In an effort to avoid that graveyard of litigation, the plaintiff tried the trespass to chattels doctrine. But….um…exactly how does a browser extension trespass any chattel controlled by the retailer? The retailer’s answer (I shit you not, I would not make up shit like this):

superimposing the Price Comparison Tool over other content on the S&S Site trespasses on valuable digital real estate that S&S has expended time, resources, and effort to make aesthetically and functionally appealing to its customers (emphasis added)

Holy mixed metaphors….”digital real estate”!

This lawsuit would be mockable at any time, but its mockability skyrockets in the wake of the Best Carpet Values v. Google decision, which essentially rejected a functionally identical “trespass to web pages” argument.

Sticking closely to the Best Carpet Values decision, the court tells the plaintiff:

the alleged “trespass” is not to any aspect of S&S’s website that is in its possession. Rather, S&S alleges that Defendants’ Price Comparison Tool alters the appearance of S&S’s website in a consumer’s web browser on the consumer’s computer. S&S does not allege that it possesses the consumer’s browser or computer. And S&S cites no authority that it possesses, or has any property interest in, the appearance of its website on a third party consumer’s browser or computer.

The plaintiff tried to obfuscate this issue by arguing that trespass to chattels can apply to intangible property–a slightly true but deeply problematic statement. As I’ve repeatedly explained, if the definition of “chattels” mean intangibles–i.e., the antonym of “chattels”–then trespass to chattels morphs into a doctrine of “trespass to plaintiff’s butthurt feelings,” and the law implodes on itself.

The court doesn’t take this bait. Instead, like the Best Carpet Values decision, the judge observes that by the time the browser extension modifies the retailer’s web page, the digital bits are no longer in the retailer’s “possession.” I would much prefer courts define chattels to categorically preclude debates over its applicability to intangibles, but the court’s logic gets the job done.

There’s nothing left for the retailer to complain about:

Defendants are not alleged to have intercepted and altered S&S’s website transmission such that it was impossible for any consumer to view S&S’s website as S&S intended. Rather, Defendants provided a tool that consumers could decide to use to view S&S’s website in a way chosen by the consumer once the website transmission was in the consumer’s possession. S&S has no property right in the consumer’s internet viewing decisions.

Furthermore, the alleged act of “trespass” identified by S&S is an action taken by the consumer, not by the Defendants. The action S&S alleges constitutes “trespass” is the appearance of Defendants’ Price Comparison Tool superimposed on S&S’s website. But it is the consumer who decides whether to enable the Price Comparison Tool on their computer. To the extent enabling the Price Comparison Tool constitutes a trespass, Defendants aren’t the ones committing it.

In a sense, the court’s ruling is pro-user. The plaintiff is essentially claiming that it alone determines the canonical view of the website. However, websites are viewed on a wide range of devices and browsers, all of which the user chooses, so web pages don’t have any canonical version that the law can recognize. The court’s decision seemingly lets users, not the website, choose which technologies they want to use to access a website.

And yet, this passage also implies that perhaps the retailer could sue the users for trespass to its valuable digital real estate for marring its beautiful and canonical web page. As stupid as that sounds, such a claim would not be materially worse than the claim rejected here.

Case Citation: S&S Activewear LLC v. Promo Hunt, Inc., 2026 U.S. Dist. LEXIS 91156 (N.D. Ill. April 23, 2026). The complaint. Per the complaint, this lawsuit addressed more topics that just trespass to chattels. Still, three lawyers from Sidley & Austin–traditionally, one of the most prestigious law firms in the country–signed off on the phrase “trespasses on valuable digital real estate.” Surely that will be a peak moment of their legal careers. A note about my time at Sidley & Austin.

The post Plaintiffs Are Still Litigating–and Losing–Website Framing Cases (S&S v. Promo Hunt) appeared first on Technology & Marketing Law Blog.

After the Supreme Court’s first and only CFAA decision in Van Buren v. US in 2021, I wrote that the Court “could have done 10% more work here and provided clarity on very key questions….[but SCOTUS] declined the opportunity to do so. In the end, there are remarkably few clear, declarative sentences in this opinion that provide guidance for future cases.”

The Court intentionally left open many key questions. And so it should come as no surprise that there has been an emerging doctrinal divergence related to key concepts with the CFAA. Perhaps most notably, Courts have been applying the concept of “technological harm” in the CFAA differently in different circuits.

In Van Buren, Justice Barrett wrote:

…§1030(a)(2) also gives rise to civil liability, §1030(g), with the statute defining ‘damage’ and ‘loss’ to specify what a plaintiff in a civil suit can recover. ‘[D]amage,’ the statute provides, means ‘any impairment to the integrity or availability of data, a program, a system, or information.’ §1030(e)(8). The term ‘loss’ likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting ‘damage’ and ‘loss’ in this way makes sense in a scheme ‘aimed at preventing the typical consequences of hacking.’ Royal Truck, 974 F. 3d, at 760. The term’s definitions are ill fitted, however, to remediating ‘misuse’ of sensitive information that employees may permissibly access using their computers.

Van Buren v. United States, 141 S. Ct. 1648, 1659–60 (2021) (quoting 18 U.S.C. § 1030(e)(8), § 1030(e)(11)).

Multiple district courts, especially in SDNY and the Northern District of California, began to interpret Van Buren to demand that any CFAA “loss” be tethered to technological harm. Meanwhile, some other district courts read the statute to allow any claim to proceed that included an allegation that a plaintiff had investigated an offense and incurred $5,000 in so doing.

Where this comes up most consistently is in the context of an internal investigation related to alleged unauthorized access. Courts increasingly have disagreed about whether an internal investigation, untethered to “technological harm,” meets the standard for a qualifying loss under §1030(e)(11). While not quite rising to the level of a circuit split, lower courts in the 2d, 3d, and 9th Circuits have increasingly required specific pleading at the motion to dismiss stage to allege that the internal investigation posited as a “loss” was tethered to “harm to computer data, programs, systems, or information services.” In the 5th, 7th, and 11th circuits, courts were much less inclined to require that specific pleading.

—

On Jan. 21, 2026, the Tenth Circuit became the first circuit court to squarely reject the CFAA interpretation that investigations must be tethered to technological harm. It did so with Moxie Pest Control (Utah), LLC v. Nielsen, and it concluded that investigative costs qualify as a CFAA “loss” even when the plaintiff does not show or even allege “technological harm” like corrupted data or damage to systems.

According to the Tenth Circuit, under § 1030(e)(11)’s plain text, any reasonable cost of responding to an offense qualifies.

—

This was the general divide that had emerged around the country pre-Moxie.

The first camp suggests that costs must be tethered to clear evidence of technological harm to qualify as a loss.

The courts in this camp do not reject investigative costs as a category. But conclusory pleadings related to investigations in the absence of technological harm often get dismissed. These courts have demanded specifics about what was done, why the investigation was necessary, how it ties to the intrusion, and evidence that the “loss” was tethered to “harm to computer data, programs, systems, or information services.”

