The Ninth Circuit Holds That Internet Browsing At Work Is Not A Federal Crime

Posted on May 7, 2012

In a decision that should give many employees a sigh of relief, the Ninth Circuit has held that browsing the Internet in contravention of an employer’s use restrictions does not give rise to criminal penalties under the Computer Fraud and Abuse Act (CFAA) 18 U.S.C. § 1030. 

In United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151 (April 10, 2012), Nosal — a former employee for the Korn/Ferry executive search firm — was prosecuted for violating the CFAA by convincing fellow employees to use their log-in credentials to download customer information from a confidential database on the company’s computer system and transferring the information to him for his new competing business.  The government prosecuted Nosal under a provision in the CFAA that makes it a federal crime “knowingly and with intent to defraud” to “access[] a protected computer without authorization, or exceed[] authorized access, and by means of such conduct further[] the intended fraud and obtain[] anything of value.”  18 U.S.C. § 1030(a)(4) (emphasis added). 

Nosal moved for dismissal of these charges on the ground that the phrase “exceeds authorized access” means exceeding authorization to access particular data and files, i.e., “hacking” unauthorized files.  The government argued that the language included the situation where an individual has “unrestricted physical access to a computer, but is limited in the use to which he can put the information.”  Nosal at *5.  The Ninth Circuit reversed an April 2011 panel decision in an en banc majority opinion by Chief Judge Kozinksi.  See SWIPLit Ninth Circuit to Revisit Expansive Interpretation of Computer Fraud and Abuse Act (November 2, 2011).  The court held that Nosal had the better argument, in large part because the CFAA was intended to combat hacking rather than to “criminalize any unauthorized use of information obtained from a computer.”  Nosal at *11. 

The Ninth Circuit emphasized that a holding that unauthorized use of information would violate the CFAA would mean that “millions of unsuspecting individuals would find that they are engaging in criminal conduct” by violating their employers’ restrictions on Internet use by “g-chatting with friends, playing games, shopping or watching sports highlights.”  Nosal at *15.  The court also observed that violating the terms of use of an Internet website, e.g., posting an item for sale that is prohibited by Craigslist or misrepresenting one’s personal appearance on a dating website, would violate the CFAA and “earn you a handsome orange jumpsuit.”  Nosal at *21. 

The dissent accused the majority of “knocking down straw men” through “far-fetched hypotheticals.”  The dissent stated that the “case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values.  It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”  Nosal at *27-28.  

The dissent further observed  that it was highly unlikely that employees visiting ESPN.com in contravention of office policies would violate 18 U.S.C. 1030(a)(4) because that section of the CFAA required both criminal intent and specific intent to defraud.  The dissent also accused the majority of engaging in a sleight of hand by concentrating on other provisions of the CFAA not at issue in the case, including 18 U.S.C. 1030(a)(2)(C), which could be read to penalize “unauthorized access” of a computer by individuals lacking any intent to defraud.  “Other sections of the CFAA may or may not be unconstitutionally vague or pose other problems.  We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals.”  Nosal at *35

Posted in CFAA Tagged ,

UPDATE: Supreme Court Revisits Patentable Subject Matter in Mayo Collaborative Services v. Prometheus Laboratories, Inc.

Posted on March 27, 2012

The Supreme Court has addressed the first question of patentability – whether the invention falls within the scope of patentable subject matter – for the second time in three years with its opinion in Mayo Collaborative Services, et al. v. Prometheus Laboratories, Inc., 566 U.S. ___ (2012).

Through unanimous decision, the Supreme Court has provided further guidance concerning the scope of patentable subject matter with respect to claims which cover the application of natural laws.  While laws of nature, natural phenomena, and abstract ideas are not patentable under 35 U.S.C. §101, an application of a law of nature to a known structure or process may be entitled to patent protection.  However, to be entitled to protection, a claim must include additional features that provide assurance that the process is more than an effort to monopolize a law of nature.   In Mayo, the Court reinforced that these additional features must be more than what is well-understood, routine, conventional activity, previously engaged in by those in the field.

In Mayo, the patents at issue concern the use of thiopurine drugs in the treatment of autoimmune diseases.  When a patient ingests a thiopurine drug, the patient’s body metabolizes the drug, causing metabolites to form in his bloodstream.  These metabolites may be measured to determine whether, for a particular patient, a given dose is so low as to be potentially ineffective, or so high as to risk harmful side effects.  The claims of the patents-in-suit claimed a method for optimizing therapeutic efficacy for treatment of an immune-mediated gastrointestinal disorder.  The method recites (1) an “administering” step which instructs a doctor to administer the drug to his patient, (2) a “determining” step, which tells a doctor to measure the resulting metabolite levels in the patient’s bloodstream, and (3) a “wherein” clause, which describes the metabolite concentrations above which there is a likelihood of harmful side-effects and below which it is likely that the drug dosage is ineffective, and states that levels above or below these thresholds indicate a need to decrease or increase the drug dosage.

