Interesting Database Scraping Case Survives Summary Judgment–Snap-On Business Solutions v. O’Neil

[Post by Venkat, with additional comments from Eric below]

Snap-on Business Solutions Inc. v. O’Neil & Assocs., Inc. (N.D. Ohio April 16, 2010) [scribd]

Snap-on is one of those cases that’s great because the court canvasses the various claims that come into play in the increasingly common scenario when someone accesses a computer or network to extract data following termination of (or outside of) a contractual relationship. (The practice of extracting data from a website is commonly known as ‘scraping’.) The court punts based on the existence of factual disputes, but the court’s order is well worth a read just because it lays out the issues and theories.

The background facts are straightforward. Mitsubishi hired Snap-on to build a database of parts data which Mitsubishi dealers could then access online. Mitsubishi provided the underlying documents and images (parts information) to Snap-on, who converted them and built a “searchable database with linked data and images.” At some point, Mitsubishi decided to move the parts database over to O’Neil, instead of Snap-on. When Mitsubishi asked for a copy of the database, Snap-on predictably declined. Snap-on told Mitsubishi that Mitsubishi could have the database, but would have to pay an extra fee. Meanwhile, O’Neil, Mitsubishi’s new vendor suggested that it could extract the data from Snap-on’s servers using O’Neil “scraper tool.” O’Neil ran the scraping program, and used log-ins provided by Mitsubishi in the process of gathering the data. According to testimony from Snap-on, O’Neil’s access of Snap-on’s website caused Snap-on’s website to “crash” in at least one instance.

Snap-on sued O’Neil (and interestingly not Mitsubishi) alleging Computer Fraud and Abuse Act, trespass to chattels, unjust enrichment, breach of contract, copyright infringement, and misappropriation of trade secrets.

Computer Fraud and Abuse Act: The key question on the Computer Fraud and Abuse Act claim was whether O’Neil’s access of the website was “without authorization.” The court held that the underlying agreement between Mitsubishi and Snap-on did not clearly resolve the question of whether Mitsubishi could authorize O’Neil to access Snap-on’s website and servers and, whether even assuming Mitsubishi had this ability, Mitsubishi somehow lost it.

I think the court came to the correct conclusion on whether the access was without authorization. There’s a split of authority in the employment context as to whether an employee’s access to the employer’s servers for the employee’s own purposes constitutes “unauthorized access,” but this case doesn’t implicate that scenario. (Jeff Neuburger covers the 9th Circuit’s recent ruling in LVRC Holdings, LLC v. Brekka, which acknowledges this split.) Here, the parties had an agreement, and the only viable argument by O’Neil on the unauthorized access issue was that Mitsubishi had authorized O’Neil to access Snap-on’s computers and servers. (Since you had to log-in to access the website, O’Neil could not argue that Snap-on impliedly authorized everyone (including search engines) to access its site.) The terms of the agreement between the parties would resolve this issue and the agreement didn’t provide a definitive answer, at least at the summary judgment stage.

Trespass to Chattels: Snap-on also asserted a trespass claim based on damage or temporary deprivation of the ability to use its servers. The court also declined to resolve this issue on summary judgment, finding that Snap-on presented sufficient evidence to find that O’Neil’s unauthorized access caused Snap-on’s servers to crash and “deprived Snap-on of their use for a substantial time.

O’Neil argued that copyright law preempts Snap-on’s trespass claim. The court summarily (and in a conclusory fashion) rejects this argument, finding that Snap-on’s argument seeks to protect the integrity of its computer servers, rather than its “possessory interest in the [software] or accompanying database.”

Unjust Enrichment: The court finds that Snap-on’s unjust enrichment claims were preempted by the Copyright Act since Snap-on failed to provide any evidence as to how the unjust infringement claims were based on rights distinct from Snap-on’s rights as a copyright owner.

Breach of Contract: Snap-on also asserted a claim for a breach of its end user license agreement. The court declined to dismiss this claim based on the existence of factual dispute as to whether the parties entered the EULA and whether O’Neil breached it. Surprisingly, Snap-on’s website required a log-in but only contained a statement that “[the] use of and access to the information on [Snap-on’s] site is subject to the terms and conditions set out in [Snap-on’s] legal statement.” Snap-on did not users to check the box, acknowledging that they read and agreed to the end user terms.