Many recent decisions have been pushing in that direction:

• CoStar Group, Inc. v. Leon Capital Group, LLC (D.D.C. 2022) dismissed where the claimed loss was time and money spent “identifying, investigating, and attempting to block and otherwise respond,” but the allegations did not adequately plead cognizable CFAA loss.
• The Phoenix Co., Inc. v. Castro-Badillo (D.P.R. Aug. 9, 2024) dismissed where the plaintiff relied on “investigation” but did not plead what investigative measures were taken and what damage, if any, was actually caused.
• Sylabs Inc. v. Rose (N.D. Cal. Sep. 26, 2024) dismissed where “loss” was pegged to forensic analysis but the allegations were essentially conclusory and failed Rule 12(b)(6) specificity expectations.
• William Gottlieb Mgmt. Co., LLC v. Carlin (S.D.N.Y. Mar. 26, 2024) dismissed where the “investigation” just confirmed what the plaintiff already knew and did not involve analyzing effects on computer systems.
• X Corp. v. Center for Countering Digital Hate (N.D. Cal. 2024) dismissed X Corp.’s CFAA claim at the motion-to-dismiss stage because the court found that X failed to allege technological harm necessary under § 1030’s loss definition, and that internal costs and reputational advertising revenue losses tied to CCDH’s reports and investigations did not allege harm to computer data, systems, or programs as contemplated by the statute. Also, the broader complaint was treated as a SLAPP aimed at punishing criticism rather than bona fide CFAA conduct.

If you read those cases as a group, you find situations where courts are skeptical of internal investigations because they seem pretextual. According to these cases, an alleged investigation is not a blank check to proceed with a CFAA claim. Courts want to see that the investigation was a response to an access violation causing technological harm and not just a litigation prep exercise.

The second camp is more of a magic words approach. If there’s alleged unauthorized access, and you say there was an investigation that cost $5k, the case moves to discovery.

This was pretty much the consensus around the country pre-Van Buren. But lower courts were fairly evenly divided about that concept of loss post-Van Buren.

The Tenth Circuit in Moxie is now a clean appellate-level entry for this camp.

According to Moxie, the CFAA’s definition of “loss” explicitly includes response and damage-assessment costs. So district courts should not treat Van Buren as silently rewriting the civil-remedies threshold into limiting investigations to those tethered to technological harm.

Moxie is now the most prominent post-Van Buren statement on this question, and because it is a circuit court opinion, and not a one-off district court order, it will carry significant weight, and may permanently tip the scales in favor of this camp.

—

The facts of Moxie are as follows:

The plaintiffs were a group of affiliated pest-control companies that alleged employees of their competitor, Aptive Environmental, bribed current and former Moxie representatives to turn over confidential, password-protected sales data (including leaderboards) stored in Moxie’s system, which Aptive then allegedly used to recruit door-to-door sales representatives. Moxie sued Aptive and several individuals under the Computer Fraud and Abuse Act (CFAA), RICO, the Defend Trade Secrets Act (DTSA), and Utah’s Uniform Trade Secrets Act (UTSA).

The district court dismissed Moxie’s CFAA claim for failure to plead a qualifying “loss” post-Van Buren, denied motions to compel broad damages discovery, and granted summary judgment on the other claims for lack of causation. On appeal, the Tenth Circuit reversed the dismissal of the CFAA claim, holding that Moxie’s allegations of over $5,000 in investigative costs incurred in response to unauthorized access plausibly satisfied the CFAA’s “loss” definition even absent technological harm, affirmed the discovery ruling, affirmed summary judgment on RICO, and reversed in part the DTSA/UTSA rulings on remedies and remanded for further proceedings.

—

For practitioners in this space, it isn’t hard to see how Moxie could be problematic.

There is a chicken-or-the-egg conundrum with the statutory language cited by the Tenth Circuit. While § 1030(e)(11)’s definition of loss includes any reasonable cost of responding to an offense, the statute itself does not offer any guidance on what the *offense* must be that provokes the investigation. By the Tenth Circuit’s definition, it doesn’t matter. Any conduct associated with unwanted access will do. And so, activity that does not cause technological harm can give rise to a CFAA claim if a plaintiff investigates it and incurs $5,000 in expenses.

The problem is twofold: (1) It lets plaintiffs convert a whole range of non-technological harms into federal computer crimes, thus seemingly contradicting the guidance of the Supreme Court and the statute itself, which requires harm to computer data, programs, systems, or information services; and (2) The $5,000 threshold becomes nigh-meaningless. Any plaintiff with a lawyer and an incident-response vendor can hit $5,000 by lunchtime. Indeed, a recent case found that a pro se plaintiff spending 25 hours of his own time was sufficient to establish a “loss” under the CFAA. Karcz v. Mezouak, 2026 WL 622679 (D.N.J. March 5, 2026).

In other words, conduct that would not give rise to a CFAA violation because the alleged harm is not technological in nature under the Supreme Court’s definition of a “loss” can easily become a CFAA “loss” as long as a plaintiff alleges that they investigated it.

That’s a deeply circular definition of “loss”. But Moxie didn’t grapple with that deeper circularity head-on.

Making benign integrations and free speech criminal

Let me lay out a couple of different fact patterns where this often plays out.

Even though the defendants here are highly unsympathetic, that’s not always the case. The alleged conduct was plainly wrongful. It involved alleged bribery, misuse of credentials, and copying confidential information from a protected account. But the CFAA should be reserved for technological harms, not merely unauthorized taking of information. That distinction matters. The opinion blurs the line between digital trespass and ordinary misuse of access, even though the real injury alleged was the taking of valuable business information, not damage to the integrity or functioning of the computer system itself. If the system still worked as designed, was not impaired, and suffered no meaningful technological disruption, then this looks much more like a trade secrets or unfair competition case, not a CFAA claim.

That overexpansion matters beyond these bad facts. Once courts allow the CFAA to reach conduct that does not cause technological harm, the statute becomes a much more flexible weapon for private plaintiffs and platforms seeking to recharacterize disfavored access as computer intrusion.  There are countless software integrations whose primary business purpose is to integrate some sort of useful activity within another company’s platform. Lots of companies build these useful layers into and on top of other companies’ software. Most of the time, the purpose of these integrations is to provide something of value to end users, but of course, large platforms are often reluctant to cooperate with third parties.

Created by ChatGPT Dec. 2025

The panel says, almost in passing, that “we need not decide whether the conduct Moxie alleged violates the CFAA. It does,” because Nielsen used a pilfered password, and then goes on to hold that investigative costs alone can satisfy CFAA loss without any technological impairment. The problem is not that the defendants should win. They should not. The problem is that the opinion does nothing to distinguish credential theft from the far more ordinary reality of delegated access and platform integrations, where a user intentionally lets a third-party tool access an account through stored credentials, session continuity, or other account-linked mechanisms. In a world full of CRM plug-ins, analytics layers, scheduling tools, and middleware, courts should be careful not to let “access by someone other than the nominal account holder” plus “investigation” equal a federal crime. The “loss” element needs to be a meaningful filter. If it isn’t, lots of benign conduct becomes illegal.

If investigative expenses are enough, regardless of whether tethered to a technological harm, then a platform that objects to a researcher, watchdog, journalist, or advocacy group can more readily plead its way past dismissal by alleging unauthorized access plus the cost of figuring out what happened. Moxie sits uneasily beside X Corp. v. Center for Countering Digital Hate, where Judge Breyer recognized the basic danger directly, writing that the case was “about punishing the Defendants for their speech” and that X sued “in order to punish CCDH” for publications criticizing the platform.

To be clear, Moxie did not involve public-interest criticism. It involved commercial espionage. But doctrine built in hard cases does not stay in hard cases. Once courts make it easier to plead CFAA claims based on contested access and post hoc investigation costs, that logic can be repurposed by platforms seeking to suppress unfavorable reporting, auditing, or accountability research. The right lesson from Moxie should have been narrow, but instead it was unequivocal and unqualified.

