Company That Facilitates Digital Access to Public Records Uses CFAA to Block Scraper
[Eric's introduction: this post has been sitting in our tank over a month. I put a hold on it when I was considering using this fact pattern for my Internet Law exam. I decided to go in a different direction, but this post languished in the interim. Better late than never, especially because this case ranks as one of the most interesting of 2013.]
Fidlar Technologies is a company that contracts with governmental entities, such as counties, to make public records available online (“Our company vision is to be the premier provider of technology and services for the management of public information across the United States”) [emphasis added]. It’s unclear how the counties’ data is migrated online, but through Fidlar’s “Laredo” program, end users are charged to view, download and print various land-related records.
LPS is a data analytics company that aggregates data relating to real property. It often collects data from counties directly, via bulk transfer. If this is not feasible, LPS uses a program such as Laredo, i.e., it obtains a subscription to access the county’s data from the county. LPS also has the option of getting the data via microfiche or through field access, but those are less preferable for obvious reasons.
LPS utilized Laredo to develop a web crawler. It downloaded the Laredo software, searched for a public record, and using an HTTP analyzer, determined the traffic and specific locations that were queried to access the record in question. It noticed that searches for documents via Laredo followed a certain protocol. Once it determined this protocol, LPS was able to design a crawler that harvested information directly from the servers in question (some 50% of the counties hosted their own records and the remainder had Fidlar host the records). The court notes that LPS’ harvester “connects to a county’s servers without LPS having to enter its username and password each time.” When LPS initially logged in through Laredo, LPS was assigned a unique identifier, and using this ID LPS was able to connect to the servers directly.
The counties became concerned at LPS’s use of Laredo and contacted Fidlar. Fidlar determined that LPS had subscribed through counties to access Laredo but was essentially circumventing Laredo. No “minutes” of access were logged, meaning no fees were accruing. Fidlar then informed the counties that LPS was engaging in “improper” and “unauthorized” use of Fidlar’s system and had “compromised” the counties’ data. [roughly paraphrased] Fidlar advised the counties that it was considering legal action against LPS, the counties should terminate LPS’s access to Laredo, and the counties should install a software update that would prevent LPS’s bulk access of the data.
Fidlar sued LPS alleging Computer Fraud and Abuse Act and trespass claims. LPS counterclaimed, alleging tortious interference due to the disparaging communications from Fidlar to the counties. It also sought an injunction requiring the counties to restore LPS’s access to the data by reverting to the earlier version of Laredo.
CFAA claims: Fidlar’s CFAA claim was premised on a violation of 1030(a)(5)(A), which covers the transmission of a computer contaminant that causes damage. LPS argued that Fidlar failed to satisfy the damage threshold and failed to allege intent on the part of LPS. The court disagrees. With respect to damage, the court says that the term “damage” should be considered broadly to encompass “any reasonable cost to any victim.” According to the court, Fidlar’s allegations regarding interruptions to its own clients’ access (the counties) and the ameliorative measures it took easily suffices. On the second argument, the court says that LPS clearly acted intentionally. That causing damage was not the focus of LPS’s actions is irrelevant. The court also declines to dismiss the Illinois computer fraud statute claim, finding that Fidler’s allegation that LPS used a computer program to access Fidlar’s servers was sufficient.
Trespass to chattels: The court initially says that LPS’s access to the data in question does not state a trespass claim because data is not something that can be trespassed. On the other hand, LPS’s access to Fidlar’s servers plausibly denigrated the functioning of Fidlar’s servers. It declines to dismiss this claim.
LPS’s request for equitable relief: LPS requested the court to preserve the status quo during the pendency of the lawsuit.
One facet of this request involved trying to force the counties to cease upgrading Laredo or otherwise cooperating with Fidlar in preventing LPS’s access to the data. LPS argued that not only was what LPS doing proper, what the counties were doing contravened Illinois public records statutes. Unfortunately for LPS, the court says that the counties are not a party to the lawsuit, so the court can’t force the counties to do anything. (Cf. a case frequently cited by Eric on this blog in the Section 230 context: Blockowicz.)
The other facet of LPS’s request involved trying to limit Fidlar’s allegedly defamatory statements to the counties regarding the nature of LPS’s activities. Assuming for purposes of argument that Fidlar’s statements (that LPS had gained “unauthorized” access to data, etc.) were potentially defamatory, the court finds that they are shielded by two privileges. The statements fall under the consultant’s privilege. Because the statements are made to government entities, they also fall within the First Amendment privilege to petition the government. In the modern era, this privilege is construed broadly, and Fidlar’s statements to the governmental entities likely fall within this privilege.
Ultimately the court balances the PI factors, and while it expresses some reservations, declines to grant LPS’s request for a PI.
This is a cluster of a case, and it should raise the hackles of anyone who cares about open access issues. While the issue is not sufficiently presented in a procedurally direct fashion, the fact that counties are allowed to erect what is essentially a paywall around public records is deeply disconcerting. The fact that Fidlar seems to overtly promote this as a revenue model to governmental entities is downright crazy. To be clear, the court did not make a definitive determination regarding the public records status of the data LPS was trying to access, but if there is even a whiff of this going on, this warrants a second look.
Fidlar’s CFAA claim raises some interesting legal issues. While the facts don’t seem totally analogous, they are vaguely similar to those in US v. Auernheimer. There the defendant is being prosecuted for accessing data that was not password-protected but that the average person probably could not access. If in this case the precise locations of the public record could be “guessed” with some looking around, should there be a violation of the CFAA because LPS accessed the data in the way it did. (The facts here are not totally clear as to the effect of LPS’s password and whether a total stranger could have accessed the data after obtaining the precise locations of the documents. That’s obviously a key difference.) In any event, for whatever reason, Fidlar pled the case under a different section of the CFAA, and from that perspective it’s a somewhat poor fit. The section at issue appears to target things like worms or computer contaminants—i.e., things that perform functions unbeknownst to the user in question. Here, the program in question queries the server and returns information. Unlike a worm or virus, it doesn’t cause any separate problems with the server.
The court engages in some lengthy discussion about the trespass to chattels. Despite concluding that the underlying data should not necessarily be subject to legal restrictions and the fact that a chunk of the data may be stored on the counties’ servers anyway, the court still lets the claim proceed. Eric has blogged previously about trespass to chattels and how this doctrine is irreparably broken. This case is another data point that supports this.
LPS’s tortious intereference claims are also interesting and reminiscent of the (uncited) Tamburo v. Dworkin. That case involved accusations of theft around scraping, and the court said that given the legal uncertainty around scraping, these types of statements were not actionable. The court here took a very different approach from the court in that case, although it ended up in the same place.
[Eric's comment: I put this lawsuit in the same category as red light cameras and the DoD's licensing of public domain photos. All too often, we see private vendors and government entities conspire with each other to charge public citizens a second time for services the government has already been paid to do.]
Case citation: Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 4:13-cv-4021-SLD-JAG (C.D. Ill. Nov. 8, 2013)