Warding Off Evil Spirits
A security manager is informed that an unauthorized user is crawling the company Web site, “scraping” corporate information and using it to make money. Security wants it stopped, but how? The company Web site is open to the world. Anybody with an Internet connection can visit the site with no password required. In fact, corporate executives want members of the public to visit, but security wants human visitors, not automated “spider” programs or “bots” that simply suck out information, place it on someone else’s Web site, and use it to lure visitors away from legitimate sites.
The company might deploy technical defenses to try to stop the intruders. For instance, security could simply locate the spider’s source IP address and block the spider from entering the site. But what if the perpetrator does an end run around the blocking efforts by spoofing or masking the IP address? In these cases, security is not relegated to just sitting back and watching as these avaricious programs devour information. The company can file a lawsuit under the legal theory of trespass and seek a court-ordered injunction prohibiting the spiders and bots and those controlling them from entering and scouring the site. The company can also use the protections of the Computer Fraud and Abuse Act (CFAA) to pursue a civil injunction.
Trespass. Most people are familiar with the law of trespass, which accords property owners the right to keep unwanted visitors off their property. Not surprisingly, cyberspace lawyers have turned to trespass law to protect virtual property from unwanted visitors as well. Specifically, they have relied on a 19th-century doctrine known as “trespass to chattels.”
A claim for trespass to chattels arises out of the unauthorized dispossession, use, or interference with the tangible property of another. For example, if you take someone else’s car for a drive without permission, and then return the car, you could be liable for trespass to chattels, even if you returned the car with a full tank of gas, because you prevented the car’s owner from using the car while you were driving it.
An example of how this principle is being applied in cyberspace cases is American Airlines v. FareChase, Inc. (Texas District Court, 67th District, Tarrant County, Texas, 2003). The case involved American Airlines and the travel-related information it makes available on its Web site, AA.com.
In late 2002, American Airlines sued a company called FareChase, Inc., alleging that it was licensing scraper software designed to enter the AA.com Web site and extract pricing and scheduling data for American Airlines’ Web fares so that these fares could be sold through channels not authorized by American Airlines. AA.com’s “terms of service” page specifically prohibited this type of spider or “other automatic devices” from copying information from the site.
American wanted to stop the FareChase spider from accessing its Web site and, according to briefs filed in the case, first attempted to do so by blocking the IP address of FareChase and other users of FareChase’s software. These efforts were thwarted by FareChase’s use of proxy servers to mask source IP addresses. American Airlines then sought to enjoin the alleged computer trespass in state court in Fort Worth, Texas, arguing that FareChase’s access to the AA.com site amounted to a trespass to its chattel or personal property. In this case, American Airlines argued that FareChase’s spider program deprived it of the use of some of its computer capacity while the spider was crawling the AA.com Web site and that this deprivation amounted to a trespass to chattels.
For its part, FareChase argued that its program did not damage the American Airlines Web server and that the scraper program’s access to the site caused no noticeable impact on the airline’s computing capacity and thus did not dispossess American Airlines of anything.
In March 2003, a state district court in Fort Worth sided with American Airlines and entered a temporary injunction, specifically finding that FareChase through its Web automation software was accessing the AA.com site without authorization and that such access interfered with the American Airlines computer system. The court then temporarily enjoined FareChase from accessing or scraping the AA.com site, and the parties subsequently settled their dispute out of court.
Other companies like eBay and Register.com have successfully relied on the doctrine of trespass to chattels to combat spiders and bots and keep them from taking information for commercial gain. In eBay, Inc. v. Bidder’s Edge, Inc. (U.S. District Court for the Northern District of California, 2000), eBay sought to prevent Bidder’s Edge, an auction aggregation site, from trolling eBay auctions and then using eBay’s auction information in combination with auction information from other sites for its aggregation service. Similarly, in Register.com, Inc. v. Verio, Inc. (U.S. District Court for the Southern District of New York, 2000), Register.com sought to prevent Internet service provider Verio from using automated software to search Register.com’s publicly available Whois database to obtain a list of individuals and entities who had recently registered domain names. Verio wanted the information so that it could market its Web site hosting services to the newly registered domain-name holders.