Copyright Infringement: Snap-on knew it had an uphill battle on the copyright claim for a few reasons. First, much of the material (such as the images) is owned by Mitsubishi to begin with. Second, it’s tough for anyone to argue that pricing and parts information is copyrightable. With this in mind, Snap-on argued that the “database structure” is entitled to copyright protection and Snap-on owned the copyrights in the structure.

The court went through the Feist analysis. In Feist, the court held that a “factual compilation is eligible for copyright if it features an original selection or arrangement of facts, but the copyright is limited to the particular selection or arrangement. In no event may copyright extend to the facts themselves.” Lower courts have applied Feist and found that databases containing facts may be copyrightable. O’Neil argued that the “arrangement” or the database structure was obvious and was thus not entitled to copyright protection. The court again agrees with Snap-on that factual disputes preclude summary judgment on copyrightability and ownership.

The court’s conclusion on the copyright issue seemed the most problematic. Even if Snap-on owned some part of the underlying arrangement or database structure, did O’Neil “copy” the structure, or otherwise exercise any rights exclusive to the copyright owner? This is a tough sell. Also, on the ownership issue, I would think Mitsubishi would have a colorable argument that even if it didn’t own the copyright, it should be treated as a joint owner along with Snap-on?

Trade Secrets: Finally, the court also declines to grant summary judgment on Snap-on’s trade secrets claims. I’m not sure what trade secrets Snap-on is using to support its claim, and I’m skeptical that any trade secrets exist here that O’Neil misappropriated. However, given that the court declined to grant summary judgment on the other claims, it wasn’t the end of the world for the court to let this claim go to the jury as well.

__

Apart from canvassing the various legal theories that come into play in this type of a factual scenario, the case also offers a few practice pointers.

First, if someone is hosting or storing data for you, it makes sense to have a provision in the agreement that allows you to get access to the data at the termination of the relationship, regardless of any contractual dispute that may arise between the parties. The party with physical access to the data will have leverage as a practical matter, and this is the type of thing contractual language should address. As a last resort, the party who may be in a position to extract the data should have an unbridled ongoing right to extract the data during the course of the relationship. The agreement should also have a notice and breach provision that would prevent the summary denial or revocation of authorization.

Second, I’m surprised there wasn’t a clear ownership clause in the agreement that said Mitsubishi owns the underlying data, the database structure, and any copyrightable elements in the database. A determination by the court that Snap-on owns some copyrights in the database structure could cause problems down the road for Mitsubishi. There are many reasons why it made sense for Mitsubishi to own the data, and Snap-on doesn’t have much of a business justification for owning the data because it can’t use it at the termination of the relationship. As a last resort, Mitsubishi should have had a broad license to the data.

Third, the agreement should contain terms allowing Mitsubishi to authorize third parties the right to access Snap-on’s servers and any copyrighted material, at least for back-up and archiving purposes.

Fourth, if you are a website that is looking to prevent scraping, ownership of the underlying data and restrictions on access (such as a log-in) help significantly. Professor Goldman’s comments below highlight that scraping is problematic from a legal standpoint. However, two things that bolstered Snap-on’s claims are its ownership of the data and the fact that O’Neil accessed the site through a log-in which it wasn’t clearly authorized to use. This, coupled with the fact that Snap-on was in physical possession of the data at the termination of the relationship, pretty much put it in the driver’s seat.

Finally, Snap-on’s contract formation process could have been cleaner. Where you have a situation involving access of a website for a business purpose (where the person is accessing data that they need) there’s much less risk of people declining to access your website based on additional hurdles in the form of click throughs or check the box. In the consumer setting, websites often weigh certainty of contract formation against customer conversion, but this isn’t really present in Snap-on’s case. I guess what I’m saying in a long-winded way was that Snap-on should have implemented a mandatory, non-leaky, clickthrough, as discussed in Professor Goldman’s post covering Scherillo v. Dun & Bradstreet.

____________________________

Eric’s comments:

This is such a rich and interesting case that both Venkat and I wanted to cover it. I am frequently asked if scraping is legal, and the short answer is that (a) possibly not, but (b) people regularly do it anyway. This case illustrates the difficulty of doing scraping legally, and I highly recommend reading this case to anyone who thinks scraping solves a business problem they are having. If anything, this case was unusually defense-favorable because the replacement vendor (O’Neil) was scraping the customer’s (Mitsubishi’s) data at the customer’s request. Yet, because that data resided on Snap-on’s servers, O’Neil is still staring down the barrel of copyright, contract, CFAA and common law trespass to chattels claims. If I were on the defense team, I’d be whipping out my checkbook and angling for a settlement, because I expect this case will not play well in front of a jury.

