An Open Internet Law Casebook

  • Michael Risch (Villanova University School of Law)

This casebook tracks a broad survey of internet law topics. The approach is to silo by subject matter rather than take an exceptionalist view, though all of the material focuses on the internet and cyberlaw generally. But make no mistake that Easterbrook's view is winning here.

8 OIL Casebook Topic VIII: Unauthorized Access 8 OIL Casebook Topic VIII: Unauthorized Access

8.1 OIL Casebook: Trespass to Chattels 8.1 OIL Casebook: Trespass to Chattels

8.1.1 CompuServe v. Cyber Promotions 8.1.1 CompuServe v. Cyber Promotions

United States District Court for the Southern District of Ohio
962 F. Supp. 1015
No. C2-96-1070
1997-02-03

962 F.Supp. 1015

COMPUSERVE INCORPORATED, Plaintiff,
v.
CYBER PROMOTIONS, INC. and Sanford Wallace, Defendants.

No. C2-96-1070.

United States District Court, S.D. Ohio, Eastern Division.

February 3, 1997.

[1017] Robert W. Hamilton, Jones, Day, Reavis & Pogue, Columbus, OH, Kenneth B. Wilson and David H. Kramer, Wilson Sonsini Goodrich & Rosati, Palo Alto, CA, for Plaintiffs.

Alan Charles Witten, McShane, Breitfeller & Witten, Columbus, OH, Ralph A. Jacobs, Hoyle, Morris & Kerr, Philadelphia, PA, for Defendants.

MEMORANDUM OPINION AND ORDER

GRAHAM, District Judge.

This case presents novel issues regarding the commercial use of the Internet, specifically the right of an online computer service to prevent a commercial enterprise from sending unsolicited electronic mail advertising to its subscribers.

Plaintiff CompuServe Incorporated ("CompuServe") is one of the major national commercial online computer services. It operates a computer communication service through a proprietary nationwide computer network. In addition to allowing access to the extensive content available within its own proprietary network, CompuServe also provides its subscribers with a link to the much larger resources of the Internet. This allows its subscribers to send and receive electronic messages, known as "e-mail," by the Internet. Defendants Cyber Promotions, Inc. and its president Sanford Wallace are in the business of sending unsolicited e-mail advertisements on behalf of themselves and their clients to hundreds of thousands of Internet users, many of whom are CompuServe subscribers. CompuServe has notified defendants that they are prohibited from using its computer equipment to process and store the unsolicited e-mail and has requested that they terminate the practice. Instead, defendants have sent an increasing volume of e-mail solicitations to CompuServe subscribers. CompuServe has attempted to employ technological means to block the flow of defendants' e-mail transmissions to its computer equipment, but to no avail.

This matter is before the Court on the application of CompuServe for a preliminary injunction which would extend the duration of the temporary restraining order issued by this Court on October 24, 1996 and which would in addition prevent defendants from sending unsolicited advertisements to CompuServe subscribers.

For the reasons which follow, this Court holds that where defendants engaged in a course of conduct of transmitting a substantial volume of electronic data in the form of unsolicited e-mail to plaintiff's proprietary computer equipment, where defendants continued such practice after repeated demands to cease and desist, and where defendants deliberately evaded plaintiff's affirmative efforts to protect its computer equipment from such use, plaintiff has a viable claim for trespass to personal property and is entitled to injunctive relief to protect its property.

I.

The Court will begin its analysis of the issues by acknowledging, for the purpose of providing a background, certain findings of [1018] fact recently made by another district court in a case involving the Internet:

1. The Internet is not a physical or tangible entity, but rather a giant network which interconnects innumerable smaller groups of linked computer networks. It is thus a network of networks....

2. Some networks are "closed" networks, not linked to other computers or networks. Many networks, however, are connected to other networks, which are in turn connected to other networks in a manner which permits each computer in any network to communicate with computers on any other network in the system. This global Web of linked networks and computers is referred to as the Internet.

3. The nature of the Internet is such that it is very difficult, if not impossible, to determine its size at a given moment. It is indisputable, however, that the Internet has experienced extraordinary growth in recent years.... In all, reasonable estimates are that as many as 40 million people around the world can and do access the enormously flexible communication Internet medium. That figure is expected to grow to 200 million Internet users by the year 1999.

4. Some of the computers and computer networks that make up the network are owned by governmental and public institutions, some are owned by non-profit organizations, and some are privately owned. The resulting whole is a decentralized, global medium of communications — or "cyberspace" — that links people, institutions, corporations, and governments around the world....

....

11. No single entity — academic, corporate, governmental, or non-profit — administers the Internet. It exists and functions as a result of the fact that hundreds of thousands of separate operators of computers and computer networks independently decided to use common data transfer protocols to exchange communications and information with other computers (which in turn exchange communications and information with still other computers). There is no centralized storage location, control point, or communications channel for the Internet, and it would not be technically feasible for a single entity to control all of the information conveyed on the Internet.

American Civil Liberties Union v. Reno, 929 F.Supp. 824, 830-832 (E.D.Pa.1996). In 1994, one commentator noted that "advertisements on the current Internet computer network are not common because of that network's not-for-profit origins." Trotter Hardy, The Proper Legal Regime for "Cyberspace", 55 U.Pitt.L.Rev. 993, 1027 (1994). In 1997, that statement is no longer true.

Internet users often pay a fee for Internet access. However, there is no per-message charge to send electronic messages over the Internet and such messages usually reach their destination within minutes. Thus electronic mail provides an opportunity to reach a wide audience quickly and at almost no cost to the sender. It is not surprising therefore that some companies, like defendant Cyber Promotions, Inc., have begun using the Internet to distribute advertisements by sending the same unsolicited commercial message to hundreds of thousands of Internet users at once. Defendants refer to this as "bulk e-mail," while plaintiff refers to it as "junk e-mail." In the vernacular of the Internet, unsolicited e-mail advertising is sometimes referred to pejoratively as "spam."[1]

CompuServe subscribers use CompuServe's domain name "CompuServe.com" together with their own unique alpha-numeric identifier to form a distinctive e-mail mailing address. That address may be used by the subscriber to exchange electronic mail with any one of tens of millions of other Internet users who have electronic mail capability. E-mail sent to CompuServe subscribers is processed and stored on CompuServe's proprietary computer equipment. Thereafter, it becomes accessible to CompuServe's subscribers, who can access CompuServe's equipment and electronically retrieve those messages.

[1019] Over the past several months, CompuServe has received many complaints from subscribers threatening to discontinue their subscription unless CompuServe prohibits electronic mass mailers from using its equipment to send unsolicited advertisements. CompuServe asserts that the volume of messages generated by such mass mailings places a significant burden on its equipment which has finite processing and storage capacity. CompuServe receives no payment from the mass mailers for processing their unsolicited advertising. However, CompuServe's subscribers pay for their access to CompuServe's services in increments of time and thus the process of accessing, reviewing and discarding unsolicited e-mail costs them money, which is one of the reasons for their complaints. CompuServe has notified defendants that they are prohibited from using its proprietary computer equipment to process and store unsolicited e-mail and has requested them to cease and desist from sending unsolicited e-mail to its subscribers. Nonetheless, defendants have sent an increasing volume of e-mail solicitations to CompuServe subscribers.

In an effort to shield its equipment from defendants' bulk e-mail, CompuServe has implemented software programs designed to screen out the messages and block their receipt. In response, defendants have modified their equipment and the messages they send in such a fashion as to circumvent CompuServe's screening software. Allegedly, defendants have been able to conceal the true origin of their messages by falsifying the point-of-origin information contained in the header of the electronic messages. Defendants have removed the "sender" information in the header of their messages and replaced it with another address. Also, defendants have developed the capability of configuring their computer servers to conceal their true domain name and appear on the Internet as another computer, further concealing the true origin of the messages. By manipulating this data, defendants have been able to continue sending messages to CompuServe's equipment in spite of CompuServe's protests and protective efforts.

Defendants assert that they possess the right to continue to send these communications to CompuServe subscribers. CompuServe contends that, in doing so, the defendants are trespassing upon its personal property.

II.

The grant or denial of a motion for preliminary injunction rests within the discretion of the trial court. Deckert v. Independence Shares Corp., 311 U.S. 282, 61 S.Ct. 229, 85 L.Ed. 189 (1940). In determining whether a motion for preliminary injunction should be granted, a court must consider and balance four factors: (1) the likelihood that the party seeking the preliminary injunction will succeed on the merits of the claim; (2) whether the party seeking the injunction will suffer irreparable harm without the grant of the extraordinary relief; (3) the probability that granting the injunction will cause substantial harm to others; and (4) whether the public interest is advanced by the issuance of the injunction. Washington v. Reno,35 F.3d 1093, 1099 (6th Cir.1994); International Longshoremen's Assoc. v. Norfolk S. Corp., 927 F.2d 900, 903 (6th Cir.1991). None of these individual factors constitute prerequisites that must be met for the issuance of a preliminary injunction, they are instead factors that are to be balanced. In re DeLorean Motor Co., 755 F.2d 1223, 1229 (6th Cir. 1985). A preliminary injunction is customarily granted on the basis of procedures that are less formal and evidence that is less complete than in a full trial on the merits. Indeed, "[a] party ... is not required to prove his case in full at a preliminary injunction hearing." University of Texas v. Camenisch, 451 U.S. 390, 395, 101 S.Ct. 1830, 1834, 68 L.Ed.2d 175 (1981).

III.

This Court shall first address plaintiff's motion as it relates to perpetuating the temporary restraining order filed on October 24, 1996. That order enjoins defendants from:

(i) Using CompuServe accounts or CompuServe's equipment or support services to send or receive electronic mail or messages [1020] or in connection with the sending or receiving of electronic mail or messages;

(ii) Inserting any false reference to a CompuServe account or CompuServe equipment in any electronic message sent by Defendants; and

(iii) Falsely representing or causing their electronic mail or messages to bear the representation that any electronic mail or message sent by Defendants was sent by or originated from CompuServe or a CompuServe account.

(Temporary Restraining Order at 4).

As a general matter, the findings of this Court enunciated in its temporary restraining order are applicable to the request for preliminary injunction now at issue. The behavior described in subsections (ii) and (iii) of the temporary restraining order would be actionable as false representations or descriptions under § 43(a) of the Lanham Act, 15 U.S.C. § 1125(a). Also, the same behavior is actionable under the Ohio Deceptive Trade Practices Act, Ohio Rev.Code § 4165(B) and (D).

Defendants argue that the restrictions in the temporary restraining order are no longer necessary because defendants no longer have a CompuServe account. That being the case, a preliminary injunction perpetuating the proscribed activity articulated in subsection (i) of the temporary restraining order will present no hardship at all to defendants. Next, it does not appear that defendants would need to have a CompuServe account to perpetrate the proscribed acts articulated in subsections (ii) and (iii) of the temporary restraining order. Therefore, the fact that defendants no longer have an account with plaintiff does not vitiate the need which CompuServe has demonstrated for an injunction proscribing the acts set forth in those subsections.

For the foregoing reasons and the reasons articulated in the temporary restraining order issued by this Court, defendants Cyber Promotions, Inc. and its president Sanford Wallace are hereby enjoined from performing any of the acts therein described during the pendency of this litigation.

IV.

This Court will now address the second aspect of plaintiff's motion in which it seeks to enjoin defendants Cyber Promotions, Inc. and its president Sanford Wallace from sending any unsolicited advertisements to any electronic mail address maintained by CompuServe.

CompuServe predicates this aspect of its motion for a preliminary injunction on the common law theory of trespass to personal property or to chattels, asserting that defendants' continued transmission of electronic messages to its computer equipment constitutes an actionable tort.

Trespass to chattels has evolved from its original common law application, concerning primarily the asportation of another's tangible property, to include the unauthorized use of personal property:

Its chief importance now, is that there may be recovery ... for interferences with the possession of chattels which are not sufficiently important to be classed as conversion, and so to compel the defendant to pay the full value of the thing with which he has interfered. Trespass to chattels survives today, in other words, largely as a little brother of conversion.

Prosser & Keeton, Prosser and Keeton on Torts, § 14, 85-86 (1984).

The scope of an action for conversion recognized in Ohio may embrace the facts in the instant case. The Supreme Court of Ohio established the definition of conversion under Ohio law in Baltimore & O.R. Co. v. O'Donnell, 49 Ohio St. 489, 32 N.E. 476, 478 (1892) by stating that:

[I]n order to constitute a conversion, it was not necessary that there should have been an actual appropriation of the property by the defendant to its own use and benefit. It might arise from the exercise of a dominion over it in exclusion of the rights of the owner, or withholding it from his possession under a claim inconsistent with his rights. If one take the property of another, for a temporary purpose only, in disregard of the owner's right, it is a conversion. Either a wrongful taking, an assumption of ownership, an illegal use or [1021] misuse, or a wrongful detention of chattels will constitute a conversion.

Id. at 497-98, 32 N.E. 476; see also Miller v. Uhl, 37 Ohio App. 276, 174 N.E. 591 (1929); Great American Mut. Indem. Co. v. Meyer, 18 Ohio App. 97 (1924); 18 O. Jur.3d, Conversion § 17. While authority under Ohio law respecting an action for trespass to chattels is extremely meager, it appears to be an actionable tort. See State of Ohio v. Herbert,49 Ohio St.2d 88, 119, 358 N.E.2d 1090, 1106 (1976) (dissenting opinion) ("any workable cause of action would appear to be trespass to chattels"); see also Greenwald v. Kearns,104 Ohio App. 473, 145 N.E.2d 462 (1957) (trespass on the rights of plaintiff in personal property is a precursor to an act in conversion); Simmons v. Dimitrouleas Wallcovering, Inc., No. 14804, 1995 WL 19136, at *2 (Ohio App. Jan.18, 1995) (the court of appeals acknowledged that trespass to chattel claims were barred because those claims were dependent upon claimant's ownership of the subject personal property); Klinebriel v. Smith, No. 94CA1641, 1996 WL 57947, at *2 (Ohio App. Feb.6, 1996) (where the court of appeals let stand a jury award on a "trespass against personal property" claim); Springfield Bank v. Caserta, 10 B.R. 57 (Bankr. S.D.Ohio 1981) (common law principles of trespass to chattels in Am.Jur.2d applied as controlling under Ohio law).

Both plaintiff and defendants cite the Restatement (Second) of Torts to support their respective positions. In determining a question unanswered by state law, it is appropriate for this Court to consider such sources as the restatement of the law and decisions of other jurisdictions. Bailey v. V & O Press Co., Inc., 770 F.2d 601, 604-606 (6th Cir. 1985) (where court considered positions expressed in the Restatement (Second) of Torts in interpreting Ohio's principles of comparative negligence) Garrison v. Jervis B. Webb Co., 583 F.2d 258, 262 n. 6 (1978); see also Wright, Miller & Cooper, Federal Practice and Procedure, § 4507 (West 1996).

The Restatement § 217(b) states that a trespass to chattel may be committed by intentionally using or intermeddling with the chattel in possession of another. Restatement § 217, Comment e defines physical "intermeddling" as follows:

... intentionally bringing about a physical contact with the chattel. The actor may commit a trespass by an act which brings him into an intended physical contact with a chattel in the possession of another[.]

Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action. Thrifty-Tel, Inc., v. Bezenek, 46 Cal.App.4th 1559, 1567, 54 Cal.Rptr.2d 468 (1996); State v. McGraw, 480 N.E.2d 552, 554 (Ind.1985) (Indiana Supreme Court recognizing in dicta that a hacker's unauthorized access to a computer was more in the nature of trespass than criminal conversion); and State v. Riley, 121 Wash.2d 22, 846 P.2d 1365 (1993) (computer hacking as the criminal offense of "computer trespass" under Washington law). It is undisputed that plaintiff has a possessory interest in its computer systems. Further, defendants' contact with plaintiff's computers is clearly intentional. Although electronic messages may travel through the Internet over various routes, the messages are affirmatively directed to their destination.

Defendants, citing Restatement (Second) of Torts § 221, which defines "dispossession", assert that not every interference with the personal property of another is actionable and that physical dispossession or substantial interference with the chattel is required. Defendants then argue that they did not, in this case, physically dispossess plaintiff of its equipment or substantially interfere with it. However, the Restatement (Second) of Torts § 218 defines the circumstances under which a trespass to chattels may be actionable:

One who commits a trespass to a chattel is subject to liability to the possessor of the chattel if, but only if,

(a) he dispossesses the other of the chattel, or

(b) the chattel is impaired as to its condition, quality, or value, or

(c) the possessor is deprived of the use of the chattel for a substantial time, or

(d) bodily harm is caused to the possessor, or harm is caused to some person or thing [1022] in which the possessor has a legally protected interest.

Therefore, an interference resulting in physical dispossession is just one circumstance under which a defendant can be found liable. Defendants suggest that "[u]nless an alleged trespasser actually takes physical custody of the property or physically damages it, courts will not find the `substantial interference' required to maintain a trespass to chattel claim." (Defendant's Memorandum at 13). To support this rather broad proposition, defendants cite only two cases which make any reference to the Restatement. In Glidden v. Szybiak, 95 N.H. 318, 63 A.2d 233 (1949), the court simply indicated that an action for trespass to chattels could not be maintained in the absence of some form of damage. The court held that where plaintiff did not contend that defendant's pulling on her pet dog's ears caused any injury, an action in tort could not be maintained. Id. 63 A.2d at 235. In contrast, plaintiff in the present action has alleged that it has suffered several types if injury as a result of defendants' conduct. In Koepnick v. Sears Roebuck & Co., 158 Ariz. 322, 762 P.2d 609 (1988) the court held that a two-minute search of an individual's truck did not amount to a "dispossession" of the truck as defined in Restatement § 221 or a deprivation of the use of the truck for a substantial time. It is clear from a reading of Restatement § 218 that an interference or intermeddling that does not fit the § 221 definition of "dispossession" can nonetheless result in defendants' liability for trespass. The Koepnick court did not discuss any of the other grounds for liability under Restatement § 218.

A plaintiff can sustain an action for trespass to chattels, as opposed to an action for conversion, without showing a substantial interference with its right to possession of that chattel. Thrifty-Tel, Inc., 46 Cal. App.4th at 1567, 54 Cal.Rptr.2d 468 (quoting Zaslow v. Kroenert, 29 Cal.2d 541, 176 P.2d 1 (Cal.1946)). Harm to the personal property or diminution of its quality, condition, or value as a result of defendants' use can also be the predicate for liability. Restatement § 218(b).

An unprivileged use or other intermeddling with a chattel which results in actual impairment of its physical condition, quality or value to the possessor makes the actor liable for the loss thus caused. In the great majority of cases, the actor's intermeddling with the chattel impairs the value of it to the possessor, as distinguished from the mere affront to his dignity as possessor, only by some impairment of the physical condition of the chattel. There may, however, be situations in which the value to the owner of a particular type of chattel may be impaired by dealing with it in a manner that does not affect its physical condition.... In such a case, the intermeddling is actionable even though the physical condition of the chattel is not impaired.

The Restatement (Second) of Torts § 218, comment h. In the present case, any value CompuServe realizes from its computer equipment is wholly derived from the extent to which that equipment can serve its subscriber base. Michael Mangino, a software developer for CompuServe who monitors its mail processing computer equipment, states by affidavit that handling the enormous volume of mass mailings that CompuServe receives places a tremendous burden on its equipment. (Mangino Supp. Dec. at ¶ 12). Defendants' more recent practice of evading CompuServe's filters by disguising the origin of their messages commandeers even more computer resources because CompuServe's computers are forced to store undeliverable e-mail messages and labor in vain to return the messages to an address that does not exist. (Mangino Supp. Dec. at ¶¶ 7-8). To the extent that defendants' multitudinous electronic mailings demand the disk space and drain the processing power of plaintiff's computer equipment, those resources are not available to serve CompuServe subscribers. Therefore, the value of that equipment to CompuServe is diminished even though it is not physically damaged by defendants' conduct.

Next, plaintiff asserts that it has suffered injury aside from the physical impact of defendants' messages on its equipment. Restatement § 218(d) also indicates that recovery may be had for a trespass that causes [1023] harm to something in which the possessor has a legally protected interest. Plaintiff asserts that defendants' messages are largely unwanted by its subscribers, who pay incrementally to access their e-mail, read it, and discard it. Also, the receipt of a bundle of unsolicited messages at once can require the subscriber to sift through, at his expense, all of the messages in order to find the ones he wanted or expected to receive. These inconveniences decrease the utility of CompuServe's e-mail service and are the foremost subject in recent complaints from CompuServe subscribers. Patrick Hole, a customer service manager for plaintiff, states by affidavit that in November 1996 CompuServe received approximately 9,970 e-mail complaints from subscribers about junk e-mail, a figure up from approximately two hundred complaints the previous year. (Hole 2d Supp. Dec. at ¶ 4). Approximately fifty such complaints per day specifically reference defendants. (Hole Supp. Dec. at ¶ 3). Defendants contend that CompuServe subscribers are provided with a simple procedure to remove themselves from the mailing list. However, the removal procedure must be performed by the e-mail recipient at his expense, and some CompuServe subscribers complain that the procedure is inadequate and ineffectual. (See, e.g., Hole Supp. Dec. at ¶ 8).

Many subscribers have terminated their accounts specifically because of the unwanted receipt of bulk e-mail messages. (Hole Supp. Dec. at ¶ 9, Hole 2d Supp. Dec. at ¶ 6). Defendants' intrusions into CompuServe's computer systems, insofar as they harm plaintiff's business reputation and goodwill with its customers, are actionable under Restatement § 218(d).

The reason that the tort of trespass to chattels requires some actual damage as a prima facie element, whereas damage is assumed where there is a trespass to real property, can be explained as follows:

The interest of a possessor of a chattel in its inviolability, unlike the similar interest of a possessor of land, is not given legal protection by an action for nominal damages for harmless intermeddlings with the chattel. In order that an actor who interferes with another's chattel may be liable, his conduct must affect some other and more important interest of the possessor. Therefore, one who intentionally intermeddles with another's chattel is subject to liability only if his intermeddling is harmful to the possessor's materially valuable interest in the physical condition, quality, or value of the chattel, or if the possessor is deprived of the use of the chattel for a substantial time, or some other legally protected interest of the possessor is affected as stated in Clause (c). Sufficient legal protection of the possessor's interest in the mere inviolability of his chattel is afforded by his privilege to use reasonable force to protect his possession against even harmless interference.

Restatement (Second) of Torts § 218, Comment e (emphasis added). Plaintiff CompuServe has attempted to exercise this privilege to protect its computer systems. However, defendants' persistent affirmative efforts to evade plaintiff's security measures have circumvented any protection those self-help measures might have provided. In this case CompuServe has alleged and supported by affidavit that it has suffered several types of injury as a result of defendants' conduct. The foregoing discussion simply underscores that the damage sustained by plaintiff is sufficient to sustain an action for trespass to chattels. However, this Court also notes that the implementation of technological means of self-help, to the extent that reasonable measures are effective, is particularly appropriate in this type of situation and should be exhausted before legal action is proper.

Under Restatement § 252, the owner of personal property can create a privilege in the would-be trespasser by granting consent to use the property. A great portion of the utility of CompuServe's e-mail service is that it allows subscribers to receive messages from individuals and entities located anywhere on the Internet. Certainly, then, there is at least a tacit invitation for anyone on the Internet to utilize plaintiff's computer [1024] equipment to send e-mail to its subscribers.[2] Buchanan Marine, Inc. v. McCormack Sand Co., 743 F.Supp. 139 (E.D.N.Y.1990) (whether there is consent to community use is a material issue of fact in an action for trespass to chattels). However, in or around October 1995, CompuServe employee Jon Schmidt specifically told Mr. Wallace that he was "prohibited from using CompuServe's equipment to send his junk e-mail messages." (Schmidt Dec. at ¶ 5). There is apparently some factual dispute as to this point, but it is clear from the record that Mr. Wallace became aware at about this time that plaintiff did not want to receive messages from Cyber Promotions and that plaintiff was taking steps to block receipt of those messages. (Transcript of December 15, 1996 Hearing at 81-86).

Defendants argue that plaintiff made the business decision to connect to the Internet and that therefore it cannot now successfully maintain an action for trespass to chattels. Their argument is analogous to the argument that because an establishment invites the public to enter its property for business purposes, it cannot later restrict or revoke access to that property, a proposition which is erroneous under Ohio law. See, e.g., State v. Carriker, 5 Ohio App.2d 255, 214 N.E.2d 809 (1964) (the law in Ohio is that a business invitee's privilege to remain on the premises of another may be revoked upon the reasonable notification to leave by the owner or his agents); Allstate Ins. Co. v. U.S. Associates Realty, Inc.,11 Ohio App.3d 242, 464 N.E.2d 169 (1983) (notice of express restriction or limitation on invitation turns business invitee into trespasser). On or around October 1995, CompuServe notified defendants that it no longer consented to the use of its proprietary computer equipment. Defendants' continued use thereafter was a trespass. Restatement (Second) of Torts §§ 252 and 892A(5); see also Restatement (Second) of Torts § 217, Comment f ("The actor may commit a new trespass by continuing an intermeddling which he has already begun, with or without the consent of the person in possession. Such intermeddling may persist after the other's consent, originally given, has been terminated."); Restatement (Second) of Torts § 217, Comment g.

Further, CompuServe expressly limits the consent it grants to Internet users to send e-mail to its proprietary computer systems by denying unauthorized parties the use of CompuServe equipment to send unsolicited electronic mail messages. (Kolehmainen Dec. at ¶ 2). This policy statement, posted by CompuServe online, states as follows:

Compuserve is a private online and communications services company. CompuServe does not permit its facilities to be used by unauthorized parties to process and store unsolicited e-mail. If an unauthorized party attempts to send unsolicited messages to e-mail addresses on a CompuServe service, Compuserve will take appropriate action to attempt to prevent those messages from being processed by CompuServe. Violations of CompuServe's policy prohibiting unsolicited e-mail should be reported to....

Id. at ¶¶ 2 and 3. Defendants Cyber Promotions, Inc. and its president Sanford Wallace have used plaintiff's equipment in a fashion that exceeds that consent. The use of personal property exceeding consent is a trespass. City of Amsterdam v. Daniel Goldreyer, Ltd., 882 F.Supp. 1273 (E.D.N.Y. 1995); Restatement (Second) of Torts § 256. It is arguable that CompuServe's policy statement, insofar as it may serve as a limitation upon the scope of its consent to the use of its computer equipment, may be insufficiently communicated to potential third-party users when it is merely posted at some location on the network. However, in the present case the record indicates that defendants were actually notified that they were using CompuServe's equipment in an unacceptable manner. To prove that a would-be trespasser acted with the intent required to support liability in tort it is crucial that defendant be placed on notice that he is trespassing.

[1025] As a general matter, the public possesses a privilege to reasonably use the facilities of a public utility, Restatement (Second) of Torts § 259, but Internet service providers have been held not to be common carriers. Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F.Supp. 1361 (N.D.Cal.1995). The definition of public utility status under Ohio law was recently articulated in A & B Refuse Disposers, Inc. v. Bd. Of Ravenna Township Trustees, 64 Ohio St.3d 385, 596 N.E.2d 423 (1992). The Ohio Supreme Court held that the determination of whether an entity is a "public utility" requires consideration of several factors relating to the "public service" and "public concern" characteristics of a public utility. Id. 596 N.E.2d at 426. The public service characteristic contemplates an entity which devotes an essential good or service to the general public which the public in turn has a legal right to demand or receive. Id. at 425. CompuServe's network, Internet access and electronic mail services are simply not essential to society. There are many alternative forms of communication which are customarily used for the same purposes. Further, only a minority of society at large has the equipment to send and receive e-mail messages via the Internet, and even fewer actually do. The second characteristic of a public utility contemplates an entity which conducts its operations in such manner as to be a matter of public concern, that is, a public utility normally occupies a monopolistic or ogopolistic position in the relevant marketplace. Id. at 425-426. Defendants estimate that plaintiff serves some five million Internet users worldwide. However, there are a number of major Internet service providers that have very large subscriber bases, and with a relatively minor capital investment, anyone can acquire the computer equipment necessary to provide Internet access services on a smaller scale. Furthermore, Internet users are not a "captive audience" to any single service provider, but can transfer from one service to another until they find one that best suits their needs. Finally, the Ohio Supreme Court made clear that a party asserting public utility status is required to support that assertion with evidence going to the relevant aforementioned factors. Id. 596 N.E.2d at 427. Defendants have not argued that CompuServe is a public utility, much less produced evidence tending to support such a conclusion. Therefore, CompuServe is not a public utility as that status is defined under Ohio law and defendants can not be said to enjoy a special privilege to use CompuServe's proprietary computer systems.

In response to the trespass claim, defendants argue that they have the right to continue to send unsolicited commercial e-mail to plaintiff's computer systems under the First Amendment to the United States Constitution. The First Amendment states that "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press." The United States Supreme Court has recognized that "the constitutional guarantee of free speech is a guarantee only against abridgement by government, federal or state." Hudgens v. NLRB, 424 U.S. 507, 513, 96 S.Ct. 1029, 1033, 47 L.Ed.2d 196 (1976). Indeed, the protection of the First Amendment is not a shield against "merely private conduct." Hurley v. Irish-American Gay Group of Boston, 515 U.S. 557, ___, 115 S.Ct. 2338, 2344, 132 L.Ed.2d 487 (1995) (citation omitted).

Very recently, in an action filed by Cyber Promotions, Inc. against America Online, Inc. ("AOL") the United States District Court for the Eastern District of Pennsylvania held that AOL, a company selling services that are similar to those of CompuServe, is private actor. Cyber Promotions, Inc. v. American Online, Inc., 948 F.Supp. 436, 443-44 (E.D.Pa.1996). That case involved the question of whether Cyber Promotions had the First Amendment right to send unobstructed e-mail to AOL subscribers. The court held that Cyber Promotions had no such right and that, inter alia, AOL was not exercising powers that are traditionally the exclusive prerogative of the state, such as where a private company exercises municipal powers by running a company town. Id. at 442-43; Blum v. Yaretsky, 457 U.S. 991, 1004-05, 102 S.Ct. 2777, 2785-86, 73 L.Ed.2d 534 (1982); Marsh v. Alabama, 326 U.S. 501, 66 S.Ct. 276, 90 L.Ed. 265 (1946). [1026] This Court agrees with the conclusions reached by the United States District Court for the Eastern District of Pennsylvania.

In the present action, CompuServe is a private company. Moreover, the mere judicial enforcement of neutral trespass laws by the private owner of property does not alone render it a state actor. Rotunda & Nowak, Treatise on Constitutional Law § 16.3, 546 (West 1992). Defendants do not argue that CompuServe is anything other than a private actor. Instead, defendants urge that because CompuServe is so intimately involved in this new medium it might be subject to some special form of regulation. Defendants cite Associated Press v. United States, 326 U.S. 1, 65 S.Ct. 1416, 89 L.Ed. 2013 (1945), and Turner Broadcasting Sys., Inc. v. FCC, 512 U.S. 622, 114 S.Ct. 2445, 129 L.Ed.2d 497 (1994), which stand for the proposition that when a private actor has a certain quantum of control over a central avenue of communication, then the First Amendment might not prevent the government from enacting legislation requiring public access to private property. No such legislation yet exists that is applicable to CompuServe. Further, defendants' discussion concerning the extent to which the Internet may be regulated (or should be regulated) is irrelevant because no government entity has undertaken to regulate the Internet in a manner that is applicable to this action. Indeed, if there were some applicable statutory scheme in place this Court would not be required to apply paradigms of common law to the case at hand.

In Lloyd Corp. v. Tanner, 407 U.S. 551, 92 S.Ct. 2219, 33 L.Ed.2d 131 (1972), protestors of the Vietnam War sought to pass out written materials in a private shopping center. Even though the customers of the shopping center were the intended recipients of the communication, the Supreme Court held that allowing the First Amendment to trump private property rights is unwarranted where there are adequate alternative avenues of communication. Id. at 567, 92 S.Ct. at 2228. The Supreme Court stated that:

Although ... the courts properly have shown a special solicitude for the guarantees of the First Amendment, this Court has never held that a trespasser or an uninvited guest may exercise general rights of free speech on property privately owned and used nondiscriminatorily for private purposes only.