Both eBay and Register.com argued that the use of unauthorized automated programs to scrape information from their Web sites amounted to a trespass to chattels because the unwanted data mining caused or might cause eBay and Register.com damage and deprivation of computing resources. Courts in both cases agreed and enjoined Bidder’s Edge and Verio from searching and extracting information from eBay and the Whois database.
Not all trespass-to-chattels cases have been as successful, however. In the much publicized case Intel v. Hamidi (California Supreme Court, 2003), Intel sued a disgruntled former employee named Ken Hamidi after Hamidi sent e-mails to the Intel e-mail addresses of thousands of Intel employees. The e-mails criticized Intel’s employment practices and urged the employees to consider leaving Intel.
The company claimed Hamidi’s e-mails amounted to a trespass to chattels because Intel had specifically told Hamidi that such e-mails were not authorized and that the e-mails used up at least some of Intel’s computing capacity and disrupted Intel’s working environment by causing employees to discuss the e-mails.
Intel won the first round and obtained an injunction from the trial court preventing Hamidi from sending bulk e-mails to Intel employees. Hamidi was undeterred. He continued to deliver e-mails to Intel but took a different approach. Eschewing electronic communication, Hamidi went old school to deliver his e-mail messages. He dressed up as a Pony Express rider, mounted a stick horse, and hand-delivered a floppy disk of e-mails to Intel headquarters.
Hamidi continued his legal battle with equal zeal. He appealed to the California Court of Appeals, and after losing there, he appealed to the California Supreme Court. Hamidi was vindicated last June when the California Supreme Court ruled that his bulk e-mails to Intel employees did not amount to a trespass to chattels because his messages “caused neither physical damage nor functional disruption” of Intel’s computers and did not deprive Intel of the use of its computers or threaten to do so.
The lesson of the Hamidi case for anyone wanting to use trespass law to put a stop to a spider or bot is that to bring a successful claim, the company will need to prove that the unauthorized spider or bot caused some damage or deprivation of computing power or could do so if combined with other spiders and bots. For example, in the eBay case, the court found that the Bidder’s Edge scraper program deprived eBay of some of its computing power and also that eBay was likely to suffer an onslaught of auction aggregator spiders and bots if Bidder’s Edge were allowed to continue to search and extract information from eBay, which would likely result in substantial system slowdowns.
In the Hamidi case, by contrast, the California Supreme Court did not buy Intel’s argument that Hamidi’s e-mails caused any damage because the e-mails did not deprive any Intel employee of the use of any computer and did not have a noticeable impact on Intel’s computing power. In addition, there was no indication that allowing Hamidi to continue to send bulk e-mail to Intel would lead others besides Hamidi to inundate Intel with e-mails and cause system problems.
CFAA. Another legal avenue that companies can pursue is provided by the Computer Fraud and Abuse Act. The CFAA is the federal law that makes computer hacking a crime. Because it criminalizes conduct that undermines the confidentiality, integrity, and availability of data, the CFAA provides powerful tools to companies seeking to protect their online assets from hackers, data miners, and others. The statute also allows anyone who suffers damage or loss to pursue a civil action against the violator to obtain compensatory damages and injunctive relief.
A civil action for a violation of this section may be brought only if the conduct involves one of the factors set forth in the act, such as a loss of $5,000 or more, physical injury, a threat to public health, or damage affecting a computer system used by the government to further justice, national defense, or national security objectives.
Any action brought under this subsection must be started within two years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
The CFAA can be used to stop spiders from data mining if it is clear that the spider’s access to the Web site or database is unauthorized. A common misconception is that access to information is automatically authorized if the information is easily obtained and no technical measures have been deployed to protect it. Purveyors of online information have the right to restrict access to their data and also to limit the legitimate uses that may be made of the data.