This case is slightly similar to a case from earlier this year that I never got a chance to blog, Edgenet v. Home Depot. In both Edgenet and this case, a big company retained an outsourced vendor to maintain and enhance an obviously unwieldy product catalog, and legal tussles ensued when the customer and vendor divorced. According to this opinion, Mitsubishi thought it had procured the IP rights to Snap-on’s enhanced database, but Snap-on thought otherwise and demanded extra money to get something Mitsubishi thought it had already bought. As Venkat indicates, this reinforces the practice pointer that customers always need to have a clear exit strategy nailed down upfront whenever they enter into an outsourcing relationship.

The case is a little less clear about Mitsubishi’s ability to get interim deliveries of the database pre-termination. (The case suggests that Snap-on tried to charge for this as well). As Venkat also indicates, this violates another rule of outsourcing–without a copy of its database, Mitsubishi was never in control of its fate and continuously vulnerable to Snap-on deciding to play a hold-up game.

When Mitsubishi finally decided to go with Plan B and retain O’Neil as Snap-on’s replacement vendor, a series of poor judgments followed. Mitsubishi decided it was too expensive to have O’Neil replicate the work Snap-on had done, and Mitsubishi apparently decided it was too expensive to pay Snap-on for the one-time delivery from its database. But what did Mitsubishi expect–that Snap-on expected to be paid for delivering the data but would acquiesce to free scraping? Snap-on seems to have made it clear that its business model included payment for getting Mitsubishi data out of Snap-on’s database, so Mitsubishi had to know that any alternative courses of action were dicey.

Then O’Neil, presumably trying to be helpful, offered the scraping option. Any lawyer in the process should have kiboshed the idea on the spot. Instead, Mitsubishi gave O’Neil some login credentials in apparent violation of the Snap-on agreement. This reminded me of the Oracle v. SAP lawsuit, which is not going to end well for SAP.

The scraping process did not go well, either. It appears the scraping tool was misconfigured because it allegedly caused enormous traffic spikes that ultimately crashed the site at least once (and maybe twice). Even if the court follows the more restrictive Hamidi approach to common law trespass to chattels requiring damage to computer system resources, this qualifies. Snap-on blocked the scraper’s IP address, so O’Neil offered to continue using a different IP address (a big no-no in my guide to “legitimate” scraping) but only if Mitsubishi signed an indemnity agreement…which Mitsubishi signed. What??? Are you kidding me??? It’s hard to wave a bigger red flag of problems ahead than to have a vendor say that it will only continue if it gets an indemnity agreement. Fortunately for O’Neil, the indemnity agreement may mean that O’Neil won’t be writing checks when the jury says nyet; unfortunately for O’Neil, the indemnity agreement won’t help if the feds decide to bring a criminal CFAA prosecution. Snap-on blocked the second IP address, O’Neil stopped scraping, and Snap-on decided to sue.

Where were the lawyers in this process? I’m shocked that Mitsubishi’s lawyer didn’t shoot down the initial scraping proposal. Scraping was a classic engineer’s solution to a legal problem. But even if the lawyer never got a chance to speak up then, surely lawyers got involved when O’Neil tendered the indemnity agreement to Mitsubishi. That they didn’t put their foot down then blows my mind. Given Snap-on’s delays, it appears that Snap-on might not have even sued if O’Neil hadn’t reinitiated scraping via a second IP address, so the indemnity agreement should have given Mitsubishi and O’Neil enough time and warning to realize that the engineering solution had failed and it was time to seek a legal solution.

As Venkat recaps, the legal rulings are fairly straightforward given our standard understandings of scraping law. However, they illustrate that despite its ubiquity, scraping may not be legally defensible when challenged in court–even, in this case, when Mitsubishi was trying to retrieve “its own” data.

Finally, this case is a microcosm of the broader IP battles over product catalog and taxonomical data. See my notes from my 2007 talk about IP rights in taxonomies. I don’t have a solution to these IP battles, but I continue to wonder about the social benefits we could obtain if a global product catalog existed that everyone could freely use.