Id. at 567-68, 92 S.Ct. at 2228 (emphasis added). Defendants in the present action have adequate alternative means of communication available to them. Not only are they free to send e-mail advertisements to those on the Internet who do not use CompuServe accounts, but they can communicate to CompuServe subscribers as well through online bulletin boards, web page advertisements, or facsimile transmissions, as well as through more conventional means such as the U.S. mail or telemarketing. Defendants' contention, referring to the low cost of the electronic mail medium, that there are no adequate alternative means of communication is unpersuasive. There is no constitutional requirement that the incremental cost of sending massive quantities of unsolicited advertisements must be borne by the recipients. The legal concept in Lloyd that private citizens are entitled to enforce laws of trespass against would-be communicators is applicable to this case.

Defendants assert that CompuServe has assumed the role of a postmaster, to whom all of the strictures of the First Amendment apply, and that to allow it to enjoy a legally protected interest in its computer equipment in this context is to license a form of censorship which violates the First Amendment. However, such an assertion must be accompanied by a showing that CompuServe is a state actor. As earlier mentioned, defendants have neither specifically argued this point nor provided any evidence to support it. CompuServe is entitled to restrict access to its private property.

"The First and Fourteenth Amendments have never been treated as absolutes. Freedom of speech or press does not mean that one can talk or distribute where, when and how one chooses." Breard v. City of Alexandria, 341 U.S. 622, 642, 71 S.Ct. 920, 932, 95 L.Ed. 1233 (1951) (upholding local ordinances banning commercial solicitations over First Amendment objections) (footnote omitted). In Rowan v. U.S. Post Office Dept., 397 U.S. [1027]

728, 90 S.Ct. 1484, 25 L.Ed.2d 736 (1970) the United States Supreme Court held that the First Amendment did not forbid federal legislation that allowed addressees to remove themselves from mailing lists and stop all future mailings. The Court stated that the "mailer's right to communicate must stop at the mailbox of an unreceptive addressee .... [t]o hold less would be to license a form of trespass[.]" Id. at 736-37, 90 S.Ct. at 1490.

In Tillman v. Distribution Sys. Of America, Inc., 224 A.D.2d 79, 648 N.Y.S.2d 630 (1996) the plaintiff complained that the defendant continued to throw newspapers on his property after being warned not to do so. The court held that the defendant newspaper distributor had no First Amendment right to continue to throw newspapers onto the property of the plaintiff. After discussing the Supreme Court cases of Rowan and Breard, supra, the court pointed out that:

The most critical and fundamental distinction between the cases cited above, on the one hand, and the present case, on the other, is based on the fact that here we are not dealing with a government agency which seeks to preempt in some way the ability of a publisher to contact a potential reader; rather, we are dealing with a reader who is familiar with a publisher's product, and who is attempting to prevent the unwanted dumping of this product on his property. None of the cases cited by the defendants stands for the proposition that the Free Speech Clause prohibits such a landowner from resorting to his common-law remedies in order to prevent such unwanted dumping. There is, in our view, nothing in either the Federal or State Constitutions which requires a landowner to tolerate a trespass whenever the trespasser is a speaker, or the distributor of written speech, who is unsatisfied with the fora which may be available on public property, and who thus attempts to carry his message to private property against the will of the owner.

Id. 648 N.Y.S.2d at 635. The court concluded, relying on Lloyd, supra, that the property rights of the private owner could not be overwhelmed by the First Amendment. Id. 648 N.Y.S.2d at 636.

In the present case, plaintiff is physically the recipient of the defendants' messages and is the owner of the property upon which the transgression is occurring. As has been discussed, plaintiff is not a government agency or state actor which seeks to preempt defendants' ability to communicate but is instead a private actor trying to tailor the nuances of its service to provide the maximum utility to its customers.

Defendants' intentional use of plaintiff's proprietary computer equipment exceeds plaintiff's consent and, indeed, continued after repeated demands that defendants cease. Such use is an actionable trespass to plaintiff's chattel. The First Amendment to the United States Constitution provides no defense for such conduct.

Plaintiff has demonstrated a likelihood of success on the merits which is sufficient to warrant the issuance of the preliminary injunction it has requested.

As already discussed at some length, plaintiff has submitted affidavits supporting its contention that it will suffer irreparable harm without the grant of the preliminary injunction. As an initial matter, it is important to point out that the Court may accept affidavits as evidence of irreparable harm. Wounded Knee Legal Defense/Offense Committee v. Federal Bureau of Investigation, 507 F.2d 1281, 1287 (8th Cir.1974); see generally Wright, Miller & Kane, Federal Practice and Procedure § 2949, at 218-220 (West 1995). Defendants suggest that there are other reasons why CompuServe subscribers terminate their accounts, but do not offer any evidence which contradicts plaintiff's affidavits.

Normally, a preliminary injunction is not appropriate where an ultimate award of monetary damages will suffice. Montgomery v. Carr, 848 F.Supp. 770 (S.D.Ohio 1993). However, money damages are only adequate if they can be reasonably computed and collected. Plaintiff has demonstrated that defendants' intrusions into their computer systems harm plaintiff's business reputation and goodwill. This is the sort of injury that warrants the issuance of a preliminary injunction because the actual loss [1028] is impossible to compute. Basicomputer Corp. v. Scott, 973 F.2d 507 (6th Cir.1992); Economou v. Physicians Weight Loss Centers of America, 756 F.Supp. 1024 (N.D.Ohio 1991).

Plaintiff has shown that it will suffer irreparable harm without the grant of the preliminary injunction.

It is improbable that granting the injunction will cause substantial harm to defendant. Even with the grant of this injunction, defendants are free to disseminate their advertisements in other ways not constituting trespass to plaintiff's computer equipment. Further, defendants may continue to send electronic mail messages to the tens of millions of Internet users who are not connected through CompuServe's computer systems.

Finally, the public interest is advanced by the Court's protection of the common law rights of individuals and entities to their personal property. Defendants raise First Amendment concerns and argue that an injunction will adversely impact the public interest. High volumes of junk e-mail devour computer processing and storage capacity, slow down data transfer between computers over the Internet by congesting the electronic paths through which the messages travel, and cause recipients to spend time and money wading through messages that they do not want. It is ironic that if defendants were to prevail on their First Amendment arguments, the viability of electronic mail as an effective means of communication for the rest of society would be put at risk. In light of the foregoing discussion, those arguments are without merit. Further, those subscribing to CompuServe are not injured by the issuance of this injunction. Plaintiff has made a business decision to forbid Cyber Promotions and Mr. Wallace from using its computers to transmit messages to CompuServe subscribers. If CompuServe subscribers are unhappy with that decision, then they may make that known, perhaps by terminating their accounts and transferring to an Internet service provider which accepts unsolicited e-mail advertisements. That is a business risk which plaintiff has assumed.

Having considered the relevant factors, this Court concludes that the preliminary injunction that plaintiff requests is appropriate.

V.

Based on the foregoing, plaintiff's motion for a preliminary injunction is GRANTED. The temporary restraining order filed on October 24, 1996 by this Court is hereby extended in duration until final judgment is entered in this case. Further, defendants Cyber Promotions, Inc. and its president Sanford Wallace are enjoined from sending any unsolicited advertisements to any electronic mail address maintained by plaintiff CompuServe during the pendency of this action.

It is so ORDERED.

[1] This term is derived from a skit performed on the British television show Monty Python's Flying Circus, in which the word "spam" is repeated to the point of absurdity in a restaurant menu.

[2] That consent is apparently subject to express limitations. See Kolehmainen Dec. at ¶ 2 and discussion infra.

8.1.2 eBay, Inc. v. Bidder's Edge, Inc. 8.1.2 eBay, Inc. v. Bidder's Edge, Inc.

United States District Court for the Northern District of California
100 F. Supp. 2d 1058
No. C-99-21200RMW
2000-05-24

100 F.Supp.2d 1058 (2000)

EBAY, INC., Plaintiff,
v.
BIDDER'S EDGE, INC., Defendant.

No. C-99-21200RMW.

United States District Court, N.D. California.

May 24, 2000.

[1059] [1060] Janet L. Cullum, Mark B. Pitchford, Charles A. Schwab, Cooley Godward LLP, Palo Alto, CA, for plaintiff.

David J. Byer, John J. Cotter, Sara Hinchey, Marc E. Betinsky, Sean C. Ploen, Testa Hurwitz & Thibeault LLP, Boston, MA, Timothy C. Hale, Russo & Hale, Palo Alto, CA, for defendant.

ORDER GRANTING PRELIMINARY INJUNCTION

WHYTE, District Judge.

Plaintiff eBay, Inc.'s ("eBay") motion for preliminary injunction was heard by the court on April 14, 2000. The court has read the moving and responding papers[1] and heard the argument of counsel. For the reasons set forth below, the court preliminarily enjoins defendant Bidder's Edge, Inc. ("BE") from accessing eBay's computer systems by use of any automated querying program without eBay's written authorization.

I. BACKGROUND

eBay is an Internet-based, person-to-person trading site. (Jordan Decl. ¶ 3.) eBay offers sellers the ability to list items for sale and prospective buyers the ability to search those listings and bid on items. (Id.) The seller can set the terms and conditions of the auction. (Id.) The item is sold to the highest bidder. (Id.) The transaction is consummated directly between the buyer and seller without eBay's involvement. (Id.) A potential purchaser looking for a particular item can access the eBay site and perform a key word search for relevant auctions and bidding status. (Id.) eBay has also created category listings that identify items in over 2500 categories, such as antiques, computers, and dolls. (Id.) Users may browse these category listing pages to identify items of interest. (Id.)

Users of the eBay site must register and agree to the eBay User Agreement. (Id. ¶ 4.) Users agree to the seven page User Agreement by clicking on an "I Accept" button located at the end of the User Agreement. (Id. Ex. D.) The current version of the User Agreement prohibits the use of "any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission." (Id.) It is not clear that the version of the User Agreement in effect at the time BE began searching the eBay site prohibited such activity, or that BE ever agreed to comply with the User Agreement.

eBay currently has over 7 million registered users. (Jordan Decl. ¶ 4.) Over 400,000 new items are added to the site every day. (Id.) Every minute, 600 bids are placed on almost 3 million items. (Id.) Users currently perform, on average, 10 million searches per day on eBay's database. Bidding for and sales of items are continuously ongoing in millions of separate auctions. (Id.)

A software robot is a computer program which operates across the Internet to perform searching, copying and retrieving functions on the web sites of others.[2] (Maynor Decl. ¶ 3; Johnson-Laird Decl. ¶ 15.) A software robot is capable of executing [1061] thousands of instructions per minute, far in excess of what a human can accomplish. (Maynor Decl. ¶ 3) Robots consume the processing and storage resources of a system, making that portion of the system's capacity unavailable to the system owner or other users. (Id.) Consumption of sufficient system resources will slow the processing of the overall system and can overload the system such that it will malfunction or "crash." (Id.) A severe malfunction can cause a loss of data and an interruption in services. (Id.)

The eBay site employs "robot exclusion headers." (Id. ¶ 5.) A robot exclusion header is a message, sent to computers programmed to detect and respond to such headers, that eBay does not permit unauthorized robotic activity. (Id.) Programmers who wish to comply with the Robot Exclusion Standard design their robots to read a particular data file, "robots.txt," and to comply with the control directives it contains. (Johnson-Laird Decl. ¶ 20.)

To enable computers to communicate with each other over the Internet, each is assigned a unique Internet Protocol ("IP") address. (Maynor Decl. ¶ 6.) When a computer requests information from another computer over the Internet, the requesting computer must offer its IP address to the responding computer in order to allow a response to be sent. (Id.) These IP addresses allow the identification of the source of incoming requests. (Id.) eBay identifies robotic activity on its site by monitoring the number of incoming requests from each particular IP address. (Id. ¶ 7.) Once eBay identifies an IP address believed to be involved in robotic activity, an investigation into the identity, origin and owner of the IP address may be made in order to determine if the activity is legitimate or authorized. (Id. ¶ 8.) If an investigation reveals unauthorized robotic activity, eBay may attempt to ignore ("block") any further requests from that IP address. (Id.) Attempts to block requests from particular IP addresses are not always successful. (Id. ¶ 9; Johnson-Laird Decl. ¶ 27.)

Organizations often install "proxy server" software on their computers. (Johnson-Laird Decl. ¶ 12.) Proxy server software acts as a focal point for outgoing Internet requests. (Id.) Proxy servers conserve system resources by directing all outgoing and incoming data traffic through a centralized portal. (Id.) Typically, organizations limit the use of their proxy servers to local users. (Id.) However, some organizations, either as a public service or because of a failure properly to protect their proxy server through the use of a "firewall," allow their proxy servers to be accessed by remote users. (Id. ¶ 13.) Outgoing requests from remote users can be routed through such unprotected proxy servers and appear to originate from the proxy server. (Id.) Incoming responses are then received by the proxy server and routed to the remote user. (Id.) Information requests sent through such proxy servers cannot easily be traced back to the originating IP address and can be used to circumvent attempts to block queries from the originating IP address. (Id. ¶ 14.) Blocking queries from innocent third party proxy servers is both inefficient, because it creates an endless game of hide-and-seek, and potentially counterproductive, as it runs a substantial risk of blocking requests from legitimate, desirable users who use that proxy server. (Id. ¶ 22.)

BE is a company with 22 employees that was founded in 1997. (Carney Decl. ¶ 2.) The BE web site debuted in November 1998. (Id. ¶ 3.) BE does not host auctions. (Id. ¶ 2.) BE is an auction aggregation site designed to offer on-line auction buyers the ability to search for items across numerous on-line auctions without having to search each host site individually. (Id.) As of March 2000, the BE web site contained information on more that five million items being auctioned on more than one hundred auction sites. (Id. ¶ 3.) BE also provides its users with additional auction-related services and information. (Id. ¶ 2.) The [1062] information available on the BE site is contained in a database of information that BE compiles through access to various auction sites such as eBay. (Id. ¶ 4.) When a user enters a search for a particular item at BE, BE searches its database and generates a list of every item in the database responsive to the search, organized by auction closing date and time. (Id. ¶ 5.) Rather than going to each host auction site one at a time, a user who goes to BE may conduct a single search to obtain information about that item on every auction site tracked by BE. (Id. ¶ 6.) It is important to include information regarding eBay auctions on the BE site because eBay is by far the biggest consumer to consumer on-line auction site. (Id.)

On June 16, 1997, over a year before the BE web site debuted, Peter Leeds[3] wrote an email in response to an email from Kimbo Mundy, co-founder of BE. (Ritchey Decl. Ex 6.) Mundy's email said, "I think the magazines may be overrating sites' ability to block. The early agent experiments, like Arthur Anderson's Bargain-Finder were careful to check the robots.txt file on every site and desist if asked." (Id.) (underline in original). Mundy wrote back: "I believe well-behaved robots are still expected to check the robots.txt file.... Our other concern was also legal. It is one thing for customers to use a tool to check a site and quite another for a single commercial enterprise to do so on a repeated basis and then to distribute that information for profit." (Id.)

In early 1998, eBay gave BE permission to include information regarding eBay-hosted auctions for Beanie Babies and Furbies in the BE database. (Id. ¶ 7.) In early 1999, BE added to the number of person-to-person auction sites it covered and started covering a broader range of items hosted by those sites, including eBay. (Id. ¶ 8.) On April 24, 1999, eBay verbally approved BE crawling the eBay web site for a period of 90 days. (Id.) The parties contemplated that during this period they would reach a formal licensing agreement. (Id.) They were unable to do so.

It appears that the primary dispute was over the method BE uses to search the eBay database. eBay wanted BE to conduct a search of the eBay system only when the BE system was queried by a BE user. (Ploen Decl.Ex. 9.) This reduces the load on the eBay system and increases the accuracy of the BE data. (Id.) BE wanted to recursively crawl the eBay system to compile its own auction database. (Carney Decl. ¶ 18.) This increases the speed of BE searches and allows BE to track the auctions generally and automatically update its users when activity occurs in particular auctions, categories of auctions, or when new items are added. (Id.)

In late August or early September 1999, eBay requested by telephone that BE cease posting eBay auction listings on its site. (Id. ¶ 9; Rock Decl. ¶ 5.) BE agreed to do so. (Rock Decl. ¶ 5.) In October 1999, BE learned that other auction aggregations sites were including information regarding eBay auctions. (Carney Decl. ¶ 12.) On November 2, 1999, BE issued a press release indicating that it had resumed including eBay auction listings on its site. (Rock Decl.Ex. H.) On November 9, 1999, eBay sent BE a letter reasserting that BE's activities were unauthorized, insisting that BE cease accessing the eBay site, alleging that BE's activities constituted a civil trespass and offering to license BE's activities. (Id. Ex. I.) eBay and BE were again unable to agree on licensing terms. As a result, eBay attempted to block BE from accessing the eBay site; by the end of November, 1999, eBay had blocked a total of 169 IP addresses it believed BE was using to query eBay's system. (Maynor Decl. ¶ 12.) BE elected to continue crawling eBay's site by using [1063] proxy servers to evade eBay's IP blocks. (Mundy Depo. at 271:18-19 ("We eventually adopted the rotating proxy servers."))

Approximately 69% of the auction items contained in the BE database are from auctions hosted on eBay. (Carney Decl. ¶ 17.) BE estimates that it would lose one-third of its users if it ceased to cover the eBay auctions. (Id.)

The parties agree that BE accessed the eBay site approximate 100,000 times a day. (Felton Decl. ¶ 33.) eBay alleges that BE activity constituted up to 1.53% of the number of requests received by eBay, and up to 1.10% of the total data transferred by eBay during certain periods in October and November of 1999. (Johnson-Laird Decl. ¶ 64.) BE alleges that BE activity constituted no more than 1.11% of the requests received by eBay, and no more than 0.70% of the data transferred by eBay. (Felton Decl. ¶ 60.) eBay alleges that BE activity had fallen 27%, to 0.74% of requests and 0.61% of data, by February 20, 2000. (Johnson-Laird Decl. ¶¶ 70-71.) eBay alleges damages due to BE's activity totaling between $45,323 and $61,804 for a ten month period including seven months in 1999 and the first three months in 2000. (Meyer Decl. ¶ 28.) However, these calculations appear flawed in that they assume the maximal BE usage of eBay resources continued over all ten months. (Id.) Moreover, the calculations attribute a pro rata share of eBay expenditures to BE activity, rather than attempting to calculate the incremental cost to eBay due to BE activity. (Id.) eBay has not alleged any specific incremental damages due to BE activity. (See Rock Depo., 192:8-10.)[4]

It appears that major Internet search engines, such as Yahoo!, Google, Excite and AltaVista, respect the Robot Exclusion Standard. (Johnson-Laird Decl. ¶¶ 81-85.)[5]

eBay now moves for preliminary injunctive relief preventing BE from accessing the eBay computer system based on nine causes of action: trespass, false advertising, federal and state trademark dilution, computer fraud and abuse, unfair competition, misappropriation, interference with prospective economic advantage and unjust enrichment. However, eBay does not move, either independently or alternatively, for injunctive relief that is limited to restricting how BE can use data taken from the eBay site.[6]

II. LEGAL STANDARD

To obtain preliminary injunctive relief, a movant must demonstrate "either a likelihood of success on the merits and the possibility of irreparable injury, or that serious questions going to the merits were raised and the balance of hardships tips [1064] sharply in its favor." Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510, 1517 (9th Cir.1992) (citations omitted). The alternatives in the above standard represent "extremes of a single continuum," rather than two separate tests. Benda v. Grand Lodge of Int'l Ass'n of Machinists & Aerospace Workers, 584 F.2d 308, 315 (9th Cir. 1978). "The critical element in determining the test to be applied is the relative hardship to the parties. If the balance of harm tips decidedly toward the plaintiff, then the plaintiff need not show as robust a likelihood of success on the merits as when the balance tips less decidedly." Alaska v. Native Village of Venetie, 856 F.2d 1384, 1389 (9th Cir.1988). A "serious question" is one on which the movant has a "fair chance of success on the merits." Sierra On-Line, Inc. v. Phoenix Software, Inc., 739 F.2d 1415, 1421 (9th Cir.1984). Generally, the "balance of harm" evaluation should precede the "likelihood of success analysis" because until the balance of harm has been evaluated the court cannot know how strong and substantial the plaintiff's showing of the likelihood of success must be. See Village of Venetie, 856 F.2d at 1389.

III. ANALYSIS

A. Balance of Harm

eBay asserts that it will suffer four types of irreparable harm if preliminary injunctive relief is not granted: (1) lost capacity of its computer systems resulting from to BE's use of automated agents; (2) damage to eBay's reputation and goodwill caused by BE's misleading postings; (3) dilution of the eBay mark; and (4) BE's unjust enrichment.[7] (Mot. at 23:18-25.) The harm eBay alleges it will suffer can be divided into two categories. The first type of harm is harm that eBay alleges it will suffer as a result of BE's automated query programs burdening eBay's computer system ("system harm"). The second type of harm is harm that eBay alleges it will suffer as a result of BE's misrepresentations regarding the information that BE obtains through the use of these automated query programs ("reputational harm").

As noted above, eBay does not seek an injunction that is tailored to independently address the manner in which BE uses the information it obtains from eBay.[8] Even without accessing eBay's computer systems by robot, BE could inflict reputational harm by misrepresenting the contents of eBay's auction database or by misusing eBay's trademark. Moreover, allowing frequent and complete recursive searching of eBay's database (which would presumably exacerbate the system harm), requiring appropriate disclaimers regarding the accuracy of BE's listings, or limiting BE's use of the eBay mark would all reduce or eliminate the possibility of reputational harm, without requiring the drastic remedy of enjoining BE from accessing eBay's database.[9] Since eBay does not move independently or alternatively for injunctive relief tailored toward the alleged reputational harm, the court does not include the alleged reputational harm in the balance of harm analysis, nor does the court address the merits of the causes of action based on the alleged reputational harm in the likelihood of success analysis.

According to eBay, the load on its servers resulting from BE's web crawlers represents between 1.11% and 1.53% of the total load on eBay's listing servers. eBay alleges both economic loss from BE's current activities and potential harm resulting [1065] from the total crawling of BE and others. In alleging economic harm, eBay's argument is that eBay has expended considerable time, effort and money to create its computer system, and that BE should have to pay for the portion of eBay's system BE uses. eBay attributes a pro rata portion of the costs of maintaining its entire system to the BE activity. However, eBay does not indicate that these expenses are incrementally incurred because of BE's activities, nor that any particular service disruption can be attributed to BE's activities.[10] eBay provides no support for the proposition that the pro rata costs of obtaining an item represent the appropriate measure of damages for unauthorized use. In contrast, California law appears settled that the appropriate measure of damages is the actual harm inflicted by the conduct:

Where the conduct complained of does not amount to a substantial interference with possession or the right thereto, but consists of intermeddling with or use of or damages to the personal property, the owner has a cause of action for trespass or case, and may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use.

Zaslow v. Kroenert, 29 Cal.2d 541, 551, 176 P.2d 1 (1946). Moreover, even if BE is inflicting incremental maintenance costs on eBay, potentially calculable monetary damages are not generally a proper foundation for a preliminary injunction. See e.g., Sampson v. Murray, 415 U.S. 61, 90, 94 S.Ct. 937, 39 L.Ed.2d 166 (1974). Nor does eBay appear to have made the required showing that this is the type of extraordinary case in which monetary damages may support equitable relief. See In re Estate of Ferdinand Marcos, Human Rights Litigation, 25 F.3d 1467, 1480 (9th Cir.1994) ("a district court has authority to issue a preliminary injunction where the plaintiffs can establish that money damages will be an inadequate remedy due to impending insolvency of the defendant or that defendant has engaged in a pattern of secreting or dissipating assets to avoid judgment.").

eBay's allegations of harm are based, in part, on the argument that BE's activities should be thought of as equivalent to sending in an army of 100,000 robots a day to check the prices in a competitor's store. This analogy, while graphic, appears inappropriate. Although an admittedly formalistic distinction, unauthorized robot intruders into a "brick and mortar"[11] store would be committing a trespass to real property. There does not appear to be any doubt that the appropriate remedy for an ongoing trespass to business premises would be a preliminary injunction. See e.g., State v. Carriker, 5 Ohio App.2d 255, 214 N.E.2d 809, 811-12 (1964) (interpreting Ohio criminal trespass law to cover a business invitee who, with no intention of [1066] making a purchase, uses the business premises of another for his own gain after his invitation has been revoked); General Petroleum Corp. v. Beilby, 213 Cal. 601, 605, 2 P.2d 797 (1931). More importantly, for the analogy to be accurate, the robots would have to make up less than two out of every one-hundred customers in the store, the robots would not interfere with the customers' shopping experience, nor would the robots even be seen by the customers. Under such circumstances, there is a legitimate claim that the robots would not pose any threat of irreparable harm. However, eBay's right to injunctive relief is also based upon a much stronger argument.

If BE's activity is allowed to continue unchecked, it would encourage other auction aggregators to engage in similar recursive searching of the eBay system such that eBay would suffer irreparable harm from reduced system performance, system unavailability, or data losses. (See Spafford Decl. ¶ 32;[12] Parker Decl. ¶ 19;[13] Johnson-Laird Decl. ¶ 85.[14]) BE does not appear to seriously contest that reduced system performance, system unavailability or data loss would inflict irreparable harm on eBay consisting of lost profits and lost customer goodwill. Harm resulting from lost profits and lost customer goodwill is irreparable because it is neither easily calculable, nor easily compensable and is therefore an appropriate basis for injunctive relief. See, e.g., People of California ex rel. Van De Kamp v. Tahoe Reg'l Planning Agency, 766 F.2d 1316, 1319 (9th Cir.1985). Where, as here, the denial of preliminary injunctive relief would encourage an increase in the complained of activity, and such an increase would present a strong likelihood of irreparable harm, the plaintiff has at least established a possibility of irreparable harm.[15]

In the patent infringement context, the Federal Circuit has held that a preliminary injunction may be based, at least in part, on the harm that would occur if a preliminary injunction were denied and infringers were thereby encouraged to infringe a patent during the course of the litigation. See Atlas Powder Co. v. Ireco Chemicals, 773 F.2d 1230, 1233 (Fed.Cir. 1985). In the absence of preliminary injunctive relief, "infringers could become compulsory licensees for as long as the litigation lasts." Id. The Federal Circuit's reasoning is persuasive. "The very nature of the patent right is the right to exclude others.... We hold that where validity and continuing infringement have been clearly established, as in this case, immediate irreparable harm is presumed. To hold otherwise would be contrary to the public policy underlying the patent laws." Smith Int'l, Inc. v. Hughes Tool Co., 718 F.2d 1573, 1581 (Fed.Cir.1983) (footnotes omitted). Similarly fundamental to the concept of ownership of personal property is the right to exclude others. See Kaiser Aetna v. United States, 444 U.S. 164, 176, 100 S.Ct. 383, 62 L.Ed.2d 332 (1979) (characterizing "the right to exclude others" as "one of the most essential sticks in the bundle of rights that are commonly characterized [1067] as property"). If preliminary injunctive relief against an ongoing trespass to chattels were unavailable, a trespasser could take a compulsory license to use another's personal property for as long as the trespasser could perpetuate the litigation.

BE correctly observes that there is a dearth of authority supporting a preliminary injunction based on an ongoing to trespass to chattels. In contrast, it is black letter law in California that an injunction is an appropriate remedy for a continuing trespass to real property. See Allred v. Harris, 14 Cal.App.4th 1386, 1390, 18 Cal.Rptr.2d 530 (1993) (citing 5 B.E. Witkin, Summary of California Law, Torts § 605 (9th ed.1988)). If eBay were a brick and mortar auction house with limited seating capacity, eBay would appear to be entitled to reserve those seats for potential bidders, to refuse entrance to individuals (or robots) with no intention of bidding on any of the items, and to seek preliminary injunctive relief against non-customer trespassers eBay was physically unable to exclude. The analytic difficulty is that a wrongdoer can commit an ongoing trespass of a computer system that is more akin to the traditional notion of a trespass to real property, than the traditional notion of a trespass to chattels, because even though it is ongoing, it will probably never amount to a conversion.[16] The court concludes that under the circumstances present here, BE's ongoing violation of eBay's fundamental property right to exclude others from its computer system potentially causes sufficient irreparable harm to support a preliminary injunction.

BE argues that even if eBay is entitled to a presumption of irreparable harm, the presumption may be rebutted. The presumption may be rebutted by evidence that a party has engaged in a pattern of granting licenses to engage in the complained of activity such that it may be reasonable to expect that invasion of the right can be recompensed with a royalty rather than with an injunction, or by evidence that a party has unduly delayed in bringing suit, thereby negating the idea of irreparability. See Polymer Technologies, Inc. v. Bridwell, 103 F.3d 970, 974 (Fed. Cir.1996) (discussing presumption of irreparable harm in patent infringement context). BE alleges that eBay has both engaged in a pattern of licensing aggregators to crawl its site as well as delayed in seeking relief. For the reasons set forth below, the court finds that neither eBay's limited licensing activities nor its delay in seeking injunctive relief while it attempted to resolve the matter without judicial intervention are sufficient to rebut the possibility of irreparable harm.

If eBay's irreparable harm claim were premised solely on the potential harm caused by BE's current crawling activities, evidence that eBay had licensed others to crawl the eBay site would suggest that BE's activity would not result in irreparable harm to eBay. However, the gravamen of the alleged irreparable harm is that if BE is allowed to continue to crawl the eBay site, it may encourage frequent and unregulated crawling to the point that eBay's system will be irreparably harmed. There is no evidence that eBay has indiscriminately licensed all comers. Rather, it appears that eBay has carefully chosen to permit crawling by a limited number of aggregation sites that agree to abide by the terms of eBay's licensing agreement. "The existence of such a [limited] license, unlike a general license offered to all comers, does not demonstrate a decision to relinquish all control over the distribution of the product [1068] in exchange for a readily computable fee." Ty, Inc. v. GMA Accessories, Inc., 132 F.3d 1167, 1173 (7th Cir.1997) (discussing presumption of irreparable harm in copyright infringement context). eBay's licensing activities appear directed toward limiting the amount and nature of crawling activity on the eBay site. Such licensing does not support the inference that carte blanche crawling of the eBay site would pose no threat of irreparable harm.

eBay first learned of BE in late 1997 or early 1998 when BE sought to retain the same public relations firm used by eBay. (See Ploen Decl.Ex. 1.) This motion was filed on January 18, 2000. An unexplained delay of two years would certainly raise serious doubts as the irreparability of any alleged harm. See Playboy Enters., Inc. v. Netscape Communications Corp., 55 F.Supp.2d 1070, 1090 (C.D.Cal.1999) (noting that delay of as little as 60 days to three months has been held sufficient to rebut the presumption of irreparable harm). Here, the circumstances establish that any delay resulted from eBay's good faith efforts to resolve this dispute without judicial intervention and do not rebut a finding of the possibility of irreparable harm.

In April 1999, eBay agreed to allow BE to crawl the eBay site for 90 days while the parties negotiated a license. In late August or early September 1999, after the parties had failed to negotiate a license, eBay requested that BE stop crawling the eBay site, and BE complied. It was not until November 2, 1999, that BE issued a press release indicating that it had resumed including eBay auction listings on its site. In response, on November 9, 1999, eBay sent BE a letter again informing BE that its activities were unauthorized and again offering to license BE's activities.[17] After eBay and BE were again unable to agree on licensing terms, eBay attempted to block BE from accessing the eBay site. By the end of November 1999, despite blocking more than 150 IP addresses, it became apparent that eBay was unable to prevent BE's crawling of the eBay system via rotating proxy servers. Having failed in its attempt at self-help, eBay filed this suit on December 10, 1999, and filed this motion five weeks later. The fact that eBay's primary concern is the threat from the likely increase in crawling activity that would result if BE is allowed to continue its unauthorized conduct, combined with eBay's repeated attempts to resolve this dispute without judicial intervention, and BE's continuing attempts to thwart eBay's protection of its property, convinces the court that eBay's delay in seeking preliminary relief was justified.

BE argues that even if eBay will be irreparably harmed if a preliminary injunction is not granted, BE will suffer greater irreparable harm if an injunction is granted. According to BE, lack of access to eBay's database will result in a two-thirds decrease in the items listed on BE, and a one-eighth reduction in the value of BE, from $80 million to $70 million. (Sweeny Decl. ¶¶ 42, 43.) Although the potential harm to BE does not appear insignificant, BE does not appear to have suffered any irreparable harm during the period it voluntarily ceased crawling the eBay site. Barring BE from automatically querying eBay's site does not prevent BE from maintaining an aggregation site including information from eBay's site. Any potential economic harm is appropriately addressed through the posting of an adequate bond.