Don’t get it twisted: If self-motivated, sponsored investigations untethered to technological harm qualify as losses under the CFAA, then any integration disfavored by a platform can be made illegal, regardless of how valuable or pro-social it may be. And any “access” that’s disfavored by a platform can be made illegal, too. Regardless of how benign or pro-social it may be.

That’s the legal landscape that Moxie creates.

In the coming months, the Ninth Circuit is likely to revisit this issue with Perplexity AI’s appeal of the preliminary injunction issued by the Northern District of California in its case against Amazon. When that case is decided, we can expect to get a clearer picture of whether there will be a consensus on this issue or a true circuit split.

The post Tenth Circuit Broadens CFAA ‘Loss’ Beyond Technological Harm–Moxie v. Nielsen (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

A recent Northern District of California opinion in Cordova v. Huneault sent another bat-signal to those who follow this area of the law: copyright law in the context of public content is being consumed by the DMCA. [Eric’s note: I blogged the 512(f) angle of this case previously.]

The court let a DMCA section 1201(a) claim survive a motion to dismiss based on allegations that YouTube uses technical measures, including rolling cipher mechanisms, to prevent unauthorized downloading. The court then said the fact that the videos are broadly accessible by the public does not matter. If there are technical measures aimed at stopping downloading, that can be enough to plead an access-control theory.

On the surface, this feels like a modest pleading-stage ruling. Courts often say, sure, the plaintiff alleged a thing, let’s get to discovery. But small decisions like this one are how bad legal interpretations get normalized. This one matters because of what it treats as obvious, and what it does not even try to engage.

Publicly viewable, but with access locked?

Cordova alleged that defendants copied his publicly viewable YouTube videos and reposted them. The complaint described rolling-cipher technology, which encrypts and dynamically alters the video stream’s URL signatures, and asserted that ripping tools and browser extensions can “retrieve and decrypt the obfuscated streaming URLs” to make local copies.

Here is the crux of the issue: The work is publicly accessible for viewing, but the platform uses technical controls that allegedly limit access to a particular version of it, the downloadable file, or a preferred pathway to the content. The opinion treats that distinction as sufficient. Viewing is public. Downloading is gated. Therefore, access is controlled.

That framing is doing a ton of work. It is also a convenient way to turn product design and platform preferences into federal anti-circumvention liability.

In the modern web, nearly everything is delivered through some combination of signed URLs, token rotation, encryption, bot gating, and rate limits. They are default architecture. If courts treat that architecture as an access control for section 1201(a), then a lot of ordinary data collection and analysis starts to look like circumvention by definition.

That is how content protection shifts from the domain of copyright law into a federally enforceable platform-control law without anyone ever announcing the shift.

[Eric’s update: to the same effect, see (Sonv Music Entertainment v. Uncharted Labs, Inc., 2026 WL 1019199 (S.D.N.Y. Apr. 15, 2026)).]

The opinion’s biggest problem is what it does not say

Section 1201 has been controversial for decades for a simple reason. It can be used to punish bypassing a restriction even when the underlying use would not be infringing or fair use, or even when the underlying issue is not copyright at all.

Some courts have confronted that risk head on. Two of the most important opinions are Chamberlain v. Skylink and Storage Technology v. Custom Hardware. They wrestle with the idea that 1201 should not create a new property right where copyright does not already grant one. They also worry about a world where rights holders can wrap non-copyright interests in a thin technical wrapper and then claim the DMCA as a super-powered enforcement mechanism.

While there is a circuit split on this issue, the courts on the other side of it should still appreciate the importance of finding a limiting principle here. They should get their spidey-sense up when section 1201 is being used as a substitute for proving copyright infringement, or as a circumvention mechanism itself to avoid fair use, interoperability, competition, and the basic underlying tenets of the Copyright Act.

The court in Cordova is uninterested in that conversation. It does not ask what prevents a plaintiff from turning any technology speed bump into a federal access-control claim. It does not grapple with the downstream impact on public-facing platforms and automated access. It does not ask whether calling publicly viewable content an access-controlled work just because the platform prefers one mode of access is consistent with what Congress really had in mind back when Clinton was the president.

Why this matters for scraping and the open web

I’ve been over this before, but if 1201 liability attaches whenever a platform can point to a rotating token or interface speed bump to public content and call it a TPM, then this law can lead to cascading consequences pretty quickly.

Cordova is a pleading-stage decision. It may narrow later. But if courts keep treating copyright and fair use considerations as “immaterial” to public-facing section 1201(a) cases, the momentum around this is going to build soon. It will allow platforms to set preferences as enforceable laws, and that will have major downstream market effects throughout the tech industry.

The post This Week in the “DMCA Eating Copyright Law”: Cordova v. Huneault (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

A series of prominent web-scraping lawsuits are revisiting the fundamentals of public data access. And in so doing, with a slight reframing of a relatively settled legal issue, major platforms are challenging the presumption that collecting and using public data at scale is legal.

In September 2019, the Ninth Circuit in hiQ v. LinkedIn wrote:

Although there are significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ’s position. We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

hiQ Labs, Inc. v. LinkedIn Corporation, 938 F.3d 985, 1004 (9th Cir. 2019) (vacated by SCOTUS, but this language was later re-affirmed verbatim by the Ninth Circuit in 2022).

It’s hard to overstate the importance of this language for the web-scraping industry. For the first time, there was a court taking a public-policy stand in favor of web scraping. This was not just an instance where a court said that scraping did not constitute a crime. This was a circuit court taking a stand on policy grounds that it was in the public interest for public data on private fora to remain publicly available for public consumption. The Ninth Circuit seemed to fully embrace the idea that allowing public use of public data was vital for a functioning digital information ecosystem.

For those that operate in data access, broadly defined, hiQ v. LinkedIn became shorthand for a simple proposition: Scraping publicly accessible web pages was legal. And while the truth was always a bit more nuanced, and hiQ ultimately capitulated in the case and went under, the legality of public data access was never questioned by industry insiders after the decision.

The last six years have been an absolute boon for the web-scraping industry. And it is not hyperbole to say that the AI revolution might not have come, or at least not have come as fast, had it not been for strong policy presumption in favor of legal data access to public content after hiQ Labs.

Fast-forward six years, and data-access questions are more critical than ever. All the world’s information is there for the taking and there is no shortage of people and companies doing the taking.

In just a few years, AI has become an integral component of almost all knowledge work. And it is arguably the single biggest engine driving economic growth right now.

And the fuel that powers that engine is data—usually public data collected at scale. And with that, there are dozens of lawsuits percolating over the legalities of when it is and is not permissible to copy and reuse public data.

But with CFAA questions about publicly available data now largely resolved (except at the margins), and with terms of use often preempted by copyright, those looking to build walled gardens have been angling for new arguments to restrict access to public data.

In a recent wave of disputes over AI and “public data,” a new pattern has emerged. Plaintiffs are trying to rerun the hiQ fact pattern under a different federal statute.

That statute is the Digital Millennium Copyright Act (DMCA), specifically Section 1201.

While hiQ mostly resolved the CFAA-era battle over whether “public” means “authorized,” Section 1201 is the new battlefield over whether antibot tech is a technological measure that “effectively controls access” to a copyrighted work.

