Posted by: Tammy Thibodeau
In 1789, Benjamin Franklin once said, “[N]othing can be certain, except death and taxes.”Some homeowners challenged the notion by flagrantly ignoring rental and lodging tax liabilities. But now some local municipalities are capturing the unpaid rental and lodging tax from private rental homeowners thanks to web-enabled programs for finding homeowners who do not report the property as a vacation rental home. Do the municipalities or software companies that help them have the right to scourer the Internet for non-compliant rental property? Does scraping of vacation rental websites violate a fundamental privacy right for the homeowner? Does the information provided by the websites qualify as fact, or does it qualify for copyright protection? Basically the information scraped by the software company qualifies as factual, and does not violate a fundamental privacy right of the homeowners.
Eye Street Solutions, created a software program, VR Compliance (Vacation Rental Compliance), solely to increase municipalities tax revenue from non-compliant vacation rental property owners. It scrapes databases such as VRBO.com (Vacation Rental By Owners), to compare complaint from non-complaint, non-tax paid vacation rental property. The VR Compliance website states, it “takes property tax listings and compliance information as inputs and uses proprietary algorithms and data sources to determine which properties are suspected of being out of compliance with applicable licensing and lodging tax obligations.” Additionally, VR Compliance will continually monitor existing rental properties and provide updates on new vacation rental listings appearing online to the municipalities. The VR Compliance revenue model directly correlates to the success of identifying non-compliant properties. Local municipalities, such as the city of Aspen, have hired VR Compliance to scan the databases of vacation rental home properties from the Internet for missing tax revenue from private homeowners who fail to pay the localities taxes on room rentals. (Curtis Wackerle, Compliance firm hired by city to uncover vacation rental scoff laws, Aspen Daily News, April 20, 2013, http://www.aspendailynews.com/section/home/157594, (last visisted Oct. 29, 2013)).
HomeAway, Inc., offers the leading online marketplace vacation rental homes in the vacation rental industry with over 775,000 listings. HomeAway, owns and operates VRBO.com, as well as HomeAway.com, and VacationRentals.com; it sued VR Compliance for illegally scraping its vacation property databases. (VRCompliance L.L.C. v. HomeAway, Inc., 715 F.3d 570, 572-73 (4th Cir. 2013)).HomeAway sent VR Compliance two cease-and-desist letters and latter filed a complaint to stop scraping the data. The letters stated VR Compliance and its client municipalities, infringed on copyrights on the advertisements made on Homeaway’s websites by homeowners and violated the websites’ terms and conditions of use, constituting unlawful interference with contractual relations. (Id.).
Copyright protection extends to “original works of authorship fixed in any tangible medium of expression.” (17 U.S.C. § 102(a)). Copyright only protects original creative expression and has two important exceptions; first, if a work lacks originality it will not be protected by copyright and second, non-original elements of a work are not protected. (Feist Publ’n v. Rural Tel. Serv., 499 U.S. 340, 369 (1991)). Thus, a copyrighted book that has non-original elements such as facts and features not created by the author may be freely copied without infringing the copyright. Or put another way, one could freely copy the names of customers or data from a website, just not the creative additions by the author. Because of the vagueness in the originality standard, certain non-original categories of work are barred from registration by the regulation of the Copyright Office. (37 C.F.R. 202.1(d)). For example, these exclusion cover: standard calendars, height and weight charts, tape measures and rules, schedules of sporting events, and lists or tables taken from public documents or other common sources. (Id.). Even if information has great value, unless the requisite of creativity can be shown the Copyright office will not grant a copyright. (Feist, 499 U.S. at 369).
But, the standard for the creativity requirement remains low and most works meet it quite easily. Courts have distinguished creativity from effort, such as in Feist. (Id.). In Feist, a telephone book listings in alphabetical order—did not satisfy the minimal creative requirement because the raw data was not original to Rural and the information existed before Rural ever gathered it and published it. (Id.). Rural could have met the originality requirement if it had selected, arranged or coordinated the data in an original way. (Id.). Rural did not have a copyright in the raw data because it lacked independent creation and the selection/arrangement did not meet a minimal degree of creativity. (Id.). Therefore, anyone could copy Rural’s listings.