America Online has had similar success under the CFAA. In America Online, Inc. v. LCGM, Inc. (U.S. District Court for the Eastern District of Virginia, 1998), America Online sued a spammer for using automatic software tools to scour various America Online services for e-mail addresses. The court held that LCGM, Inc.’s use of the America Online service was unauthorized because AOL’s terms of service prevented users from deploying automated tools to gather e-mail addresses in order to spam them.
In both of these cases, the terms of service were important in determining whether a spider’s or bot’s access to a Web site was authorized; the terms created the basis for the claim of unauthorized access under the CFAA. Companies concerned about protecting their Web sites from an onslaught of spiders and bots should, therefore, pay particular attention to both the content of their terms of service and the location of the terms of service page within the Web site.
The terms of service should clearly spell out the permissible uses that may be made of the Web site or service and should specifically prohibit automated programs, bots, spiders, and data miners from accessing the site or service or using any information obtained from the Web site or service. The terms of service should also be as conspicuous as possible, because both parties to a contract must mutually agree to be bound for the contract to be enforceable, and courts are more likely to find that a party assented to the terms of service and entered a binding contract if the party had to accept the terms of service to use the site. Courts will be less likely to enforce terms of service that are buried deep within a site and are hard to find.
Before filing a lawsuit against the person or entity behind the spider or bot, it’s a good idea to send a warning letter clearly stating that the use of bots and spiders on the Web site is prohibited and demanding that all such attempts to access the site immediately end. This step ensures that the person controlling the spider or bot has received notice that access is not authorized. If the company is lucky enough to get a response—even a rude one—that response should be kept, as it might be helpful to show that the person received a warning and understood that spiders and bots were not authorized on the site.
Purpose. A computer user’s purpose in accessing or causing a scraper program to access a computer is also important in determining whether the access is authorized for purposes of the CFAA. In Shurgard Storage Centers v. Safeguard Self Storage (U.S. District Court for the Western District of Washington, 2000), the plaintiff combined CFAA claims with theft of trade secret claims to recover damages caused by an employee who used his computer to gain confidential trade information for the purpose of passing that information to a new employer and competitor.
Shurgard and Safeguard were business competitors in the storage industry. Safeguard offered one of Shurgard’s managers a job. Instead of leaving Shurgard immediately, however, the manager began sending Safeguard e-mails containing trade secrets and other proprietary information belonging to Shurgard.
Shurgard sued Safeguard under the CFAA, contending that the manager’s access to Shurgard’s computer system was unauthorized because the manager did not have authority to gather trade secrets from the network to send to Shurgard’s competitor. Safeguard argued that access was authorized since the manager ordinarily had full access to this confidential information. The court ruled that the employee’s authorization ended when he became an agent for Safeguard and that the manager’s access to Shurgard’s computer system was, therefore, not authorized.
Courts are especially likely to find that a scraper program’s access to a Web site is unauthorized if the scraper program was developed by using confidential information obtained from the company that owns the Web site. In EF Cultural Travel BV v. Explorica, Inc. (U.S. Court of Appeals for the First Circuit, 2003), a federal appeals court affirmed an injunction entered under the CFAA in favor of an online travel provider against several of its former employees who had formed a competing travel company and developed a scraper program to obtain pricing information from the travel provider’s Web site. Use of the scraper program on the Web site constituted an unauthorized computer access, ruled the court, because the ex-employees breached their confidentiality agreements with their former employer when they developed the program.
If unwanted bots, spiders, or scraper programs come creeping through the corporate Web site, security professionals should fend them off as best they can technologically. Blocking IP addresses and employing other fixes might do the trick. However, if all else fails, security professionals should remember that sometimes the best defense is a strong offense. If the person or entity behind bots and spiders is on notice that such activity is not allowed on the company site, or if security can document damage or deprivation caused or that will likely be caused by the bots or spiders, an injunction might be the answer to permanently ordering the spiders off their Web.
Reid Wittliff is an attorney with Graves, Dougherty, Hearon & Moody of Austin, Texas. He specializes in technology-related litigation.