Created by ChatGPT Dec. 2025

But make no mistake, from the data monopolist’s perspective (or oligopolist, if we’re being more precise here), the goal is the exact same as it was in 2019, to restrict data collectors’ access to public data. The largest incumbent platforms such as Google want “free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use.” Companies like Google want to control the data. Many companies (like Reddit, Yahoo, X, and others) want to license the data (even to the extent that the data is generated by their users). But almost all the major platforms are making renewed legal pushes to keep startups off their digital lawns (while at the exact same time gobbling up the same type of content from others).

Section 1201 as an alternative to copyright, the CFAA, and terms of use claims

There are a few different reasons why 1201 is attractive to plaintiffs in scraping and AI-data cases.

First, in some circuits, plaintiffs are trying to use 1201 to avoid (dare I say, circumvent?) the copyright fair use fight. There is a circuit split on the issue, but in the major circuits where this gets litigated (notably, the Second and Ninth), plaintiffs often argue that fair use is no defense to a Section 1201 anti-circumvention claim. In some jurisdictions, defendants may not be able to rely on fair use as a categorical defense to a §1201 claim, because courts treat §1201 as analytically distinct from infringement. And there are many situations where that distinction might be dispositive. Well-designed AI systems that train on large datasets are often going to be deemed fair use because they are highly transformative. Under the DMCA, though, that might not matter.

Second, plaintiffs may be able to avoid the copyright registration prerequisite that constrains many copyright claims. At least as alleged in the recent YouTube-scraping cases, plaintiffs emphasize that DMCA anti-circumvention claims do not depend on copyright registration in the same way copyright infringement claims do.

Third, the DMCA allows plaintiffs to allege that the tech itself is inherently unlawful. 1201(a)(2) lets plaintiffs target the tooling layer (Captcha solvers, challenge tools, proxy services, and other antibot solution tech) as “trafficking” in circumvention tech. Google’s new case leans heavily into that line of argumentation.

Courts have been wary of turning Section 1201 into a general-purpose “keep out” sign, as Eric recently noted in the Ziff-Davis case. But this new line of cases will test those limits once again. Older doctrine around “effective” technological measures and the relationship between circumvention and copyright protection shows up repeatedly in the case law discussions (think Lexmark and Chamberlain). But those were not Second or Ninth Circuit cases. And those cases were not resolved in the modern era of high-volume data access.

Google v. SerpApi and the SearchGuard blueprint (ND Cal, Dec. 2025)

Google’s recent lawsuit against SerpApi is the most on-the-nose “DMCA-first” pleading to date.

Google sued SerpApi in the Northern District of California, alleging SerpApi used massive volumes of fake search requests to bypass Google protections and resell content from search results. Google also publicly framed the suit as targeting “circumventing security measures protecting others’ copyrighted content that appears in Google search results.”

The complaint is explicit. It is a DMCA case from page one, asserting claims for circumvention (17 U.S.C. § 1201(a)(1)(A)) and trafficking in circumvention tech (17 U.S.C. § 1201(a)(2))

And it provides a detailed narrative about the technological measure itself. Google alleges it built SearchGuard, a system designed to block automated access without breaking normal user experience, including a JavaScript “challenge” that automated systems typically cannot solve at scale.

SerpApi’s public response is the classic hiQ-adjacent argument. We provide the same information any person can see in a browser without signing in.

Google’s complaint tries to make that defense irrelevant by focusing on: (1) the presence of licensed copyrighted material in SERPs, and (2) the alleged circumvention of SearchGuard to access it at scale.

That framing matters because it tries to make the “public vs. private” question less central. Instead, the center becomes: “was there an access-control measure, and did defendants circumvent it?”

I’ll give Google’s lawyers credit. They did a good sales job on this.

But don’t get it twisted: Google’s 1201(a) pitch that SearchGuard is a TPM stinks like two-month-old garbage in the Texas summer heat. A TPM, as Congress imagined it, is a lock on access to a copyrighted work, a measure that actually gates entry to protected expression. SearchGuard, by Google’s own framing, is a traffic-cop. It’s a system for managing how you reach pages, at what rate, with which client, under which terms. That’s not controlling access in any meaningful copyright sense; it’s controlling conduct. Conflating those two isn’t a clever reading. It’s a category error dressed up as inevitability. If SearchGuard is a TPM, then literally every site that throws up a speed bump can build an impenetrable copyright perimeter around almost any content whatsoever, and the statute becomes a magic spell. Add friction, say TPM, and now you can replace copyright law with your own proprietary preferences and they become federally enforceable.

That’s the crazy part. Google’s argument doesn’t just misread 1201(a). It turns the anti-circumvention statute into an anti-competition superweapon that will destroy existing copyright protections.

If Google pulls this off, they will have reshaped copyright law as a form of property rights in interfaces, where circumventing a company’s desire is treated like circumventing encryption. That doesn’t protect creators. It protects incumbents. It chills security research, accessibility work, archiving, interoperability, independent auditing, and every weird-but-legitimate tool that makes the internet function like it should rather than merely consumable on platform-approved terms.

Let’s be honest: This isn’t Google vs. circumvention, so much as Google wanting to build a DMCA moat around its own monopoly in search. And if successful, it will provide a handy playbook for any other platform looking to build or defend any online monopoly in any other vertical.

Tech writer Mike Masnick explains the potential consequences:

Google’s argument, if accepted, provides a roadmap for any website operator who wants to lock down their content: slap on a trivial TPM—a CAPTCHA, an IP check, anything—and suddenly you can invoke federal law against anyone who figures out how to get around it, even if their purpose has nothing to do with copyright infringement.

The implications spiral outward quickly. If Google succeeds here, what stops every major website from deciding they want licensing revenue from the largest scrapers? Cloudflare could put bot detection on the huge swath of the internet it serves and demand Google pay up. WordPress could do the same across its massive network. The open web—built on the assumption that published content is publicly accessible for indexing and analysis—becomes a patchwork of licensing requirements, each enforced through 1201 threats.

That doesn’t seem good for the prospects of a continued open web.

This is the “relitigating hiQ” move. If accessing a public page is a CFAA non-starter, then plaintiffs try to win by arguing the defendant defeated a technological control to access the same public page, even if the end use is not infringing.

Nvidia, Ziff-Davis, Reddit, and a host of class-action cases are pursuing similar claims along similar themes.

DMCA 1201 as the new anti-scraping front

If you zoom out, these new complaints share a single strategic philosophical theme.

Plaintiffs allege that it does not matter whether content is public and available to anyone with a web-browser. If antibot tech is designed to make certain content inaccessible at scale to automation, anyone who accesses it at scale through is violating the DMCA.

hiQ mostly put an end to hyper-aggressive CFAA allegations for public web access. But the current litigation wave shows a sophisticated and equally aggressive platform response. Swap the CFAA question (“authorized?”) for the DMCA question (“circumvented?”). That is the simple reframing at the center of the most important fights over public data.

Does this change the underlying public policy concerns described in hiQ Labs? And will those concerns highlighted in hiQ Labs inform the interpretation of the DMCA in this context? Only time will tell.

The post Relitigating hiQ Labs and Scraping Through the Lens of DMCA 1201 Anti-Circumvention (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

Created by ChatGPT Dec. 2025

By guest blogger Kieran McCarthy

If you have ever wondered why big incumbents keep running to the Northern District of Texas the moment someone builds a tool that makes switching easier, comparing prices easier, or generally makes the internet work like the internet, AT&T Services, Inc. v. T-Mobile US Inc. should help you understand why.

On December 18, 2025, Judge Karen Gren Scholer entered a temporary restraining order blocking T-Mobile from implementing the original “Easy Switch” feature in its T-Life app, and blocking “any substantially similar version” that “accesses or obtains” information from AT&T’s “protected computer systems,” unless T-Mobile gets permission of the Court.

