Skip to main content

Ninth Circuit Doubles Down: Violating a Website’s Terms of Service Is Not a Crime

DEEPLINKS BLOG
January 10, 2018

Ninth Circuit Doubles Down: Violating a Website’s Terms of Service Is Not a Crime

Good news out of the Ninth Circuit: the federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a website’s terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes—in this case, California and Nevada—to enforce their computer use preferences.

This decision shores up the good precedent from 2012 and makes clear—if it wasn’t clear already—that violating a corporate computer use policy is not a crime.

Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually—which would have seriously slowed down Rimini’s ability to service customers.

Rimini stopped using automatic downloading tools for about a year but then resumed using automated scripts to download support documents and files, since downloading all of the materials manually would have been burdensome, and Oracle sued. The jury found Rimini guilty under both the California and Nevada computer crime statues, and the judge upheld that verdict—concluding that, under both statutes, violating a website’s terms of service counts as using a computer without authorization or permission.

Rimini Street appealed, and we filed an amicus brief last year urging the court to reject Oracle’s position. As we told the court, the district court’s reasoning turns millions of Internet users into criminals on the basis of innocuous and routine online conduct. By making it completely unclear what conduct is criminal at any given time on any given website, the district court’s holding is in violation of the long-held Rule of Lenity—which requires that criminal statutes be interpreted to give clear notice of what conduct is criminal. Not only do people rarely (if ever) read terms of use agreements, but the bounds of criminal law should not be defined by the preferences of website operators. And private companies shouldn’t be using criminal laws meant to target malicious actors as tool to enforce their computer use preferences or to interfere with competitors.

At oral argument in July 2017, Judge Susan Graber pushed back [at around 33:40] on Oracle’s argument that automated scraping was a violation of the computer crime law. And Monday, the 3-judge panel issued a unanimous decision rejecting Oracle’s position. As the court held:

“[T]aking data using a method prohibited by the applicable terms of use”— i.e., scraping — “when the taking itself generally is permitted, does not violate” the state computer crime laws.

The court even refers to our brief:

“As EFF puts it, ‘[n]either statute . . . applies to bare violations of a website’s terms of use—such as when a computer user has permission and authorization to access and use the computer or data at issue, but simply accesses or uses the information in a manner the website owner does not like.’”

We’re happy to see the Ninth Circuit clarify, again, that violating a website’s terms of service is not a crime. And we hope this decision influences another case pending before the court involving an attempt to use a computer crime statute to enforce terms of service and stifle competition, hiQ v. LinkedIn. That case addresses whether using automated tools to access publicly available information on the Internet—information that we are all authorized to access under the Web’s open access norms—is a crime. It’s not, and we hope the court agrees. It will hear oral argument in March in San Francisco.

JavaScript license information