Moreover, it appears that any harm alleged to result from being forced to cease an ongoing trespass may not be legally cognizable. In the copyright infringement context, once a plaintiff has established a strong likelihood of success on the merits, any harm to the defendant [1069] that results from the defendant being preliminarily enjoined from continuing to infringe is legally irrelevant. See Triad Sys. Corp. v. Southeastern Exp. Co., 64 F.3d 1330, 1338 (9th Cir.1995) (defendant "cannot complain of the harm that will befall it when properly forced to desist from its infringing activities."). The Ninth Circuit has held it to be reversible error for a district court to even consider "the fact that an injunction would be devastating to [defendant's] business" once the plaintiff has made a strong showing of likely success on the merits of a copyright infringement claim. Cadence Design Sys., Inc. v. Avant! Corp., 125 F.3d 824, 830 (9th Cir. 1997). The reasoning in these cases appears to be that a defendant who builds a business model based upon a clear violation of the property rights of the plaintiff cannot defeat a preliminary injunction by claiming the business will be harmed if the defendant is forced to respect those property rights. See Concrete Mach. Co., Inc. v. Classic Lawn Ornaments, Inc., 843 F.2d 600, 613 (1st Cir.1988) ("If a strong likelihood of success is demonstrated, then the court should issue the injunction even if the defendant will incur the relatively greater burden; a probable infringer simply should not be allowed to continue to profit from its continuing illegality at the copyright owner's expense."). The Federal Circuit has crafted a similar rule with respect to patent infringement. See Windsurfing Int'l Inc. v. AMF, Inc., 782 F.2d 995, 1003 n. 12 (Fed.Cir.1986) ("One who elects to build a business on a product found to infringe cannot be heard to complain if an injunction against continuing infringement destroys the business so elected."). Accordingly, the court concludes that eBay has demonstrated at least a possibility of suffering irreparable system harm and that BE has not established a balance of hardships weighing in its favor.

B. Likelihood of Success

As noted above, eBay moves for a preliminary injunction on all nine of its causes of action. These nine causes of action correspond to eight legal theories: (1) trespass to chattels, (2) false advertising under the Lanham Act, 15 U.S.C. § 1125(a), (3) federal and state trademark dilution, (4) violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, (5) unfair competition, (6) misappropriation, (7) interference with prospective economic advantage and (8) unjust enrichment. The court finds that eBay has established a sufficient likelihood of prevailing on the trespass claim to support the requested injunctive relief. Since the court finds eBay is entitled to the relief requested based on its trespass claim, the court does not address the merits of the remaining claims or BE's arguments that many of these other state law causes of action are preempted by federal copyright law. The court first addresses the merits of the trespass claim, then BE's arguments regarding copyright preemption of the trespass claim, and finally the public interest.

1. Trespass

Trespass to chattels "lies where an intentional interference with the possession of personal property has proximately cause injury." Thrifty-Tel v. Bezenek, 46 Cal.App.4th 1559, 1566, 54 Cal.Rptr.2d 468 (1996). Trespass to chattels "although seldom employed as a tort theory in California" was recently applied to cover the unauthorized use of long distance telephone lines. Id. Specifically, the court noted "the electronic signals generated by the [defendants'] activities were sufficiently tangible to support a trespass cause of action." Id. at n. 6. Thus, it appears likely that the electronic signals sent by BE to retrieve information from eBay's computer system are also sufficiently tangible to support a trespass cause of action.

In order to prevail on a claim for trespass based on accessing a computer system, the plaintiff must establish: (1) defendant intentionally and without authorization [1070] interfered with plaintiff's possessory interest in the computer system; and (2) defendant's unauthorized use proximately resulted in damage to plaintiff. See Thrifty-Tel, 46 Cal.App.4th at 1566, 54 Cal.Rptr.2d 468; see also Itano v. Colonial Yacht Anchorage, 267 Cal.App.2d 84, 90, 72 Cal.Rptr. 823 (1968) ("When conduct complained of consists of intermeddling with personal property `the owner has a cause of action for trespass or case, and may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use.'") (quoting Zaslow v. Kroenert, 29 Cal.2d 541, 550, 176 P.2d 1 (1946)). Here, eBay has presented evidence sufficient to establish a strong likelihood of proving both prongs and ultimately prevailing on the merits of its trespass claim.

a. BE's Unauthorized Interference

eBay argues that BE's use was unauthorized and intentional. eBay is correct. BE does not dispute that it employed an automated computer program to connect with and search eBay's electronic database. BE admits that, because other auction aggregators were including eBay's auctions in their listing, it continued to "crawl" eBay's web site even after eBay demanded BE terminate such activity.

BE argues that it cannot trespass eBay's web site because the site is publicly accessible. BE's argument is unconvincing. eBay's servers are private property, conditional access to which eBay grants the public. eBay does not generally permit the type of automated access made by BE. In fact, eBay explicitly notifies automated visitors that their access is not permitted. "In general, California does recognize a trespass claim where the defendant exceeds the scope of the consent." Baugh v. CBS, Inc., 828 F.Supp. 745, 756 (N.D.Cal. 1993).

Even if BE's web crawlers were authorized to make individual queries of eBay's system, BE's web crawlers exceeded the scope of any such consent when they began acting like robots by making repeated queries. See City of Amsterdam v. Daniel Goldreyer, Ltd., 882 F.Supp. 1273, 1281 (E.D.N.Y.1995) ("One who uses a chattel with the consent of another is subject to liability in trespass for any harm to the chattel which is caused by or occurs in the course of any use exceeding the consent, even though such use is not a conversion."). Moreover, eBay repeatedly and explicitly notified BE that its use of eBay's computer system was unauthorized. The entire reason BE directed its queries through proxy servers was to evade eBay's attempts to stop this unauthorized access. The court concludes that BE's activity is sufficiently outside of the scope of the use permitted by eBay that it is unauthorized for the purposes of establishing a trespass. See Civic Western Corp. v. Zila Industries, Inc., 66 Cal.App.3d 1, 17, 135 Cal. Rptr. 915 (1977) ("It seems clear, however, that a trespass may occur if the party, entering pursuant to a limited consent, ... proceeds to exceed those limits ...") (discussing trespass to real property).

eBay argues that BE interfered with eBay's possessory interest in its computer system. Although eBay appears unlikely to be able to show a substantial interference at this time, such a showing is not required. Conduct that does not amount to a substantial interference with possession, but which consists of intermeddling with or use of another's personal property, is sufficient to establish a cause of action for trespass to chattel. See Thrifty-Tel, 46 Cal.App.4th at 1567, 54 Cal.Rptr.2d 468 (distinguishing the tort from conversion). Although the court admits some uncertainty as to the precise level of possessory interference required to constitute an intermeddling, there does not appear to be any dispute that eBay can show that BE's conduct amounts to use of eBay's computer systems. Accordingly, eBay has made a strong showing that it is likely to prevail on the merits of its assertion that BE's use of eBay's computer system was an unauthorized [1071] and intentional interference with eBay's possessory interest.

b. Damage to eBay's Computer System

A trespasser is liable when the trespass diminishes the condition, quality or value of personal property. See CompuServe, Inc. v. Cyber Promotions, 962 F.Supp. 1015 (S.D.Ohio 1997). The quality or value of personal property may be "diminished even though it is not physically damaged by defendant's conduct." Id. at 1022. The Restatement offers the following explanation for the harm requirement:

The interest of a possessor of a chattel in its inviolability, unlike the similar interest of a possessor of land, is not given legal protection by an action for nominal damages for harmless intermeddlings with the chattel. In order that an actor who interferes with another's chattel may be liable, his conduct must affect some other and more important interest of the possessor. Therefore, one who intentionally intermeddles with another's chattel is subject to liability only if his intermeddling is harmful to the possessor's materially valuable interest in the physical condition, quality, or value of the chattel, or if the possessor is deprived of the use of the chattel for a substantial time, or some other legally protected interest of the possessor is affected.... Sufficient legal protection of the possessor's interest in the mere inviolability of his chattel is afforded by his privilege to use reasonable force to protect his possession against even harmless interference.

Restatement (Second) of Torts § 218 cmt. e (1977).

eBay is likely to be able to demonstrate that BE's activities have diminished the quality or value of eBay's computer systems. BE's activities consume at least a portion of plaintiff's bandwidth and server capacity. Although there is some dispute as to the percentage of queries on eBay's site for which BE is responsible, BE admits that it sends some 80,000 to 100,000 requests to plaintiff's computer systems per day. (Ritchey Decl.Ex. 3 at 391:11-12.) Although eBay does not claim that this consumption has led to any physical damage to eBay's computer system, nor does eBay provide any evidence to support the claim that it may have lost revenues or customers based on this use,[18] eBay's claim is that BE's use is appropriating eBay's personal property by using valuable bandwidth and capacity, and necessarily compromising eBay's ability to use that capacity for its own purposes. See CompuServe, 962 F.Supp. at 1022 ("any value [plaintiff] realizes from its computer equipment is wholly derived from the extent to which that equipment can serve its subscriber base.").

BE argues that its searches represent a negligible load on plaintiff's computer systems, and do not rise to the level of impairment to the condition or value of eBay's computer system required to constitute a trespass. However, it is undisputed that eBay's server and its capacity are personal property, and that BE's searches use a portion of this property. Even if, as BE argues, its searches use only a small amount of eBay's computer system capacity, BE has nonetheless deprived eBay of the ability to use that portion of its personal property for its own purposes. The law recognizes no such right to use another's personal property. Accordingly, BE's actions appear to have caused injury to eBay and appear likely to continue to cause injury to eBay. If the court were to hold otherwise, it would likely encourage other auction aggregators to crawl the eBay site, potentially to the point of denying effective access to eBay's customers. If preliminary [1072] injunctive relief were denied, and other aggregators began to crawl the eBay site, there appears to be little doubt that the load on eBay's computer system would qualify as a substantial impairment of condition or value. California law does not require eBay to wait for such a disaster before applying to this court for relief. The court concludes that eBay has made a strong showing that it is likely to prevail on the merits of its trespass claim, and that there is at least a possibility that it will suffer irreparable harm if preliminary injunctive relief is not granted. eBay is therefore entitled to preliminary injunctive relief.

2. Copyright Preemption

BE argues that the trespass claim, along with eBay's other state law causes of action, "is similar to eBay's originally filed but now dismissed copyright infringement claim, and each is based on eBay's assertion that Bidder's Edge copies eBay's auction listings, a right within federal copyright law." Opp'n at 8:10-12. BE is factually incorrect to the extent it argues that the trespass claim arises out of what BE does with the information it gathers by accessing eBay's computer system, rather than the mere fact that BE accesses and uses that system without authorization.

A state law cause of action is preempted by the Copyright Act if, (1) the rights asserted under state law are "equivalent" to those protected by the Copyright Act, and (2) the work involved falls within the "subject matter" of the Copyright Act as set forth in 17 U.S.C. §§ 102 and 103. Kodadek v. MTV Networks, Inc., 152 F.3d 1209, 1212 (9th Cir.1998). "In order not to be equivalent, the right under state law must have an extra element that changes the nature of the action so that it is qualitatively different from a copyright infringement claim." Xerox Corp. v. Apple Computer, Inc., 734 F.Supp. 1542, 1550 (N.D.Cal.1990). Here, eBay asserts a right not to have BE use its computer systems without authorization. The right to exclude others from using physical personal property is not equivalent to any rights protected by copyright and therefore constitutes an extra element that makes trespass qualitatively different from a copyright infringement claim. But see Ticketmaster Corp. v. Tickets.Com, Inc., No. CV-99-7654, 2000 WL 525390 (C.D.Cal. Mar. 27, 2000) (dismissing trespass claim based on unauthorized Internet information aggregation as preempted by copyright law).

3. Public Interest

The traditional equitable criteria for determining whether an injunction should issue include whether the public interest favors granting the injunction. American Motorcyclist Ass'n v. Watt, 714 F.2d 962, 965 (9th Cir.1983). The parties submit a variety of declarations asserting that the Internet will cease to function if, according to eBay, personal and intellectual property rights are not respected, or, according to BE, if information published on the Internet cannot be universally accessed and used. Although the court suspects that the Internet will not only survive, but continue to grow and develop regardless of the outcome of this litigation, the court also recognizes that it is poorly suited to determine what balance between encouraging the exchange of information, and preserving economic incentives to create, will maximize the public good. Particularly on the limited record available at the preliminary injunction stage, the court is unable to determine whether the general public interest factors in favor of or against a preliminary injunction.

BE makes the more specific allegation that granting a preliminary injunction in favor of eBay will harm the public interest because eBay is alleged to have engaged in anticompetitive behavior in violation of federal antitrust law. The Ninth Circuit has noted that in evaluating whether to issue a preliminary injunction, the district court is under no obligation to consider the merits [1073] of any antitrust counterclaims once the plaintiff has demonstrated a likelihood of success on the merits. See Triad Sys. Corp. v. Southeastern Exp. Co., 64 F.3d 1330, 1336 n. 13 (9th Cir.1995) (discussing claim of copyright infringement). Although anticompetitive behavior may be appropriately considered in the context of a preliminary injunction based on trademark infringement, where misuse is an affirmative defense, see Helene Curtis Indus. v. Church & Dwight Co., 560 F.2d 1325 (7th Cir.1977), it does not appear to be appropriately considered here, because there is no equivalent affirmative defense to trespass to chattels. Accordingly, the court concludes the public interest does not weigh against granting a preliminary injunction.

IV. ORDER

Bidder's Edge, its officers, agents, servants, employees, attorneys and those in active concert or participation with them who receive actual notice of this order by personal service or otherwise, are hereby enjoined pending the trial of this matter, from using any automated query program, robot, web crawler or other similar device, without written authorization, to access eBay's computer systems or networks, for the purpose of copying any part of eBay's auction database. As a condition of the preliminary injunction, eBay is ordered to post a bond in the amount of $2,000,000 to secure payment of any damages sustained by defendant if it is later found to have been wrongfully enjoined. This order shall take effect 10 days from the date on which it is filed.

Nothing in this order precludes BE from utilizing information obtained from eBay's site other than by automated query program, robot, web crawler or similar device. The court denies eBay's request for a preliminary injunction barring access to its site based upon BE's alleged trademark infringement, trademark dilution and other claims. This denial is without prejudice to an application for an injunction limiting or conditioning the use of any information obtained on the theory that BE's use violates some protected right of eBay.

[1] On April 21, 2000, defendant Bidder's Edge, Inc. filed an ex parte motion for leave to file a supplemental declaration in order to respond to factual assertions in the reply. Although the court suspects that with reasonable diligence BE could have prepared the declaration at least by the hearing date, the declaration consists merely of the results of four searches performed on major Internet search engines. eBay's opposition did not cite any prejudice that would result from its filing. Accordingly, BE's motion is granted.

[2] Programs that recursively query other computers over the Internet in order to obtain a significant amount of information are referred to in the pleadings by various names, including software robots, robots, spiders and web crawlers.

[3] It is unclear who Peter Leeds is, except that his email address at the time was .

[4] Q: Are you aware of any complaints from eBay users about slowdowns that were caused by aggregators?

A: No.

[5] BE appears to argue that this cannot be the case because searches performed on each of these search engines will return results that include eBay web pages. (Supp. Ploen Decl. ¶¶ 1-9.) However, this does not establish that these sites do not respect robot exclusion headers. There are numerous ways in which search engines can obtain information in compliance with exclusion headers, including; obtaining consent, abiding by the robot.txt file guidelines, or manually searching the sites. BE did not present any evidence of any site ever complaining about the activities of any of these search engines.

[6] The bulk of eBay's moving papers and declarations address the alleged misuse of the eBay mark and the information BE obtains from the eBay computers. The court does not address the facts specific to these claims, nor the merits of these claims. Even if eBay were able to establish a likelihood of success on the merits as to these causes of action, such a showing would only support injunctive relief addressing BE's use of the eBay mark and BE's use of the eBay auction listings (the appropriate relief for which would appear to be a disclaimer regarding the lack of affiliation between eBay and BE and explicitly alerting customers to the limited scope of BE's information). Such a showing would not be sufficient to enjoin BE from accessing eBay's computer systems, which is the only relief eBay appears to request.

[7] eBay does not appear to offer any support for the proposition that unjust enrichment is an independent cause of action, let alone an independently adequate basis for preliminary injunctive relief.

[8] Although, as a practical matter, enjoining BE from accessing eBay's computers or searching eBay's auction database may result in BE's inability to make effective use of information from eBay's auction site.

[9] Thus, eBay's motion appears to be, in part, a tactical effort to increase the strength of its license negotiating position and not just a genuine effort to prevent irreparable harm.

[10] This case was filed on December 10, 1999. BE decommissioned a number of its servers in mid-December 1999. (See Mundy Depo. at 75:12-14.) Reformatting the hard drives resulted in the destruction of the server logs that may have indicated the actual duration of access to eBay's system. (See id. at 74:17-24.) eBay argues this should support an adverse inference against BE because eBay is unable to correlate BE's access to eBay's system with service disruptions. BE responds that these actions were a result of hardware failures unrelated to the litigation. The court agrees that these actions may support an inference that the information BE destroyed was prejudicial. However, final resolution of the fact-dependent questions regarding the circumstances under which this information was destroyed requires a more complete record. Accordingly, eBay is not entitled to a conclusive presumption of harm at this juncture in the proceedings, and eBay's motion to strike all evidence submitted by BE relating to a lack of harm is denied.

[11] The phrase "brick and mortar" is often used to designate a traditional business when contrasting it with a predominantly, or entirely, on-line business. The phrase appears to refer to the historical reliance on conducting commerce within the context of a physical space made from materials such as brick and mortar, as opposed to the modern trend toward conducting commerce in a cyberspace made from computer programs.

[12] "If 30 or 40 companies spring into existence using similar business models, what will be the total load and impact on eBay's servers?"

[13] "One crawler may currently use 1% of eBay's resources. What if hundred of users used similar crawlers?"

[14] "Given that Bidder's Edge can be seen to have imposed a load of 1.53% on eBay's listing servers, simple arithmetic and economics reveal how only a few more such companies deploying rude robots [that do not respect the Robot Exclusion Standard] would be required before eBay would be brought to its knees by what would be then a debilitating load."

[15] As discussed below, eBay has a established a strong likelihood of success on the merits of the trespass claim, and is therefore entitled to preliminary injunctive relief because it has established the possibility of irreparable harm. Accordingly, the court does not reach the issue of whether the threat of increased activity would be sufficient to support preliminary injunctive relief where the plaintiff has not made as strong of a showing of likelihood of success on the merits.

[16] As other courts have noted, applying traditional legal principles to the Internet can be troublesome. See ImOn, Inc. v. ImaginOn, Inc., 90 F.Supp.2d 345, 346 (S.D.N.Y.2000) ("Both parties are suppliers of `services or products' on the Internet which, as I recognize and grapple with hereafter, is one of the most fluid, rapidly developing, and virtually daily changing areas of commerce that the law has had to focus upon and endeavor to apply established principles to.")

[17] Because BE was expressly notified that its conduct was unauthorized, it does not matter whether BE ever agreed to a version of the eBay User Agreement that prohibited robotic activity.

[18] Plaintiff believes that it may have experienced system failures and a decrease in system performance during the times that defendant was searching its system, however, it is unable to produce any correlation between its outages and defendant's activities. Plaintiff contends that it would likely be able to produce such a correlation but for defendant's alleged destruction of logs that recorded the details of its robotic search activities.

8.1.3 Intel Corp. v. Hamidi 8.1.3 Intel Corp. v. Hamidi

71 P3d 296
1 Cal.Rptr.3d 32
30 Cal.4th 1342
71 P.3d 296
INTEL CORPORATION, Plaintiff and Respondent,
v.
Kourosh Kenneth HAMIDI, Defendant and Appellant.
No. S103781.
Supreme Court of California.
June 30, 2003.

[1 Cal.Rptr.3d 35]

[30 Cal.4th 1345]

        Philip H. Weber, Placerville; Dechert, William M. McSwain, Richard L. Berkman, F. Gregory Lastowka; Levy, Ram & Olson, Karl Olson, San Francisco, and Erica L. Craven for Defendant and Appellant.

        Mark A. Lemley and Deirdre K. Mulligan for Professors of Intellectual Property and Computer Law as Amicus Curiae on behalf of Defendant and Appellant.

        Lee Tien and Deborah Pierce for Electronic Frontier Foundation as Amicus Curiae on behalf of Defendant and Appellant.

        Jennifer Stisa Granick, San Francisco, for the Stanford Law School Center for Internet and Society as Amicus Curiae on behalf of Defendant and Appellant.

        Ann Brick and Christopher A. Hansen for American Civil Liberties Union Foundation of Northern California, Inc., and American Civil Liberties Union Foundation as Amici Curiae on behalf of Defendant and Appellant.

        Robert M. O'Neil and J. Joshua Wheeler for The Thomas Jefferson Center for the Protection of Free Expression as Amicus Curiae on behalf of Defendant and Appellant.

[30 Cal.4th 1346]

        Atshuler, Berzon, Nussbaum, Rubin & Demain, Stephen P. Berzon, Scott A. Kronland, San Francisco, and Stacey M. Leyton for the Service Employees International Union, AFL CIO as Amicus Curiae on behalf of Defendant and Appellant.

        Morrison & Foerster, Linda E. Shostak, Michael A. Jacobs, San Francisco, Kurt E. Springmann and Paul A. Friedman, San Francisco, for Plaintiff and Respondent.

        Steptoe & Johnson, Stewart A. Baker and W. Chelsea Chen for the U.S. Internet Service Provider Association as Amicus Curiae on behalf of Plaintiff and Respondent.

[1 Cal.Rptr.3d 36]

        Richard A. Epstein for California Employment Law Council, California Manufacturers & Technology Association, eBay, Inc., Information Technology Industry Council, National Association of Manufacturers, Semiconductor Industry Association and Silicon Valley Manufacturing Group as Amici Curiae on behalf of Plaintiff and Respondent.

        Fred J. Hiestand, Sacramento, for the Civil Justice Association of California as Amicus Curiae on behalf of Plaintiff and Respondent.

        Proskauer Rose, Mark Theodore, Arthur F. Silbergeld, Niloofar Nejat Bina and Adam C. Abrahms, Los Angeles, for Labor Policy Association, Inc., United States Chamber of Commerce and California Chamber of Commerce as Amici Curiae on behalf of Plaintiff and Respondent.

        WERDEGAR, J.

        Intel Corporation (Intel) maintains an electronic mail system, connected to the Internet, through which messages between employees and those outside the company can be sent and received, and permits its employees to make reasonable nonbusiness use of this system. On six occasions over almost two years, Kourosh Kenneth Hamidi, a former Intel employee, sent e-mails criticizing Intel's employment practices to numerous current employees on Intel's electronic mail system. Hamidi breached no computer security barriers in order to communicate with Intel employees. He offered to, and did, remove from his mailing list any recipient who so wished. Hamidi's communications to individual Intel employees caused neither physical damage nor functional disruption to the company's computers, nor did they at any time deprive Intel of the use of its computers. The contents of the messages, however, caused discussion among employees and managers.

        On these facts, Intel brought suit, claiming that by communicating with its employees over the company's e-mail system Hamidi committed the tort of

[30 Cal.4th 1347]

trespass to chattels. The trial court granted Intel's motion for summary judgment and enjoined Hamidi from any further mailings. A divided Court of Appeal affirmed.

        After reviewing the decisions analyzing unauthorized electronic contact with computer systems as potential trespasses to chattels, we conclude that under California law the tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning. Such an electronic communication does not constitute an actionable trespass to personal property, i.e., the computer system, because it does not interfere with the possessor's use or possession of, or any other legally protected interest in, the personal property itself. (See Zaslow v. Kroenert (1946),29 Cal.2d 541, 176 P.2d 1; Ticketmaster Corp. v. Tickets.com, Inc. (C.D.Cal, Aug. 10, 2000, No. 99CV7654) 2000 WL 1887522, p. *4; Rest.2d Torts, § 218.) The consequential economic damage Intel claims to have suffered, i.e., loss of productivity caused by employees reading and reacting to Hamidi's messages and company efforts to block the messages, is not an injury to the company's interest in its computers— which worked as intended and were unharmed by the communications—any more than the personal distress caused by reading an unpleasant letter would be an injury to the recipient's mailbox, or the loss of privacy caused by an intrusive telephone call would be an injury to the recipient's telephone equipment.

        Our conclusion does not rest on any special immunity for communications by electronic mail; we do not hold that

[1 Cal.Rptr.3d 37]

messages transmitted through the Internet are exempt from the ordinary rules of tort liability. To the contrary, e-mail, like other forms of communication, may in some circumstances cause legally cognizable injury to the recipient or to third parties and may be actionable under various common law or statutory theories. Indeed, on facts somewhat similar to those here, a company or its employees might be able to plead causes of action for interference with prospective economic relations (see Guillory v. Godfrey (1955),134 Cal. App.2d 628, 286 P.2d 474 [defendant berated customers and prospective customers of plaintiffs' cafe with disparaging and racist comments]), interference with contract (see Blender v. Superior Court (1942),55 Cal.App.2d 24, 130 P.2d 179 [defendant made false statements about plaintiff to his employer, resulting in plaintiffs discharge]) or intentional infliction of emotional distress (see Kiseskey v. Carpenters' Trust for So. California (1983) 144 Cal.App.3d 222, 229-230, 192 Cal.Rptr. 492 [agents of defendant union threatened life, health, and family of employer if he did not sign agreement with union].) And, of course, as with any other means of publication, third party subjects of e-mail communications may under appropriate facts make claims for

[30 Cal.4th 1348]

defamation, publication of private facts, or other speechbased torts. (See, e.g., Southridge Capital Management v. Lowry (2002),188 F.Supp.2d 388 [allegedly false statements in e-mail sent to several of plaintiffs clients support actions for defamation and ` interference with contract].) Intel's claim fails not because e-mail transmitted through the Internet enjoys unique immunity, but because the trespass to chattels tort—unlike the causes of action just mentioned—may not, in California, be proved without evidence of an injury to the plaintiffs personal property or legal interest therein.

        Nor does our holding affect the legal remedies of Internet service providers (ISP's) against senders of unsolicited commercial bulk e-mail (UCE), also known as "spam." (See Ferguson v. Friendfinders, Inc. (2002),94 Cal.App.4th 1255, 115 Cal.Rptr.2d 258.) A series of federal district court decisions, beginning with CompuServe, Inc. v. Cyber Promotions, Inc. (1997),962 F.Supp. 1015, has approved the use of trespass to chattels as a theory of spammers' liability to ISP's, based upon evidence that the vast quantities of mail sent by spammers both overburdened the ISP's own computers and made the entire computer system harder to use for recipients, the ISP's customers. (See id. at pp. 1022-1023.) In those cases, discussed in greater detail below, the underlying complaint was that the extraordinary quantity of UCE impaired the computer system's functioning. In the present case, the claimed injury is located in the disruption or distraction caused to recipients by the contents of the e-mail messages, an injury entirely separate from, and not directly affecting, the possession or value of personal property.

FACTUAL AND PROCEDURAL BACKGROUND

        We review a grant of summary judgment de novo; we must decide independently whether the facts not subject to triable dispute warrant judgment for the moving party as a matter of law. (Galanty v. Paul Revere Life Ins. Co. (2000),23 Cal.4th 368, 97 Cal.Rptr.2d 67, 1 P.3d 658; Norgart v. Upjohn Co. (1999),21 Cal.4th 383, 87 Cal.Rptr.2d 453, 981 P.2d 79; Code Civ. Proc, § 437c, subd. (c).) The pertinent undisputed facts are as follows.

        Hamidi, a former Intel engineer, together with others, formed an organization named Former and Current Employees of

[1 Cal.Rptr.3d 38]

Intel (FACE-Intel) to disseminate information and views critical of Intel's employment and personnel policies and practices. FACE-Intel maintained a Web site (which identified Hamidi as Webmaster and as the organization's spokesperson) containing such material. In addition, over a 21-month period Hamidi, on

[30 Cal.4th 1349]

behalf of FACE-Intel, sent six mass e-mails to employee addresses on Intel's electronic mail system. The messages criticized Intel's employment practices, warned employees of the dangers those practices posed to their careers, suggested employees consider moving to other companies, solicited employees' participation in FACE-Intel, and urged employees to inform themselves further by visiting FACE-Intel's Web site. The messages stated that recipients could, by notifying the sender of their wishes, be removed from FACE-Intel's mailing list; Hamidi did not subsequently send messages to anyone who requested removal.

        Each message was sent to thousands of addresses (as many as 35,000 according to FACE-Intel's Web site), though some messages were blocked by Intel before reaching employees. Intel's attempt to block internal transmission of the messages succeeded only in part; Hamidi later admitted he evaded blocking efforts by using different sending computers. When Intel, in March 1998, demanded in writing that Hamidi and FACE-Intel stop sending e-mails to Intel's computer system, Hamidi asserted the organization had a right to communicate with willing Intel employees; he sent a new mass mailing in September 1998.

        The summary judgment record contains no evidence Hamidi breached Intel's computer security in order to obtain the recipient addresses for his messages; indeed, internal Intel memoranda show the company's management concluded no security breach had occurred.1 Hamidi stated he created the recipient address list using an Intel directory on a floppy disk anonymously sent to him. Nor is there any evidence that the receipt or internal distribution of Hamidi's electronic messages damaged Intel's computer system or slowed or impaired its functioning. Intel did present uncontradicted evidence, however, that many employee recipients asked a company official to stop the messages and that staff time was consumed in attempts to block further messages from FACE-Intel. According to the FAC-Intel Web site, moreover, the messages had prompted discussions between "[e]xcited and nervous managers" and the company's human resources department.

        Intel sued Hamidi and FACE-Intel, pleading causes of action for trespass to chattels and nuisance, and seeking both actual damages and an injunction

[30 Cal.4th 1350]

against further e-mail messages. Intel later voluntarily dismissed its nuisance claim and waived its demand for damages. The trial court entered default against FACE-Intel upon that organization's failure to answer. The court then granted Intel's motion for summary judgment, permanently enjoining Hamidi, FACE-Intel, and their agents "from sending unsolicited e-mail to addresses on Intel's computer systems." Hamidi appealed; FACE-Intel did not.2

[1 Cal.Rptr.3d 39]

        The Court of Appeal, with one justice dissenting, affirmed the grant of injunctive relief. The majority took the view that the use of or intermeddling with another's personal property is actionable as a trespass to chattels without proof of any actual injury to the personal property; even if Intel could not show any damages resulting from Hamidi's sending of messages, "it showed he was disrupting its business by using its property and therefore is entitled to injunctive relief based on a theory of trespass to chattels." The dissenting justice warned that the majority's application of the trespass to chattels tort to "unsolicited electronic mail that causes no harm to the private computer system that receives it" would "expand the tort of trespass to chattel in untold ways and to unanticipated circumstances."

        We granted Hamidi's petition for review.3

Discussion

        I. Current California Tort Law

        Dubbed by Prosser the "little brother of conversion," the tort of trespass to chattels allows recovery for interferences with possession of personal property "not sufficiently important to be classed as conversion, and so to compel the defendant to pay the full value of the thing with which he has interfered." (Prosser & Keeton, Torts (5th ed.1984) § 14, pp. 85-86.)

        Though not amounting to conversion, the defendant's interference must, to be actionable, have caused some injury to the chattel or to the plaintiffs rights in it. Under California law, trespass to chattels "lies where an intentional interference with the possession of personal property has proximately

[30 Cal.4th 1351]

caused injury." (Thrifty-Tel, Inc. v. Bezenek (1996),46 Cal. App.4th 1559, 54 Cal.Rptr.2d 468, italics added.) In cases of interference with possession of personal property not amounting to conversion, "the owner has a cause of action for trespass or case, and may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use." (Zasloiv v. Kroenert, supra, 29 Cal.2d at p. 551, 176 P.2d 1, italics added; accord, Jordan v. Talbot (1961),55 Cal.2d 597, 12 Cal. Rptr. 488, 361 P.2d 20.) In modern American law generally, "[t]respass remains as an occasional remedy for minor interferences, resulting in some damage, but not sufficiently serious or sufficiently important to amount to the greater tort" of conversion. (Prosser & Keeton, Torts, supra, § 15, p. 90, italics added.)

