Seventh Circuit: It’s not fraud to circumvent software’s implicit access restrictions

Fidlar Technologies v. LPS Real Estate Data Solutions Inc. illustrates that not every use of a computer system that is against the operator’s wishes, or undermines the operator’s profits, is actionable under the Computer Fraud and Abuse Act (CFAA). Fidlar Technologies developed software allowing county offices to digitize, index, and serve land records to 3rd parties. Fidlar’s software product consists of three components: the county databases, the “Laredo client” (or just “the client”), and the “middle tier.” The county databases store county land records and index data. The “Laredo client” is a user-interface that allows users to remotely access these land records and related data. The “middle tier” facilitates the communication between the Laredo client and a specific county database. The defendant learned the commands needed to retrieve records from Fidlar’s database servers by intercepting the network traffic between a licensed copy of the Laredo client software and the middle tier server. It then developed a program that communicated with the middle tier servers directly (without the need for the Laredo client), allowing it to automate and significantly increase the rate at which it accessed the data contained in county databases. Fidlar claimed that the defendant’s actions violated two provisions of the CFAA. First, it claimed that by circumventing the access limitations imposed by its client software, the defendant defrauded Fidlar in violation of § 1030(a)(4). Second, it claimed that by retrieving records in a way that did not log those retrievals, the defendant made a transmission that caused damage to a protected computer in violation of § 1030(a)(5)(A). Intent to Defraud under the CFAA Fidlar’s theory of fraud is that that the defendant, by using its own version of the Laredo client, was able to avoid certain usage fees. The Larado client lacked functionality for downloading county records, providing printing records as the only means of exporting selected records. Printing records using the Larado client cost an additional fee in some counties. The court rejected a finding of fraudulent intent on behalf of defendant, citing several facts suggesting that that the defendants did not intend to “deceive or cheat” Fidlar out of its printing fees. First, the evidence showed that the defendant did not develop its software in an effort to avoid printing fees, but that it wished to download reports in quantity in order to extract data from them for further processing. Second, there were no technical or contractual restrictions on downloading reports or extracting data from reports by means other than printing—for example, the client software did not prevent taking screenshots of reports. Finally, defendant’s software was used to download reports from all counties, regardless of whether they imposed printing fees. Considering these facts, the court found that defendant, in developing their own software, only intended to engage in bulk downloading and processing of records from the plaintiff’s system. Although defendant’s may have avoided printing fees as a consequence of their software’s design, this was not their specific intent. Causing Unauthorized Damage under the CFAA The CFAA prohibits intentionally damaging a protected computer. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.”[1] Fidlar argued that its systems were damaged by defendant’s software because it “inhibited” their logging systems from recording their usage. When Fidlar’s client software retrieved documents from its servers, it sent two commands: a download command and a command instructing the server to log the download. The defendant’s software sent only the download command, leaving those downloads unlogged by the server. The court rejected Fidlar’s theory of damage, observing that the CFAA—according to Seventh Circuit precedent and the law’s legislative history—limited damage to disruption or impairment of a protected computer. In this case, the defendant neither deleted data from Fidlar’s systems nor limited anyone’s ability to access it. The mere failure to issue a command that would instruct plaintiff’s system to log activity, according to the court, was evidence only that defendant’s software did not play by the “rules” of defendant’s software—it did not constitute “damage” to Fidlar’s system. Conclusion The Fidlar ruling emphasizes that the defendant broke only the implicit rules of Fidlar’s system—there was no contractual or technological barrier preventing access. The case may have turned out very differently had plaintiffs created explicit rules limiting what defendant could do with their system, whether in the form of contractual restrictions or technological access controls. For example, in Craigslist Inc. v. 3Taps Inc., 942 F. Supp. 2d 962, 969 (N.D. Cal. 2013) the defendant was found liable under § 1030(a)(2) of the CFAA because it circumvented Craigslist’s IP blocking using proxy servers. Similarly, in Ticketmaster L.L.C. v. RMG Techs., Inc., 507 F. Supp. 2d 1096, 1102 (C.D. Cal. 2007), automated access similar to that in Fidlar was actionable under § 1030(a)(2) where the terms of service explicitly prohibited such access and a CAPTCHA prompt was intended to technologically limit automated access. Given rulings like these, Fidlar may apply only in the increasingly uncommon circumstance where a system operator makes no attempt to prevent automated access. [1] 18 U.S.C. § 1030(e)(8).]]]]> ]]>

Road to Nowhere

In Liminae: The Road to Nowhere

It takes us about six hours to drive to the rural state jail (that’s owned by two judges) the Feds contracted with to hold our client. Accused of computer crimes, he can’t effectively review evidence in jail – there’s no practical access to computers in the gulag. They’ve seized all his assets claiming they’re the ill-gotten gains of crimes the government can’t identify, and their computer forensics – if you can call them that – have no scientific basis and are full of basic errors and typos. In my decade as a federal criminal defense lawyer doing computer cases across the country, I’ve never come across a case where the government was so completely off.

Read More »

Guilty Until Proven Innocent

A defendant’s view from the trenches of federal criminal court This post is originally published to Substack. You can read and follow us there. https://torekeland.substack.com/p/guilty-until-proven-innocent

Read More »

For media inquiries, please email info@torekeland.com

30 WALL STREET, 8TH FLOOR • NEW YORK, NY 10005

©2022 Tor Ekeland Law, PLLC   •  info@torekeland.com

Attorney Advertising   •   Past results do not guarantee future results   •   Licensed in New York