Using Scraper to Harvest Records Isn’t Fraudulent Access Under CFAA–Fidlar v. LPS
Fidlar works with counties to digitize and index land records. It also makes available a software client (Laredo) that allows end users to access these records. Billing is handled by the counties, and counties have monthly access plans. The counties also provide accounts (and passwords) to end users. The plans are usually time-based but include separate “print fees” so that people who print a record for off-line viewing have to pay additional fees. Fidlar’s EULA did not impose any specific restrictions on use of Laredo. As the court notes, the EULA says a user may “use . . . any portion of the software for any purpose”. [I didn’t double check this but it seems odd for a EULA to contain broadly permissive language like this.]
LPS wanted to aggregate the data underlying the county records, so it built a harvester to mimic the calls Laredo would send to the database. Using this process, while logged in using county-provided passwords, LPS downloaded a massive quantity of county records. (The precise relationship between being logged in and accessing the records is not clear factually.) It then sent these records offshore for processing and extracted the underlying data. A county alerted Fidlar to the fact that LPS was paying fees but not logging any time. It sued LPS under the Computer Fraud and Abuse Act and state anti-hacking law. The district court dismissed Fidlar’s claims at summary judgment. (Blog post on the district court ruling here: “Company That Facilitates Digital Access to Public Records Uses CFAA to Block Scraper”.) The district court case involved a host of issues, including alleged contractual interference by Fidlar (who contacted the counties to try to disrupt LPS’s access), defamation claims, the public records status of the data, and whether Fidlar and the counties could gate the data in this manner consistent with public records statute. These are all interesting issues in their own right, but Fidlar’s appeal only focuses on the CFAA issues.
Fidlar proceeded under section 1030(a)(4), which prohibits the access of a protected computer with the intent to defraud. The court says that no reasonable juror could find that LPS acted with intent to defraud. This subsection of the statute was intended to capture instances of fraud, as distinguished from “mere trespass”. And the court says at the outset that this is not a case of theft: whether LPS had permission to access the records is not at issue (it admittedly did), but Fidlar is complaining about the manner of access. (The access-vs.-use distinction has come up repeatedly in unauthorized access cases.)
Fidlar argued that the circumstances allowed an inference of intent to defraud, because LPS knew it was engaging in conduct that warranted separate charges but, due to the manner of its access, did not pay. In Fidlar’s view, the record supported an inference that LPS knew it was receiving records for free and being under-charged, and its continued access amounted to fraud. The court disagrees, and says LPS’s conduct is consistent with having non-fraudulent intent. It used the web-harvester in counties that did not charge a separate print fee. It also continued to pay unlimited subscriptions for counties, despite not logging any time. If its intent was to escape charges, it would have taken a different approach. The court also notes that LPS did not conceal its use of the harvester. LPS also offered testimony from its employees that supported its view that it did nothing improper. [LPS caught a nice break here by not having any smoking gun emails expressing doubt regarding the legality of its actions.]
The court also points to Fidlar’s own conduct with third parties as supporting LPS’s theory that its access was not fraudulent. Fidlar knew that other companies engaged in harvesting but did nothing to stop them. And internal Fidlar correspondence reflected that the employees believed that they could take simple additional steps to make scraping illegal (but that it currently was not contrary to Fidlar’s contractual terms). The court also points to the fact that the agreements in question did not expressly prohibit LPS’s conduct. Finally, the architecture of Laredo also supported LPS’s view that its actions were permissible—there were no technical limitations on use of a harvester. The calls made by Laredo were not encrypted and could be ascertained by LPS. And the database was accessible by means other than by the Laredo software.
The court also says that Fidlar can’t satisfy the “damage” element. LPS did not cause any sort of interruption in services. Fidlar tries to cobble together some theory of damages, for example, by arguing that LPS caused damage to Laredo by preventing its tracking functionality from functioning normally, but the court says that the “Laredo system” is not even the protected computer that LPS accessed. Fidlar can’t broaden the definition of protected computer to satisfy the damage threshold. At the end, the court says that Fidlar is bringing a trespassory claim, and the damage limitation in the CFAA is intended to ensure that the CFAA only covers access that causes disruption, not any access that lacks permission.
As I mentioned in my blog post on the trial court’s ruling, the facts of this case are vaguely reminiscent of other cases where defendants faced criminal prosecution instead of a civil lawsuit. LPS ended up with a great result. A rare scraping case that ends in a defense win.
The court’s ruling should not be read to approve of scraping. To the contrary, the court cites to the fact that Fidlar could have taken various (and some trivial) steps to expressly prohibit the access that LPS engaged in. These included both contractual and technical measures. In such cases, Fidlar could have a viable CFAA claim, albeit under a separate subsection of the CFAA. (See Judge Breyer’s ruling in the 3taps case, which involved revocation of access to a publicly available website and claims under 18 U.S.C. § 1030(a)(2)(c). Fidlar would still have to satisfy the damage element, which it had trouble doing in this case.) The court’s rejection of Fidlar’s claim as a trespassory claim is nice, but does not resolve the key questions of the proper definition of “unauthorized access” that courts have grappled with repeatedly.
I don’t recall many appellate cases dealing with civil claims arising under this subsection of the CFAA. The court doesn’t quite specify whether it interprets “intent to defraud” in the common law sense or as something broader. It’s hard to see how LPS’s actions were fraudulent in the common law sense of the term. And although the court does not go there, you wonder whether access by an automated device can be fraudulent in the typical sense anyway.
NB: there were two other interesting district court CFAA rulings in the past month, but I’ll save those for another post.
Case citation: Fidlar Techs v. LPS Real Estate Data Solutions, Inc., No. 15-1830 (7th Cir. Jan. 21, 2016) [pdf]