        The Restatement, too, makes clear that some actual injury must have occurred in order for a trespass to chattels to be actionable. Under section 218 of the Restatement Second of Torts, dispossession alone, without further damages, is actionable (see id., par. (a) & com. d, pp. 420-421), but other forms of interference require some additional harm to the personal property or the possessor's interests

[1 Cal.Rptr.3d 40]

in it. (Id., pars, (b)-(d).) "The interest of a possessor of a chattel in its inviolability, unlike the similar interest of a possessor of land, is not given legal protection by an action for nominal damages for harmless intermeddlings with the chattel. In order that an actor who interferes with another's chattel may be liable, his conduct must affect some other and more important interest of the possessor. Therefore, one who intentionally intermeddles with another's chattel is subject to liability only if his intermeddling is harmful to the possessor's materially valuable interest in the physical condition, quality, or value of the chattel, or if the possessor is deprived of the use of the chattel for a substantial time, or some other legally protected interest of the possessor is affected as stated in Clause (c). Sufficient legal protection of the possessor's interest in the mere inviolability of his chattel is afforded by his privilege to use reasonable force to protect his possession against even harmless interference." (Id., com. e, pp. 421-422, italics added.)

        The Court of Appeal (quoting 7 Speiser et al., American Law of Torts (1990) Trespass, § 23:23, p. 667) referred to "`a number of very early cases [showing that] any unlawful interference, however slight, with the enjoyment by another of his personal property, is a trespass.'" But while a harmless use or touching of personal property may be a technical trespass (see Rest.2d Torts, § 217), an interference (not amounting to dispossession) is not actionable, under modern California and broader American law, without a showing of harm. As already discussed, this is the rule embodied in the Restatement (Rest.2d Torts, § 218) and adopted by California law

[30 Cal.4th 1352]

(Zaslow v. Kroenert, supra, 29 Cal.2d at p. 551, 176 P.2d 1; Thrifty-Tel, Inc. v. Bezenek, supra, 46 Cal.App.4th at p. 1566, 54 Cal.Rptr.2d 468).

        In this respect, as Prosser explains, modern day trespass to chattels differs both from the original English writ and from the action for trespass to land: "Another departure from the original rule of the old writ of trespass concerns the necessity of some actual damage to the chattel before the action can be maintained. Where the defendant merely interferes without doing any harm—as where, for example, he merely lays hands upon the plaintiffs horse, or sits in his car—there has been a division of opinion among the writers, and a surprising dearth of authority. By analogy to trespass to land there might be a technical tort in such a case .... Such scanty authority as there is, however, has considered that the dignitary interest in the inviolability of chattels, unlike that as to land, is not sufficiently important to require any greater defense than the privilege of using reasonable force when necessary to protect them. Accordingly it has been held that nominal damages will not be awarded, and that in the absence of any actual damage the action will not lie." (Prosser & Keeton, Torts, supra, § 14, p. 87, italics added, fns. omitted.)

        Intel suggests that the requirement of actual harm does not apply here because it sought only injunctive relief, as protection from future injuries. But as Justice Kolkey, dissenting below, observed, "[t]he fact the relief sought is injunctive does not excuse a showing of injury, whether actual or threatened." Indeed, in order to obtain injunctive relief the plaintiff must ordinarily show that the defendant's wrongful acts threaten to cause irreparable injuries, ones that cannot be adequately compensated in damages. (5 Witkin, Cal. Procedure (4th ed. 1997) Pleading, § 782, p. 239.) Even in an action for trespass to real property, in which damage to the property is not an

[1 Cal.Rptr.3d 41]

element of the cause of action, "the extraordinary remedy of injunction" cannot be invoked without showing the likelihood of irreparable harm. (Mechanics' Foundry v. Ryall (1888),75 Cal. 601, 17 P. 703; see Mendelson v. McCabe (1904),144 Cal. 230, 77 P. 915 [injunction against trespass to land proper where continued trespasses threaten creation of prescriptive right and repetitive suits for damages would be inadequate remedy].) A fortiori, to issue an injunction without a showing of likely irreparable injury in an action for trespass to chattels, in which injury to the personal property or the possessor's interest in it is an element of the action, would make little legal sense.

        The dispositive issue in this case, therefore, is whether the undisputed facts demonstrate Hamidi's actions caused or threatened to cause damage to Intel's computer system, or injury to its rights in that personal property, such as to entitle Intel to judgment as a matter of law. To review, the undisputed

[30 Cal.4th 1353]

evidence revealed no actual or threatened damage to Intel's computer hardware or software and no interference with its ordinary and intended operation. Intel was not dispossessed of its computers, nor did Hamidi's messages prevent Intel from using its computers for any measurable length of time. Intel presented no evidence its system was slowed or otherwise impaired by the burden of delivering Hamidi's electronic messages. Nor was there any evidence transmission of the messages imposed any marginal cost on the operation of Intel's computers. In sum, no evidence suggested that in sending messages through Intel's Internet connections and internal computer system Hamidi used the system in any manner in which it was not intended to function or impaired the system in any way. Nor does the evidence show the request of any employee to be removed from FACE-Intel's mailing list was not honored. The evidence did show, however, that some employees who found the messages unwelcome asked management to stop them and that Intel technical staff spent time and effort attempting to block the messages. A statement on the FACE-Intel Web site, moreover, could be taken as an admission that the messages had caused "[e]xcited and nervous managers" to discuss the matter with Intel's human resources department.

        Relying on a line of decisions, most from federal district courts, applying the tort of trespass to chattels to various types of unwanted electronic contact between computers, Intel contends that, while its computers were not damaged by receiving Hamidi's messages, its interest in the "physical condition, quality or value" (Rest.2d Torts, § 218, com. e, p. 422) of the computers was harmed. We disagree. The cited line of decisions does not persuade us that the mere sending of electronic communications that assertedly cause injury only because of their contents constitutes an actionable trespass to a computer system through which the messages are transmitted. Rather, the decisions finding electronic contact to be a trespass to computer systems have generally involved some actual or threatened interference with the computers' functioning.

        In Thrifty-Tel, Inc. v. Bezenek, supra, 46 Cal.App.4th at pages 1566-1567, 54 Cal. Rptr.2d 468 (Thrifty-Tel), the California Court of Appeal held that evidence of automated searching of a telephone carrier's system for authorization codes supported a cause of action for trespass to chattels. The defendant's automated dialing program "overburdened the [plaintiffs] system, denying some subscribers access to

[1 Cal.Rptr.3d 42]

phone lines" (Id., at p. 1564, 54 Cal.Rptr .2d 468), showing the requisite injury.

        Following Thrifty-Tel, a series of federal district court decisions held that sending UCE through an ISP's equipment may constitute trespass to the ISP's computer system. The lead case, CompuServe, Inc. v. Cyber Promotions, Inc., supra, 962 F.Supp. 1015, 1021-1023 (CompuServe), was followed

[30 Cal.4th 1354]

by Hotmail Corp. v. Van$ Money Pie, Inc. (N.D.Cal., Apr. 16, 1998, No. C 98-20064 JW) 1998 WL 388389, page *7, America Online, Inc. v. IMS (1998),24 F.Supp.2d 548, and America Online, Inc. v. LCGM, Inc. (1998),46 F.Supp.2d 444.

        In each of these spamming cases, the plaintiff showed, or was prepared to show, some interference with the efficient functioning of its computer system. In CompuServe, the plaintiff ISP's mail equipment monitor stated that mass UCE mailings, especially from nonexistent addresses such as those used by the defendant, placed "a tremendous burden" on the ISP's equipment, using "disk space and draining] the processing power," making those resources unavailable to serve subscribers. (Compu-Serve, supra, 962 F.Supp. at p. 1022.) Similarly, in Hotmail Corp. v. Van$ Money Pie, Inc., supra, 1998 WL 388389 at page *7, the court found the evidence supported a finding that the defendant's mailings "fill[ed] up Hotmail's computer storage space and threatened] to damage Hotmail's ability to service its legitimate customers." America Online, Inc. v. IMS, decided on summary judgment, was deemed factually indistinguishable from CompuServe; the court observed that in both cases the plaintiffs "alleged that processing the bulk e-mail cost them time and money and burdened their equipment." (America Online, Inc. v. IMS, supra, 24 F.Supp.2d at p. 550.) The same court, in America Online, Inc. v. LCGM, Inc., supra, 46 F.Supp.2d at page 452, simply followed CompuServe and its earlier America Online decision, quoting the former's explanation that UCE burdened the computer's processing power and memory.

        Building on the spamming cases, in particular CompuServe, three even more recent district court decisions addressed whether unauthorized robotic data collection

4

        In the leading case, eBay, the defendant Bidder's Edge (BE), operating an auction aggregation site, accessed the eBay Web site about 100,000 times

[30 Cal.4th 1355]

per day, accounting for between 1 and 2 percent of the information requests received by eBay

[1 Cal.Rptr.3d 43]

and a slightly smaller percentage of the data transferred by eBay. (eBay, supra, 100 F.Supp.2d at pp. 1061, 1063.) The district court rejected eBay's claim that it was entitled to injunctive relief because of the defendant's unauthorized presence alone, or because of the incremental cost the defendant had imposed on operation of the eBay site (id. at pp. 1065-1066), but found sufficient proof of threatened harm in the potential for others to imitate the defendant's activity: "If BE's activity is allowed to continue unchecked, it would encourage other auction aggregators to engage in similar recursive searching of the eBay system such that eBay would suffer irreparable harm from reduced system performance, system unavailability, or data losses." (Id. at p. 1066.) Again, in addressing the likelihood of eBay's success on its trespass to chattels cause of action, the court held the evidence of injury to eBay's computer system sufficient to support a preliminary injunction: "If the court were to hold otherwise, it would likely encourage other auction aggregators to crawl the eBay site, potentially to the point of denying effective access to eBay's customers. If preliminary injunctive relief were denied, and other aggregators began to crawl the eBay site, there appears to be little doubt that the load on eBay's computer system would qualify as a substantial impairment of condition or value." (Id. at pp. 1071-1072.)

        Another district court followed eBay on similar facts—a domain name registrar's claim against a Web hosting and development site that robotically searched the registrar's database of newly registered domain names in search of business leads—in Register.com, Inc. v. Verio, Inc., supra, 126 F.Supp.2d at pages 249-251. Although the plaintiff was unable to measure the burden the defendant's searching had placed on its system (id. at pp. 249-250), the district court, quoting the declaration of one of the plaintiffs officers, found sufficient evidence of threatened harm to the system in the possibility the defendant's activities would be copied by others: "`I believe that if Verio's searching of Register.com's WHOIS database were determined to be lawful, then every purveyor of Internet-based services would engage in similar conduct.'" (Id. at p. 250.) Like eBay, the court observed, Register.com had a legitimate fear "that its servers will be flooded by search robots." (Id. at p. 251.)

        In the third decision discussing robotic data collection as a trespass, Ticketmaster Corp. v. Tickets.com, Inc., supra, 2000 WL 1887522 (Ticketmaster), the court, distinguishing eBay, found insufficient evidence of harm to the chattel to constitute an actionable trespass: "A basic element of trespass to chattels must be physical harm to the chattel (not present here) or some obstruction of its basic function (in the court's opinion not sufficiently

[30 Cal.4th 1356]

shown here).... The comparative use [by the defendant of the plaintiffs computer system] appears very small and there is no showing that the use interferes to any extent with the regular business of [the plaintiff].... Nor here is the specter of dozens or more parasites joining the fray, the cumulative total of which could affect the operation of [the plaintiffs ] business." (Id. at p. *4, italics added.)

        In the decisions so far reviewed, the defendant's use of the plaintiffs computer system was held sufficient to support an action for trespass when it actually did, or threatened to, interfere with the intended functioning of the system, as by significantly reducing its available memory and processing power. In Ticketmaster, supra, 2000 WL 1887522, the one case where no such effect, actual or threatened, had been demonstrated, the court found insufficient evidence of harm to support a trespass

[1 Cal.Rptr.3d 44]

action. These decisions do not persuade us to Intel's position here, for Intel has demonstrated neither any appreciable effect on the operation of its computer system from Hamidi's messages, nor any likelihood that Hamidi's actions will be replicated by others if found not to constitute a trespass.

        That Intel does not claim the type of functional impact that spammers and robots have been alleged to cause is not surprising in light of the differences between Hamidi's activities and those of a commercial enterprise that uses sheer quantity of messages as its communications strategy. Though Hamidi sent thousands of copies of the same message on six occasions over 21 months, that number is minuscule compared to the amounts of mail sent by commercial operations. The individual advertisers sued in America Online, Inc. v. IMS, supra, 24 F.Supp.2d at page 549, and America Online, Inc. v. LCGM, Inc., supra, 46 F.Supp.2d at page 448, were alleged to have sent more than 60 million messages over 10 months and more than 92 million messages over seven months, respectively. Collectively, UCE has reportedly come to constitute about 45 percent of all e-mail. (Hansell, Internet Is Losing Ground in Battle Against Spam, N.Y. Times (Apr. 22, 2003) p. Al, col. 3.) The functional burden on Intel's computers, or the cost in time to individual recipients, of receiving Hamidi's occasional advocacy messages cannot be compared to the burdens and costs caused ISP's and their customers by the ever-rising deluge of commercial e-mail.

        Intel relies on language in the eBay decision suggesting that unauthorized use of another's chattel is actionable even without any showing of injury: "Even if, as [defendant] BE argues, its searches use only a small amount of eBay's computer system capacity, BE has nonetheless deprived eBay of the ability to use that portion of its personal property for its own purposes. The law recognizes no such right to use another's personal property." (eBay,

[30 Cal.4th 1357]

supra, 100 F.Supp.2d at p. 1071.) But as the eBay court went on immediately to find that the defendant's conduct, if widely replicated, would likely impair the functioning of the plaintiffs system (id. at pp. 1071-1072), we do not read the quoted remarks as expressing the court's complete view of the issue. In isolation, moreover, they would not be a correct statement of California or general American law on this point. While one may have no right temporarily to use another's personal property, such use is actionable as a trespass only if it "has proximately caused injury." (Thrifty-Tel, supra, 46 Cal.App.4th at p. 1566, 54 Cal.Rptr.2d 468.) "[I]n the absence of any actual damage the action will not lie." (Prosser & Keeton, Torts, supra, § 14, p. 87.) Short of dispossession, personal injury, or physical damage (not present here), intermeddling is actionable only if "the chattel is impaired as to its condition, quality, or value, or [¶] ... the possessor is deprived of the use of the chattel for a substantial time." (Rest.2d Torts, § 218, pars, (b), (c).) In particular, an actionable deprivation of use "must be for a time so substantial that it is possible to estimate the loss caused thereby. A mere momentary or theoretical deprivation of use is not sufficient unless there is a dispossession...." (Id., com. i, p. 423.) That Hamidi's messages temporarily used some portion of the Intel computers' processors or storage is, therefore, not enough; Intel must, but does not, demonstrate some measurable loss from the use of its computer system.5

[1 Cal.Rptr.3d 45]

        In addition to impairment of system functionality, CompuServe and its progeny also refer to the ISP's loss of business reputation and customer goodwill, resulting from the inconvenience and cost that spam causes to its members, as harm to the ISP's legally protected interests in its personal property. (See CompuServe, supra, 962 F.Supp. at p. 1023; Hotmail Corp. v. Van$ Money Pie, Inc., supra, 1998 WL 388389 at p. *7; America Online, Inc. v. IMS, supra, 24 F.Supp.2d at p. 550.) Intel argues that its own interest in employee productivity, assertedly disrupted by Hamidi's messages, is a comparable protected interest in its computer system. We disagree.

[30 Cal.4th 1358]

        Whether the economic injuries identified in CompuServe were properly considered injuries to the ISP's possessory interest in its personal property, the type of property interest the tort is primarily intended to protect (see Rest.2d Torts, § 218 & com. e, pp. 421-22; Prosser & Keeton, Torts, supra, § 14, p. 87), has been questioned.6 "[T]he court broke the chain between the trespass and the harm, allowing indirect harms to CompuServe's business interests—reputation, customer goodwill, and employee time—to count as harms to the chattel (the server)." (Quilter, The Continuing Expansion of Cyberspace Trespass to Chattels, supra, 17 Berkeley Tech. L.J. at pp. 429-430.) "[T]his move cuts trespass to chattels free from its moorings of dispossession or the equivalent, allowing the court free reign [sic] to hunt for `impairment.'" (Burk, The Trouble with Trespass (2000) 4 J. Small & Emerging Bus.L. 27, 35.) But even if the loss of goodwill identified in CompuServe were the type of injury that would give rise to a trespass to chattels claim under California law, Intel's position would not follow, for Intel's claimed injury has even less connection to its personal property than did CompuServe's.

        CompuServe's customers were annoyed because the system was inundated with unsolicited commercial messages, making its use for personal communication more difficult and costly. (CompuServe, supra, 962 F.Supp. at p. 1023.) Their complaint, which allegedly led some to cancel their

[1 Cal.Rptr.3d 46]

CompuServe service, was about the functioning of CompuServe's electronic mail service. Intel's workers, in contrast, were allegedly distracted from their work not because of the frequency or quantity of Hamidi's messages, but because of assertions and opinions the messages conveyed. Intel's complaint is thus about the contents of the messages rather than the functioning of the company's e-mail system. Even accepting CompuServe's economic injury rationale, therefore, Intel's position represents a further extension of the trespass to chattels tort, fictionally recharacterizing the allegedly injurious effect of a communication's contents on recipients as an impairment to the device which transmitted the message.

        This theory of "impairment by content" (Burk, The Trouble with Trespass, supra, 4 J. Small & Emerging Bus.L. at p. 37) threatens to stretch trespass

[30 Cal.4th 1359]

law to cover injuries far afield from the harms to possession the tort evolved to protect. Intel's theory would expand the tort of trespass to chattels to cover virtually any unconsented—to communication that, solely because of its content, is unwelcome to the recipient or intermediate transmitter. As the dissenting justice below explained, "`Damage' of this nature—the distraction of reading or listening to an unsolicited communication—is not within the scope of the injury against which the trespass-to-chattel tort protects, and indeed trivializes it. After all, `[t]he property interest protected by the old action of trespass was that of possession; and this has continued to affect the character of the action.' (Prosser & Keeton on Torts, supra, § 14, p. 87.) Reading an e-mail transmitted to equipment designed to receive it, in and of itself, does not affect the possessory interest in the equipment. [11] Indeed, if a chattel's receipt of an electronic communication constitutes a trespass to that chattel, then not only are unsolicited telephone calls and faxes trespasses to chattel, but unwelcome radio waves and television signals also constitute a trespass to chattel every time the viewer inadvertently sees or hears the unwanted program." We agree. While unwelcome communications, electronic or otherwise, can cause a variety of injuries to economic relations, reputation and emotions, those interests are protected by other branches of tort law; in order to address them, we need not create a fiction of injury to the communication system.

        Nor may Intel appropriately assert a property interest in its employees' time. "The Restatement test clearly speaks in the first instance to the impairment of the chattel.... But employees are not chattels (at least not in the legal sense of the term)." (Burk, The Trouble with Trespass, supra, 4 J. Small & Emerging Bus.L. at p. 36.) Whatever interest Intel may have in preventing its employees from receiving disruptive communications, it is not an interest in personal property, and trespass to chattels is therefore not an action that will lie to protect it. Nor, finally, can the fact Intel staff spent time attempting to block Hamidi's messages be bootstrapped into an injury to Intel's possessory interest in its computers. To quote, again, from the dissenting opinion in the Court of Appeal: "[I]t is circular to premise the damage element of a tort solely upon the steps taken to prevent the damage. Injury can only be established by the completed tort's consequences, not by the cost of the steps taken to avoid the injury and prevent the tort; otherwise, we can create injury for every supposed tort."

        Intel connected its e-mail system to the Internet and permitted its employees to make use of this connection both for business and, to a reasonable extent, for their own purposes. In doing so, the company

[1 Cal.Rptr.3d 47]

necessarily contemplated the employees' receipt of unsolicited as well as solicited communications from other companies and individuals. That some communications

[30 Cal.4th 1360]

would, because of their contents, be unwelcome to Intel management was virtually inevitable. Hamidi did nothing but use the e-mail system for its intended purpose—to communicate with employees. The system worked as designed, delivering the messages without any physical or functional harm or disruption. These occasional transmissions cannot reasonably be viewed as impairing the quality or value of Intel's computer system. We conclude, therefore, that Intel has not presented undisputed facts demonstrating an injury to its personal property, or to its legal interest in that property, that support, under California tort law, an action for trespass to chattels.

II. Proposed Extension of California Tort Law

        We next consider whether California common law should be extended to cover, as a trespass to chattels, an otherwise harmless electronic communication whose contents are objectionable. We decline to so expand California law. Intel, of course, was not the recipient of Hamidi's messages, but rather the owner and possessor of computer servers used to relay the messages, and it bases this tort action on that ownership and possession. The property rule proposed is a rigid one, under which the sender of an electronic message would be strictly liable to the owner of equipment through which the communication passes—here, Intel—for any consequential injury flowing from the contents of the communication. The arguments of amici curiae and academic writers on this topic, discussed below, leave us highly doubtful whether creation of such a rigid property rule would be wise.

        Writing on behalf of several industry groups appearing as amici curiae, Professor Richard A. Epstein of the University of Chicago urges us to excuse the required showing of injury to personal property in cases of unauthorized electronic contact between computers, "extending the rules of trespass to real property to all interactive Web sites and servers." The court is thus urged to recognize, for owners of a particular species of personal property, computer servers, the same interest in inviolability as is generally accorded a possessor of land. In effect, Professor Epstein suggests that a company's server should be its castle, upon which any unauthorized intrusion, however harmless, is a trespass.

        Epstein's argument derives, in part, from the familiar metaphor of the Internet as a physical space, reflected in much of the language that has been used to describe it: "cyberspace," "the information superhighway," e-mail "addresses," and the like. Of course, the Internet is also frequently called simply the "Net," a term, Hamidi points out, "evoking a fisherman's chattel." A major component of the Internet is the World Wide "Web," a

[30 Cal.4th 1361]

descriptive term suggesting neither personal nor real property, and "cyberspace" itself has come to be known by the oxymoronic phrase "virtual reality," which would suggest that any real property "located" in "cyberspace" must be "virtually real" property. Metaphor is a two-edged sword.

        Indeed, the metaphorical application of real property rules would not, by itself, transform a physically harmless electronic intrusion on a computer server into a trespass. That is because, under California law, intangible intrusions on land, including electromagnetic transmissions, are not actionable as trespasses (though they may be as nuisances) unless they cause physical damage to the real

[1 Cal.Rptr.3d 48]

property. (San Diego Gas & Electric Co. v. Superior Court (1996),13 Cal.4th 893, 55 Cal.Rptr.2d 724, 920 P.2d 669.) Since Intel does not claim Hamidi's electronically transmitted messages physically damaged its servers, it could not prove a trespass to land even were we to treat the computers as a type of real property. Some further extension of the conceit would be required, under which the electronic signals Hamidi sent would be recast as tangible intruders, perhaps as tiny messengers rushing through the "hallways" of Intel's computers and bursting out of employees' computers to read them Hamidi's missives. But such fictions promise more confusion than clarity in the law. (See eBay, supra, 100 F.Supp.2d at pp. 1065-1066 [rejecting eBay's argument that the defendant's automated data searches "should be thought of as equivalent to sending in an army of 100,000 robots a day to check the prices in a competitor's store"].)

        The plain fact is that computers, even those making up the Internet, are—like such older communications equipment as telephones and fax machines—personal property, not realty. Professor Epstein observes that "[a]though servers may be moved in real space, they cannot be moved in cyberspace," because an Internet server must, to be useful, be accessible at a known address. But the same is true of the telephone: to be useful for incoming communication, the telephone must remain constantly linked to the same number (or, when the number is changed, the system must include some forwarding or notification capability, a qualification that also applies to computer addresses). Does this suggest that an unwelcome message delivered through a telephone or fax machine should be viewed as a trespass to a type of real property? We think not: As already discussed, the contents of a telephone communication may cause a variety of injuries and may be the basis for a variety of tort actions (e.g., defamation, intentional infliction of emotional distress, invasion of privacy), but the injuries are not to an

[30 Cal.4th 1362]

interest in property, much less real property, and the appropriate tort is not trespass.7

        More substantively, Professor Epstein argues that a rule of computer server inviolability will, through the formation or extension of a market in computer-to-computer access, create "the right social result." In most circumstances, he predicts,

[1 Cal.Rptr.3d 49]

companies with computers on the Internet will continue to authorize transmission of information through e-mail, Web site searching, and page linking because they benefit by that open access. When a Web site owner does deny access to a particular sending, searching, or linking computer, a system of "simple one-on-one negotiations" will arise to provide the necessary individual licenses.

        Other scholars are less optimistic about such a complete propertization of the Internet. Professor Mark Lemley of the University of California, Berkeley, writing on behalf of an amici curiae group of professors of intellectual property and computer law, observes that under a property rule of server inviolability, "each of the hundreds of millions of [Internet] users must get permission in advance from anyone with whom they want to communicate and anyone who owns a server through which their message may travel." The consequence for e-mail could be a substantial reduction in the freedom of electronic communication, as the owner of each computer through which an electronic message passes could impose its own limitations on message content or source. As Professor Dan Hunter of the University of Pennsylvania asks rhetorically: "Does this mean that one must read the `Terms of Acceptable Email Usage' of every email system that one emails in the course of an ordinary day? If the University of Pennsylvania had a policy

[30 Cal.4th 1363]

that sending a joke by email would be an unauthorized use of their system, then under the logic of [the lower court decision in this case], you commit 'trespass' if you emailed me a ... cartoon." (Hunter, Cyberspace as Place, and the Tragedy of the Digital Anticommons (2003) 91 Cal. L.Rev. 439, 508-509.)

        Web site linking, Professor Lemley further observes, "would exist at the sufferance of the linked-to party, because a Web user who followed a `disapproved' link would be trespassing on the plaintiffs server, just as sending an e-mail is trespass under the [lower] court's theory." Another writer warns that "[c]yber-trespass theory will curtail the free flow of price and product information on the Internet by allowing website owners to tightly control who and what may enter and make use of the information housed on its Internet site." (Chang, Bidding on Trespass: eBay, Inc. v. Bidder's Edge, Inc. and the Abuse of Trespass Theory in Cyberspace Law (2001) 29 AIPLA Q.J. 445, 459.) A leading scholar of Internet law and policy, Professor Lawrence Lessig of Stanford University, has criticized Professor Epstein's theory of the computer server as quasi-real property, previously put forward in the eBay case (eBay, supra, 100 F.Supp.2d 1058), on the ground that it ignores the costs to society in the loss of network benefits: "eBay benefits greatly from a network that is open and where access is free. It is this general feature of the Net that makes the Net so valuable to users and a source of great innovation. And to the extent that individual sites begin to impose their own rules of exclusion, the value of the network as a network declines. If machines must negotiate before entering any individual site, then the costs of using the network climb." (Lessig, The Future of Ideas: The Fate of the Commons in a Connected World (2001) p. 171; see also Hunter, Cyberspace as Place, and the Tragedy of the Digital Anticommons, supra, 91 Cal. L.Rev. at p. 512 ["If we continue to mark out anticommons claims in cyberspace, not only will we preclude better, more innovative uses of cyberspace resources, but we will lose sight of what might be possible"].)

        We discuss this debate among the amici curiae and academic writers only to note its existence and contours, not to attempt its resolution. Creating an absolute property

[1 Cal.Rptr.3d 50]

right to exclude undesired communications from one's e-mail and Web servers might help force spammers to internalize the costs they impose on ISP's and their customers. But such a property rule might also create substantial new costs, to e-mail and e-commerce users and to society generally, in lost ease and openness of communication and in lost network benefits. In light of the unresolved controversy, we would be acting rashly to adopt a rule treating computer servers as real property for purposes of trespass law.

[30 Cal.4th 1364]

        The Legislature has already adopted detailed regulations governing UCE. (Bus. & Prof.Code, §§ 17538.4, 17538.45; see generally Ferguson v. Friendfinders, Inc., supra, 94 Cal.App.4th 1255, 115 Cal. Rptr.2d 258.) It may see fit in the future also to regulate noncommercial e-mail, such as that sent by Hamidi, or other kinds of unwanted contact between computers on the Internet, such as that alleged in eBay, supra, 100 F.Supp.2d 1058. But we are not persuaded that these perceived problems call at present for judicial creation of a rigid property rule of computer server inviolability. We therefore decline to create an exception, covering Hamidi's unwanted electronic messages to Intel employees, to the general rule that a trespass to chattels is not actionable if it does not involve actual or threatened injury to the personal property or to the possessor's legally protected interest in the personal property. No such injury having been shown on the undisputed facts, Intel was not entitled to summary judgment in its favor.

III. Constitutional Considerations

        Because we conclude no trespass to chattels was shown on the summary judgment record, making the injunction improper on common law grounds, we need not address at length the dissenters' constitutional arguments. A few clarifications are nonetheless in order.

        Justice Mosk asserts that this case involves only "a private entity seeking to enforce private trespass rights." (Dis. opn. of Mosk, J., post, 1 Cal.Rptr.3d at p. 74, 71 P.3d at p. 331.) But the injunction here was issued by a state court. While a private refusal to transmit another's electronic speech generally does not implicate the First Amendment, because no governmental action is involved (see Cyber Promotions, Inc. v. American Online, Inc. (1996),948 F.Supp. 436 [spammer could not force private ISP to carry its messages]), the use of government power, whether in enforcement of a statute or ordinance or by an award of damages or an injunction in a private lawsuit, is state action that must comply with First Amendment limits. (Cohen v. Cowles Media Co. (1991),501 U.S. 663, 111 S.Ct. 2513, 115 L.Ed.2d 586; NAACP v. Claiborne Hardware Co. (1982),458 U.S. 886, fn. 51, 102 S.Ct. 3409, 73 L.Ed.2d 1215; New York Times v. Sullivan (1964),376 U.S. 254, 84 S.Ct. 710, 11 L.Ed.2d 686.) Nor does the nonexistence of a "constitutional right to trespass" (dis. opn. of Mosk, J., post, 1 Cal.Rptr.3d at p. 74, 71 P.3d at p. 331) make an injunction in this case per se valid. Unlike, for example, the trespasser-to-land defendant in Church of Christ in Hollywood v. Superior Court (2002),99 Cal.App.4th 1244, 121 Cal. Rptr.2d 810, Hamidi himself had no tangible presence on Intel property, instead speaking from his own home through his

[30 Cal.4th 1365]

computer. He no more invaded Intel's property than does a protester holding a sign or shouting through a bullhorn outside corporate headquarters, posting a letter through the mail, or telephoning to complain of a corporate practice. (See Madsen v. Women's Health Center (1994) 512 U.S. 753, 765, 114 S.Ct. 2516, 129

[1 Cal.Rptr.3d 51]

L.Ed.2d 593 [injunctions restraining such speakers must "burden no more speech than necessary to serve a significant government interest"].)8

        Justice Brown relies upon a constitutional "right not to listen," rooted in the listener's "personal autonomy" (dis. opn. of Brown, J., post, 1 Cal.Rptr.3d at p. 58, 71 P.3d at p. 318), as compelling a remedy against Hamidi's messages, which she asserts were sent to "unwilling" listeners (id. at p. 54, 71 P.3d at p. 315). Even assuming a corporate entity could under some circumstances claim such a personal right, here the intended and actual recipients of Hamidi's messages were individual Intel employees, rather than Intel itself. The record contains no evidence Hamidi sent messages to any employee who notified him such messages were unwelcome. In any event, such evidence would, under the dissent's rationale of a right not to listen, support only a narrow injunction aimed at protecting individual recipients who gave notice of their rejection. (See Bolger v. Youngs Drug Products Corp. (1983),463 U.S. 60, 103 S.Ct. 2875, 77 L.Ed.2d 469 [government may not act on behalf of all addressees by generally prohibiting mailing of materials related to contraception, where those recipients who may be offended can simply ignore and discard the materials]; Martin v. City of Struthers (1943),319 U.S. 141, 63 S.Ct. 862, 87 L.Ed. 1313 [anti-canvassing ordinance improperly "substitutes the judgment of the community for the judgment of the individual householder"]; cf. Rowan v. U.S. Post Office Dept. (1970) 397 U.S. 728, 736, 90 S.Ct. 1484, 25 L.Ed.2d 736 ["householder" may exercise "individual autonomy" by refusing delivery of offensive mail].) The principle of a right not to listen, founded in personal autonomy, cannot justify the sweeping injunction issued here against all communication to Intel addresses, for such a right, logically, can be exercised only by, or at the behest of, the recipient himself or herself.