Copyright protection, also, does not extend to anything in the work of authorship that constitutes an “idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.” (17 U.S.C. 102(b)). In Utopia, the court held templates designed for use by emergency room physicians in capturing pertinent patient information were not entitled to copyright protection. Utopia Provider Sys., Inc. v. Pro-Med Clinical Sys., L.L.C., 596 F.3d 1313, 1320-22 (11th Cir. 2010)). The Court referred to the templates as “blank forms” and found “the selection and arrangement of the terms does not convey information, and not sufficiently original.” (Id.) The description used on the forms only conveyed information, and did not covey anything out of the ordinary, thus Utopia failed to correlate the pertinent information used within the medical community as original authorship. (Id. at 1323)
If the ordering of a telephone book represents the same analogy as a database, then the likely application of Feist suggests a database cannot be a creative selection or arrangement of information. So if a court held that HomeAway’s listings lack even the minimal creativity required for copyright, then VR Compliance did not infringe on HomeAway’s listings or advertisements. HomeAway has no copyright over facts such as the physical location and facts provided by the homeowner because Homeway cannot be the original author and did not create the listings. The homeowners did. HomeAway did add creative elements to the listings in its layout, but here, VR Compliance did not copy or scrape those elements of HomeAway’s website.
Similar to Utopia, HomeAway provided a blank form that captured important information about the property. Basically, Homeaway’s website acts as a template a template that the homeowner completes and lacks the originality needed for copyright protection. HomeAway did add creativity to the individual listings by the layout of the information or fields a user can choose to display the property, and added creativity in selecting, arranging, or coordinating the information on the website. However, the information contained in HomeAway’s database comprised mainly of blank fields, authored by different individuals and contained only facts, which means none of the information qualifies for a copyright protection. Even if, HomeAway could show they invested considerable resources, like Rural’s work that went into gathering the information of the telephone-listing book, HomeAway still cannot win protection under copyright law. Because HomeAway lacked independent creation in the selection and arrangement, which did not meet a minimal degree of creativity
On the other hand, copyrights in databases would incentivize people to collect valuable information, just as copyright gives an incentive to authors to create original works. But the Feist court held that copyright protection in both the copyright statute and the Constitution requires creativity. (Feist, 499 U.S. at 362.) Congress could grant exclusive rights in databases under another provision of the Constitution, such as the Commerce Clause. (Malla Pollack, The Right to Know?: Delimiting Database Protection at the Juncture of the Commerce Clause, the Intellectual Property Clause, and the First Amendment, 17 Cardozo Arts & Ent. L.J. 47, 55 (1999)). But until Congress creates these rights for databases and websites, owners must use contracts to impose conditions of use with their customers and third party users. (Id.). While tort law may protect website owners against wrongful access to the information through contractual interference claims, but the facts themselves are not copyrightable and not subject to an infringement claim. (Id.)
Accordingly, HomeAway cannot assert, ownership of facts in advertisements drafted by individual users who own and control the information of the vacation rental, and placed it into the public domain via HomeAway. HomeAway has no exclusive rights to this information, and thus, no copyright has been infringed when the facts are used regarding rental properties. Admittedly, VR Compliance scrapes and compares the data available to the public in the form of tax records and other pertinent public information, to the rental property websites. The service provided by VR Compliance adds value to the local municipalities in the form of uncollected rental and lodging taxes.
Even though HomeAway’s claim of copyright infringement will probably be dismissed, Homeaway has a cause of action under the Computer Fraud and Abuse Act (CFAA) based on the previous cease-and-desist letters sent to VR Compliance for violation of HomeAway’s terms and conditions of use. Does the CFAA applies to HomeAway’s imposed restrictions of access to otherwise public website and information when VR Compliance knew further access was without authorization. Yes, Homeaway might have a valid claim under the CFAA based upon sending VR Compliance two cease-and-desist letters, revoking permission to use the website.