This opinion builds on the case law the N.D. Tex has been generating for years in the Southwest Airlines “don’t you dare build a useful layer on top of our website” cases.

The facts of the case are pretty simple. T-Mobile marketed a feature that let customers log into their current carrier account (AT&T or Verizon) and pull information to help them compare plans and switch. Customers made the decision to switch, and T-Mobile, for obvious reasons, automated the process. The horror!

AT&T sued, saying this was not “customer convenience.” It was unauthorized automated access and scraping of data from password-protected AT&T pages, with allegations of repeated bypassing of AT&T’s blocks, and “over 100” fields of customer data per user.

Over 100 fields? Dang! That’s, like, so many fields! And I suppose there are a few different lenses through which one could analyze that fact. One approach might be to say that automating a process with over 100 fields might be precisely the kind of thing that makes the internet useful, and that saves everyone time, money, and mental headaches.

Another way to view this fact is as evidence of “soooooo much computer fraud” even when T-Mobile is simply automating a process that consumers are choosing to automate. But that is how things work in the Northern District of Texas.

By the time the TRO issued, T-Mobile had already changed the tool so AT&T and Verizon customers could upload a bill PDF or manually enter information.

The court found AT&T likely to succeed because the Easy Switch tool, and its iterations before the November 26 change to PDF upload, accessed AT&T’s systems without authorization, pulled “over 100 fields” of customer data, and transmitted the data back to T-Mobile. It also found irreparable harm to AT&T’s control over its systems and data, plus reputation, goodwill and ‘customer privacy,’ without any inclination to grapple with the awkward fact that the customers were the ones asking to move their own information around. How the court concluded that customer privacy was at issue when the customers themselves initiated the switch .

Even though T-Mobile deactivated the challenged version, the court found the threat remained because T-Mobile wanted to retain the ability to use something “very similar” later.

T-Mobile is enjoined from implementing the original version or any “substantially similar” version, and “substantially similar” is defined basically as anything that accesses or obtains information from AT&T’s protected systems.

Perhaps, learned reader, you might be wondering if there was any discussion of user empowerment, lower lock-in costs, increased innovation and competition, added product development, interoperability, improved price discovery, or any other known policy benefits associated with data portability in the policy section of the TRO?

No. There was not. This is the entire policy discussion of the opinion: “This temporary restraining order will serve the public interest. The enforcement of state and federal laws serves the public interest.”

See how easy this judging stuff is?

To be clear, this is not a case where you would expect someone like T-Mobile to prevail in Texas. But the lack of analysis or consideration for the broader issues at stake is always a bit startling. A big incumbent takes a dispute that is at least partly about competition and consumer switching, recasts it as “computer trespass,” and asks a court to shut the product down quickly. And the N.D. Texas always obliges, especially when the plaintiff is a household-name company with a website and Terms of Use, and the defendant is building a tool that rides on top of it.

That posture matters historically because it reflects an early willingness to treat “automation + Terms + notice” as a path into computer-access liability, even when what is being accessed is, functionally, consumer-facing information.

AT&T’s complaint is explicit that this case is “not about competition for customers,” but about “unauthorized” intrusion into its systems, using automated bots “disguised as an AT&T customer,” scraping “over 100 categories” of data, and bypassing AT&T’s security measures. And that is what is what I like to call “bullshit.”

Either way, the N.D. Texas proves once again why it is the preferred venue and forum for those looking to build walled gardens.

* * *

Interestingly, Texas does have a mandatory data portability law, the TDPSA, or the Texas Data Privacy and Security Act. But the reality is that these laws have very little utility for consumers.

A portability right on paper like the TDPSA is little more than a slow and functionally useless export option. The reality is that laws like this don’t help consumers move with their data.

For one, TDPSA only mandates that companies return the “data you provided,” not the data you actually need to switch. Second, the time, frequency, and authentication friction make it useless for “I want to switch today.” Under TDPSA, controllers generally have up to 45 days (plus a possible 45-day extension) to respond. Waiting 45-90 days for data is so unhelpful that most consumers don’t see any value in requesting it. Next, a .pdf copy of data does not equal “interoperable.” Without shared schemas, APIs, and validation rules, the receiving service cannot reliably ingest the data—and certainly not at scale.

In a case like this one, the consumer-facing promise is “we’ll read your bill and account and recommend the right plan fast.” A statutory portability right typically gives you a dataset, not the transformation, normalization, and comparison workflow that makes switching easy. And when a competitor tries to fill that gap by automating access into the incumbent’s systems, you collide with the CFAA, terms of service, and state computer access statutes (exactly what the TRO discusses). Which is why, without meaningful analysis of the real value of automation for consumers in cases like this one, mandatory portability statutes are functionally useless for consumers.

[Eric’s comment: data portability mandates are generally quite popular, at least in academic circles. But I haven’t seen any evidence indicating that the mandates actually improve anything for anyone. I welcome pointers to academic studies on this topic.]

The post AT&T Blocks T-Mobile’s Data Portability Efforts (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

[FN: Last night, I searched Westlaw ALLCASES and came up with 17 hits for “robots.txt” or “robot exclusion,” including some well-known cases like LinkedIn v. hiQ, Field v. Google, and Bidder’s Edge v. eBay, plus some less-heralded cases like Tamburo v. Dwoskin and AP v. Meltwater.]

* * *

This is a lawsuit over OpenAI’s automated scraping to build its ChatGPT model. Ziff Davis deployed a robots.txt file that “allegedly instructed GPTBot not to scrape Ziff Davis’s websites,” but the GPTBot allegedly ignored the instruction. Ziff Davis argued that OpenAI ignoring the robots.txt instruction violated 17 USC 1201(a) (the anti-circumvention restrictions) because OpenAI’s scraper circumvents “a technological measure that effectively controls access to a work.” The court disagrees and dismisses the claim.

The court explains:

Robots.txt files instructing web crawlers to refrain from scraping certain content do not “effectively control” access to that content any more than a sign requesting that visitors “keep off the grass” effectively controls access to a lawn. On Ziff Davis’s own telling, robots.txt directives are merely requests and do not effectively control access to copyrighted works. A web crawler need not “appl[y] . . . information, or a process or a treatment,” in order to gain access to web content on pages that include robots.txt directives; it may access the content without taking any affirmative step other than impertinently disregarding the request embodied in the robots.txt files. The FAC therefore fails to allege that robots.txt files are a “technological measure that effectively controls access” to Ziff Davis’s copyrighted works, and the DMCA section 1201(a) claim fails for this reason.

The court adds that: “At most, Ziff Davis alleges that OpenAI disregarded the instructions that were contained in robots.txt files. This is not ‘circumvention’ under the DMCA.”

* * *

This opinion doesn’t answer the most important questions about robots.txt because it only addresses 1201. Using 1201(a) as an anti-scraping law is not intuitive. Indeed, it feels overreaching to me, such that I doubt the plaintiffs expected the claim to succeed in court.

Created by ChatGPT Dec. 2025

This opinion turns on the specific statutory language of 1201, which limits its applicability to other doctrines. That’s unfortunate, because we could use more clarity about if and when robots.txt can effectively limit access to websites.