[30 Cal.4th 1366]

DlSPOSITION

        The judgment of the Court of Appeal is reversed.

        WE CONCUR: KENNARD, MORENO and PERREN*, JJ.

---------------

Notes:

1. To the extent, therefore, that Justice Mosk suggests Hamidi breached the security of Intel's internal computer network by "circumvent[ing]" Intel's "security measures" and entering the company's "intranet" (dis. opn. of Mosk, J., post, 1 Cal.Rptr.3d at p. 67, 71 P.3d at p. 326), the evidence does not support such an implication. An "intranet" is "a network based on TCP/IP protocols (an internet) belonging to an organization, usually a corporation, accessible only by the organization's members, employees, or others with authorization." (<http://www.webopedia.com/TERM/i/intranet.html [as of June 30, 2003].) Hamidi used only a part of Intel's computer network accessible to outsiders.

2. For the first time, in this court, Intel argues Hamidi's appeal is moot because, as FACE-Intel's agent, Hamidi is bound, whatever the outcome of his own appeal, by the unappealed injunction against FACE-Intel. But as Hamidi points out in response, he could avoid the unappealed injunction simply by resigning from FACE-Intel; his own appeal is therefore not moot.

3. We grant both parties' requests for notice of legislative history materials relating to California laws on spam and on injunctions in labor dispute cases. Hamidi's further request for notice of the "undisputed" fact that "email messages that travel into computer equipment consist of electromagnetic waves" is denied as irrelevant.

4. Data search and collection robots, also known as "Web bots" or "spiders," are programs designed to rapidly search numerous Web pages or sites, collecting, retrieving, and indexing information from these pages. Their uses include creation of searchable databases, Web catalogues and comparison shopping services. (eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal.2000) 100 F.Supp.2d 1058, 1060-1061; O'Rourke, Property Rights and Competition on the Internet: In Search of an Appropriate Analogy (2001) 16 Berkeley Tech. L.J. 561, 570-571; Quilter, The Continuing Expansion of Cyberspace Trespass to Chattels (2002) 17 Berkeley Tech. L.J. 421, 423-424.)

5. In the most recent decision relied upon by Intel, Oyster Software, Inc. v. Forms Processing, Inc. (N.D.Cal., Dec. 6, 2001, No. C-00-0724 JCS) 2001 WL 1736382, pages *12-*13, a federal magistrate judge incorrectly read eBay as establishing, under California law, that mere unauthorized use of another's computer system constitutes an actionable trespass. The plaintiff accused the defendant, a business competitor, of copying the metatags (code describing the contents of a Web site to a search engine) from the plaintiff's Web site, resulting in diversion of potential customers for the plaintiff's services. (Id. at pp. *1-*2.) With regard to the plaintiff's trespass claim (the plaintiff also pleaded causes of action for, inter alia, misappropriation, copyright and trademark infringement), the magistrate judge concluded that eBay imposed no requirement of actual damage and that the defendant's conduct was sufficient to establish a trespass "simply because [it] amounted to `use' of Plaintiff's computer." (Id. at p. *13.) But as just explained, we do not read eBay, supra, 100 F.Supp.2d 1058, as holding that the actual injury requirement may be dispensed with, and such a suggestion would, in any event, be erroneous as a statement of California law.

6. In support of its reasoning, the CompuServe court cited paragraph (d) of section 218 of the Restatement Second of Torts, which refers to harm "to some person or thing in which the possessor has a legally protected interest." As the comment to this paragraph explains, however, it is intended to cover personal injury to the possessor or another person in whom the possessor has a legal interest, or injury to "other chattel or land" in which the possessor of the chattel subject to the trespass has a legal interest. (Rest.2d Torts, § 218, com. j, p. 423.) No personal injury was claimed either in CompuServe or in the case at bar, and neither the lost goodwill in CompuServe nor the loss of employee efficiency claimed in the present case is chattel or land.

7. The tort law discussion in Justice Brown's dissenting opinion similarly suffers from an overreliance on metaphor and analogy. Attempting to find an actionable trespass, Justice Brown analyzes Intel's e-mail system as comparable to the exterior of an automobile (dis. opn. of Brown, J., post, 1 Cal.Rptr.3d at pp. 52-53, 71 P.3d at pp. 313-314), a plot of land (id. at pp. 60-61, 71 P.3d at pp. 319-320), the interior of an automobile (p. 62, 71 P.3d p. 321), a toothbrush (pp. 64-65, 71 P.3d p. 323), a head of livestock (p. 65, 71 P.3d p. 323), and a mooring buoy (pp. 65-66, 71 P.3d pp. 324-325), while Hamidi is characterized as a vandal damaging a school building (pp. 63-64, 71 P.3d p. 322) or a prankster unplugging and moving employees' computers (p. 65, 71 P.3d p. 324). These colorful analogies tend to obscure the plain fact that this case involves communications equipment, used by defendant to communicate. Intel's e-mail system was equipment designed for speedy communication between employees and the outside world; Hamidi communicated with Intel employees over that system in a manner entirely consistent with its design; and Intel objected not because of an offense against the integrity or dignity of its computers, but because the communications themselves affected employee-recipients in a manner Intel found undesirable. The proposal that we extend trespass to chattels to cover any communication that the owner of the communications equipment considers annoying or distracting raises, moreover, concerns about control over the flow of information and views that would not be presented by, for example, an injunction against chasing another's cattle or sleeping in her car.

8. Justice Brown would distinguish Madsen v. Women's Health Center, supra, on the ground that the operators of the health center in that case would not have been entitled to "drivef] [the protesters] from the public streets," whereas Intel was entitled to block Hamidi's messages as best it could. (Dis. opn. of Brown, J., post, 1 Cal.Rptr.3d at p. 55, fn. 1, 71 P.3d at p. 315, fn. 1.) But the health center operators were entitled to block protesters' messages—as best they could—by closing windows and pulling blinds. That a property owner may take physical measures to prevent the transmission of others' speech into or across the property does not imply that a court order enjoining the speech is not subject to constitutional limitations.

* Associate Justice of the Court of Appeal, Second Appellate District, Division Six, assigned by the Chief Justice pursuant to article VI, section 6 of the California Constitution.

---------------

        Concurring Opinion by KENNARD, J.

        I concur.

        Does a person commit the tort of trespass to chattels by making occasional personal calls to a mobile phone despite the stated objection of the person who owns the mobile phone and pays for the mobile phone service? Does it matter that the calls are not made to the mobile phone's owner, but to another person who ordinarily uses that phone? Does it matter that the person to whom the calls are made has not objected to them? Does it matter that the calls do not damage the mobile phone

[1 Cal.Rptr.3d 52]

or reduce in any significant way its availability or usefulness?

        The majority concludes, and I agree, that using another's equipment to communicate with a third person who is an authorized user of the equipment and who does not object to the communication is trespass to chattels only if the communications damage the equipment or in some significant way impair its usefulness or availability.

        Intel has my sympathy. Unsolicited and unwanted bulk e-mail, most of it commercial, is a serious annoyance and inconvenience for persons who communicate electronically through the Internet, and bulk e-mail that distracts employees in the workplace can adversely affect overall productivity. But, as the majority persuasively explains, to establish the tort of trespass to chattels in California, the plaintiff must prove either damage to the plaintiffs personal property or actual or threatened impairment of the plaintiffs ability to use that property. Because plaintiff Intel has not shown that defendant Hamidi's occasional bulk e-mail messages to Intel's employees have damaged Intel's computer system or impaired its functioning in any significant way, Intel has not established the tort of trespass to chattels.

        This is not to say that Intel is helpless either practically or legally. As a practical matter, Intel need only instruct its employees to delete messages from Hamidi without reading them and to notify Hamidi to remove their workplace e-mail addresses from his mailing lists. Hamidi's messages promised to remove recipients from the mailing list on request, and there is no

[30 Cal.4th 1367]

evidence that Hamidi has ever failed to do so. From a legal perspective, a tort theory other than trespass to chattels may provide Intel with an effective remedy if Hamidi's messages are defamatory or wrongfully interfere with Intel's economic interests. (See maj. opn., ante, 1 Cal. Rptr.3d at p. 37, 71 P.3d at p. 300.) Additionally, the Legislature continues to study the problems caused by bulk e-mails and other dubious uses of modern communication technologies and may craft legislation that accommodates the competing concerns in these sensitive and highly complex areas.

        Accordingly, I join the majority in reversing the Court of Appeal's judgment.

        Dissenting Opinion of BROWN, J.

        Candidate A finds the vehicles that candidate B has provided for his campaign workers, and A spray paints the water soluble message, "Fight corruption, vote for A" on the bumpers. The majority's reasoning would find that notwithstanding the time it takes the workers to remove the paint and the expense they incur in altering the bumpers to prevent further unwanted messages, candidate B does not deserve an injunction unless the paint is so heavy that it reduces the cars' gas mileage or otherwise depreciates the cars' market value. Furthermore, candidate B has an obligation to permit the paint's display, because the cars are driven by workers and not B personally, because B allows his workers to use the cars to pick up their lunch or retrieve their children from school, or because the bumpers display B's own slogans. I disagree.

        Intel has invested millions of dollars to develop and maintain a computer system. It did this not to act as a public forum but to enhance the productivity of its employees. Kourosh Kenneth Hamidi sent as many as 200,000 e-mail messages to Intel employees. The time required to review and delete Hamidi's messages diverted employees from productive tasks and undermined the utility of the computer system. "There may ... be situations in which the value to the owner of a particular

[1 Cal.Rptr.3d 53]

type of chattel may be impaired by dealing with it in a manner that does not affect its physical condition." (Rest.2d Torts, § 218, com. h, p. 422.) This is such a case.

        The majority repeatedly asserts that Intel objected to the hundreds of thousands of messages solely due to their content, and proposes that Intel seek relief by pleading content-based speech torts. This proposal misses the point that Intel's objection is directed not toward Hamidi's message but his use of Intel's property to display his message. Intel has not sought to prevent Hamidi from expressing his ideas on his Web site, through private mail (paper or electronic) to employees' homes, or through any other means like picketing or billboards. But as counsel for Intel explained during oral

[30 Cal.4th 1368]

argument, the company objects to Hamidi's using Intel's property to advance his message.

        Of course, Intel deserves an injunction even if its objections are based entirely on the e-mail's content. Intel is entitled, for example, to allow employees use of the Internet to check stock market tables or weather forecasts without incurring any concomitant obligation to allow access to pornographic Web sites. (Loving v. Boren (1997),956 F.Supp. 953.) A private property owner may choose to exclude unwanted mail for any reason, including its content. (Rowan v. U.S. Post Office Dept. (1970) 397 U.S. 728, 738, 90 S.Ct. 1484, 25 L.Ed.2d 736 (Rowan); Tillman v. Distribution Systems of America Inc. (1996),224 A.D.2d 79, 648 N.Y.S.2d 630, 635 (Tillman).)

        The majority refuses to protect Intel's interest in maintaining the integrity of its own system, contending that (1) Hamidi's mailings did not physically injure the system; (2) Intel receives many unwanted messages, of which Hamidi's are but a small fraction; (3) Intel must have contemplated that it would receive some unwanted messages; and (4) Hamidi used the email system for its intended purpose, to communicate with employees.

        Other courts have found a protectible interest under very similar circumstances. In Thrifty-Tel v. Bezenek (1996),46 Cal. App.4th 1559, 54 Cal.Rptr.2d 468 (Thrifty-Tel ), the Court of Appeal found a trespass to chattels where the defendants used another party's access code to search for an authorization code with which they could make free calls. The defendants' calls did not damage the company's system in any way; they were a minuscule fraction of the overall communication conducted by the phone network; and the company could have reasonably expected that some individuals would attempt to obtain codes with which to make free calls (just as stores expect shoplifters). Moreover, had the defendants succeeded in making free calls, they would have been using the telephone system as intended. (Id, at p. 1563, 54 Cal.Rptr.2d 468.)

        Because I do not share the majority's antipathy toward property rights and believe the proper balance between expressive activity and property protection can be achieved without distorting the law of trespass, I respectfully dissent.

        THE INSTANT FINDING OF A TRESPASS CONFORMS THE LAW ON ELECTRONIC MAIL TO THAT OF OTHER FORMS OF COMMUNICATION

        The majority endorses the view of the Court of Appeal dissent, and reviews a finding of a trespass in this case as a radical decision that will endanger

[30 Cal.4th 1369]

almost every other form of expression. Contrary to these concerns, the Court of Appeal decision belongs not to a nightmarish future but to an unremarkable past—a long line of cases protecting the right of an

[1 Cal.Rptr.3d 54]

individual not to receive an unwanted message after having expressed that refusal to the speaker. It breaks no new legal ground and follows traditional rules regarding communication.

        It is well settled that the law protects a person's right to decide to whom he will speak, to whom he will listen, and to whom he will not listen. (Martin v. City of Struthers (1943),319 U.S. 141, 63 S.Ct. 862, 87 L.Ed. 1313 (Martin) [noting the "constitutional rights of those desiring to distribute literature and those desiring to receive it, as well as those who choose to exclude such distributors"].) As the United States Supreme Court observed, "we have repeatedly held that individuals are not required to welcome unwanted speech into their homes" (Frisby v. Schultz (1988),487 U.S. 474, 108 S.Ct. 2495, 101 L.Ed.2d 420), whether the unwanted speech comes in the form of a door-to-door solicitor (see Martin, at pp. 147-148, 63 S.Ct. 862), regular "snail" mail (Rowan, supra, 397 U.S. 728, 90 S.Ct. 1484, 25 L.Ed.2d 736), radio waves (FCC v. Pacifica Foundation (1978),438 U.S. 726, 98 S.Ct. 3026, 57 L.Ed.2d 1073), or other forms of amplified sound (Kovacs v. Cooper (1949),336 U.S. 77, 69 S.Ct. 448, 93 L.Ed. 513). (See Frisby v. Schultz, at p. 485, 108 S.Ct. 2495.)

        Of course, speakers have rights too, and thus the result is a balancing: speakers have the right to initiate speech but the listener has the right to refuse to listen or to terminate the conversation. This simple policy thus supports Hamidi's right to send e-mails initially, but not after Intel expressed its objection.

        Watchtower Bible and Tract Society v. Village ofStratton (2002) 536 U.S. 150, 122 S.Ct. 2080, 153 L.Ed.2d 205 does not compel a contrary result. Watchtower follows Martin, supra, 319 U.S. 141, 63 S.Ct. 862, 87 L.Ed. 1313, in holding that the government may not bar a speaker from a homeowner's door, but the homeowner surely may. The Martin court invalidated an ordinance that banned all door-to-door soliciting (in that case the speech was the noncommercial ideas of a religious sect), even at homes where the residents wished to hear the speech. This exclusion "substitute[d] the judgment of the community for the judgment of the individual householder." (Martin, at p. 144, 63 S.Ct. 862.) Instead, the court authorized the property owner to indicate his desire not to be disturbed. "This or any similar regulation leaves the decision as to whether distributers of literature may lawfully call at a home where it belongs—with the homeowner himself." (Id. at p. 148, 63 S.Ct. 862.) A speaker is entitled to speak with willing listeners but not unwilling ones.

[30 Cal.4th 1370]

A city can punish those who call at a home in defiance of the previously expressed will of the occupant ...." (Ibid., italics added.) Watchtower, supra, 536 U.S. 150, 122 S.Ct. 2080, 153 L.Ed.2d 205, reaffirmed the listener's complete autonomy to accept or reject offered speech.

        Martin further recognized that the decisions regarding whether to accept a particular message must be made by a nongovernmental actor, but not necessarily by every single potential listener on an individual level. "No one supposes ... that the First Amendment prohibits a state from preventing the distribution of leaflets in a church against the will of the church authorities." (Martin, supra, 319 U.S. at p. 143, 63 S.Ct. 862, italics added.) Unanimity among the congregation is not required. (See also Church of Christ in Hollywood v. Superior Court (2002),99 Cal.App.4th 1244, 121 Cal.Rptr.2d 810 (Church of Christ).) The Supreme Court reaffirmed this rule in Lloyd Corp. v. Tanner (1972),407 U.S. 551, 92 S.Ct. 2219, 33 L.Ed.2d 131 (Lloyd) and Hudgens v.

[1 Cal.Rptr.3d 55]

NLRB (1976) 424 U.S. 507, 96 S.Ct. 1029, 47 L.Ed.2d 196, where private shopping mall owners validly excluded speakers from their malls. The owners could make this decision, even though they were not the "intended and actual recipients of [the speakers'] messages." (Maj. opn., ante, 1 Cal.Rptr.3d at p. 51, 71 P.3d at p. 312.) The owners had no obligation to obtain the agreement of every individual store within the mall, or of every employee within every store in the mall.1

[30 Cal.4th 1371]

        This rule applies not only to real property but also to chattels like a computer system. In Loving v. Boren, supra, 956 F.Supp. at page 955, the court held that the University of Oklahoma could restrict the use of its computer system to exclude pornographic messages, notwithstanding the contrary preferences of any individual faculty member (or student). Intel may similarly control the use of its own property, regardless of any specific employee's contrary wishes. (See also Bus. & Prof. Code, § 17538.4, subd. (h).) In any event, Hamidi had ample opportunity in his preobjection e-mails to direct employees to his Web site or request the employees' private e-mail addresses. He thus continues to use the internal Intel network to speak to an unreceptive audience.2

[1 Cal.Rptr.3d 56]

        Accordingly, all that matters is that Intel exercised the right recognized in Martin to exclude unwanted speech. The instant case is considerably easier than Lloyd and Hudgens in light of the severe infringement on Intel's autonomy. Whereas the mall owners had been asked merely to allow others to speak, Intel, through its server, must itself actively "participate in the dissemination of an ideological message by displaying it on ... private property in a manner and for the express purpose that it be observed and read...." (Wooley v. Maynard (1977),430 U.S. 705, 97 S.Ct. 1428, 51 L.Ed.2d 752.)

        The principle that a speaker's right to speak to a particular listener exists for only so long as the listener wishes to listen applies also to mail delivery. (Rowan, supra, 397 U.S. 728, 90 S.Ct. 1484, 25 L.Ed.2d 736.) In Bolger v. Youngs Drug Products Corp. (1983),463 U.S. 60, 103 S.Ct. 2875, 77 L.Ed.2d 469 (Bolger), the court struck down a law barring the mailing of information regarding contraception because the government was deciding which messages could be delivered. But Bolger cited Rowan with approval—a case that upheld the procedure by which private parties could refuse to receive specific materials. "[A]

[30 Cal.4th 1372]

Insufficient measure of individual autonomy must survive to permit every householder to exercise control over unwanted mail." (Rowan, supra, 397 U.S. at p. 736, 90 S.Ct. 1484.) Citing Martin, supra, 319 U.S. 141, 63 S.Ct. 862, 87 L.Ed. 1313, Rowan held "a mailer's right to communicate must stop at the mailbox of an unreceptive addressee.... [¶] ... [¶] To hold less would tend to license a form of trespass." (Rowan, at pp. 736-737, 90 S.Ct. 1484, italics added.) Furthermore, Bolger expressly contemplated that some family members would exclude materials on behalf of others; the right to accept or reject speech thus belonged to the household, not each individual member. (Bolger, at p. 73, 103 S.Ct. 2875.)

        The pertinent precedent for an antispam case is Rowan, which involved private action, not Bolger, which involved governmental action. "`[H]ere we are not dealing with a government agency which seeks to preempt in some way the ability of a publisher to contact a potential reader; rather, we are dealing with a reader who is familiar with the publisher's product, and who is attempting to prevent the unwanted dumping of this product on his property.'" (CompuServe, supra, 962 F.Supp. at p. 1027, quoting Tillman, supra, 648 N.Y.S.2d at p. 635.)

        Rowan further held the recipient could reject a message for any subjective reason, including annoyance or discomfort at its content. (Rowan, supra, 397 U.S. at p. 738, 90 S.Ct. 1484.) A private actor thus has no obligation to hear all messages just because he chooses to hear some. A homeowner's desire to receive letters from relatives or friends does not compel him to accept offensive solicitations. It is therefore possibly true but certainly immaterial that Intel might have expected that some unwanted messages would be sent to its employees. A store that opens its doors to the public should reasonably expect some individuals will attempt to shoplift, but the store does not thereby incur an obligation to accept their presence and the disruption they cause.

[1 Cal.Rptr.3d 57]

        If we did create an "accept one, accept all" rule, whereby a party's acceptance of outside mail abrogates the right to exclude any messages, the result would likely be less speech, not more. Courts have recognized the seeming paradox that permitting the exclusion of speech is necessary to safeguard it. "It is ironic that if defendants were to prevail on their First Amendment arguments, the viability of electronic mail as an effective means of communication for the rest of society would be put at risk." (CompuServe, supra, 962 F.Supp. at p. 1028.) The Court of Appeal below likewise observed that employers' tolerance for reasonable personal use of computers "would vanish if they had no way to limit such personal usage of company equipment." (Cf. Miami Herald Publishing Co. v. Tornillo (1974) 418 U.S.

[30 Cal.4th 1373]

241, 256, 94 S.Ct. 2831, 41 L.Ed.2d 730 [compulsory fair reply law would deter newspaper from speaking to avoid forced expression of disagreeable speech].) Furthermore, merely permitting exclusion may be insufficient absent a mechanism for enforcement. If spamming expands to a new volume of activity, "[t]he cost increases that would result from a massive increase in volume could even lead many sites to discontinue supporting standard email altogether. Within a few years, email may no longer be the near-universal method for communicating with people via the Internet that it is today." (Sorkin, Technical and Legal Approaches to Unsolicited Electronic Mail (2001) 35 U.S.F. L.Rev. 325, 338, 339, fn. omitted (Sorkin).)

        The majority expresses its agreement with the dissent below, which found that if the lost productivity of Intel's employees serves as the requisite injury, "then every unsolicited communication that does not further the business's objectives (including telephone calls) interferes with the chattel... [¶] ... [¶] ... Under Intel's theory, even lovers' quarrels could turn into trespass suits by reason of the receipt of unsolicited letters or calls from the jilted lover. Imagine what happens after the angry lover tells her fiance not to call again and violently hangs up the phone. Fifteen minutes later the phone rings. Her fiance wishing to make up? No, trespass to chattel." But just as private citizens may deny access to door-to-door solicitors or mailers, they may also maintain the integrity of their phone system from callers they wish to exclude. A telephone, no less than an envelope, may be an instrument of trespass. (See Thrifty-Tel, Inc., supra, 46 Cal.App.4th at pp. 1566-1567, 54 Cal.Rptr.2d 468.)

        Individuals may not commandeer the communications systems of unwilling listeners, even if the speakers are jilted lovers who wish to reconcile. (People v. Miguez (1990),147 Misc.2d 482, 556 N.Y.S.2d 231.)3 The Miguez defendant repeatedly left messages4 on the complainant's answering machine and pager, "interrupting him in his professional capacity as a doctor." (Id. at p. 232.) It was the disruptive volume (not the specific content) of calls from which the complainant was entitled to relief. Similarly, an individual could not lawfully telephone a police department 28 times in 3 hours and 20 minutes to inquire about a civil matter where the police told him not to call because he was disrupting police operations.

[1 Cal.Rptr.3d 58]

(People v. Smith (1977),89 Misc.2d 789, 392 N.Y.S.2d 968, 969-970.)

        The law on faxes is even stricter. As faxes shift the costs of speech from the speaker to the listener, senders of commercial e-mail must obtain prior

[30 Cal.4th 1374]

consent from the recipient. (47 U.S.C. § 227.) Likewise, the users of automated telephone dialers also must obtain prior consent where they result in costs to the recipient. (47 U.S.C. § 227(b)(1)(A)(iii); Missouri ex rel. Nixon v. American Blast Fax, Inc. (2003),323 F.3d 649 (Blast Fax).) Because e-mail permits mass unwanted communications without the senders having to bear the costs of postage or labor, there is a much greater incentive for sending unwanted e-mail, and thus the potential volume of unwanted email may create even greater problems for recipients than the smaller volume of unwanted faxes. (Whang, supra, 37 San Diego L.Rev. at p. 1216 & fn. 112.) In any event, honoring the wishes of a party who requests the cessation of unwanted telecommunications, whether by phone, fax or e-mail, does nothing more than apply Martin to today's technology. (Shannon, Combating Unsolicited Sales Calls: The "Do-Not-Call" Approach to Solving the Telemarketing Problem (2001) 27 J. Legis. 381, 394.)

        Therefore, before the listener objects, the speaker need not fear he is trespassing. Afterwards, however, the First Amendment principle of respect for personal autonomy compels forbearance. "The Court has traditionally respected the right of a householder to bar, by order or notice, [speakers] from his property. See Martin v. City of Struthers, supra,.... In this case the mailer's right to communicate is circumscribed only by an affirmative act of the addressee giving notice that he wishes no further mailings from that mailer." (Rowan, supra, 397 U.S. at p. 737, 90 S.Ct. 1484, italics added.) Speakers need not obtain affirmative consent before speaking, and thus have no reason to fear unexpected liability for trespass, but they must respect the decisions of listeners once expressed. The First Amendment protects the right not to listen just as it protects the right to speak.

THE TRIAL COURT CORRECTLY ISSUED THE INJUNCTION

        Intel had the right to exclude the unwanted speaker from its property, which Hamidi does not dispute; he does not argue that he has a to right force unwanted messages on Intel. The instant case thus turns on the question of whether Intel deserves a remedy for the continuing violation of its rights. I believe it does, and as numerous cases have demonstrated, an injunction to prevent a trespass to chattels is an appropriate means of enforcement.

        The majority does not find that Hamidi has an affirmative right to have Intel transmit his messages, but denies Intel any remedy. Admittedly, the case would be easier if precise statutory provisions supported relief, but in the rapidly changing world of technology, in which even technologically savvy providers like America Online and CompuServe are one step behind spammers, the Legislature will likely remain three or four steps behind. In

[30 Cal.4th 1375]

any event, the absence of a statutory remedy does not privilege Hamidi's interference with Intel's property. Nor are content-based speech torts adequate for violations of property rights unrelated to the speech's content. In any event, the possibility of another avenue for relief does not preclude an injunction for trespass to chattels.

        The majority denies relief on the theory that Intel has failed to establish the requisite actual injury. As discussed, post, however, the injunction was properly

[1 Cal.Rptr.3d 59]

granted because the rule requiring actual injury pertains to damages, not equitable relief, and thus courts considering comparable intrusions have provided injunctive relief without a showing of actual injury. Furthermore, there was actual injury as (1) Intel suffered economic loss; (2) it is sufficient for the injury to impair the chattel's utility to the owner rather than the chattel's market value; and (3) even in the absence of any injury to the owner's utility, it is nevertheless a trespass where one party expropriates for his own use the resources paid for by another.

        Harmless Trespasses to Chattels May be Prevented

        Defendant Hamidi used Intel's server in violation of the latter's demand to stop. This unlawful use of Intel's system interfered with the use of the system by Intel employees. This misconduct creates a cause of action. "[I]t is a trespass to damage goods or destroy them, to make an unpermitted use of them, or to move them from one place to another." (Prosser & Keeton on Torts (5th ed. 1984) Trespass to Chattels, § 14, p. 85, fns. omitted & italics added.) "[T]he unlawful taking away of another's personal property, the seizure of property upon a wrongful execution, and the appropriation of another's property to one's own use, even for a temporary purpose, constitute trespasses, although a mere removal of property without injuring it is not a trespass when done by one acting rightfully." (7 Speiser et al., American Law of Torts (1990) Trespass, § 23:23, p. 667 (Speiser) fns. omitted & italics added.)

        Regardless of whether property is real or personal, it is beyond dispute that an individual has the right to have his personal property free from interference. There is some division among authorities regarding the available remedy, particularly whether a harmless trespass supports a claim for nominal damages. The North Carolina Court of Appeal has found there is no damage requirement for a trespass to chattel. (See Hawkins v. Hawkins (1991),101 N.CApp. 529, 400 S.E.2d 472, 475.) "A trespass to chattels is actionable per se without any proof of actual damage. Any unauthorized touching or moving of a chattel is actionable at the suit of the possessor of it, even though no harm ensues." (Salmond & Heuston, The Law of Torts

[30 Cal.4th 1376]

(21st ed. 1996) Trespass to Goods, § 6.2, p. 95, fns. omitted.) Several authorities consider a harmless trespass to goods actionable per se only if it is intentional. (Winfield & Jolowicz on Torts (10th ed. 1975) Trespass to Goods, p. 403 (Winfield & Jolowicz); Clerk & Lindsell on Torts (17th ed.1995) ¶ 13-159, p. 703.) The Restatement Second of Torts, section 218, which is less inclined to favor liability, likewise forbids unauthorized use and recognizes the inviolability of personal property. However, the Restatement permits the owner to prevent the injury beforehand, or receive compensation afterward, but not to profit from the trespass through the remedy of damages unrelated to actual harm, which could result in a windfall. (Thrifty-Tel, supra, 46 Cal.App.4th at p. 1569, 54 Cal.Rptr.2d 468; Whang, supra, 37 San Diego L.Rev. at p. 1223.) "The interest of a possessor of a chattel in its inviolability, unlike the similar interest of a possessor of land, is not given legal protection by an action for nominal damages for harmless intermeddlings with the chattel... . . . Sufficient legal protection of the possessor's interest in the mere inviolability of his chattel is afforded by his privilege to use reasonable force to protect his possession against even harmless interference." (Rest.2d Torts, § 218, com. e, pp. 421-422, italics added.) Accordingly, the protection of land and chattels may differ on the question of nominal damages unrelated

[1 Cal.Rptr.3d 60]

to actual injury. The authorities agree, however, that (1) the chattel is inviolable, (2) the trespassee need not tolerate even harmless interference, and (3) the possessor may use reasonable force to prevent it. Both California law and the Restatement authorize reasonable force regardless of whether the property in question is real or personal. (Civ.Code, § 51; Rest.2d Torts, § 77.)

        The law's special respect for land ownership supports liability for damages even without actual harm. (Speiser, supra, § 23:1, p. 592.) By contrast, one who suffers interference with a chattel may prevent the interference before or during the fact, or recover actual damages (corresponding to the harm suffered), but at least according to the Restatement, may not recover damages in excess of those suffered. But the Restatement expressly refutes defendant's assertion that only real property is inviolable. From the modest distinction holding that only victims of a trespass to land may profit in the form of damages exceeding actual harm, defendant offers the position that only trespasses to land may be prevented. The law is to the contrary; numerous cases have authorized injunctive relief to safeguard the inviolability of personal property.

        The law favors prevention over posttrespass recovery, as it is permissible to use reasonable force to retain possession of a chattel but not to recover it after possession has been lost. (See 1 Dobbs, The Law of Torts (2001) §§ 76, 81, pp. 170,186; see also Deevy v. Tassi (1942),21 Cal.2d 109

[30 Cal.4th 1377]

P.2d 389.) Notwithstanding the general rule that injunctive relief requires a showing of irreparable injury (5 Witkin, Cal. Procedure (4th ed. 1997) Pleading, § 782, p. 239), Witkin also observes there are exceptions to this rule where injunctive relief is appropriate; these include repetitive trespasses. (Id., § 784, p. 242.) The first case cited in that section, Mendelson v. McCabe (1904),144 Cal. 230, 77 P. 915 (Mendelson), is apposite to our analysis.

        In entering McCabe's property, Mendelson exceeded the scope of the consent he received to do so. McCabe had granted Mendelson the right to pass through his property on condition that Mendelson close the gates properly, which he did not do. (Mendelson, supra, 144 Cal. at pp. 231-232, 77 P. 915.) McCabe "did not allege that any actual damage had been caused by the acts of [Mendelson] ... in leaving the gates open." (Id. at p. 232, 77 P. 915.) After finding that Mendelson planned to continue his conduct over McCabe's objection, we authorized injunctive relief. (Id. at pp. 233-234, 77 P. 915.) Our analysis in Mendelson applies here as well. "The right to an injunction is not always defeated by the mere absence of substantial damage from the acts sought to be enjoined. The acts of the plaintiff in leaving the gates open, if persisted in as he threatened, will constitute a continual invasion of the right of the defendant to maintain the gates.... Moreover, the only remedy, other than that of an injunction, for the injury arising from such continued trespass, would be an action against the plaintiff for damages upon each occasion when he left the gates open. The damage in each case would be very small, probably insufficient to defray the expenses of maintaining the action not recoverable as costs. Such remedy is inadequate and would require numerous petty suits, which it is not the policy of the law to encourage." (Id. at pp. 232-233, 77 P. 915.)