Respondent, Prometheus Laboratories, Inc. (“Prometheus”) is the exclusive licensee of the patents-in-suit.  Mayo Clinic Rochester and Mayo Collaborative Services (“Mayo”) developed a diagnostic test designed to measure the levels of metabolites in a patient’s bloodstream to determine toxicity for purposes of thiopurine dosage.  Prometheus brought an action for patent infringement.  The District Court granted summary judgment in favor of Mayo on Section 101 grounds.  On appeal, the Federal Circuit reversed, relying on the machine or transformation test.  Mayo filed a petition for certiorari, and the case was remanded to the Federal Circuit for further proceedings in light of this Court’s decision in Bilski v. Kappos, 561 U.S. ___, ___ (2010) which clarified that the “machine or transformation test” is not a definitive test of patent eligibility, but only an important and useful guidepost.  On remand, the Federal Circuit reaffirmed its earlier conclusion.  Mayo again filed a petition for certiorari, which the Court granted.

To analyze the patentability of the claims, the Supreme Court turned to Diamond v. Diehr, 450 U.S. 175, 185 (1981) and Parker v. Flook, 437 U.S. 584, 590 (1978), among other cases.  The Court stated that while a process is not unpatentable simply because it makes use of a law of nature or mathematical algorithm, the application of the natural law must do more than simply provide instructions for its application.  Slip. op. at 2-3.  Furthermore, the Court’s precedents warn against interpreting patent statutes in ways that make patent eligibility depend simply on the particular drafting of a claim, and against upholding patents that claim processes too broadly, so as to preempt the use of a natural law.  Flook, 437 U.S. at 593; O’Reilly v. Morse, 15 How. 62, 112-120 (1854); Gottshalk v. Benson, 409 U.S. 63, 71-72 (1972).  It is also insufficient to limit the use of a formula or natural law to a particular technological environment.  Diehr, 450 U.S. at 191-92.  Instead, the precedent instructs that a process that focuses upon the use of a natural law should also contain other elements or a combination of elements, sometimes referred to as an “inventive concept,” sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the natural law itself.  Flook, at 594; Bilski, slip. op., at 14.

The Court found that the claims at issue in Mayo do not contain additional elements sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the natural law itself.  Specifically, the Court noted that beyond picking out the relevant audience, namely those who administer doses of thiopurine drugs, the claim simply tells doctors to: (1) measure (in a conventional manner) the current level of the relevant metabolite, (2) use particular (unpatentable) laws of nature (which the claim sets forth) to calculate the current toxicity/inefficacy limits, and (3) reconsider the drug dosage in light of the natural law.  These instructions add nothing specific to the laws of nature other than what is well-understood, routine, conventional activity, previously engaged in by those in the field.  Accordingly, the Court found that these additional steps are insufficient to overcome the risk of disproportionately tying up the use of the underlying natural laws and otherwise inhibiting the use of the natural law to make future discoveries.  Appending conventional steps to laws of nature is insufficient to make the mere application of the natural laws patentable. 

The Mayo decision further reinforces a tool available to defendants in patent infringement suits.  If the claims at issue involve the application of natural laws, and the application offers little more than instruction to use well known methods in conjunction with the natural law, Mayo provides an argument that the claim may be found unpatentable.  This defense should be considered whenever the claims at issue involve natural laws, mental processes, or abstract ideas with little more than the application of those laws, processes, or ideas by conventional methods.

Posted in Patent Litigation Tagged ,

District of Arizona Rejects Early Discovery to Learn Identities of Many Doe Defendants

Posted on March 9, 2012

The movie and recording industries often resort to litigation in an effort to combat unauthorized distribution of copyrighted content on peer-to-peer networks.  A federal district court in the District of Arizona has joined an increasing number of courts that reject efforts to group large numbers of unrelated defendants in a single case. 

In Third Degree Films, Inc. v. Does 1-131, No. 12-108-PHX-JAT, 2012 U.S. Dist. LEXIS 26617 (D. Ariz. Mar. 1, 2012), the Court rejected the attempt by a copyright holder to obtain discovery to learn the identities of 131 defendants joined in a single case.  The plaintiff, who owns the copyright to an unspecified “adult movie,” alleged that 131 computers downloaded the movie through a file-sharing network without paying for it, which violated plaintiff’s copyright.  As alleged in the complaint, these defendants were part of a specific “swarm” of users that downloaded the movie, and the defendants in this case were associated with IP addresses that were traceable to Arizona.  The plaintiff sought leave to issue subpoenas to the Internet service providers associated with these IP addresses in order to learn their true identities. 