That issue is central to trespass to chattels claims, including CFAA claims. For example, the Supreme Court indicated in Van Buren that website access could be delimited by whether technological “gates” are up or down (the opinion didn’t clarify if the delimiting occurs when gates are up or gates are down…details…). This 1201 opinion casts a little doubt on robots.txt acting as a technological “gate” for TTC purposes. After all, the court expressly says that robots.txt don’t control access to sites and says they are as technologically effective at preventing access as a “keep off the grass” sign. If I were a scraper, I would cite the decision in favor of treating robots.txt instructions as legally irrelevant.

Case Citation: Ziff Davis v. OpenAI, Inc., 2025 WL 3635559 (S.D.N.Y. Dec. 15, 2025)

UPDATE: On December 18, the judge denied Ziff Davis’ request to amend the complaint to cure the 1201 claim.

The post Are Robots.txt Instructions Legally Binding?–Ziff Davis v. OpenAI appeared first on Technology & Marketing Law Blog.

the software embeds snippets of JavaScript computer code on a website, which then deploys on each website visitor’s internet browser for the purpose of intercepting and recording the website visitor’s electronic communications with the website, including their mouse movements, clicks, keystrokes, URLs of web pages visited, and/or other electronic communications in real-time. The session-replay provider then uses those website communications to recreate website visitors’ entire visit to the website. A business utilizing this technology can then access useful consumer data, including detailed heatmaps of a website that provide information about which elements of a website have high user engagement, how far website users scrolled on the website, and the total clicks within a given area on the website. In essence, session-replay technology helps a business to determine which parts of its website are effective with customers and which are not

Standard product marketing work.

The technology at issue is Microsoft’s Clarity service. It has three settings for capturing personal information during the session: (1) no user text is captured, (2) key items, like passwords, are not captured (this is the default setting), and (3) all user text is captured. The defendant, Pet Supplies Plus, masked the text capture so it did not include the plaintiffs’ street number or zip code.

The plaintiffs’ lawsuit over Clarity’s session replay fails because the plaintiffs lack Article III standing per Spokeo and TransUnion.

To establish Article III standing, the plaintiffs have to show how they suffered a “concrete” injury. This is no small challenge. Tracking and recording a person’s navigation of a website may be unwanted and disquieting, but it typically has no real effects on individual users. See my old paper on data mining.

I highlight this issue when I teach the old Phamtrak case. I ask students: where’s the harm where the system collected highly sensitive PII but the collector never paid attention to it? In Pharmatrak, the plaintiffs couldn’t articulate any theory of how that unexamined collected data harmed them (though the case didn’t turn on Article III standing). Same too here.

To satisfy Spokeo/TransUnion, the plaintiffs’ claims must satisfy the common law requirement that any privacy intrusion be highly offensive. Session replay isn’t that:

Popa does not explain how the tracking of her interactions with the PSP website caused her to experience any kind of harm that is remotely similar to the “highly offensive” interferences or disclosures that were actionable at common law….Popa identifies no embarrassing, invasive, or otherwise private information collected by Clarity. Indeed, the monitoring of Popa’s interactions with PSP’s website seems most similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales….

At most, Popa alleges that Clarity gathered her pet-store preferences and her street name. To the extent Microsoft’s tracking software could be offensive in particular circumstances (e.g., involving sensitive medical or financial information), Popa does not plausibly allege the infringement of any such privacy interest.

While I agree with the conclusion, the court’s invocation of an offline analogy to online activities is problematic. I recently dealt with similar analogies in my Segregate-and-Suppress paper, where I claimed there was a significant difference between a physical-space retailer’s inspection of a shopper’s government-issued ID and online age authentication using government-issued ID. I pointed out several key differences, including the fact that the digital mediation (including the encoding, interceptability, and possible storage that could lead to expropriation) creates privacy and security risks that don’t exist with physical world age authentication. Also, a store clerk monitoring a shopper isn’t likely to record any of the shopper’s conversations with other store clerks or patrons, while session replay will. The opinion would have been better without the offline analogy.

In a footnote, the court discounts the identity theft risk:

the complaint identifies potential harms that might be associated with session-replay technology, such as identity theft. But the complaint includes no allegations plausibly linking these potential, generalized harms to the operation of Clarity on PSP’s website vis-à-vis Popa.

The court also discounts the possible trespass to chattels angle:

Popa also mentions trespass as a potential common-law analog twice in her opening brief, without any additional explanation. But she never identifies what possessory interest Microsoft invaded. Indeed, Clarity—at least according to the complaint—appears to operate on PSP’s website rather than on an individual’s computer.

The court also says that statutes (in this case, the Pennsylvania ECPA equivalent) can’t boostrap themselves into creating a concrete injury for Article III standing purposes based on the mere statutory violation.

The obvious question is: could session replay plaintiffs establish Article III standing with better pleadings, or will session replays always lack any cognizable harm? I think the answer is… yes? Recording for session replay is a fundamentally inconsequential act by itself, even though the court intimates that the collection of more sensitive consumer information might be a different story. (That’s a warning to any Clarity or other session replay users who aren’t suppressing recording of user text). However, when the data collection is combined with some other harm, such as an expropriation that leads to actual identity theft, then the plaintiffs may have something. But session replay plaintiffs aren’t likely to have evidence of these additional harms very often, and even more rarely will have that evidence at the time of filing the complaint (i.e., pre-discovery).

Without better facts, the plaintiffs try to manufacture Article III harms by invoking speculative and factually unsupported future possibilities. This court wasn’t receptive to that effort. Accordingly, I think most or all of the session replay cases in the Ninth Circuit won’t survive this ruling.

Case Citation: Popa v. Microsoft Corporation, 2025 WL 2448824 (9th Cir. August 26, 2025)

The post Ninth Circuit Dismisses “Session Replay” Lawsuit–Popa v. Microsoft appeared first on Technology & Marketing Law Blog.

(As usual, there is a lot more going on in this case beyond trespass to chattels, but I’m focusing this blog post just on that claim).

The court summarizes the plaintiffs’ trespass allegations:

Defendants “intentionally used, intermeddled, interfered with, and dispossessed [them] of their computing devices without their consent by placing the fbp, ga, and gid cookies on [their] computing devices,” and that as a result, their devices “are useless for exchanging private communications with Tenet [ ], which substantially impairs the condition, quality, and value of [their] computing devices.”

The court says these allegations aren’t good enough in light of Hamidi.

First, the court says the mere placement of cookies, without more, doesn’t show any actual injury to the plaintiffs. The court distinguishes the In re Meta Healthcare Pixels case, where the plaintiffs adequately alleged that the cookies had slowed down their device. (That is almost certainly not a credible statement, but courts have a limited ability to test the evidence on a motion to dismiss). In contrast, “here Plaintiffs do not allege that the placement of cookies led to a measurable decrease in storage, memory, or any other impairment to their computing devices’ functioning.” Assuming the plaintiffs can satisfy Rule 11, it should be easy enough for them to fix these allegations.

Second, the plaintiffs provided no evidence of “dispossession.” Indeed, they cannot: the meaning of dispossession is (per the Cambridge Dictionary) “the fact of having property, especially buildings or land, taken away from you.” No one took away the plaintiffs’ phones from them. However, even if the court strikes the dispossession allegation, the plaintiffs should be able to proceed with arguments tha tthe cookies “intermeddle” or “interfere” with the device.

Third, the plaintiffs claimed the cookies interfered with their private communications. But this concern doesn’t reflect a technical limitation on the device’s functioning due to the cookies. Instead, it’s the users’ behaviorial countermove to the cookies’ presence. Per Hamidi, users’ behavioral changes aren’t recognizable harms, just like the California Supreme Court disregarded the changes in Intel employees’ behavior in response to Hamidi’s spam. The court cites Doe I v. Google.