        Our decision thus noted that injunctive relief was proper, regardless of actual injury, (1) if it is necessary to protect the trespassee's right to control his property, or (2) if suits for damages are impractical, because no individual suit would be worthwhile.

[1 Cal.Rptr.3d 61]

Accordingly, we reiterated the rule that "`[a] trespass of a continuing nature, whose constant recurrence renders the remedy at law inadequate, unless by a multiplicity of suits, affords sufficient ground for relief.'" (Mendelson, supra, 144 Cal. at p. 233, 77 P. 915.) Both Mendelson grounds support an injunction here.

        "Injunction is a proper remedy against threatened repeated acts of trespass ... particularly where the probable injury resulting therefrom will be

[30 Cal.4th 1378]

`beyond any method of pecuniary estimation,' and for this reason irreparable."5 (Uptown Enterprises v. Strand (1961),195 Cal.App.2d 45,15 Cal.Rptr. 486; see also ibid, at p. 52, 15 Cal.Rptr. 486 [an otherwise lawful "entry for the purpose of harassing the owner, giving his business a bad reputation ... or unjustifiably interfering with the business relations between him and his patrons is unauthorized, wrongful and actionable"].) Although Mendelson and Uptown Enterprises concerned real property, the principles of safeguarding a party's possessory interest in property and of not encouraging repetitive litigation apply no less to trespasses to chattels. Accordingly, several courts have issued injunctive relief to prevent interference with personal property.

        In 1996, the Appellate Division of the New York Supreme Court considered the claim of plaintiff Tillman, who sought to enjoin the unwanted delivery of a newspaper onto his property. (Tillman, supra, 224 A.D.2d 79, 648 N.Y.S.2d 630.) He offered no specific critique of the newspaper's content, observing only "`[t]here is no reason that we have to clean up [defendant's] mess.'" (Id. at p. 632.) Citing Rowan, Martin, and Lloyd, the court rejected the defendants' argument "that there is nothing a homeowner can do to stop the dumping on his or her property of pamphlets or newspapers, no matter how offensive they might be," and instead upheld Tillman's right to prevent the mail's delivery, regardless of whether his objection was due to the quantity (volume) or quality (content) of the messages. (Tillman, at p. 636.) In authorizing injunctive relief, the Tillman court found no need to quantify the actual damage created by the delivery; it merely noted that the homeowner should not be forced either "to allow such unwanted newspapers to accumulate, or to expend the time and energy necessary to gather and to dispose of them." (Ibid.) Subsequent courts have extended this policy to the delivery of e-mail as well.

        The CompuServe court followed Tillman in authorizing an injunction to prevent the delivery of unwanted e-mail messages. (CompuServe, supra, 962 F.Supp. 1015.) The majority summarily distinguishes CompuServe and its progeny by noting there the "plaintiff showed, or was prepared to show, some interference with the efficient functioning of its computer system." (Maj. opn., ante, 1 Cal.Rptr.3d at p. 42, 71 P.3d at p. 304.) But although CompuServe did note the impairment imposed by the defendant's unsolicited email, this was not part of its

[30 Cal.4th 1379]

holding. Just before beginning its analysis, the court summarized its ruling without mentioning impairment. "[T]his Court holds

[1 Cal.Rptr.3d 62]

that where defendants engaged in a course of conduct of transmitting a substantial volume of electronic data in the form of unsolicited e-mail to plaintiffs proprietary computer equipment, where defendants continued such practice after repeated demands to cease and desist, and where defendants deliberately evaded plaintiffs affirmative efforts to protect its computer equipment from such use, plaintiff has a viable claim for trespass to personal property and is entitled to injunctive relief to protect its property." (CompuServe, supra, 962 F.Supp. at p. 1017.) The cited criteria apply fully to Hamidi's conduct. Likewise, the conclusion of CompuServe's analysis fully applies here: "Defendants' intentional use of plaintiffs proprietary computer equipment exceeds plaintiffs consent and, indeed, continued after repeated demands that defendants cease. Such use is an actionable trespass to plaintiffs chattel." (Id. at p. 1027.)

        Post-CompuServe case law has emphasized that unauthorized use of another's property establishes a trespass, even without a showing of physical damage. "Although eBay appears unlikely to be able to show a substantial interference at this time, such a showing is not required. Conduct that does not amount to a substantial interference with possession, but which consists of intermeddling with or use of another's personal property, is sufficient to establish a cause of action for trespass to chattel." (eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal.2000) 100 F.Supp.2d 1058, 1070.)6 "While the eBay decision could be read to require an interference that was more than negligible, ... this Court concludes that eBay, in fact, imposes no such requirement. Ultimately, the court in that case concluded that the defendant's conduct was sufficient to establish a cause of action for trespass not because the interference was `substantial' but simply because the defendant's conduct amounted to `use' of Plaintiffs computer." (Oyster Software, Inc. v. Forms Processing, Inc. (N.D.Cal., Dec. 6, 2001, No. C-00-0724 JCS) 2001 WL 1736382 at *13.) An intruder is not entitled to sleep in his neighbor's car, even if he does not chip the paint.

        Hamidi concedes Intel's legal entitlement to block the unwanted messages. The problem is that although Intel has resorted to the cyberspace version of reasonable force, it has so far been unsuccessful in determining how to resist the unwanted use of its system. Thus, while Intel has the legal

[30 Cal.4th 1380]

right to exclude Hamidi from its system, it does not have the physical ability. It may forbid Hamidi's use, but it cannot prevent it.

        To the majority, Hamidi's ability to outwit Intel's cyber defenses justifies denial of Intel's claim to exclusive use of its property. Under this reasoning, it is not right but might that determines the extent of a party's possessory interest. Although the world often works this way, the legal system should not.

        Intel Suffered Injury

        Even if CompuServe and its progeny deem injury a prerequisite for injunctive relief, such injury occurred here. Intel suffered not merely an affront to its dignitary interest in ownership but tangible economic loss. Furthermore, notwithstanding

[1 Cal.Rptr.3d 63]

the calendar's doubts, it is entirely consistent with the Restatement and case law to recognize a property interest in the subjective utility of one's property. Finally, case law further recognizes as actionable the loss that occurs when one party maintains property for its own use and another party uses it, even if the property does not suffer damage as a result.

        Intel suffered economic loss

        Courts have recognized the tangible costs imposed by the receipt of unsolicited bulk e-mail (UBE).7 Approximately 10 percent of the cost of Internet access arises from the delivery of UBE, because networks must expand to ensure their functioning will not be disturbed by the unwanted messages and must design software to reduce the flood of spam. (Whang, supra, 37 San Diego L.Rev. at pp. 1203 & fn. 10, 1207 & fn. 37.) Especially where bulk e-mailers mask the true content of their messages in the "header" (as Hamidi did), there is a shift in costs from sender to recipient that resembles "`sending junk mail with postage due or making telemarketing calls to someone's pay-perminute cellular phone.'" (Ferguson v. Friendfinders (2002),94 Cal.App.4th 1255, 115 Cal.Rptr.2d 258 (Ferguson), quoting State v. Heckel (2001),143 Wash.2d 824, 24 P.3d 404, 410 (Heckel).) E-mail may be cheaper and more efficient than

[30 Cal.4th 1381]

other means of communication, but "[t]here is no constitutional requirement that the incremental cost of sending massive quantities of unsolicited [messages] must be borne by the recipients." (CompuServe, supra, 962 F.Supp. at p. 1026.)

        The Ferguson court noted the tangible economic loss to employers created by unwanted e-mail. "Individuals who receive UCE can experience increased Internet access fees because of the time required to sort, read, discard, and attempt to prevent future sending of UCE. If the individual undertakes this process at work, his or her employer suffers the financial consequences of the ivasted time." (Ferguson, supra, 94 Cal.App.4th at p. 1267, 115 Cal. Rptr.2d 258, italics added.) CompuServe likewise observed the recipient of unwanted e-mail must "sift through, at his expense, all of the messages in order to find the ones he wanted or expected to receive." (CompuServe, supra, 962 F.Supp. at p. 123, italics added.) Unwanted messages also drain the equipment's processing power, and slow down the transfers of electronic data. (Id. at pp. 1022, 1028.)

        The economic costs of unwanted e-mail exist even if Intel employees, unlike CompuServe subscribers, do not pay directly for the time they spend on the Internet. No such direct costs appear here, only the opportunity costs of lost time. But for Intel, "time is money" nonetheless. One justification for the strict rule against unsolicited faxes is that they "shift costs to the recipients who are forced to contribute ink, paper, wear on their fax machines, as well as personnel time." (Blast Fax, supra, 323 F.3d at p. 652, italics added.) (In re Johnny M. (2002),100 Cal.App.4th 1128, 123 Cal.Rptr.2d 316 [vandalism that diverted salaried employees from ordinary

[1 Cal.Rptr.3d 64]

duties caused economic loss through lost work product].)

        Courts have also recognized the harm produced by unwanted paper mail. Mail sent in violation of a request to stop creates the "burdens of scrutinizing the mail for objectionable material and possible harassment." (Rowan, supra, 397 U.S. at p. 735, 90 S.Ct. 1484, italics added.) The Tillman court thus held a newspaper could not compel unwilling recipients "to spend their own time or money unwillingly participating in the distribution process by which a newspaper travels from the printing press to its ultimate destination, i.e., disposal." (Tillman, supra, 648 N.Y.S.2d at p. 636, italics added.)8

        Although Hamidi claims he sent only six e-mails, he sent them to between 8,000 and 35,000 employees, thus sending from 48,000 to 210,000 messages. Since it is the effect on Intel that is determinative, it is the number of

[30 Cal.4th 1382]

messages received, not sent, that matters. In any event, Hamidi sent between 48,000 and 210,000 messages; the "six" refers only to the number of distinct texts Hamidi sent. Even if it takes little time to determine the author of a message and then delete it, this process, multiplied hundreds of thousands of times, amounts to a substantial loss of employee time, and thus work product. If Intel received 200,000 messages, and each one could be skimmed and deleted in six seconds, it would take approximately 333 hours, or 42 business days, to delete them all. In other words, if Intel hired an employee to remove all unwanted mail, it would take that individual two entire months to finish. (Cf. Tubbs v. Delk (1996),932 S.W.2d 454 (Tubbs) [deprivation of access to chattel for "`less than five minutes'" constitutes actionable trespass, although found justified there].)

        Intel's injury is properly related to the chattel

        The majority does not dispute that Intel suffered a loss of work product as a matter of fact, so much as it denies that this loss may constitute the requisite injury as a matter of law. According to the majority, the reduced utility of the chattel to the owner does not constitute a sufficiently cognizable injury, which exists only where the chattel itself suffers injury, i.e., its "market value" falls. The Restatement and related case law are to the contrary.

        The Restatement recognizes that the measure of impairment may be subjective; a cognizable injury may occur not only when the trespass reduces the chattel's market value but also when the trespass affects its value to the owner. "In the great majority of cases, the actor's intermeddling with the chattel impairs the value of it to the possessor, as distinguished from the mere affront to his dignity as possessor, only by some impairment of the physical condition of the chattel. There may, however, be situations in which the value to the owner of a particular type of chattel may be impaired by dealing with it in a manner that does not affect its physical condition." (Rest.2d Torts, § 218, com. h, p. 422.)

        The Restatement goes on to explain that A's using B's toothbrush could extinguish its value to B. The brushing constitutes a trespass by impairing the brush's subjective value to the owner rather than its objective market value. (Rest.2d Torts,

[1 Cal.Rptr.3d 65]

§ 218, com. h, p. 422.) Moreover, there can be a trespass even though the chattel is used as intended—to brush teeth—if it is used by an unwanted party.

        As the Court of Appeal's opinion below indicated, interference with an owner's ability to use the chattel supports a trespass. The opinion recalled

[30 Cal.4th 1383]

the rule, which dates back almost 400 years, holding that chasing an owner's animal amounts to a trespass to chattels. (See, e.g., Farmer v. Hunt (1610),123 Eng. Rep. 766; Winfield & Jolowicz, supra, Trespass to Goods, p. 403.) These authorities do not require injury or damage to the animal; the interference with the owner's use of the animal suffices to create a trespass. (Winfield & Jolowicz, p. 40.) Interference is actionable if it "deprives the possessor of the use of that chattel." (Fleming, The Law of Torts (9th ed. 1998) Trespass, § 4.1, p. 598.) Moreover, such interference need not permanently deny the owner the ability to use the chattel—mere delay is enough. (See Tubbs, supra, 932 S.W.2d at p. 456.)

        A contemporary version of this interference would occur if a trespasser unplugged the computers of the entire Intel staff and moved them to a high shelf in each employee's office or cubicle. The computers themselves would suffer no damage, but all 35,000 employees would need to take the time to retrieve their computers and restart them. This would reduce the computers' utility to Intel, for, like the chased animals, they would not be available for immediate use. If the chasing of a few animals supports a trespass, then so does even minimal interference with a system used by 35,000 individuals.

        CompuServe is in accord, as it observed how a bundle of unwanted messages decreased the utility of the server. (Compu-Serve, supra, 962 F.Supp. at p. 1023.) Here, Intel maintains a possessory interest in the efficient and productive use of its system—which it spends millions of dollars to acquire and maintain. Hamidi's conduct has impaired the system's optimal functioning for Intel's business purposes. As the Restatement supports liability where "harm is caused to ... some ... thing in which the possessor has a legally protected interest" (Rest.2d Torts, § 218, subd. (d)), Hamidi has trespassed upon Intel's chattel.

        The unlawful use of another's property is a trespass, regardless of its effect on the property's utility to the owner

        Finally, even if Hamidi's interference did not affect the server's utility to Intel, it would still amount to a trespass. Intel has poured millions of dollars into a resource that Hamidi has now appropriated for his own use. As noted above, "the appropriation of another's property to one's own use, even for a temporary purpose, constitute[s][a] trespass[ ]." (Speiser, supra, § 23:23, p. 667, fn. omitted.) The use by one party of property whose costs have been paid by another amounts to an unlawful taking of those resources—even if there is no unjust enrichment by the trespassing party.

        In Buchanan Marine Inc. v. McCormack Sand Co. (1990),743 F.Supp. 139 (Buchanan), the plaintiff built and maintained mooring buoys

[30 Cal.4th 1384]

for use by its own tugboats. Defendants' barges used the buoy over plaintiffs objection. (Id. at pp. 140-141.) The federal district court found such unlawful use could constitute a trespass to chattels (if the facts were proved), and thus denied the defendants' motion for summary judgment. "[Defendants' meddling with [the buoy] is either a trespass to a chattel or perhaps a conversion for which [plaintiff] may seek relief in the form of damages and an injunction." (Id. at pp. 141-142.) There

[1 Cal.Rptr.3d 66]

was an allegation of damage (to plaintiffs barge, not the buoy itself), which could support a claim for damages, but this was not a prerequisite for injunctive relief. Even if defendants did not injure the buoys in any way, they still had no right to expropriate plaintiffs property for their own advantage.

        The instant case involves a similar taking. Intel has paid for thousands of computers, as well as the costs of maintaining a server.9 Like the Buchanan defendants, Hamidi has likewise acted as a free rider in enjoying the use of not only Intel's computer system but the extra storage capacity needed to accommodate his messages. Furthermore, Intel's claim, which does not object to Hamidi's speaking independently,10 only to his use of Intel's property, resembles that of the Buchanan plaintiff who "has not sought to prevent others from placing their own mooring buoys in the Harbor," but only the use of the plaintiffs property.11 (Buchanan, supra, 743 F.Supp. at p. 142.) Hamidi has thus unlawfully shifted the costs of his speaking to Intel. (Ferguson, supra, 94 Cal.App.4th at p. 1268, 115 Cal.Rptr.2d 258; Blast Fax, supra, 323 F.3d at p. 652; Heckel, supra, 24 P.3d at p. 410.)

        Moreover, even such free ridership is not necessary to establish a trespass to chattels. Had the Thrifty-Tel defendants succeeded in making free telephone calls without authorization, they would stand in the same position as the Buchanan defendants. But the record does not show they ever succeeded in making calls for which another subscriber (or the phone company itself) would have to pay. Thus, neither injury to the trespassee nor benefit to the

[30 Cal.4th 1385]

trespasser is an element of trespass to chattel. "[T]respass to chattel has evolved considerably from its original common law application—concerning the asportation of another's tangible property—to include even the unauthorized use of personal property." (Thrifty-Tel, supra, 46 Cal. App.4th at p. 1566, 54 Cal.Rptr.2d 468.)

        As in those cases in which courts have granted injunctions to prevent the delivery of unwanted mail, paper or electronic, Intel is not attempting to profit from its trespass action by receiving nominal damages. Rather, it seeks an injunction to prevent further trespass. Moreover, Intel suffered the requisite injury by losing a great deal of work product, a harm properly related to the property itself, as well as the money it spent in maintaining the system, which Hamidi wrongfully expropriated.

CONCLUSION

        Those who have contempt for grubby commerce and reverence for the rarified

[1 Cal.Rptr.3d 67]

heights of intellectual discourse may applaud today's decision, but even the flow of ideas will be curtailed if the right to exclude is denied. As the Napster controversy revealed, creative individuals will be less inclined to develop intellectual property if they cannot limit the terms of its transmission. Similarly, if online newspapers cannot charge for access, they will be unable to pay the journalists and editorialists who generate ideas for public consumption.

        This connection between the property right to objects and the property right to ideas and speech is not novel. James Madison observed, "a man's land, or merchandize, or money is called his property." (Madison, Property, Nat. Gazette (Mar. 27, 1792), reprinted in The Papers of James Madison (Robert A. Rutland et al. edits.1983) p. 266, quoted in McGinnis, The Once and Future Property-Based Vision of the First Amendment (1996) 63 U.Chi. L.Rev. 49, 65.) Likewise, "a man has a property in his opinions and the free communication of them." (Ibid.) Accordingly, "freedom of speech and property rights were seen simply as different aspects of an indivisible concept of liberty." (Id. at p. 63.)

        The principles of both personal liberty and social utility should counsel us to usher the common law of property into the digital age.

---------------

Notes:

1. The majority distinguishes Church of Christ on its facts, by asserting that a former church member could be barred from church property because she had a "tangible presence" on the church's property. (Maj. opn., ante, 1 Cal.Rptr.3d at p. 50, 71 P.3d at p. 311.) But the majority does not refute the legal point that "the mere judicial enforcement of neutral trespass laws by the private owner of property does not alone render it a state actor." (CompuServe, Inc. v. Cyber Promotions, Inc. (1997),962 F.Supp. 1015 (CompuServe).)

        The First Amendment does not shield Hamidi's speech, and the majority's authorities do not suggest it does. On the contrary, the high court recognized that the First Amendment does not preclude generally applicable laws, even where they incidentally restrict speech. (Cohen v. Cowles Media Co. (1991),501 U.S. 663, 111 S.Ct. 2513, 115 L.Ed.2d 586.) There is thus no right to intrude upon privately owned property simply to generate speech. (Ibid.)

        The majority cites New York Times Co. v. Sullivan (1964),376 U.S. 254, 84 S.Ct. 710, 11 L.Ed.2d 686, as well as N.A.A.C.P. v. Claiborne Hardware Co. (1982),458 U.S. 886, 102 S.Ct. 3409, 73 L.Ed.2d 1215, and Madsen v. Women's Health Center, Inc. (1994) 512 U.S. 753, 114 S.Ct. 2516, 129 L.Ed.2d 593, none of which is apposite. In these cases, speakers enjoyed First Amendment protection when they spoke to the public through a newspaper advertisement (with the newspaper's consent) or a protest on a public street, a traditional public forum. (Schneider v. State (1939),308 U.S. 147, 60 S.Ct. 146, 84 L.Ed. 155.) If Hamidi had similarly expressed his anti-Intel feelings in a newspaper advertisement or from a public street, these authorities would be on point. By contrast, nothing in New York Times entitles a computer hacker to alter an online newspaper's content so that it expresses the hacker's opinions against the paper's wishes.

        Intel's right to use reasonable force (see maj. opn., ante, 1 Cal.Rptr.3d at p. 40, 71 P.3d at p. 303), to prevent interference with its property distinguishes this case from the majority's United States Supreme Court precedents. Whereas Intel could attempt to block the unwanted messages, Sullivan, who claimed to have been libeled by the newspaper, could not have burned the newspapers to prevent their publication, nor could the targets of the public protesters in Claiborne Hardware or Madsen have driven them from the public streets where they were speaking. Contrariwise, Intel, as the majority does not dispute, would have been allowed to suppress Hamidi's messages if it had been able to do so.

2. Hamidi required employees to take affirmative steps to remove themselves from the mailing list. Not only might some employees have declined to do so because such removal might involve a greater burden than simply deleting the unwanted message, but they also might reasonably have assumed that such requests could be counterproductive. (Whang, An Analysis of California's Common and Statutory Law Dealing with Unsolicited Commercial Electronic Mail: An Argument for Revision (2000) 37 San Diego L.Rev. 1201, 1205-1206 (Whang).) "`Don't respond [to spam]! Don't ask them to "take you off a list." People who respond—even negatively—are viewed as Grade A targets. You will probably get more junk than ever.'" (Id. at p. 1206 & fn. 24, quoting Campbell, Waging War on Internet Spammers, Toronto Star (Aug. 26, 1999) p. L5.)

3. New York further proscribes such conduct as criminal. (People v. Miguez, supra, 147 Misc.2d 482, 556 N.Y.S.2d 231.)

4. Some of the messages reflected a desire to reconcile: "`"Please don't hurt me anymore. You've hurt me enough, I still love you."'" A later call stated, "`"Eddie I want to give you my number; even if you don't call me I want you to have it."'" (People v. Miguez, supra, 556 N.Y.S.2d at p. 232.)

5. The majority asserts Intel was not deprived of its computers "for any measurable length of time" (maj. opn., ante, 1 Cal.Rptr.3d at p. 41, 71 P.3d at p. 303), which supposedly fits this case within the rule that a "`mere momentary or theoretical'" deprivation is insufficient to establish a trespass to chattel (maj. opn., ante, at p. 44, 71 P.3d at p. 306). There is a chasm between the two descriptions. The time needed to identify and delete 200,000 email messages is not capable of precise estimation, but it is hardly theoretical or momentary. Most people have no idea of how many words they spoke yesterday, but that does not render the figure de minimis.

6. The majority asserts eBay does require impairment, because the opinion noted that the wide replication of the defendant's conduct would likely impair the functioning of the plaintiff's system. (Maj. opn., ante, 1 Cal. Rptr.3d at pp. 42-43, 71 P.3d at pp. 305-306.) Of course, the "wide replication" of Hamidi's conduct would likely impair Intel's operating system. Accordingly, a diluted "likely impairment through wide replication" standard would favor Intel, not Hamidi.

7. There is considerable debate regarding whether "spam" encompasses only unsolicited commercial e-mail (UCE) or all UBE, regardless of its commercial nature. (Sorkin, supra, 35 U.S.F. L.Rev. at pp. 333-335.) Because parties object to spam due to its volume rather than the sender's motivation, UBE is a preferable definition. (Id. at p. 335.) Moreover, as our decision in Kasky v. Nike, Inc. (2002),27 Cal.4th 939, 119 Cal.Rptr.2d 296, 45 P.3d 243 made plain, there is no brightline distinction between commercial and noncommercial speech. (See also City of Cincinnati v. Discovery Network, Inc. (1993),507 U.S. 410, 113 S.Ct. 1505, 123 L.Ed.2d 99.)

8. Citing to Bolger, supra, 463 U.S. at page 72, 103 S.Ct. 2875, for the proposition that the Constitution imposes on recipients the burden of disposing of unwanted mail, is inapposite because, as explained in part I, ante, Bolger involved the government's objections to the delivery, not the objection of a nongovernmental actor like Intel, which, under Rowan, supra, 397 U.S at pages 736-738, 90 S.Ct. 1484, may exclude unwanted mail.

9. In fact, Intel pays to maintain a high capacity to ensure that the system does not crash (or slow down); if Intel had not preempted such harm, there is no dispute that Hamidi would be liable for damages. As Professor Epstein cogently observes, Intel is thus being penalized for engaging in preemptive selfhelp. According to the majority, Intel would do better by saving its money and collecting damages after a crash/slowdown.

10. Intel does not object to Hamidi's transmitting the same message through his Web site, e-mail to employees' home computers, snail mail to their homes, distribution of materials from outside the company's gates, or any other communication that does not conscript Intel's property into Hamidi's service. Intel does object to the use of its property, regardless of its message. Although Intel objected that Hamidi sent antagonistic messages, Intel would presumably also object if Hamidi sent "blank" messages that slowed down both the Intel system and the employees who use it.

11. As with the hypothetical toothbrush, the Buchanan defendants used the buoy for its intended use. (Buchanan, supra, 743 F.Supp. at p. 140.)

---------------

        Dissenting Opinion by MOSK, J.*

        The majority hold that the California tort of trespass to chattels does not encompass the use of expressly unwanted

[30 Cal.4th 1386]

electronic mail that causes no physical damage or impairment to the recipient's computer system. They also conclude that because a computer system is not like real property, the rules of trespass to real property are also inapplicable to the circumstances in this case. Finally, they suggest that an injunction to preclude mass, noncommercial, unwelcome e-mails may offend the interests of free communication.

        I respectfully disagree and would affirm the trial court's decision. In my view, the repeated transmission of bulk e-mails by appellant Kourosh Kenneth Hamidi (Hamidi) to the employees of Intel Corporation (Intel) on its proprietary confidential email lists, despite Intel's demand that he cease such activities, constituted an actionable trespass to chattels. The majority fail to distinguish open communication in the public "commons" of the Internet from unauthorized intermeddling on a private, proprietary intranet. Hamidi is not communicating in the equivalent of a town square or of an unsolicited "junk" mailing through the United States Postal Service. His action, in crossing from the public Internet into a private intranet, is more like intruding into a private office mailroom, commandeering the mail cart, and dropping off unwanted broadsides on 30,000 desks. Because Intel's security measures have been circumvented by Hamidi, the majority leave Intel, which has exercised all reasonable self-help efforts, with no recourse unless he causes a malfunction or systems "crash." Hamidi's repeated intrusions did more than merely "promptf ] discussions between `[e]xcited and nervous managers' and the company's human resource department" (maj. opn., ante, 1 Cal. Rptr.3d at p. 38, 71 P.3d at p. 301); they also constituted a misappropriation of Intel's private computer system contrary to its intended use and against Intel's wishes.

        The law of trespass to chattels has not universally been limited to physical dam-Chief Justice pursuant to article VI, section 6 of the California Constitution.

[1 Cal.Rptr.3d 68]

age. I believe it is entirely consistent to apply that legal theory to these circumstances—that is, when a proprietary computer system is being used contrary to its owner's purposes and expressed desires, and self-help has been ineffective. Intel correctly expects protection from an intruder who misuses its proprietary system, its nonpublic directories, and its supposedly controlled connection to the Internet to achieve his bulk mailing objectives—incidentally, without even having to pay postage.

I

        Intel maintains an intranet—a proprietary computer network—as a tool for transacting and managing its business, both internally and for external

[30 Cal.4th 1387]

business communications.1 The network and its servers constitute a tangible entity that has value in terms of the costs of its components and its function in enabling and enhancing the productivity and efficiency of Intel's business operations. Intel has established costly security measures to protect the integrity of its system, including policies about use, proprietary internal e-mail addresses that it does not release to the public for use outside of company business, and a gateway for blocking unwanted electronic mail—a socalled firewall.

        The Intel computer usage guidelines, which are promulgated for its employees, state that the computer system is to be "used as a resource in conducting business. Reasonable personal use is permitted, but employees are reminded that these resources are the property of Intel and all information on these resources is also the property of Intel." Examples of personal use that would not be considered reasonable expressly include "use that adversely affects productivity." Employee e-mail communications are neither private nor confidential.

        Hamidi, a former Intel employee who had sued Intel and created an organization to disseminate negative information about its employment practices, sent bulk electronic mail on six occasions to as many as 35,000 Intel employees on its proprietary computer system, using Intel's confidential employee e-mail lists and adopting a series of different origination addresses and encoding strategies to elude Intel's blocking efforts. He refused to stop when requested by Intel to do so, asserting that he would ignore its demands: "I don't care. I have grown deaf." Intel sought injunctive relief, alleging that the disruptive effect of the bulk electronic mail, including expenses from administrative and management personnel, damaged its interest in the proprietary nature of its network.

        The trial court, in its order granting summary judgment and a permanent injunction, made the following pertinent findings regarding Hamidi's transmission of bulk electronic mail: "Intel has requested that Hamidi stop sending the messages, but Hamidi has refused, and has employed

[1 Cal.Rptr.3d 69]

surreptitious means to circumvent Intel's efforts to block entry of his messages into

[30 Cal.4th 1388]

lntel's system.... [¶] ... The e-mail system is dedicated for use in conducting business, including communications between Intel employees and its customers and vendors. Employee e-mail addresses are not published for use outside company business.... [¶] The intrusion by Hamidi into the Intel e-mail system has resulted in the expenditure of company resources to seek to block his mailings and to address employee concerns about the mailings. Given Hamidi's evasive techniques to avoid blocking, the self help remedy available to Intel is ineffective." The trial court concluded that "the evidence establishes (without dispute) that Intel has been injured by diminished employee productivity and in devoting company resources to blocking efforts and to addressing employees about Hamidi's e-mails." The trial court further found that the "massive" intrusions "impaired the value to Intel of its e-mail system."

        The majority agree that an impairment of Intel's system would result in an action for trespass to chattels, but find that Intel suffered no injury. As did the trial court, I conclude that the undisputed evidence establishes that Intel was substantially harmed by the costs of efforts to block the messages and diminished employee productivity. Additionally, the injunction did not affect Hamidi's ability to communicate with Intel employees by other means; he apparently continues to maintain a Web site to publicize his messages concerning the company. Furthermore, I believe that the trial court and the Court of Appeal correctly determined that the tort of trespass to chattels applies in these circumstances.

        The Restatement Second of Torts explains that a trespass to a chattel occurs if "the chattel is impaired as to its condition, quality, or value" or if "harm is caused to some ... thing in which the possessor has a legally protected interest." (Rest.2d Torts, § 218, subds. (b) & (d), p. 420, italics added.) As to this tort, a current prominent treatise on the law of torts explains that "[t]he defendant may interfere with the chattel by interfering with the plaintiffs access or use" and observes that the tort has been applied so as "to protect computer systems from electronic invasions by way of unsolicited email or the like." (1 Dobbs, The Law of Torts (2001) § 60, pp. 122, 123.) Moreover, "[t]he harm necessary to trigger liability for trespass to chattels can be ... harm to something other than the chattel itself." (Id., pp. 124-125; see also 1 Harper et al., The Law of Torts (3d ed.1996 & 2003 supp.) § 2.3, pp. 2:14-2:18.) The Restatement points out that, unlike a possessor of land, a possessor of a chattel is not given legal protection from harmless invasion, but "the actor" may be liable if the conduct affects "some other and more important interest of the possessor." (Rest.2d Torts, § 218, com. (e), p. 421, italics added.)

        The Restatement explains that the rationale for requiring harm for trespass to a chattel but not for trespass to land is the availability and effectiveness of

[30 Cal.4th 1389]

self-help in the case of trespass to a chattel. "Sufficient legal protection of the possessor's interest in the mere inviolability of his chattel is afforded by his privilege to use reasonable force to protect his possession against even harmless interference." (Rest.2d Torts, § 218, com. (e), p. 422.) Obviously, "force" is not available to prevent electronic trespasses. As shown by Intel's inability to prevent Hamidi's intrusions, self-help is not an adequate alternative to injunctive relief.

        The common law tort of trespass to chattels does not require physical disruption to the chattel. It also may apply

[1 Cal.Rptr.3d 70]

when there is impairment to the "quality" or "value" of the chattel. (Rest.2d Torts, § 218, subd. (b), p. 420; see also id., com. (e), pp. 421-22 [liability if "intermeddling is harmful to the possessor's materially valuable interest in the physical condition, quality, or value of the chattel"].) Moreover, as we held in Zaslow v. Kroenert (1946),29 Cal.2d 541, 176 P.2d 1, it also applies "[w]here the conduct complained of does not amount to a substantial interference with possession or the right thereto, but consists of intermeddling with or use of or damages to the personal property."2

        Here, Hamidi's deliberate and continued intermeddling, and threatened intermeddling, with Intel's proprietary computer system for his own purposes that were hostile to Intel, certainly impaired the quality and value of the system as an internal business device for Intel and forced Intel to incur costs to try to maintain the security and integrity of its server—efforts that proved ineffective. These included costs incurred to mitigate injuries that had already occurred. It is not a matter of "bootstrapp[ing]" (maj. opn., ante, 1 Cal.Rptr.3d at p. 46, 71 P.3d at p. 308) to consider those costs a damage to Intel. Indeed, part of the value of the proprietary computer system is the ability to exclude intermeddlers from entering it for significant uses that are disruptive to its owner's business operations.