As the Court noted, many district courts have faced similar requests for early discovery to learn the identity of alleged infringers grouped in one case.  Some courts dismiss all defendants except for the first-named defendant on the ground of improper joinder, while others defer resolution of this issue and allow the action (and early discovery) to proceed.  In this case, the Court decided to reach the merits of the complaint and determined that the plaintiff had improperly grouped the 131 defendants together.  In particular, the “swarm” of users that downloaded the movie lasted for many months, included users from different states, and potentially implicated different sources.  As a result, it could not be considered part of the same transaction or occurrence, or even the same series of transactions and occurrences. 

To resolve the problem of improper joinder of unrelated defendants, the Court dismissed all defendants from the case without prejudice except for the first-named defendant.  In making this decision, the Court considered the practical difficulties in allowing a case with 131 different defendants to proceed, many of whom would have unrelated defenses and would likely be representing themselves.  In addition, as the Court explained, it would have to undertake separate trials for each of the defendants to avoid potential prejudice to unrelated defendants.

Having dismissed all but a single defendant, the Court allowed discovery to proceed to allow the plaintiff to discover the identity of the remaining defendant.  The Court noted that some courts deny this type of discovery request because the person associated with the IP address may not necessarily be the person who downloaded the copyrighted movie, but that the plaintiff had no other means to determine the identity of the alleged infringer.

Posted in Copyright Litigation, Internet and Domain Name Litigation

Supreme Court Denies Certiorari in Expansive Ninth Circuit Personal Jurisdiction Case

Posted on January 30, 2012

Last summer, we reported that the Ninth Circuit expanded the “effects test” of personal jurisdiction against foreign copyright infringers in Mavrix Photo v. Brand Technologies.  As we noted then, the Mavrix Photo decision represented an expansion of the Ninth Circuit’s (seemingly ever-changing) willingness to permit its district courts to exercise jurisdiction over out-of-state defendants, holding that an Ohio-based celebrity gossip website is subject to personal jurisdiction in California by virtue of that website’s “exploitation of the California market for its own commercial gain.”

This month, the Supreme Court denied the defendants’ petition for certiorari, leaving the Ninth Circuit’s ruling in place.  At least until the next time the Ninth Circuit takes up the issue of personal jurisdiction, litigants will have an easier time bringing out-of-state defendants into western district courts.

Posted in Internet and Domain Name Litigation

Ninth Circuit Bolsters Internet Service Providers’ Defense Against Copyright Infringement Claims

Posted on January 27, 2012

The Ninth Circuit recently bolstered the legal defenses available to Internet service providers in copyright infringement claims based upon users loading copyrighted material on the service provider’s website, in UMG Recordings, Inc. v. Shelter Capital Partners LLC, No. 09-55902, decided on December 20, 2011.  The court rejected the plaintiff’s argument that an Internet service provider is liable for copyright infringement if the service provider uses software processes on its website to facilitate access to the copyrighted material.  The plaintiff attempted to get the court to read the applicable provisions of the copyright statute to limit a statutory safe harbor provision to circumstances where the copyright infringement was based on the service provider’s storage of the infringing material.  Normally, the reason that material is stored on an Internet website is so that it can be accessed via the Internet.  Limiting the statutory safe harbor provisions to only infringement resulting from storage would have resulted in the safe harbor provision being useless for most service providers.

If this decision had gone the other way, it would have had the effect of chilling innovation relating to the variety and quality of services on the Internet.  That is exactly what Congress sought to avoid when it enacted the safe harbor provisions for Internet service providers that were at issue in this case.

In this case, the defendant operates a website that enables users to share videos with other users, and makes money from advertising that appears on the website.  The accused copyright infringer employed various technologies to automatically prevent users from uploading videos containing material that infringed the plaintiff’s copyrights. Whenever the service provider disabled access to a video accused of infringing someone’s copyright, hash filtering software was used to identify identical videos and automatically block any duplicates subsequently submitted by a user.  In addition, audio fingerprints from video files were compared to a database of copyrighted content provided by copyright holders.  If a user attempts to upload a video that matches a fingerprint in the database, the video never becomes available for viewing on the website.  Users have to agree that they will not upload any videos that infringe a copyright before the user is allowed to use the system. A warning message appears on a user’s screen each time the user begins to upload a video stating, “Do not upload videos that infringe copyright.”

The copyright owner argued that the language in the statute should be interpreted to have the same meaning as similar language in the RICO Act.  However, the court pointed out that the RICO statute was interpreted as having a particular meaning based on its particular legislative history, and the Congressional intent underlying the legislation, none of which applied to the copyright statute in question.  In addition, adopting the interpretation urged by the copyright owners would create internal contradictions in the copyright statute.

Posted in Copyright Litigation, Internet and Domain Name Litigation, IP and Technology Litigation