While it’s nice to see the court push back on plaintiffs’ overclaims of trespass to chattels, we’ll have to see if the plaintiffs can revive the claim by copying the pleading approaches from the Meta Healthcare Pixels case. If it’s that easy for the plaintiffs to correct their complaint, this ruling becomes inconsequential. Instead, my hope is that courts will keep pushing back on the Meta Healthcare Pixels ruling, which made a breathtakingly broad interpretation of the interplay between cookies and trespass to chattels.

Case Citation: Doe v. Tenet Healthcare Corp., 2025 WL 1635956 (E.D. Cal. June 9, 2025)

More Posts on the Pixel Cases

• Clickwrap Formed Even When a Consumer Has Limited Time to Act–Washington v. Flixbus
• Meta Pixels Case Dismissed by Second Circuit–Solomon v. Triller
• Leaky TOS Formation = No TOS Formation–Snyder v. G6
• The VPPA May Be a Dinosaur Statute, But It’s Very Much Alive in the Second Circuit–Salazar v. NBA
• Pixel Case Against Google “Jumps the Shark”–Doe I v. Google (Catch Up Post)
• Think You Understand Online Trespass to Chattels Law? Think Again–In re Meta Healthcare Pixels
• More Chaos in the Law of Online Contract Formation
• Privacy Lawsuit Based on Website Tracking by Service Provider Trimmed

The post Court Rejects Trespass to Chattels Claim Over Placing Cookies–Doe v. Tenet appeared first on Technology & Marketing Law Blog.

With as much scraping as is happening for AI training and enhancement these days, it’s amazing to me that there aren’t more lawsuits happening over scraping. The legal headlines are more of a trickle than the flood I was expected.

But on June 4th, Reddit sued Anthropic in the Superior Court of California for breach of contract, unjust enrichment, trespass to chattels, tortious interference, and unfair competition.

—

The facts are as follows: Anthropic was trained, at least in part, on Reddit data. In fact, in the complaint, they have a quote from Anthropic’s model Claude where Claude admits that it was trained, in part, on Reddit data.

I asked ChatGPT (model o4) the same question. It replied:

—

Yes, ChatGPT has been trained, at least in part, on Reddit data.

OpenAI has utilized Reddit content in multiple ways throughout the development of its language models:

1. Early Training with Reddit-Linked Content: For GPT-2, OpenAI created a dataset called WebText, which consisted of web pages linked from Reddit posts that had received at least 3 upvotes. This approach was intended to gather high-quality and diverse content from the internet.
2. Fine-Tuning with Reddit Data: In 2019, Microsoft Research developed DialoGPT, a conversational AI model fine-tuned on 147 million Reddit conversation exchanges from 2005 to 2017. This fine-tuning aimed to enhance the model’s ability to generate human-like dialogue .
3. Recent Licensing Agreement: In May 2024, OpenAI entered into a formal partnership with Reddit, granting OpenAI access to Reddit’s Data API. This agreement allows OpenAI to use Reddit’s real-time, structured, and unique content to train and improve its AI models, including ChatGPT .

—

And it’s the last part that is why this Reddit-Anthropic legal dispute has arisen. OpenAI and Google have entered into a formal licensing agreement with Reddit. Anthropic has not. OpenAI and Google are paying Reddit to access Reddit content. At least according to the complaint, Anthropic is not.

—

Pay to access our (user-generated) content, or we’ll sue. That’s the rub. And then the legal question is whether Reddit can restrict access to public content that is not proprietary to Reddit, but was created by its users. And according to what legal theories it can restrict that access.

—

One of the things that’s interesting to me here is that the suit has been filed in California Superior Court, rather than in the Northern District of California. Almost all of the major legal scraping precedents happened in the Northern District, and it is definitely unusual that this was filed in state court.

—

I have no idea what Anthropic’s defense to this will be, but if I were counsel for Anthropic, I would start with copyright preemption arguments. This is a content use legal dispute, at its core. And there is a legal regime dedicated to that issue, and it’s called copyright law.

I think there are very strong arguments post ML Genius and related cases that the breach of contract, unjust enrichment, and unfair competition claims should be preempted by copyright.

—

I think Reddit’s strongest argument here is the tortious interference claim, namely that Anthropic’s failure to follow the official protocols with scraping potentially impacts its ability to comply with its own terms of service with its users (to the extent that Anthropic is not following those protocols). That would likely not be preempted by copyright, and if proven, could lead to a successful claim.

—

I hate that we’re still doing trespass to chattels claims in 2025. Reddit’s allegations boil down to this paragraph: “Anthropic’s acts have diminished the server capacity and functioning that Reddit can devote to its legitimate users and thereby injured Reddit by depriving it of the ability to use its personal property.”

More than two decades ago, the Cal. Supreme Court in Hamidi said “The tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning.”

This complaint alleges neither damage to the servers nor impaired functioning. Merely “diminished capacity” without any attempt to quantify whether that’s a 20% diminished capacity or a .00002% diminished capacity. De minimis diminished server capacity when you’re probably using AWS shouldn’t be a tort.

We need to go back to Hamidi on that one.

—

Either way, this should be another interesting and important case to follow, assuming Anthropic decides to fight rather than just pay up.

* * *

Eric’s Comments

Reddit’s centerpiece claim against Anthropic is breach of contract. So how did it form a contract with Anthropic?

You’re not going to believe this, but Reddit is trying to enforce a “browsewrap.” The relevant allegations from the complaint:

Reddit prominently displayed a link to the User Agreement on its platform. The use of Reddit’s platform is governed by the User Agreement. The User Agreement states: “By accessing or using [Reddit’s] Services, you agree to be bound by these Terms. If you do not agree to these Terms, you may not access or use our Services.”

Anthropic accepted the terms of the User Agreement every time it or its agents—including ClaudeBot, Dario Amodei, or the other authors who found Reddit data to be of the highest quality and well-suited for fine-tuning AI models—accessed or logged on to Reddit’s platform.

Dafuq? Seriously?

I decided to check out this purported placement (I didn’t see a screenshot in the complaint’s body). I couldn’t immediately find the referenced link on Reddit’s landing page. To find it (I had to do a word search), you have to scroll down and look at the bottom of the third column (under the “popular communities” widget). Here’s what I saw on June 6 in Firefox after scrolling down some:

Do you see the words “user agreement” in the bottom right? That is the foundation of the breach of contract claim. Virtually invisible link. No call to action. No action button. Nothing to ensure that parties have notice or manifest their assent. FFS.

It’s even more shocking because courts recently have been dramatically raising the bar on contract formation expectations. “Sign-in-wrap” formations that historically were just fine are failing with alarming frequency. Yet, Reddit thinks it’s going to win without even so much as a sign-in-wrap???

To put it another way: if Reddit wins the breach of contract claim based on this allegation, it will completely blow up online contract formation law as we currently know it. For more on this, see my slide deck from my May presentation on online contract formation.

Now, Reddit has more arguments it could possibly make to bind Anthropic to contract terms. It could try the Register.com v. Verio/Restatements 69 contract formation workaround. It could argue that Anthropic has publicly admitted that the TOS terms bind it. It could argue that Anthropic employees created Reddit accounts and thus learned about the restrictive terms during the account formation process. It could argue that Anthropic knew about the Robots.txt restrictions and somehow that turned the Robot.txt instructions into a contract. It could argue that Anthropic’s robots clicked on the user agreement link and assented as Anthropic’s legal agents. These are all theoretical arguments because Reddit doesn’t appear to be arguing any of this yet (some of these arguments would require an amended complaint).