        If Intel, a large business with thousands of former employees, is unable to prevent Hamidi from continued intermeddling, it is not unlikely that other outsiders who obtain access to its proprietary electronic mail addresses would engage in similar conduct, further reducing the value of, and perhaps debilitating, the computer system as a business productivity mechanism. Employees understand that a firewall is in place and expect that the messages they receive are from senders permitted by the corporation. Violation

[30 Cal.4th 1390]

of this expectation increases the internal disruption caused by messages that circumvent the company's attempt to exclude them. The time that each employee must spend to evaluate, delete or respond to the message, when added up, constitutes an amount of compensated time that translates to quantifiable financial damage.3

[1 Cal.Rptr.3d 71]

        All of these costs to protect the integrity of the computer system and to deal with the disruptive effects of the transmissions and the expenditures attributable to employee time, constitute damages sufficient to establish the existence of a trespass to chattels, even if the computer system was not overburdened to the point of a "crash" by the bulk electronic mail.

        The several courts that have applied the tort of trespass to chattels to deliberate intermeddling with proprietary computer systems have, for the most part, used a similar analysis. Thus, the court in CompuServe Inc. v. Cyber Promotions, Inc. (1997),962 F.Supp. 1015, applied the Restatement to conclude that mass mailings and evasion of the server's filters diminished the value of the mail processing computer equipment to Compu-Serve "even though it is not physically damaged by defendant's conduct." The inconvenience to users of the system as a result of the mass messages "decreasefd] the utility of CompuServe's e-mail service" and was actionable as a trespass to chattels. (Id. at p. 1023.)

        The court in America Online, Inc. v. IMS (1998),24 F.Supp.2d 548, on facts similar to those in the present case, also applied the Restatement in a trespass to chattels claim. There, defendant sent unauthorized e-mails to America Online's computer system, persisting after receiving notice to desist and causing the company "to spend technical resources and

[30 Cal.4th 1391]

staff time to `defend' its computer system and its membership" against the unwanted messages. (Id. at p. 549.) The company was not required to show that its computer system was overwhelmed or suffered a diminution in performance; mere use of the system by the defendant was sufficient to allow the plaintiff to prevail on the trespass to chattels claim.

        Similarly, the court in eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal.2000) 100 F.Supp.2d 1058 determined that there was a trespass to chattels when the quality or value of a computer system was diminished by unauthorized "web crawlers,"4 despite the fact that eBay had not alleged any "particular service disruption" (id. at p. 1065) or "specific incremental damages" (id. at p. 1063) to the computer system. Intermeddling with eBay's private property was sufficient to establish a cause of action: "A trespasser is liable when the trespass diminishes the condition, quality or value of personal property"; "[e]ven if [defendant's intrusions] use only a small amount of eBay's computer ... capacity, [defendant] has nonetheless deprived eBay of the ability to use that portion of its personal property for its own purposes. The law recognizes no such right to use another's personal property." (Id. at p. 1071; see also, e.g., Oyster Software, Inc. v. Forms Processing, Inc. (N.D.Cal., Dec. 6, 2001, No. C-00-0724 JCS) 2001 WL 1736382 at *12-*13 [trespass to chattels claim did not require company to demonstrate physical damage]; accord, Register.com, Inc. v. Verio, Inc. (2000),126 F.Supp.2d 238; cf. Thrifty-Tel, Inc. v. Bezenek (1996),46 Cal.App.4th 1559, 54 Cal.Rptr.2d 468 [unconsented electronic access to a computer system constituted a trespass to chattels].)

        These cases stand for the simple proposition that owners of computer systems, like owners of other private property, have

[1 Cal.Rptr.3d 72]

a right to prevent others from using their property against their interests. That principle applies equally in this case. By his repeated intermeddling, Hamidi converted Intel's private employee e-mail system into a tool for harming productivity and disrupting Intel's workplace. Intel attempted to put a stop to Hamidi's intrusions by increasing its electronic screening measures and by requesting that he desist. Only when self-help proved futile, devolving into a potentially endless joust between attempted prevention and circumvention, did Intel request and obtain equitable relief in the form of an injunction to prevent further threatened injury.

        The majority suggest that Intel is not entitled to injunctive relief because it chose to allow its employees access to email through the Internet and

[30 Cal.4th 1392]

because Hamidi has apparently told employees that he will remove them from his mailing list if they so request. They overlook the proprietary nature of Intel's intranet system; Intel's system is not merely a conduit for messages to its employees. As the owner of the computer system, it is Intel's request that Hamidi stop that must be respected. The fact that, like most large businesses, Intel's intranet includes external e-mail access for essential business purposes does not logically mean, as the majority suggest, that Intel has forfeited the right to determine who has access to its system. Its intranet is not the equivalent of a common carrier or public communications licensee that would be subject to requirements to provide service and access. Just as Intel can, and does, regulate the use of its computer system by its employees, it should be entitled to control its use by outsiders and to seek injunctive relief when self-help fails.

        The majority also propose that Intel has sufficient avenues for legal relief outside of trespass to chattels, such as interference with prospective economic relations, interference with contract, intentional infliction of emotional distress, and defamation; Hamidi urges that an action for nuisance is more appropriate. Although other causes of action may under certain circumstances also apply to Hamidi's conduct, the remedy based on trespass to chattels is the most efficient and appropriate. It simply requires Hamidi to stop the unauthorized use of property without regard to the content of the transmissions. Unlike trespass to chattels, the other potential causes of action suggested by the majority and Hamidi would require an evaluation of the transmissions' content and, in the case of a nuisance action, for example, would involve questions of degree and value judgments based on competing interests. (See Hellman v. La Cumbre Golf & Country Club (1992),6 Cal.App.4th 1224, 8 Cal.Rptr.2d 293; 11 Witkin, Summary of Cal. Law (9th ed. 1990) Equity, § 153, p. 833; Rest.2d Torts, § 840D).

II

        As discussed above, I believe that existing legal principles are adequate to support Intel's request for injunctive relief. But even if the injunction in this case amounts to an extension of the traditional tort of trespass to chattels, this is one of those cases in which, as Justice Cardozo suggested, "[t]he creative element in the judicial process finds its opportunity and power" in the development of the law. (Cardozo, Nature of the Judicial Process (1921) p. 165.)5

        The law has evolved to meet economic, social, and scientific changes in society. The industrial revolution, mass production,

[1 Cal.Rptr.3d 73]

and new transportation

[30 Cal.4th 1393]

and communication systems all required the adaptation and evolution of legal doctrines.

        The age of computer technology and cyberspace poses new challenges to legal principles. As this court has said, "the socalled Internet revolution has spawned a host of new legal issues as courts have struggled to apply traditional legal frameworks to this new communication medium." (Pavlovich v. Superior Court (2002),29 Cal.4th 262, 127 Cal.Rptr.2d 329, 58 P.3d 2.) The court must now grapple with proprietary interests, privacy, and expression arising out of computer-related disputes. Thus, in this case the court is faced with "that balancing of judgment, that testing and sorting of considerations of analogy and logic and utility and fairness" that Justice Cardozo said he had "been trying to describe." (Cardozo, Nature of the Judicial Process, supra, pp. 165-166.) Additionally, this is a case in which equitable relief is sought. As Bernard Witkin has written, "equitable relief is flexible and expanding, and the theory that `for every wrong there is a remedy' [Civ.Code, § 3523] may be invoked by equity courts to justify the invention of new methods of relief for new types of wrongs." (11 Witkin, Summary of Cal. Law, supra, Equity, § 3, p. 681.) That the Legislature has dealt with some aspects of commercial unsolicited bulk e-mail (Bus. & Prof.Code, §§ 17538.4, 17538.45; see maj. opn., ante, 1 Cal.Rptr.3d at p. 50, 71 P.3d at p. 311) should not inhibit the application of common law tort principles to deal with e-mail transgressions not covered by the legislation. (Cf. California Assn. of Health Facilities v. Department of Health Services (1997),16 Cal.4th 284, 65 Cal.Rptr.2d 872, 940 P.2d 323; I.E. Associates v. Safeco Title Ins. Co. (1985),39 Cal.3d 281, 216 Cal.Rptr. 438, 702 P.2d 596.)

        Before the computer, a person could not easily cause significant disruption to another's business or personal affairs through methods of communication without significant cost. With the computer, by a mass mailing, one person can at no cost disrupt, damage, and interfere with another's property, business, and personal interests. Here, the law should allow Intel to protect its computer-related property from the unauthorized, harmful, free use by intruders.

Ill

        As the Court of Appeal observed, connecting one's driveway to the general system of roads does not invite demonstrators to use the property as a public forum. Not mindful of this precept, the majority blur the distinction between public and private computer networks in the interest of "ease and openness of communication." (Maj. opn., ante, 1 Cal.Rptr.3d at p. 50, 71 P.3d at p. 311.) By upholding Intel's right to exercise self-help to restrict Hamidi's bulk e-mails, they

[30 Cal.4th 1394]

concede that he did not have a right to send them through Intel's proprietary system. Yet they conclude that injunctive relief is unavailable to Intel because it connected its e-mail system to the Internet and thus, "necessarily contemplated" unsolicited communications to its employees. (Maj. opn., ante, at p. 47, 71 P.3d at p. 308.) Their exposition promotes unpredictability in a manner that could be as harmful to open communication as it is to property rights. It permits Intel to block Hamidi's e-mails entirely, but offers no recourse if he succeeds in breaking through its security barriers, unless he physically or functionally degrades the system.

        By making more concrete damages a requirement for a remedy, the majority has rendered speech interests dependent on the impact of the e-mails. The sender will never know when or if the mass e-mails

[1 Cal.Rptr.3d 74]

sent by him (and perhaps others) will use up too much space or cause a crash in the recipient system, so as to fulfill the majority's requirement of damages. Thus, the sender is exposed to the risk of liability because of the possibility of damages. If, as the majority suggest, such a risk will deter "ease and openness of communication" (maj. opn., ante, 1 Cal. Rptr.3d at p. 50, 71 P.3d at p. 311), the majority's formulation does not eliminate such deterrence. Under the majority's position, the lost freedom of communication still exists. In addition, a business could never reliably invest in a private network that can only be kept private by constant vigilance and inventiveness, or by simply shutting off the Internet, thus limiting rather than expanding the flow of information.6 Moreover, Intel would have less incentive to allow employees reasonable use of its equipment to send and receive personal e-mails if such allowance is justification for preventing restrictions on unwanted intrusions into its computer system. I believe the best approach is to clearly delineate private from public networks and identify as a trespass to chattels the kind of intermeddling involved here.

        The views of the amici curiae group of intellectual property professors that a ruling in favor of Intel will interfere with communication are similarly misplaced because here, Intel, contrary to most users, expressly informed Hamidi that it did not want him sending messages through its system. Moreover, as noted above, all of the problems referred to will exist under the apparently accepted law that there is a cause of action if there is some actionable damage.

        Hamidi and other amici curiae raise, for the first time on appeal, certain labor law issues, including the matter of protected labor-related communications. Even assuming that these issues are properly before this court (see

[30 Cal.4th 1395]

Cal. Rules of Court, rule 28(c)(1)), to the extent the laws allow what would otherwise be trespasses for some labor-related communications, my position does not exclude that here too. But there has been no showing that the communications are labor-law protected.7

        Finally, with regard to alleged constitutional free speech concerns raised by Hamidi and others, this case involves a private entity seeking to enforce private rights against trespass. Unlike the majority, I have concluded that Hamidi did invade Intel's property. His actions constituted a trespass—in this case a trespass to chattels. There is no federal or state constitutional right to trespass. (Adderley v. Florida (1966),385 U.S. 39, 87 S.Ct. 242, 17 L.Ed.2d 149 ["Nothing in the Constitution of the United States prevents Florida from even-handed enforcement of its general trespass statute...."]; Church of Christ in Hollywood v. Superior Court (2002),99 Cal.App.4th 1244, 121 Cal.Rptr.2d 810 [affirming a restraining order preventing former church member from entering church property: "[the United States Supreme Court] has never held that a trespasser or an uninvited guest may exercise general rights of free speech on property privately owned"]; see also CompuServe Inc. v. Cyber Promotions,

[1 Cal.Rptr.3d 75]

Inc., supra, 962 F.Supp. at p. 1026 ["the mere judicial enforcement of neutral trespass laws by the private owner of property does not alone render it a state actor"]; Cyber Promotions, Inc. v. American Online, Inc. (1996),948 F.Supp. 436 ["a private company such as Cyber simply does not have the unfettered right under the First Amendment to invade AOL's private property...."].) Accordingly, the cases cited by the majority regarding restrictions on speech, not trespass, are not applicable. Nor does the connection of Intel's e-mail system to the Internet transform it into a public forum any more than any connection between private and public properties. Moreover, as noted above, Hamidi had adequate alternative means for communicating with Intel employees so that an injunction would not, under any theory, constitute a free speech violation. (Lloyd Corp. v. Tanner (1972),407 U.S. 551, 92 S.Ct. 2219, 33 L.Ed.2d 131.)

IV

        The trial court granted an injunction to prevent threatened injury to Intel. That is the purpose of an injunction. (Ernst & Ernst v. Carlson (1966),247 Cal.App.2d 125, 55 Cal.Rptr. 626.) Intel should not be helpless in the face of repeated and threatened abuse and contamination of its private computer system. The undisputed facts, in my view, rendered Hamidi's

[30 Cal.4th 1396]

conduct legally actionable. Thus, the trial court's decision to grant a permanent injunction was not "a clear abuse of discretion" that may be "disturbed on appeal." (Shapiro v. San Diego City Council (2002),96 Cal.App.4th 904, 117 Cal.Rptr.2d 631; see also City of Vernon v. Central Basin Mun. Water Dist. (1999),69 Cal. App.4th 508, 81 Cal.Rptr.2d 650 [in an appeal of summary judgment, the trial court's decision to deny a permanent injunction was "governed by the abuse of discretion standard of review"].)

        The injunction issued by the trial court simply required Hamidi to refrain from further trespassory conduct, drawing no distinction based on the content of his emails. Hamidi remains free to communicate with Intel employees and others outside the walls—both physical and electronic—of the company.

        For these reasons, I respectfully dissent.

        I CONCUR: GEORGE, C.J.

---------------

Notes:

* Associate Justice, Court of Appeal, Second Appellate District, Division Five, assigned by the

1. The Oxford English Dictionary defines an intranet as "A local or restricted computer network; spec, a private or corporate network that uses Internet protocols. An intranet may (but need not) be connected to the Internet and be accessible externally to authorized users." (OED Online, new ed., draft entry, Mar. 2003, <http://dictionary.oed.com/> [as of June 30, 2003]; see also Kokka, Property Rights on an Intranet, 3 Spring 1998 J. Tech.L. & Policy 3, WL 3 UFLJTLP 3 at *3, *6 [defining an intranet as "an internal network of computers, servers, routers and browser software designed to organize, secure, distribute and collect information within an organization," which in large organizations generally includes a wide range of services, including e-mail].) Contrary to the majority's assertion, there is nothing incorrect about characterizing Hamidi's unauthorized bulk e-mails as intrusions onto Intel's intranet.

2. In Zaslow, we observed that when the trespass involves "intermeddling with or use of" another's property, the owner "may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use." (Zaslow v. Kroenert, supra, 29 Cal.2d at p. 551, 176 P.2d 1.) We did not state that such damages were a requirement for a cause of action; nor did we address the availability of injunctive relief.

3. As the recent spate of articles on "spam"— unsolicited bulk e-mail—suggests, the effects on business of such unwanted intrusions are not trivial. "Spam is not just a nuisance. It absorbs bandwidth and overwhelms Internet service providers. Corporate tech staffs labor to deploy filtering technology to protect their networks. The cost is now widely estimated (though all such estimates are largely guesswork) at billions of dollars a year. The social costs are immeasurable.... [¶] `Spam has become the organized crime of the Internet.' ... `[M]ore and more it's becoming a systems and engineering and networking problem.' (Gleick, Tangled Up in Spam, N.Y. Times (Feb. 9, 2003) magazine p. 1 <http://www.nytimes.com/2003/02/09/> [as of June 30, 2003]; see also Cooper & Shogren, U.S., States Turn Focus to Curbing Spam, L.A. Times (May 1, 2003) p. A21, col. 2 ["Businesses are losing money with every moment that employees spend deleting"]; Turley, Congress Must Send Spammers a Message, L.A. Times (Apr. 21, 2003) p. B13, col. 5 ["Spam now costs American businesses about $9 billion a year in lost productivity and screening"]; Taylor, Spam's Big Bang! (June 16, 2003) Time, p. 51 ["The time we spend deleting or defeating spam costs an estimated $8.9 billion a year in lost productivity"].) But the occasional spam addressed to particular employees does not pose nearly the same threat of impaired value as the concerted bulk mailings into one e-mail system at issue here, which mailings were sent to thousands of employees with the express purpose of disrupting business as usual. information from the websites of others. (eBay, Inc. v. Bidder's Edge, supra, 100 F.Supp.2d at p. 1061, fn. 2.)

4. A "web crawler" is a computer program that operates across the Internet to obtain

5. "It is revolting to have no better reason for a rule of law than that so it was laid down in the time of Henry IV." (Holmes, The Path of the Law (1897) 10 Harv.L.Rev. 457, 469.)

6. Thus, the majority's approach creates the perverse incentive for companies to invest less in computer capacity in order to protect its property. In the view of the majority, Hamidi's massive e-mails would be actionable only if Intel had insufficient server or storage capacity to manage them.

7. The bulk e-mail messages from Hamidi, a nonemployee, did not purport to spur employees into any collective action; he has conceded that "[t]his is not a drive to unionize." Nor was his disruptive conduct part of any bona fide labor dispute.

---------------

8.1.4 Ticketmaster Corp. v. Tickets.Com, Inc. 8.1.4 Ticketmaster Corp. v. Tickets.Com, Inc.

This brief note considers the trespass to chattels in ticket price scraping

2003 Corp.L.Dec. ¶ 28,607

TICKETMASTER CORP. et al., Plaintiff
v.
TICKETS.COM, INC. et al., Defendants.

No. CV997654HLHVBKX.

United States District Court, C.D. California.

March 7, 2003.

Steven E. Sletten, Robert E. Cooper, Robert H. Platt and Mark S. Lee, New York, New York, for Plaintiffs.

William Taylor, New York, New York, for Defendants.

TICKETS.COM'S NOTICE OF MOTION AND MOTION FOR SUMMARY JUDGMENT ON CONTRACT, TRESPASS AND COPYRIGHT CLAIMS

HUPP, J.

ORDER

[1] This motion by defendant Tickets.com, Inc. (hereafter TX) for summary judgment on plaintiffs Ticketmaster Corporation and Ticket Online–CitySearch, Inc. (hereafter collectively TM), intellectual property issues is denied as to the contract claim of TM and granted as to the copyright and trespass to chattels claims, which are dismissed by this minute order.

At this point in the case, both parties have narrowed their claims. TM, the original plaintiff, has narrowed its intellectual property claims to a contract theory, a copyright theory, and a trespass to chattels theory. The court finds triable issues of fact on the contract theory and finds no triable issues of fact and grants summary judgment on the copyright and trespass to chattels claims.

Many of the factual items are not contested, although the legal result of applying the law to the uncontested facts is heavily contested. Among the uncontested facts are the following: Both TM and TX are in the business of selling tickets to all kinds of "events" (sports, concerts, plays, etc.) to the public. They are in heavy competition with one another, but operate in distinctive ways. TM is the largest company in the industry. It sells tickets by the four methods of ticket selling–venue box office, retail outlets, by telephone, and over the internet. Telephone and internet sales require the customer to establish credit with the ticket seller (usually by credit card). Internet sales have been the fastest growing segment of the industry. TX at the time of the events considered in this motion was primarily (but not exclusively) an internet seller. Both TM and TX maintain a web page reachable by anyone with an internet connection. Each of their web pages has many subsidiary (or interior) web pages which describe one event each and provide such basic information as to location, date, time, description of the event, and ticket prices. The TM interior web pages each have a separate electronic address or Uniform Resource Locator ("URL") which, if possessed by the internet user, allows the user to reach the web page for any particular event by by-passing the "home" web page and proceeding past the index to reach the interior web page for the event in question. The TM interior web pages provide telephone numbers for customers or allow the customer to order tickets to the event by interactive computer use. A charge is made for the TM service.

TM principally does business by exclusive contracts with the event providers or their producers, and its web pages only list the events for which TM is the exclusive ticket seller. TX also sells tickets to a number of events for which it is the ticket seller. At one point, its web pages attempted to list all events for which tickets were available whether or not TX sold the tickets. Its interior web pages also listed the event, the date, time, ticket prices, and provided for internet purchase if TX could sell the tickets. When TX could not sell the tickets, it listed ticket brokers who sold at premium prices. In early 2000, TX discontinued this practice of listing events with tickets sold by other ticket brokers. Until early 2000, in situations where TM was the only source of tickets, TX provided a "deep link" by which the customer would be transferred to the interior web page of TM's web site, where the customer could purchase the ticket from TM. This process of "deep linking" is the subject of TM's complaint in this action, of which there is now left the contract, copyright, and trespass theories.

[2] Starting in 1998 and continuing to July 2001, when it stopped the practice, TX employed an electronic program called a "spider" or "crawler" to review the internal web pages (available to the public) of TM. The "spider" "crawled" through the internal web pages to TM and electronically extracted the electronic information from which the web page is shown on the user's computer. The spider temporarily loaded this electronic information into the Random Access Memory ("RAM") of TX's computers for a period of from 10–15 seconds. TX then extracted the factual information (event, date, time, tickets prices, and URL) and discarded the rest (which consisted of TM identification, logos, ads, and other information which TX did not intend to use; much of this discarded material was protected by copyright). The factual information was then organized in the TX format to be displayed on the TX internal web page. The TX internal web page carried no TM identification and had only the factual information about the event on it which was taken from TM's interior web page but rearranged in TX format plus any information or advertisement added by TX. From March 1998, to early 2000, the TX user was provided the deep linking option described above to go directly from the TX web site to the relevant TM interior web page. This option stopped (or was stopped by TM) in early 2000. For an unknown period afterward, the TX customer was given the option of linking to the TM home page, from which the customer could work his way to the interior web page in which he was interested. (The record does not reveal whether this practice still exists or whether TM objects to it.) Thus, the intellectual property issues in this case appear to be limited to events which occurred between November 1998, when spidering started, and July 2001, when it stopped. The "deep linking" aspect of the case is relevant only from March 1998, to early 2000, when it stopped.

The contract aspect of the case derives from a notice placed on the home page of the TM web site which states that anyone going beyond that point into the interior web pages of the web site accepts certain conditions, which include, relevant to this case, that all information obtained from the website is for the personal use of the user and may not be used for commercial purposes. Earlier in this case (and at the time of the motion for preliminary injunction) the notice was placed at the bottom of the home page of the TM web site, so that a user without an especially large screen would have to scroll down the page to read the conditions of use. Since then, TM has placed in a prominent place on the home page the warning that proceeding further binds the user to the conditions of use. As one TX executive put it, it could not be missed. At the time of the preliminary injunction motion, the court commented that there was no evidence that the conditions of use were known to TX. Since then, there has been developed evidence that TX was fully familiar with the conditions TM claimed to impose on users, including a letter from TM to TX which quoted the conditions (and a reply by TX stating that it did not accept the conditions). Thus, there is sufficient evidence to defeat summary judgment on the contract theory if knowledge of the asserted conditions of use was had by TX, who nevertheless continued to send its spider into the TM interior web pages, and if it is legally concluded that doing so can lead to a binding contract. For reasons dealing with the desirability of clear unmistakable evidence of assent to the conditions on trial of such issues, the court would prefer a rule that required an unmistakable assent to the conditions easily provided by requiring clicking on an icon which says "I agree" or the equivalent. Such a rule would provide certainty in trial and make it clear that the user had called to his attention the conditions he or she accepted when using the web site. (The court notes that Professor Lemley also approves this approach, but this is treated as a legal opinion, not a fact). However, the law has not developed this way. Use of a cruise ship ticket with a venue provision printed on the back commits one to the venue provided. (Carnival Cruise Lines '91 499 U.S. 585, 113 L.Ed.2d 622.) The Carriage of Goods by Sea Act, the Carmack Act, and the Warsaw Convention provide that limitations of liability on the bill of lading, air waybill, or airplane ticket are enforceable if the services are used by the customer. The "shrinkwrap" cases find the printed conditions plainly wrapped around the cassette or CD enforceable. Even the back of your parking lot ticket may be enforceable. The principle has been applied to cases similar to this. (Register.com SDNY'00 126 FSupp2d 238; Pollstar EDCA'00 170 FSupp2d 974.) The principle has long been established that no particular form of words is necessary to indicate assent–the offeror may specify that a certain action in connection with his offer is deemed acceptance, and ripens into a contract when the action is taken. (Binder '99 75 CA4th 832, 89 CR2d 540; Penn Security Life Ins. 62 CA3d 302, 133 CR 59.) Thus, as relevant here, a contract can be formed by proceeding into the interior web pages after knowledge (or, in some cases, presumptive knowledge) of the conditions accepted when doing so. In Specht 2Cir'02 306 F.3d 17, the court found that there was no mutual assent when a notice of the existence of license terms governing the use of software was visible to internet users only if they scrolled down the screen. That case is distinguishable from the facts at hand on the grounds that in Specht, the plaintiff's terms of use were not plainly visible or known to defendants. See id. at 31. Moreover, Specht involved a different set of circumstances, that of consumers invited to download free software from an internet site that did not contain a plainly visible notice of license terms. See id. at 32. As a result, the TX motion for summary judgment on the contract issue is denied.

[3] The trespass to chattels issue requires adapting the ancient common law action to the modern age. No cases seem to have reached the appellate courts although there appears to be a number of district court cases. One case (Intel v. Hamadi '01 94 CA4th 325, 114 CR 244) is pending in the California Supreme Court since it granted a hearing which has the effect of vacating the state Court of Appeal opinion (and which has no precedent value once the hearing was granted). The court is informed that the eBayNDCA'00 100 FSupp2d 1058 preliminary injunction was not appealed. At the time of the preliminary injunction motion, only the eBaycase was before the court. Since then, there have been a number of district court cases discussing the chattel theory (some published and some not). These cases tend to support the proposition that mere invasion or use of a portion of the web site by a spider is a trespass (leading at least to nominal damages), and that there need not be an independent showing of direct harm either to the chattel (unlikely in the case of a spider) or tangible interference with the use of the computer being invaded. However, scholars and practitioners alike have criticized the extension of the trespass to chattels doctrine to the internet context, noting that this doctrinal expansion threatens basic internet functions (i.e., search engines) and exposes the flaws inherent in applying doctrines based in real and tangible property to cyberspace. See, e.g., Laura Quilter, Cyberlaw: The Continuing Expansion of Cyberspace Trespass to Chattels, 17 Berkeley Tech. L.J. 421 (2002); Clifton Merrell, Trespass to Chattels in the Age of the Internet, 80 Wash. U.L.Q. 675 (2002); Mary Anne Bendotoff and Elizabeth R. Gosse, "Stay Off My Cyberproperty!": Trespass to Chattels on the Internet (2001), 6 Intell. Prop. L. Bull. 12; Edward Lee, Rules and Standards for Cyberspace, 77 Notre Dame L.Rev. 1275, 1283–1284 (2002). Pending appellate guidance, this court comes down on the side of requiring some tangible interference with the use or operation of the computer being invaded by the spider. Restatement (Second) of Torts § 219 requires a showing that "the chattel is impaired as to its condition, quality, or value." Therefore, unless there is actual dispossession of the chattel for a substantial time (not present here), the elements of the tort have not been made out. Since the spider does not cause physical injury to the chattel, there must be some evidence that the use or utility of the computer (or computer network) being "spiderized" is adversely affected by the use of the spider. No such evidence is presented here. This court respectfully disagrees with other district courts' finding that mere use of a spider to enter a publically available web site to gather information, without more, is sufficient to fulfill the harm requirement for trespass to chattels.

TM complains that the information obtained by the use of the spider was valuable (and even that it was sold by TX), and that it spent time and money attempting to frustrate the spider, but neither of these items shows damage to the computers or their operation. One must keep in mind that we are talking about the common law tort of trespass, not damage from breach of contract or copyright infringement. The tort claim may not succeed without proof of tort-type damage. Plaintiff TM has the burden to show such damage. None is shown here. The motion for summary judgment is granted to eliminate the claim for trespass to chattels. This minute order is the order eliminating that claim. This approach to the tort of trespass to chattels should hurt no one's policy feelings; after all, what is being attempted is to apply a medieval common law concept in an entirely new situation which should be disposed of by modern law designed to protect intellectual property interests.

[4] The copyright issues are more difficult. They divide into three issues. The first is whether the momentary resting in the TX computers of all of the electronic signals which are used to form the video representation to the viewer of the interior web pages of the TX computer constitutes actionable copyright infringement. The second is whether the URLs, which were copied and used by TX, contain copyrightable material. The third is whether TX's deep-linking caused the unauthorized public display of TM event pages. In examining these questions, we must keep in mind a prime theorem of copyright law–facts, as such, are not subject to copyright protection. What is subject to copyright protection is the manner or mode of expression of those facts. Thus, addresses and telephone numbers contained in a directory do not have copyright protection (Feist Publications 499 U.S. 350, 113 L.Ed.2d 358), despite the fact that time, money, and effort went into compiling the information. Similarly, in this case, the existence of the event, its date and time, and its ticket prices, are not subject to copyright. Anyone is free to print (or show on the internet) such information. Thus, if TX had sat down a secretary at the computer screen with instructions manually to go through TM's web sites and pick out and write down purely factual information about the events, and then feed it into the TX web pages (using the TX distinctive format only), no one could complain. The objection is that the same thing was done with an electronic program. However, the difference is that the spider picks up all of the electronic symbols which, if it had been put on a monitor with the right software, would duplicate the TM web page. However, this is not the way it was done. The spider picks up the electronic symbols and loads them momentarily (for 10 to 15 seconds) into the RAM of the TX computers, where a program picks up the factual data (not protected), places same into the TX format for its web pages, and immediately discards the balance, which may consist of TM logos, TM advertisements, TM format for presentation of the material, and other material which is copyrightable. Thus, the actual copying (if it can be called that) is momentary while the non-protected material, all open to the public, is extracted. Is this momentary resting of the electronic symbols from which a TM web page could be (but is not) constructed fair use where the purpose is to obtain non-protected facts? The court thinks the answer is "yes". There is not much law in point. However, there are two Ninth Circuit cases which shed light on the problem. They are Sony Computer Entertainment 9 Cir '00 203 F3d 596 and Sega 9 Cir '92 977 F.2d 1510. In each of these cases, the alleged infringer attempted to get at non-protected source code by reverse engineering of the plaintiff's copyrighted software. In doing so, the necessary method was to copy the software and work backwards to derive the unprotected source code. The copied software was then destroyed. In each case, this was held to be fair use since it was necessary to temporarily copy the software to obtain the non-protected material. There may be a difference with this case, however, at least TM claims so. It asserts in its points and authorities that taking the temporary copy in this case was not the only way to obtain the unprotected information, and that TX was able to, and in actuality did purchase such information from certain third-parties. Both Sony and Sega stated that the fair use was justified because reverse engineering (including taking a temporary copy) was the only way the unprotected information could be obtained. Although this court recognizes that the holdings of Sony and Sega were limited to the specific context of "disassembling" copyrighted object code in order to access unprotected elements contained in the source code, this court believes that the "fair use" doctrine can be applied to the current facts.

