EF Cultural Travel BV, et al. v. Zefer Corporation
318 F.3d 58 (1st Cir., January 28, 2003)
First Circuit holds that prohibitions found in a website's Terms of Use can be used to establish that a visitor to that site exceeded his authorized use thereof for the purposes of establishing a violation of the Computer Fraud and Abuse Act ("CFAA"). While prohibitions on authorized usage can also be established by reliance on such things as password protected access, the First Circuit rejected the notion that courts should look to the "reasonable expectations" of the parties to determine if a particular usage was in fact authorized. The court affirmed a preliminary injunction enjoining defendant Zefer Corporation ("Zefer") from utilizing a "scrapper" tool it designed to obtain pricing information from plaintiff's website on the ground that Zefer was doing so to assist defendant Explorica, Inc. ("Explorica"), which was itself enjoined from such activity by virtue of its improper use of confidential information obtained from plaintiff to aid it in gathering this information.
Plaintiff EF Cultural Travel BV ("EF") and defendant Explorica are competitors in the student travel business. Explorica was founded by former employees of EF, who had executed confidentiality agreements in favor of EF. Explorica hired Zefer to create a "scraper" tool, which would obtain from EF's website relevant price information about travel packages EF offered. Explorica then used this information to price its own offerings, typically at a price 5% less than EF.
When EF learned of this practice, it commenced suit against both Explorica and Zefer, arguing that their conduct constituted a violation of 18 U.S.C. §1030(a)(4) of the CFAA. This statute provides, in applicable part:
Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period . . . shall be punished as provided in subsection (c) of this section.
"The statute defines 'exceed authorized access' as 'to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.' Id. § 1030(e)(6)."
The District Court issued a preliminary injunction enjoining Explorica from continuing to use the scrapper tool. This decision was affirmed by the First Circuit in a separate opinion on the ground that Explorica had used confidential information obtained from EF to assist in obtaining this pricing information in violation of confidentially agreements executed by former EF employees now working for Explorica.
On this appeal, the First Circuit addressed the propriety of the district court's issuance of an injunction against Zefer. The First Circuit held that, in determining for purposes of the CFAA whether a party exceeded its authorized usage of a website, the courts should look to the uses permitted under the site's Terms of Use. "A lack of authorization could be established by an explicit statement on the website restricting access. . . . Many webpages contain lengthy limiting conditions, including limitations on the use of scrappers."
While restrictions on authorized use can also be implied from the presence of such things as password protected access, the First Circuit rejected the district court's notion that the question of usage should be answered by looking to the "reasonable expectations" of the parties. Said the court:
We think that the public website provider can easily spell out explicitly what is forbidden and, consonantly, that nothing justifies putting users at the mercy of a highly imprecise, litigation-spawning standard like "reasonable expectations." If EF wants to ban scrapers, let it say so on the webpage or a link clearly marked as containing restrictions.
Because EF did not prohibit the use of scrappers in its Terms of Use at the time of the acts in question, the court declined to affirm the injunction on the basis of Zefer's own violation of the CFAA. In this regard, it also cast doubt on EF's ability to satisfy the statute's requirement that the challenged usage was effected "with an intent to defraud," another perquisite to a claim under § 1030(a)(4).
The court nevertheless affirmed the grant of injunctive relief against Zefer, on the ground that Zefer was aiding the activities of Explorica, which itself had been properly enjoined from use of the scrapper. Said the court:
Under the applicable rules and case law, an injunction properly issued against a named party means that anyone else with notice is precluded from acting to assist the enjoined party from violating the decree or from doing so on behalf of that party.