Automated software programs, or “bots,” have been in use since the early days of the internet, perhaps most notably by search engines and online market aggregators to power their services. This type of bot usage has mostly been tolerated because of its synergistic effects, but companies have grown warier of who they allow on their servers as bots have become more numerous and sophisticated. From “scrapers” that trawl LinkedIn user profiles for data to “view-bots” that inflate a Twitch streamer’s viewer count to “Buddies” that automate gameplay and leveling in online games, the taxonomy and proliferation of bots is becoming as extensive as the internet itself.
A slew of recent cases involving IP claims against developers of certain automated software programs, or “bots,” is bringing into question the true reach of IP law and the Computer Fraud and Abuse Act (CFAA). Although these cases involve different kinds of bots serving various purposes, the vast majority have ended in decisions granting plaintiff companies greater control over what kinds of bot activity they allow on their platforms. These suits rely primarily on copyright law (particularly the DMCA) and the CFAA, which criminalizes certain types of unauthorized computer access. The major concern surrounding these bot cases is that they tend to grant companies a property right over what is arguably publicly accessible information. There is also concern over companies’ invocation of the CFAA, a criminal statute originally meant to address hackers with malicious purposes but is now being used to augment IP claims against any type of undesired access.
The courts’ decisions tend to converge with public opinion in cases involving bots that perform a clearly subversive purpose. On March 1, 2017, the live-streaming site Twitch obtained an injunction against seven major bot developers who sold software that artificially boosted streamers’ view counts, followers, and chat room participants. Twitch’s complaint cited the developers’ use of Twitch trademarks in selling their bot services, and it also claimed that the developers had unlawfully circumvented Twitch’s security measures to access its computers in violation of the CFAA. Meanwhile, the massive video game developer Blizzard has been successful in several copyright suits against creators of video game cheat tools. Most recently, Blizzard obtained US jurisdiction over German cheat bot developer Bossland GmbH and has moved for a default judgment for damages of $8.5 million. Blizzard’s complaint accuses Bossland of trafficking in circumvention tools in violation of DMCA §1201(a)(2) along with various secondary infringement claims.
It appears the majority of users are celebrating the outcomes of these cases, understandably so. The bots in these cases serve functions that clearly detract from most users’ enjoyment of Twitch and Blizzard’s respective services. However, it is concerning to see just how effective a copyright or trademark claim can be at obtaining injunction on various types of “undesirable” activity. This concern is most apparent in cases involving “scrapers” or “crawlers,” which monitor and collect data on web pages for various purposes. Scraping performed by Google, other major search engines, and internet archives is tolerated, but litigation tends to arise when scraping encroaches on potentially profitable data sources.
Last summer, LinkedIn initiated a copyright and CFAA action against 100 anonymous defendants in an attempt to stop the proliferation of bots on its site. The bots circumvented various security measures to create fake user profiles and collect data from user profiles, after which they allegedly sold the information to third parties. LinkedIn’s CFAA claim alleges unlawful access based on the violation the access and use restrictions in LinkedIn’s User Agreement. It also makes a DMCA §1201(a)(1) claim, which prohibits circumvention of a technological measure that controls access to a protected work.
At a glance, it would appear that LinkedIn user profiles are a protectable compilation, since the information is selected and arranged in a creative manner unique to LinkedIn’s site. It remains unclear whether the User Agreement violations in the LinkedIn case would convince a court to proceed with the CFAA and copyright claims. The EFF previously argued that the “improper access” in the Craigslist case should not implicate the CFAA, since the information is freely accessible to the public. The LinkedIn data scrapers look to have a tougher case, given that access to other users’ profiles requires signing in and creating one’s own legitimate profile.
Were we to hold otherwise, Blizzard—or any software copyright holder—could designate any disfavored conduct during software use as copyright infringement, by purporting to condition the license on the player’s abstention from the disfavored conduct. The rationale would be that because the conduct occurs while the player’s computer is copying the software code into RAM in order for it to run, the violation is copyright infringement. This would allow software copyright owners far greater rights than Congress has generally conferred on copyright owners.
Perhaps a similar line of reasoning should be applied to CFAA claims. Otherwise, a company such as LinkedIn would be allowed to heavily regulate access and use of its site through its User Agreement, and a violation of the agreement would implicate a criminal statute.