Recently, a Craigslist opinion addressed whether the definition of “without authorization” should include a website user, who knowingly accessed the website after revocation of permission under the CFAA.(Craigslist, Inc. v. 3Taps Inc., CV 12-03816 CRB, 2013 WL 4447520, 4 (N.D. Cal. Aug. 16, 2013)). Craigslist sued 3Taps for on-going scrapping of apartment rental listings after Craigslist notified 3Taps with a cease-and-desist letter prohibiting access and revoking permission to the website. (Id.) The linchpin for the Court centered on the fact that Craigslist notified 3Taps several times prohibiting the unauthorized scraping. (Id.). The court cited Brekka, a recent holding in an employment case where an employee logged into his work computer with valid credentials provided by his employer and emailed valuable documents from the employer’s computer to the employee’s personal email address for use in his own competing business.(Craigslist, Inc. v. 3Taps Inc., CV 12-03816 CRB, 2013 WL 4447520, 4 (N.D. Cal. Aug. 16, 2013)(citing LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127, 1129-34 (9th Cir. 2009)). The “ordinary, contemporary, common meaning” of the word “authorization” is “permission or power granted by an authority.” (Id. at 1132-33). Thus, as the ordinary, contemporary, common meaning of the word indicates, and as Brekka expressly held, authorization turns on the decision of the “authority” that grants or prohibits access. (Id. at 1133-34). Likewise in Southwest Airlines, Southwest sued Farechase for scraping the fare and schedule information from its website. (Sw. Airlines Co., v. Farechase, Inc., 318 F. Supp. 2d 435, 439-40 (N.D. Texas, 2004)). As well, Southwest established that Fairchase had unauthorized access to the website based on Southwest’s repeated warnings and requests to Farechase to stop scraping the data. (Id.). The court held that Southwest made a sufficient showing for a cause of action under the CFAA. (Id.).
By extension, Southwest Airlines sued BoardFirst for accessing its website without permission, sending BoardFirst two cease-and-desist letters. (Sw. Airlines Co. v. BoardFirst, L.L.C., 3:06-CV-0891-B, 2007 WL 4823761, 1-2 (N.D. Tex. Sept. 12, 2007)). BoardFirst provided purchasers of airfare a method of obtaining an “A” boarding pass for a fee. (Id.). The court noted “access of the Southwest website is not at odds with the site’s intended function” because the users can get a boarding pass online. (Id. at 13). Further the court stated, “[i]n no sense can BoardFirst be considered an ‘outside hacker[ ] who break[s] into a computer’ given that southwest.com is a publicly available website that anyone can access and use.” (Id. at 15). In Boardfirst the court defined ‘access’ as “while not defined by the CFAA, ordinarily means the ‘freedom or ability to … make use of’ something.” (Id.). BoardFirst or any other computer user obviously has the ability to make use of a publicly available website, southwest.com, given the fact that the website which does not have any sort of protected password. (Id.). The court found no agreement between Southwest’s use of the words “without authorization” or “exceeds authorization” in the motion for summary judgment and further held even if Southwest could reconcile these terms that Southwest has yet to make a showing that BoardFirst accessed a “protected computer” and not proven unauthorized access costs pursuant to the CFAA. (Id. at 16).
Here, under both the Craigslist and Farechase interpretation VR Compliance proceeded “without authorization” when it continued to pull data off of HomeAway’s website after HomeAway revoked its authorization to access the website; even if, HomeAway gave everyone authorization to access the public information on its public website. Since HomeAway, as the owner and authority of the website, rescinded permission to VR Compliance to access HomeAway’s websites, further access by VR Compliance after that rescission literally meant “without authorization” and in violation of the CFAA. Nevertheless, as in Cvent and Boardfirst, a court could interpret VR Compliance scraping did not violate the CFAA because HomeAway’s has a non-password protected website allowing VR Compliance to access it and that VR Compliance function is not at odds with HomeAway’s intended function.
Ultimately, the court’s interpretation of permission and authorization will decide whether VR Compliance violated the CFAA. However, companies like VR Compliance need to understand the broad breadth of the CFAA since the statute gives expansive interpretation to the judicial system and does not square the kind of access or use that would violate the CFAA. Further, the CFAA enforcement builds on permission or revocation of access which reduces the opportunities to benefit from innovative ideas and grants a monopoly on facts to the website owner. Overall, courts need to narrow the interpretation of the CFAA to the original intended purpose—liability for “hacking” activities.