent operated a publicly available website–“public” in the sense that the site was browseable without restriction. Following this line of reasoning, Eventbrite’s usage was no less authorized than a web user who browses the site.
Surprisingly, Cvent doesn’t appear to have alleged a common law trespass to chattels claim. Post-Hamidi/Mummagraphics, it’s doubtful such a claim would be more successful than a CFAA claim. However, given that Cvent alleged so many other causes of action, trespass to chattels would have been a natural one to allege too. I doubt Cvent missed the claim, so I’m wondering why they chose not to pursue it.
Virginia Computer Crimes Act
Cvent also claimed a violation of Virginia’s computer crime statute. This is a logical move; Venkat and I both have been tracking cases interpreting the analogous California Penal Code 502. The court, citing 4th Circuit jurisprudence, says the Copyright Act preempts a claim under the state computer crime law when it “does not require proof of elements beyond those necessary to prove copyright infringement.” This happened here; “Cvent’s claim in this case reduces to nothing more than a copyright infringement allegation, dressed up in VCCA garb,” and therefore is preempted by federal copyright law.
Reverse Passing Off Under the Lanham Act/Dastar
Cvent also alleges that Eventbrite presents Cvent’s copyrighted material as Eventbrite’s own, and this constitutes a Lanham Act reverse passing off. This is exactly the kind of argument I thought Dastar precluded, yet the court does not dismiss the claim, saying that it can proceed as an alternative to the copyright claim. I don’t understand Dastar all that well, but Rebecca is a Dastar expert, and she explains why the court whiffed.
Breach of Contract
Eventbrite tries to dismiss the contract breach claim on three grounds:
1) Copyright preemption. Although courts reach inconsistent results over copyright preemption of contract breaches, normally contract breaches should survive preemption, and it does here.
2) Privity. Eventbrite says Foley was an independent contractor and therefore didn’t bind Eventbrite. The court says that Cvent alleged an agency relationship, and that was good enough to survive a motion to dismiss.
3) Unsuccessful formation. Given that the court held the terms were ineffective for CFAA purposes, we knew the terms would fail the more stringent requirements of contract formation. The court properly treats Cvent’s terms as a “browsewrap” instead of a “clickwrap” and concludes (as it should) that “plaintiff has not pled sufficient facts to plausibly establish that defendants Eventbrite and Foley were on actual or constructive notice of the terms and conditions posted on Cvent’s website.” Tom O’Toole has more to say on this point. From my perspective, this case reminds us of something we already knew: if you want a valid online contract, use a mandatory non-leaky clickthrough agreement.
Being in Virginia, the court then discussed UCITA’s contract formation provisions. I must confess that until the court brought it up, I hadn’t even thought about UCITA’s applicability. Talk about a forgotten (and failed) “model” law. I did a quick Westlaw search for “UCITA” and found 16 case citations to the law, not all of them interpreting its provisions, and no citations since 2008. Given the paucity of UCITA caselaw, the UCITA discussion alone makes the opinion distinctive.
Here, Cvent’s presentation of the terms fails UCITA’s requirements that the term be “available in a manner that ought to call it to the attention of a reasonable person,” … or [that] the website “disclose[s] the availability of the standard terms in a prominent place on the site” and “does not take affirmative acts to prevent printing or storage of the standard terms for archival or review purposes.”
Normally, unjust enrichment is a junk claim, so I’m always disappointed when courts don’t end it early. Further, in this context, it would have been completely appropriate to deem the unjust enrichment claim as preempted by the Copyright Act, because Cvent’s basic argument is that Eventbrite’s enjoyment of Cvent’s data is an unjust enrichment. Nevertheless, the court said the claim survives Copyright Act preemption for material not protected by copyright.
Cvent alleged that Eventbrite’s work with Foley constituted a conspiracy. The court rejects the argument, treating Foley as Eventbrite’s agent which precludes the conspiracy claims.
Eventbrite didn’t try to knock out the copyright claim on a motion to dismiss, but it did seek to moot statutory damages and attorneys’ fees due to Cvent’s untimely registration. Foley swept through the Cvent site in Fall 2008, and Cvent registered its copyrights in April 2010 right before filing suit, so Eventbrite wins this point. Cvent can still get compensatory damages, but losing its claim for statutory damages and attorneys’ fees probably significantly reduces the cash value of this litigation to it.
1) It’s hard to scrape legally. Although this ruling is mostly good news for Eventbrite, it shows how hard it is to legally justify scraping. Scraping implicates lots of overlapping legal doctrines, and the scraper has to succeed on all of them.
2) Outsourcing to Consultants. Websites that want to avoid legal liability for scraping might be tempted to outsource the activity to independent contractors. As this case illustrates, the court can collapse the legal distinctions between the hiring party and the independent contractor.
Meanwhile, independent contractors might choose to tread cautiously after this opinion, as they are equally exposed legally. In this respect, I’m reminded of the Snap-on case from earlier this year, where the scraping contractor demanded an indemnity from the hiring party. Good thinking, but the indemnity is worthless if there is a criminal prosecution.
3) Cvent Didn’t Prepare the Case Well. The case doesn’t mention several anti-scraping techniques that many websites frequently use, including robots.txt/robot exclusion headers, IP address blocks, rate limits (i.e., quantitative caps on the data an IP address can download within a specified time), a more prominent contract, timely copyright registrations and cease & desist letters. Perhaps Cvent did some of these things and the court didn’t mention them, or it may be some of the techniques would have been unavailable (such as IP address blocks or a C&D letter) because Cvent waited so long and perhaps didn’t discover the scrape when it was occurring. This leads to a corollary point: it’s easier to bust a scraper if you catch them in the act, so it can be hard to shut down a one-time scraper.
As part of prepping a future anti-scraping case, I advise clients to set up an API that allows third parties to download appropriate portions of the website’s content subject to reasonable license terms. If the license terms include a mandatory linkback, reuse of the data acts as marketing and SEO for the originating website. From a legal standpoint, this way, the website’s answer isn’t “you can’t have the data” but instead “you can’t have it that way.” This is the basic litigation posture that Facebook is taking with Power.com–Facebook Connect yes, scraping no.
Coverage of Other Scraping Cases
We don’t have a scraping category on the blog (maybe we should) or even a trespass to chattels category. But scraping is a perennial favorite topic, so I thought it would be helpful to provide a bibliography of other posts regarding scraping and highly related matters:
* Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims — Facebook v. Power.com (July 2010). See also EFF Weighs in on Facebook v. Power Ventures — Facebook v. Power Ventures and Facebook’s Anti-Spam Filter Blocks Legitimate Conversations about Power.com
* Taxonomies and Commercial Reputations (Dec. 2007)
* Oracle v. SAP Lawsuit Comments (April 2007). See also SAP Has Bad News in Oracle Lawsuit, But Tries to Bury It
Venkat and I both love scraping cases! Please send us your tips about other scraping rulings as they come down.