A recent dispute between an advertiser AXTS Inc. (“AXTS”) and a video production company GY6vids (“GY6”) produced an interesting issue involving the federal Computer Fraud and Abuse Act (CFAA) – that is, whether an entity that allegedly overloaded another company’s YouTube channel content with a flood of “dislikes” following a contractual dispute is liable under the CFAA for accessing a protected computer “without authorization.” (AXTS Inc. v. GY6vids LLC, No. 18-00821 (D. Ore. Oct. 24, 2018)).

We have been closely monitoring the evolving state of the law regarding CFAA liability for certain commercial web scraping and related practices. The instant case between AXTS and GY6 is a little different in that the claim did not arise from AXTS’s alleged access to video content stored on GY6’s network, but publically-accessible videos stored on a third-party’s (e.g., YouTube) servers.

In the case, AXTS hired GY6 to create a promotional video featuring AXTS’s products on YouTube, with payment calculated based on the number of views. After the video allegedly garnered over a million views the second month (and a hefty bill), AXTS apparently did not pay the invoice and questioned the analytics as well as how the video was classified on YouTube. AXTS asserted that the parties’ agreement was unenforceable, among other things. The parties could not resolve the issue and GY6 began noticing that other videos on its YouTube channel started receiving thousands of “dislikes,” allegedly as part of an anonymous “cyberattack” on its channel that it attributed to AXTS. AXTS eventually filed a breach of contract suit, and in response, GY6 advanced several counterclaims, including breach of contract, intentional interference with economic relations and CFAA claims. AXTS moved to dismiss (note: the court’s consideration of the first two claims are beyond the scope of this post).

In general, when a plaintiff files a civil claim under the CFAA, it alleges that it experienced economic damages when its own computers were accessed “in excess of” or “without authorization.” GY6’s claim varies in that GY6 alleged it was harmed when AXTS accessed a protected computer that was owned by YouTube without authorization. In dismissing the claim, the district court held that GY6 failed to allege AXTS’s access to GY6’s videos was without authorization because AXTS did not need permission to access GY6’s publicly available videos hosted on YouTube’s servers. The court also rejected GY6’s argument that AXTS accessed YouTube’s servers “in excess of authorization” based upon its purported violation of YouTube’s terms of service when it allegedly flooded GY6’s videos with “dislikes.” Citing the Ninth Circuit Power Ventures opinion, the district court stated that a “violation of the terms of use of a website—without more—cannot establish liability under the CFAA” and thus GY6’s claim that AXTS violated YouTube’s terms of use and therefore “exceeded authorization” is not cognizable under the CFAA. While the Oregon district court was bound by Ninth Circuit’s precedent, it is always worth noting when the Power Ventures holding is cited by courts to limit CFAA liability for a mere terms of use violations.

The GY6 case is reminiscent of Bittman v. Fox, 107 F.Supp.3d 896 (N.D. Ill. 2015), where an Illinois district court dismissed CFAA claims against certain defendants who were accused of creating fake Facebook accounts to impersonate the plaintiff in violation of Facebook’s terms of use. There, the court stated that it was unaware of any precedent suggesting the CFAA would provide a cause of action for such behavior, and even if the defendants violated Facebook’s terms by creating fake accounts to impersonate the plaintiff, such conduct “does not constitute access ‘without authorization’ or ‘exceeding authorized access’ as envisioned by the CFAA.”

The GY6 dispute is another in a line of cases that questions whether the CFAA is a means for challenging unwanted access to online content. We still await the Ninth Circuit’s decision in the closely-watched appeal in the hiQ case, where the Ninth Circuit is considering the applicability of the CFAA as a tool against scraping of public websites.