Seventh Circuit: It’s not fraud to circumvent software’s implicit access restrictions

Fidlar Technologies v. LPS Real Estate Data Solutions Inc. illustrates that not every use of a computer system that is against the operator’s wishes, or undermines the operator’s profits, is actionable under the Computer Fraud and Abuse Act (CFAA). Fidlar Technologies developed software allowing county offices to digitize, index, and serve land records to 3^rd parties. Fidlar’s software product consists of three components: the county databases, the “Laredo client” (or just “the client”), and the “middle tier.” The county databases store county land records and index data. The “Laredo client” is a user-interface that allows users to remotely access these land records and related data. The “middle tier” facilitates the communication between the Laredo client and a specific county database. The defendant learned the commands needed to retrieve records from Fidlar’s database servers by intercepting the network traffic between a licensed copy of the Laredo client software and the middle tier server. It then developed a program that communicated with the middle tier servers directly (without the need for the Laredo client), allowing it to automate and significantly increase the rate at which it accessed the data contained in county databases. Fidlar claimed that the defendant’s actions violated two provisions of the CFAA. First, it claimed that by circumventing the access limitations imposed by its client software, the defendant defrauded Fidlar in violation of § 1030(a)(4). Second, it claimed that by retrieving records in a way that did not log those retrievals, the defendant made a transmission that caused damage to a protected computer in violation of § 1030(a)(5)(A). Intent to Defraud under the CFAA Fidlar’s theory of fraud is that that the defendant, by using its own version of the Laredo client, was able to avoid certain usage fees. The Larado client lacked functionality for downloading county records, providing printing records as the only means of exporting selected records. Printing records using the Larado client cost an additional fee in some counties. The court rejected a finding of fraudulent intent on behalf of defendant, citing several facts suggesting that that the defendants did not intend to “deceive or cheat” Fidlar out of its printing fees. First, the evidence showed that the defendant did not develop its software in an effort to avoid printing fees, but that it wished to download reports in quantity in order to extract data from them for further processing. Second, there were no technical or contractual restrictions on downloading reports or extracting data from reports by means other than printing—for example, the client software did not prevent taking screenshots of reports. Finally, defendant’s software was used to download reports from all counties, regardless of whether they imposed printing fees. Considering these facts, the court found that defendant, in developing their own software, only intended to engage in bulk downloading and processing of records from the plaintiff’s system. Although defendant’s may have avoided printing fees as a consequence of their software’s design, this was not their specific intent. Causing Unauthorized Damage under the CFAA The CFAA prohibits intentionally damaging a protected computer. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.”[1] Fidlar argued that its systems were damaged by defendant’s software because it “inhibited” their logging systems from recording their usage. When Fidlar’s client software retrieved documents from its servers, it sent two commands: a download command and a command instructing the server to log the download. The defendant’s software sent only the download command, leaving those downloads unlogged by the server. The court rejected Fidlar’s theory of damage, observing that the CFAA—according to Seventh Circuit precedent and the law’s legislative history—limited damage to disruption or impairment of a protected computer. In this case, the defendant neither deleted data from Fidlar’s systems nor limited anyone’s ability to access it. The mere failure to issue a command that would instruct plaintiff’s system to log activity, according to the court, was evidence only that defendant’s software did not play by the “rules” of defendant’s software—it did not constitute “damage” to Fidlar’s system. Conclusion The Fidlar ruling emphasizes that the defendant broke only the implicit rules of Fidlar’s system—there was no contractual or technological barrier preventing access. The case may have turned out very differently had plaintiffs created explicit rules limiting what defendant could do with their system, whether in the form of contractual restrictions or technological access controls. For example, in Craigslist Inc. v. 3Taps Inc., 942 F. Supp. 2d 962, 969 (N.D. Cal. 2013) the defendant was found liable under § 1030(a)(2) of the CFAA because it circumvented Craigslist’s IP blocking using proxy servers. Similarly, in Ticketmaster L.L.C. v. RMG Techs., Inc., 507 F. Supp. 2d 1096, 1102 (C.D. Cal. 2007), automated access similar to that in Fidlar was actionable under § 1030(a)(2) where the terms of service explicitly prohibited such access and a CAPTCHA prompt was intended to technologically limit automated access. Given rulings like these, Fidlar may apply only in the increasingly uncommon circumstance where a system operator makes no attempt to prevent automated access. [1] 18 U.S.C. § 1030(e)(8).]]]]> ]]>