What Reddit cannot do is successfully argue that its home page link to “user agreement” creates a binding contract. Browsewraps without a call-to-action are not a contract. Claiming otherwise puts Reddit–and its very capable and expensive lawyers–at risk of massive and unrelenting public and judicial derision.

Reddit’s trespass to chattels claim isn’t much better. Here’s how Reddit pleads Anthropic’s knowledge of the server delimitations: “Anthropic knowingly exceeded the permission granted by Reddit to access Reddit’s personal property, including its technological infrastructure and servers.” This is a threadbare allegation of knowledge without specifying any supporting facts. The complaint’s recitation of facts only marginally improve this. Further, as Kieran notes, the TTC harm statement is also pretty weak in light of the Hamidi standard.

__

Two other noteworthy points about this lawsuit.

A real party-in-interest to this lawsuit is OpenAI. Now that OpenAI is paying a license fee to Reddit, they need all of their rivals to bear the same costs. If Reddit can’t impose license fees on Anthropic, assume that OpenAI will look for other ways to jack up Anthropic’s cost structure to more closely mirror OpenAI’s. I explain this dynamic in my Generative AI is Doomed paper.

Also, Reddit frames itself as the champion of its users’ interests, but Reddit is walking a fine (and awkward) line. Sure, it’s nominally defending its users from rapacious scraping malefactors. But in practice, even Reddit’s values have a price tag. Reddit isn’t opposed to third parties profiting from its users’ content; it just needs its vig.

* * *

Kieran’s Supplement

Following up on Eric’s comments.

Under any reasonable current interpretation of California law, the breach of contract claim should be gone. There’s no evidence of actual or constructive knowledge of the online agreement in the complaint. There is case law in other jurisdictions that says that a sophisticated business may be held liable for breach of contract even when there is no proof of actual notice in the record (CouponCabin LLC v. Savings.com, Inc., 2017 WL 83337 (N.D. Ind. Jan. 10, 2017); Int’l Council of Shopping Ctrs., Inc. v. Info Quarter, LLC, No. 17-5526 (S.D.N.Y. May 7, 2019)), and when a business also has an online agreement that is similar to the one that is being enforced. DHI Group, Inc. v. Kent, No. 16-1670 (S.D. Tex. Oct. 26, 2017). But that reasoning has never been applied in California.

Perhaps Reddit might argue in a reply that the semi-omniscient “bots” have or should have knowledge of the terms and that knowledge should be imputed to Anthropic. But that argument is without precedent in California, either. If Reddit’s allegations pass muster for “actual or constructive knowledge,” then this would be a complete evisceration of the current standard for knowledge of actual or constructive knowledge of an online agreement for a sophisticated business in California.

The post Reddit Challenges Anthropic’s Scraping to Create Generative AI Models (Guest Blog Post) appeared first on Technology & Marketing Law Blog.

This summer, I wrote that the jury trial between Ryanair and Booking Holdings ended in the strangest way possible. The jury returned a verdict that Booking Holdings had caused exactly $5,000 in legally cognizable “loss” to Ryanair under the CFAA—the statutory minimum to establish a CFAA claim.

Of course, there’s no way that the actual damages caused by one company to another under the CFAA would match the statutory loss threshold to the cent. What really happened was that the judge gave a jury instruction that confused the hell out of the jury, and so the jury returned a meaningless and indefensible verdict, one that was certain to be appealed.

And so it comes as no surprise that there were some post-trial fireworks in this case. On January 22, Booking.com’s renewed motion for judgment as a matter of law (“JMOL”) was granted. That indefensible jury verdict was overturned.

The JMOL had two primary conclusions:

First, that the CFAA has extraterritorial application, and therefore it was appropriate for this court to apply the CFAA here. This is an incredibly controversial holding. By the time trial rolled around, this case involved only an Irish plaintiff (Ryanair) and a Dutch defendant (Booking.com B.V.).

Now, one might reasonably think that an American court has no business adjudicating a business dispute between two European companies, when that case might result in an extraterritorial injunction that directly conflicts with European laws in their home countries. But this court says, not so. The court’s reasoning was that because the definition of “protected computer” includes computers located outside of the United States, that this is a clear, affirmative indication of the CFAA’s extraterritorial application, even though the statute itself does not say that it has extraterritorial application. And, of course, the statute itself was drafted long before the Internet was in ubiquitous use, so the drafters could never have contemplated this situation. That holding has enormous potential ramifications for companies around the world, but it didn’t end up being dispositive to the parties in this dispute.

Second, and more importantly for the parties in this dispute, the court found that Ryanair did not meet its burden of proving at least $5,000 of “loss” attributable to Booking.com (or, in the alternative, obtaining $5,000 in value from alleged fraud). The judge determined that certain costs, such as customer service agent expenses, did not qualify as a loss, and determined that only $2,457.72 from Ryanair’s antibot technology “Shield” were attributable as losses under the CFAA. Because Ryanair did not meet the $5,000 CFAA loss threshold after the judge’s re-evaluation of the facts in the case, the judge threw out the adverse jury verdict under the CFAA.

And so, four and a half years after the initial complaint was filed, the case ended with no finding of liability for either party.

In the end, two parties paid many millions in legal fees to determine whether one party had caused another $5,000 in “loss” under the CFAA. They engaged in this absurd legal dance because Ryanair wanted injunctive relief. It wanted a worldwide, enforceable court order to get Booking and its affiliates to stop reselling Ryanair flights. I do not think that’s what the drafters of the CFAA had in mind.

I blame this result on this court’s definition of technological harm. Here’s what happened:

After being provided the CFAA definition of “loss,” the jury was instructed that “the cost of responding to an offense may be considered a loss even if no actual technological harm has occurred, as long as the response is directed at technological harm, such as preventing an impending unauthorized access or investigating the method by which an offender accessed the computer, rather than business or other harms, such as investigating how the offender used the access for commercial gain.” Dkt. No. 453 at 5. The jury was further instructed that they “should not offset any losses by any profits Ryanair may have received as a result of Booking.com’s actions,” and that “[l]osses do not include any costs that are not borne by Ryanair.” Id.

JMOL at 16.

This is equal parts nonsensical and confusing.

According to the Supreme Court in Van Buren, the definition of loss under the CFAA “focus[es] on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” Van Buren v. United States, 593 U.S. 374, 392 (2021). But according to this court, a party can establish technological harm “even if no actual technological harm has occurred,” as long as they investigate non-harm in a technological way.

Huh? Got that?

This standard is confusing, easy to manipulate, and seems to contradict the direct language of the Supreme Court and the statute itself. It also is at odds with any sort of common-sense understanding of what constitutes technological harm. And because it allows plaintiffs to bootstrap a definition of technological harm in the absence of actual harm, it incentivizes companies to pursue business grievances through the CFAA. And apparently now companies can do this regardless of whether they have any connection to the United States, assuming they operate online and some of their business is transacted here.

If this is what passes as technological harm, then more CFAA absurdity is certain to come in the near future.

Case Citation: Ryanair DAC v. Booking.com BV, 1:20-cv-01191-WCB (D. Del. Jan. 22, 2025).

The post Court Overturns a Bad Jury Verdict Against Scraping–Ryanair v Booking (Guest Blog Post) appeared first on Technology & Marketing Law Blog.