[5] Taking the temporary copy of the electronic information for the limited purpose of extracting unprotected public facts leads to the conclusion that the temporary use of the electronic signals was "fair use" and not actionable. In determining whether a challenged use of copyrighted material is fair, a court must keep in mind the public policy underlying the Copyright Act: to secure a fair return for an author's creative labor and to stimulate artistic creativity for the general good. This court sees no public policy that would be served by restricting TX from using spiders to temporarily download TM's event pages in order to acquire the unprotected, publicly available factual event information. The rest of the event page information (which consisted of TM identification, logos, ads, and other information) was discarded and not used by TX and is not exposed to the public by TX. In temporarily downloading TM's event pages to its RAM through the use of spiders, TX was not exploiting TM's creative labors in any way: its spiders gathered copyrightable and non-copyrightable information alike but then immediately discarded the copyrighted material. It is unlikely that the spiders could have been programmed to take only the factual information from the TM web pages without initially downloading the entire page.

Consideration of the fair use factors listed in 17 USC § 106 supports this result. First, TX operates its site for commercial purposes, and this fact tends to weigh against a finding of fair use. Campbell '94 510 U.S. 569, 585, 127 L.Ed.2d 500, 519. TX's use of the data gathered from TM's event pages was only slightly transformative. As for the second factor, the nature of the copyrighted work, the copying that occurred when spiders download the event page, access the source code for each page, and extract the factual data embedded in the code, is analogous to the process of copying that the Sony court condoned (however, the Court recognizes that the fair use holding from that decision does not fit perfectly onto the facts at hand). Third, because TX's final product-the TX web site-did not contain any infringing material, the "amount and substantiality of the portion used" is of little weight. Connectix 9Cir'00 203F3d at 606 (quoting Sega 9Cir'93 977 F.2d at 1526–1537). The fourth factor (the effect on the market value of the copyrighted work) is, of course nil, and weighs towards finding fair use. TM's arguments and evidence regarding loss of advertising revenue, as well as the loss of potential business with Volt Delta, are not persuasive.

The second copyright problem is whether the URLs (Uniform Resource Locator) are subject to copyright protection. The URLs are copied by TX and, while TX was deep hyper-linking to TM interior web pages, were used by TX to allow the deep-linking (by providing the electronic address of the particular relevant TM interior web page). This electronic address is kept in TX's computer (not provided to the customer) but was used to connect the customer to the TM interior web page when the customer pushed the button to be transferred to the web page of the broker who sells the tickets. In fact, anyone who uses the TM interior web page–TM customer or not–uses the URL to get there, although sometimes through another computer which also has the URL. TM contends that, although the URLs are strictly functional, they are entitled to copyright protection because there are several ways to write the URL, and, thus, original authorship is used. The court disagrees. A URL is simply an address, open to the public, like the street address of a building, which, if known, can enable the user to reach the building. There is nothing sufficiently original to make the URL a copyrightable item, especially the way it is used. Feist Publications '91 499 U.S. 340, 345, 113 L.Ed.2d 358, 369. There appear to be no cases holding the URLs to be subject to copyright. On principle, they should not be.

[6] The third copyright problem is whether TX's deep-linking caused the unauthorized public display of TM event pages in violation of TM's exclusive rights of reproduction and display under 17 U.S.C. § 106. The Ninth Circuit in Kelly 9 Cir '02 280 F3d 934, recognized that inline linking and framing of full-sized images of plaintiff's copyrighted photographs within the defendant's web site violated the plaintiff's public display rights. In that case, defendant's web site contained links to plaintiff's photographs (which were on plaintiff's publicly available website). Users were able to view plaintiff's photographs within the context of defendant's site: Plaintiff's images were "framed" by the defendant's window, and were thus surrounded by defendant web page's text and advertising. In one short paragraph in a declaration offered on the preliminary injunction motion, TM alleges that when a user was deep-linked from the TX site to a TM event page, a smaller window was opened. The smaller window was described as containing a page from the TM web site which was "framed" by the larger window. At the time of the preliminary injunction motion, TX stated that whether "framing" occurs or not depends on the settings on the user's computer, over which TX has no control. Thus, framing occurred on some occasions but not on others. However, TX says that it "did not try to disguise a sale by use of frames occurring on the Tickets.com website." (Reply, p. 10) TX further states that when users were linked to TM web pages, the TM event pages were clearly identified as belonging to TM.

However, even if the TM interior web site page was "framed" within the TX web page, this case is distinguishable from Kelly. In Kelly, the defendant's site would display a variety of "thumbnail" images as a result of the user's search. By clicking on the desired thumbnail image, a user could view the "Images Attributes" page, which displayed the original full-size image, a description of its dimensions, a link to the originating web site, and defendant's banner and advertising. The full-size image was not technically located on defendant's web site, but was taken directly from the originating web site. However, only the image itself, and not any other part of the originating web site, was displayed on the "Images Attributes" page. The Ninth Circuit determined that by importing plaintiff's images into its own web page, and by showing them in the context of its own site, defendant infringed upon plaintiff's exclusive public display right.

In this case, a user on the TX site was taken directly to the originating TM site, containing all the elements of that particular TM event page. Each TM event page clearly identified itself as belonging to TM. Moreover, the link on the TX site to the TM event page contained the following notice: "Buy this ticket from another online ticketing company. Click here to buy tickets. These tickets are sold by another ticketing company. Although we can't sell them to you, the link above will take you directly to the other company's web site where you can purchase them." (2d Am.Compl.Ex.I) (emphasis in original) Even if the TM site may have been displayed as a smaller window that was literally "framed" by the larger TX window, it is not clear that, as matter of law, the linking to TX event pages would constitute a showing or public display in violation of 17 U.S.C. § 106(5). Accordingly, summary judgment is granted on the copyright claims of TM and it is eliminated from this action.

8.2 OIL Casebook: Computer Fraud & Abuse Act I 8.2 OIL Casebook: Computer Fraud & Abuse Act I

8.2.1 Computer Fraud and Abuse Act: 18 U.S. Code § 1030 - Fraud and related activity in connection with computers 8.2.1 Computer Fraud and Abuse Act: 18 U.S. Code § 1030 - Fraud and related activity in connection with computers

(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n)  [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. [2]
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;  [3]
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
shall be punished as provided in subsection (c) of this section.
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(1)
(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(2)
(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000; and
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3)
(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), [4] or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4)
(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
(ii) an attempt to commit an offense punishable under this subparagraph;
(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;
(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or
(G) a fine under this title, imprisonment for not more than 1 year, or both, for—
(i) any other offense under subsection (a)(5); or
(ii) an attempt to commit an offense punishable under this subparagraph.
(d)
(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014 (y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056 (a) of this title.
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section—
(1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term “financial institution” means—
(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 orsection 25(a)  [1] of the Federal Reserve Act;
(5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses  [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).
(i)
(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States—
(A) such person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and
(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.
(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:
(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.
(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section  [6]


[1]  See References in Text note below. 

[2]  So in original. The period probably should be a semicolon. 

[3]  So in original. Probably should be followed by “or”. 

[4]  So in original. The comma probably should not appear. 

[5]  So in original. Probably should be “subclause”. 

[6]  So in original. Probably should be followed by a period. 

8.2.2 U.S. v. Morris 8.2.2 U.S. v. Morris

United States Court of Appeals for the Second Circuit
928 F.2d 504
No. 774, Docket 90-1336
1991-03-07

928 F.2d 504 (1991)

UNITED STATES of America, Appellee,
v.
Robert Tappan MORRIS, Defendant-Appellant.

No. 774, Docket 90-1336.

United States Court of Appeals, Second Circuit.

Argued December 4, 1990.
Decided March 7, 1991.

Thomas A. Guidoboni, Washington, D.C., for defendant-appellant.

Ellen R. Meltzer, U.S. Dept. of Justice, Washington, D.C. (Frederick J. Scullin, Jr., U.S. Atty., Syracuse, N.Y., Mark D. Rasch, U.S. Dept. of Justice, Washington, D.C., on the brief), for appellee.

[505] Before NEWMAN and WINTER, Circuit Judges, and DALY, District Judge.[1]

JON O. NEWMAN, Circuit Judge:

This appeal presents two narrow issues of statutory construction concerning a provision Congress recently adopted to strengthen protection against computer crimes. Section 2(d) of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030(a)(5)(A) (1988), punishes anyone who intentionally accesses without authorization a category of computers known as "[f]ederal interest computers" and damages or prevents authorized use of information in such computers, causing loss of $1,000 or more. The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of "access without authorization."

These questions are raised on an appeal by Robert Tappan Morris from the May 16, 1990, judgment of the District Court for the Northern District of New York (Howard G. Munson, Judge) convicting him, after a jury trial, of violating 18 U.S.C. § 1030(a)(5)(A). Morris released into INTERNET, a national computer network, a computer program known as a "worm"[2] that spread and multiplied, eventually causing computers at various educational institutions and military sites to "crash" or cease functioning.

We conclude that section 1030(a)(5)(A) does not require the Government to demonstrate that the defendant intentionally prevented authorized use and thereby caused loss. We also find that there was sufficient evidence for the jury to conclude that Morris acted "without authorization" within the meaning of section 1030(a)(5)(A). We therefore affirm.

FACTS

In the fall of 1988, Morris was a first-year graduate student in Cornell University's computer science Ph.D. program. Through undergraduate work at Harvard and in various jobs he had acquired significant computer experience and expertise. When Morris entered Cornell, he was given an account on the computer at the Computer Science Division. This account gave him explicit authorization to use computers at Cornell. Morris engaged in various discussions with fellow graduate students about the security of computer networks and his ability to penetrate it.

In October 1988, Morris began work on a computer program, later known as the INTERNET "worm" or "virus." The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers. Morris designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. Morris released the worm into INTERNET, which is a group of national networks that connect university, governmental, and military computers around the country. The network permits communication and transfer of information between computers on the network.

Morris sought to program the INTERNET worm to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read, so that other programmers would not be able to "kill" the worm easily.

[506] Morris also wanted to ensure that the worm did not copy itself onto a computer that already had a copy. Multiple copies of the worm on a computer would make the worm easier to detect and would bog down the system and ultimately cause the computer to crash. Therefore, Morris designed the worm to "ask" each computer whether it already had a copy of the worm. If it responded "no," then the worm would copy onto the computer; if it responded "yes," the worm would not duplicate. However, Morris was concerned that other programmers could kill the worm by programming their own computers to falsely respond "yes" to the question. To circumvent this protection, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two. This would have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of reinfection.

Morris identified four ways in which the worm could break into computers on the network:

(1) through a "hole" or "bug" (an error) in SEND MAIL, a computer program that transfers and receives electronic mail on a computer;

(2) through a bug in the "finger demon" program, a program that permits a person to obtain limited information about the users of another computer;

(3) through the "trusted hosts" feature, which permits a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and

(4) through a program of password guessing, whereby various combinations of letters are tried out in rapid sequence in the hope that one will be an authorized user's password, which is entered to permit whatever level of activity that user is authorized to perform.

On November 2, 1988, Morris released the worm from a computer at the Massachusetts Institute of Technology. MIT was selected to disguise the fact that the worm came from Morris at Cornell. Morris soon discovered that the worm was replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at numerous installations, including leading universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.

Morris was found guilty, following a jury trial, of violating 18 U.S.C. § 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.

DISCUSSION

I. The intent requirement in section 1030(a)(5)(A)

Section 1030(a)(5)(A), covers anyone who

(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby

(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; ... [emphasis added].

The District Court concluded that the intent requirement applied only to the accessing and not to the resulting damage. [507] Judge Munson found recourse to legislative history unnecessary because he considered the statute clear and unambiguous. However, the Court observed that the legislative history supported its reading of section 1030(a)(5)(A).

Morris argues that the Government had to prove not only that he intended the unauthorized access of a federal interest computer, but also that he intended to prevent others from using it, and thus cause a loss. The adverb "intentionally," he contends, modifies both verb phrases of the section. The Government urges that since punctuation sets the "accesses" phrase off from the subsequent "damages" phrase, the provision unambiguously shows that "intentionally" modifies only "accesses." Absent textual ambiguity, the Government asserts that recourse to legislative history is not appropriate. See Burlington N.R. Co. v. Oklahoma Tax Comm'n, 481 U.S. 454, 461, 107 S.Ct. 1855, 1859, 95 L.Ed.2d 404 (1987); Consumer Product Safety Comm'n v. GTE Sylvania, Inc., 447 U.S. 102, 108, 100 S.Ct. 2051, 2056, 64 L.Ed.2d 766 (1980); United States v. Holroyd, 732 F.2d 1122, 1125 (2d Cir.1984).

With some statutes, punctuation has been relied upon to indicate that a phrase set off by commas is independent of the language that followed. See United States v. Ron Pair Enterprises, Inc., 489 U.S. 235, 241, 109 S.Ct. 1026, 1030, 103 L.Ed.2d 290 (1989) (interpreting the Bankruptcy Code). However, we have been advised that punctuation is not necessarily decisive in construing statutes, see Costanzo v. Tillinghast, 287 U.S. 341, 344, 53 S.Ct. 152, 153, 77 L.Ed. 350 (1932), and with many statutes, a mental state adverb adjacent to initial words has been applied to phrases or clauses appearing later in the statute without regard to the punctuation or structure of the statute. See Liparota v. United States, 471 U.S. 419, 426-29, 105 S.Ct. 2084, 2088-90, 85 L.Ed.2d 434 (1985) (interpreting food stamps provision); United States v. Nofziger, 878 F.2d 442, 446-50 (D.C.Cir.) (interpreting government "revolving door" statute), cert. denied, ___ U.S. ___, 110 S.Ct. 564, 107 L.Ed.2d 559 (1989); United States v. Johnson & Towers, Inc., 741 F.2d 662, 667-69 (3d Cir.1984) (interpreting the conservation act), cert. denied, 469 U.S. 1208, 105 S.Ct. 1171, 84 L.Ed.2d 321 (1985). In the present case, we do not believe the comma after "authorization" renders the text so clear as to preclude review of the legislative history.

The first federal statute dealing with computer crimes was passed in 1984, Pub.L. No. 98-473 (codified at 18 U.S.C. § 1030 (Supp. II 1984)). The specific provision under which Morris was convicted was added in 1986, Pub.L. No. 99-474, along with some other changes. The 1986 amendments made several changes relevant to our analysis.

First, the 1986 amendments changed the scienter requirement in section 1030(a)(2) from "knowingly" to "intentionally." See Pub.L. No. 99-474, section 2(a)(1). The subsection now covers anyone who

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

According to the Senate Judiciary Committee, Congress changed the mental state requirement in section 1030(a)(2) for two reasons. Congress sought only to proscribe intentional acts of unauthorized access, not "mistaken, inadvertent, or careless" acts of unauthorized access. S.Rep. No. 99-432, 99th Cong., 2d Sess. 5 (1986), reprinted in 1986 U.S.Code Cong. & Admin.News 2479, 2483 [hereinafter Senate Report].

Also, Congress expressed concern that the "knowingly" standard "might be inappropriate for cases involving computer technology." Id. The concern was that a scienter requirement of "knowingly" might encompass the acts of an individual "who inadvertently `stumble[d] into' someone else's computer file or computer data," especially where such individual was authorized [508] to use a particular computer. Id. at 6, 1986 U.S.Code Cong. & Admin.News at 2483. The Senate Report concluded that "[t]he substitution of an `intentional' standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another." Id., U.S.Code Cong. & Admin.News at 2484. Congress retained the "knowingly" standard in other subsections of section 1030. See 18 U.S.C. § 1030(a)(1), (a)(4).

This use of a mens rea standard to make sure that inadvertent accessing was not covered is also emphasized in the Senate Report's discussion of section 1030(a)(3) and section 1030(a)(5), under which Morris was convicted. Both subsections were designed to target "outsiders," individuals without authorization to access any federal interest computer. Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. The rationale for the mens rea requirement suggests that it modifies only the "accesses" phrase, which was the focus of Congress's concern in strengthening the scienter requirement.

The other relevant change in the 1986 amendments was the introduction of subsection (a)(5) to replace its earlier version, subsection (a)(3) of the 1984 act, 18 U.S.C. § 1030(a)(3) (Supp. II 1984). The predecessor subsection covered anyone who

knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend, and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer, if such computer is operated for or on behalf of the Government of United States and such conduct affects such operation.

The 1986 version changed the mental state requirement from "knowingly" to "intentionally," and did not repeat it after the "accesses" phrase, as had the 1984 version. By contrast, other subsections of section 1030 have retained "dual intent" language, placing the scienter requirement at the beginning of both the "accesses" phrase and the "damages" phrase. See, e.g., 18 U.S.C. § 1030(a)(1).

Morris notes the careful attention that Congress gave to selecting the scienter requirement for current subsections (a)(2) and (a)(5). Then, relying primarily on comments in the Senate and House reports, Morris argues that the "intentionally" requirement of section 1030(a)(5)(A) describes both the conduct of accessing and damaging. As he notes, the Senate Report said that "[t]he new subsection 1030(a)(5) to be created by the bill is designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another." Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. The House Judiciary Committee stated that "the bill proposes a new section (18 U.S.C. § 1030(a)(5)) which can be characterized as a `malicious damage' felony violation involving a Federal interest computer. We have included an `intentional' standard for this felony and coverage is extended only to outside trespassers with a $1,000 threshold damage level." H.R.Rep. No. 99-612, 99th Cong.2d Sess. at 7 (1986). A member of the Judiciary Committee also referred to the section 1030(a)(5) offense as a "malicious damage" felony during the floor debate. 132 Cong.Rec. H3275, 3276 (daily ed. June 3, 1986) (remarks of Rep. Hughes).

The Government's argument that the scienter requirement in section 1030(a)(5)(A) applies only to the "accesses" phrase is premised primarily upon the difference between subsection (a)(5)(A) and its predecessor in the 1984 statute. The decision to state the scienter requirement only once in subsection (a)(5)(A), along with the decision to change it from "knowingly" to "intentionally," are claimed to evince a clear intent upon the part of Congress to apply the scienter requirement only to the "accesses" phrase, though making that requirement more difficult to satisfy. This reading would carry out the Congressional objective of protecting the individual who "inadvertently `stumble[s] into' someone else's computer file." Senate Report at 6, U.S.Code Cong. & Admin.News at 2483.

[509] The Government also suggests that the fact that other subsections of section 1030 continue to repeat the scienter requirement before both phrases of a subsection is evidence that Congress selectively decided within the various subsections of section 1030 where the scienter requirement was and was not intended to apply. Morris responds with a plausible explanation as to why certain other provisions of section 1030 retain dual intent language. Those subsections use two different mens rea standards; therefore it is necessary to refer to the scienter requirement twice in the subsection. For example, section 1030(a)(1) covers anyone who

(1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data ... with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation.

Since Congress sought in subsection (a)(1) to have the "knowingly" standard govern the "accesses" phrase and the "with intent" standard govern the "results" phrase, it was necessary to state the scienter requirement at the beginning of both phrases. By contrast, Morris argues, where Congress stated the scienter requirement only once, at the beginning of the "accesses" phrase, it was intended to cover both the "accesses" phrase and the phrase that followed it.

There is a problem, however, with applying Morris's explanation to section 1030(a)(5)(A). As noted earlier, the predecessor of subsection (a)(5)(A) explicitly placed the same mental state requirement before both the "accesses" phrase and the "damages" phrase. In relevant part, that predecessor in the 1984 statute covered anyone who "knowingly accesses a computer without authorization, ... and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer...." 18 U.S.C. § 1030(a)(3) (Supp. II 1984) (emphasis added). This earlier provision demonstrates that Congress has on occasion chosen to repeat the same scienter standard in the "accesses" phrase and the subsequent phrase of a subsection of the Computer Fraud Statute. More pertinently, it shows that the 1986 amendments adding subsection (a)(5)(A) placed the scienter requirement adjacent only to the "accesses" phrase in contrast to a predecessor provision that had placed the same standard before both that phrase and the subsequent phrase.

Despite some isolated language in the legislative history that arguably suggests a scienter component for the "damages" phrase of section 1030(a)(5)(A), the wording, structure, and purpose of the subsection, examined in comparison with its departure from the format of its predecessor provision persuade us that the "intentionally" standard applies only to the "accesses" phrase of section 1030(a)(5)(A), and not to its "damages" phrase.

II. The unauthorized access requirement in section 1030(a)(5)(A)

Section 1030(a)(5)(A) penalizes the conduct of an individual who "intentionally accesses a Federal interest computer without authorization." Morris contends that his conduct constituted, at most, "exceeding authorized access" rather than the "unauthorized access" that the subsection punishes. Morris argues that there was insufficient evidence to convict him of "unauthorized access," and that even if the evidence sufficed, he was entitled to have the jury instructed on his "theory of defense."

We assess the sufficiency of the evidence under the traditional standard. Morris was authorized to use computers at Cornell, Harvard, and Berkeley, all of which were on INTERNET. As a result, Morris was authorized to communicate with other computers on the network to send electronic mail (SEND MAIL), and to find out certain information about the users of other computers [510] (finger demon). The question is whether Morris's transmission of his worm constituted exceeding authorized access or accessing without authorization.

The Senate Report stated that section 1030(a)(5)(A), like the new section 1030(a)(3), would "be aimed at `outsiders,' i.e., those lacking authorization to access any Federal interest computer." Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. But the Report also stated, in concluding its discussion on the scope of section 1030(a)(3), that it applies "where the offender is completely outside the Government, ... or where the offender's act of trespass is interdepartmental in nature." Id. at 8, U.S.Code Cong. & Admin.News at 2486 (emphasis added).

Morris relies on the first quoted portion to argue that his actions can be characterized only as exceeding authorized access, since he had authorized access to a federal interest computer. However, the second quoted portion reveals that Congress was not drawing a bright line between those who have some access to any federal interest computer and those who have none. Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers. See, e.g., id. (stating that a Labor Department employee who uses Labor's computers to access without authorization an FBI computer can be criminally prosecuted).

The evidence permitted the jury to conclude that Morris's use of the SEND MAIL and finger demon features constituted access without authorization. While a case might arise where the use of SEND MAIL or finger demon falls within a nebulous area in which the line between accessing without authorization and exceeding authorized access may not be clear, Morris's conduct here falls well within the area of unauthorized access. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.

Moreover, the jury verdict need not be upheld solely on Morris's use of SEND MAIL and finger demon. As the District Court noted, in denying Morris' motion for acquittal,

Although the evidence may have shown that defendant's initial insertion of the worm simply exceeded his authorized access, the evidence also demonstrated that the worm was designed to spread to other computers at which he had no account and no authority, express or implied, to unleash the worm program. Moreover, there was also evidence that the worm was designed to gain access to computers at which he had no account by guessing their passwords. Accordingly, the evidence did support the jury's conclusion that defendant accessed without authority as opposed to merely exceeding the scope of his authority.

In light of the reasonable conclusions that the jury could draw from Morris's use of SEND MAIL and finger demon, and from his use of the trusted hosts feature and password guessing, his challenge to the sufficiency of the evidence fails.

Morris endeavors to bolster his sufficiency argument by contending that his conduct was not punishable under subsection (a)(5) but was punishable under subsection (a)(3). That concession belies the validity of his claim that he only exceeded authorization rather than made unauthorized access. Neither subsection (a)(3) nor (a)(5) punishes conduct that exceeds authorization. Both punish a person who "accesses" "without authorization" certain computers. Subsection (a)(3) covers the computers of a department or agency of the United States; subsection (a)(5) more broadly covers any federal interest computers, defined to include, among other computers, those used exclusively by the United States, 18 U.S.C. § 1030(e)(2)(A), and adds the element of causing damage or loss of use of a value of $1,000 or more. If Morris violated subsection (a)(3), as he concedes, then his conduct in inserting the worm into the INTERNET [511] must have constituted "unauthorized access" under subsection (a)(5) to the computers of the federal departments the worm reached, for example, those of NASA and military bases.

To extricate himself from the consequence of conceding that he made "unauthorized access" within the meaning of subsection (a)(3), Morris subtly shifts his argument and contends that he is not within the reach of subsection (a)(5) at all. He argues that subsection (a)(5) covers only those who, unlike himself, lack access to any federal interest computer. It is true that a primary concern of Congress in drafting subsection (a)(5) was to reach those unauthorized to access any federal interest computer. The Senate Report stated, "[T]his subsection [(a)(5)] will be aimed at `outsiders,' i.e., those lacking authorization to access any Federal interest computer." Senate Report at 10, U.S.Code Cong. & Admin.News at 2488. But the fact that the subsection is "aimed" at such "outsiders" does not mean that its coverage is limited to them. Congress understandably thought that the group most likely to damage federal interest computers would be those who lack authorization to use any of them. But it surely did not mean to insulate from liability the person authorized to use computers at the State Department who causes damage to computers at the Defense Department. Congress created the misdemeanor offense of subsection (a)(3) to punish intentional trespasses into computers for which one lacks authorized access; it added the felony offense of subsection (a)(5) to punish such a trespasser who also causes damage or loss in excess of $1,000, not only to computers of the United States but to any computer within the definition of federal interest computers. With both provisions, Congress was punishing those, like Morris, who, with access to some computers that enable them to communicate on a network linking other computers, gain access to other computers to which they lack authorization and either trespass, in violation of subsection (a)(3), or cause damage or loss of $1,000 or more, in violation of subsection (a)(5).

Morris also contends that the District Court should have instructed the jury on his theory that he was only exceeding authorized access. The District Court decided that it was unnecessary to provide the jury with a definition of "authorization." We agree. Since the word is of common usage, without any technical or ambiguous meaning, the Court was not obliged to instruct the jury on its meaning. See, e.g., United States v. Chenault, 844 F.2d 1124, 1131 (5th Cir.1988) ("A trial court need not define specific statutory terms unless they are outside the common understanding of a juror or are so technical or specific as to require a definition.").

An instruction on "exceeding authorized access" would have risked misleading the jury into thinking that Morris could not be convicted if some of his conduct could be viewed as falling within this description. Yet, even if that phrase might have applied to some of his conduct, he could nonetheless be found liable for doing what the statute prohibited, gaining access where he was unauthorized and causing loss.

Additionally, the District Court properly refused to charge the jury with Morris's proposed jury instruction on access without authorization. That instruction stated, "To establish the element of lack of authorization, the government must prove beyond a reasonable doubt that Mr. Morris was an `outsider,' that is, that he was not authorized to access any Federal interest computer in any manner." As the analysis of the legislative history reveals, Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses.

CONCLUSION

For the foregoing reasons, the judgment of the District Court is affirmed.

[1] The Honorable T.F. Gilroy Daly of the District Court for the District of Connecticut, sitting by designation.

[2] In the colorful argot of computers, a "worm" is a program that travels from one computer to another but does not attach itself to the operating system of the computer it "infects." It differs from a "virus," which is also a migrating program, but one that attaches itself to the operating system of any computer it enters and can infect any other computer that uses files from the infected computer.

8.2.3 Register.com, Inc. v. Verio, Inc. 8.2.3 Register.com, Inc. v. Verio, Inc.

United States District Court for the Southern District of New York
126 F. Supp. 2d 238
No. 00 CIV. 5747(BSJ)
2000-12-08

126 F.Supp.2d 238 (2000)

REGISTER.COM, INC., Plaintiff,
v.
VERIO, INC., Defendant.

No. 00 CIV. 5747(BSJ).

United States District Court, S.D. New York.

December 8, 2000.

[239] [240] Kenneth A. Plevan, Scott D. Brown, Skadden, Arps, William F. Patry, New York City, for Plaintiff Register.com.

[241] Michael A. Jacobs, James E. Hough, Morrison Foerster, New York City, for Defendant Verio.

Order

JONES, District Judge.

Introduction

Plaintiff Register.com, a registrar of Internet domain names, moves for a preliminary injunction against the defendant, Verio, Inc. ("Verio"), a provider of Internet services. Register.com relies on claims under Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a); the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030, as amended; as well as trespass to chattels and breach of contract under the common law of the State of New York. In essence Register.com seeks an injunction barring Verio from using automated software processes to access and collect the registrant contact information contained in its WHOIS database and from using any of that information, however accessed, for mass marketing purposes.

I. Findings of Fact

The Parties

Plaintiff Register.com is one of over fifty domain name registrars for customers who wish to register a name in the .com, .net, and .org top-level domains. As a registrar it contracts with these second-level domain ("SLD") name holders and a registry, collecting registration data about the SLD holder and submitting zone file information for entry in the registry database. In addition to its domain name registration services, Register.com offers to its customers, both directly and through its more than 450 co-branded and private label partners, a variety of other related services, such as (i) web site creation tools; (ii) web site hosting; (iii) electronic mail; (iv) domain name hosting; (v) domain name forwarding, and (vi) real-time domain name management. Register .com has invested over $15 million dollars in equipment, software, service fees, and human resources in designing, developing, and maintaining its website and the computer systems necessary to host Register.com's Internet-based services. (See Gardos Decl. ¶ 6). It has also spent in excess of $25 million on advertising and brand promotion in the year 2000 alone, including through print, radio, and television media. (See Mornell Decl. ¶ 31).

In order to give its customers control over their receipt of commercial solicitations, Register.com provides them with the opportunity to "opt-in" during the domain name registration process to receiving sales and marketing communications from Register.com or its co-brand or private label partners. Customers who do not opt-in to such communications are not solicited by Register.com or its co-brands. Significantly, Register.com's co-brand and private label partners have contracted with Register.com for the right to have their services featured on the www.register.com website. (See Mornell Decl. ¶ 18).

Defendant Verio is one of the largest operators of web sites for businesses and a leading provider of comprehensive Internet services. Although not a registrar of domain names, Verio directly competes with Register.com and its partners to provide registration services and a variety of other Internet services including website hosting and development. Verio recently made a multimillion dollar investment in its computer system and facilities for its expanded force of telephone sales associates in its efforts to "provide recent domain name registration customers with the services they need, at the time they need them." (Eden Decl. ¶ 31).

The WHOIS database

To become an accredited domain name registrar for the .com, .net, and .org domains, all registrars, including Register.com are required to enter into a registrar Accreditation Agreement ("Agreement") with the Internet Corporation for Assigned Names and Numbers [242] ("ICANN").[1] Under that Agreement, Register.com, as well as all other registrars, is required to provide an on-line, interactive WHOIS database. This database contains the names and contact information — postal address, telephone number, electronic mail address and in some cases facsimile number — for customers who register domain names through the registrar. The Agreement also requires Register.com to make the database freely accessible to the public via its web page and through an independent access port called port 43. These query-based channels of access to the WHOIS database allow the user to collect registrant contact information for one domain name at a time by entering the domain name into the provided search engine.[2]

The primary purpose of the WHOIS database is to provide necessary information in the event of domain name disputes, such as those arising from cybersquatting or trademark infringement. (See Rony Decl. ¶ 18, Ex. B to McPherson Decl. at 13). The parties also agree that the WHOIS data may be used for market research.

Specifically, section II.F.5 of Register.com's Accreditation Agreement with ICANN requires that:

In providing query-based public access to registration data as required by Sections II.F.1 and II.F.4, Registrar shall not impose terms and conditions on use of the data provided except as permitted by ICANN-adopted policy. Unless and until ICANN adopts a different policy, Registrar shall permit use of data it provides in response to queries for any lawful purposes except to: (a) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (b) enable high volume, automated, electronic processes that apply to Registrar (or its systems).

(Ex. E to McPherson Decl.) (emphasis added).

Originally Register.com's terms and conditions for users of its WHOIS database were substantially the same. In April 2000, however, Register.com implemented the following more restrictive terms of use governing its WHOIS database:

By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; or (2) enable high volume, automated, electronic processes that apply to Register.com (or its systems). The compilation, repackaging, dissemination or other use of this data is expressly prohibited without the prior [243] written consent of Register.com. Register.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.

(Ex. 27 to Pl.'s Sept. 8, 2000 Motion)(emphasis added).[3]

Verio's Project Henhouse

In late 1999, to better target their marketing and sales efforts toward customers in need of web hosting services and to reach those customers more quickly, Verio developed an automated software program or "robot."[4] With its search robot, Verio accessed the WHOIS database maintained by the accredited registrars, including Register.com, and collected the contact information of customers who had recently registered a domain name. Then, despite the marketing prohibitions in Register.com's terms of use, Verio utilized this data in a marketing initiative known as Project Henhouse and began to contact and solicit Register.com's customers, within the first several days after their registration, by e-mail, regular mail, and telephone.

Verio's Search Robots

In general, the process worked as follows: First, each day Verio downloaded, in compressed format, a list of all currently registered domain names, of all registrars, ending in .com, .net, and .org. That list or database is maintained by Network Solutions, Inc. ("NSI") and is published on 13 different "root zone" servers. The registry list is updated twice daily and provides the domain name, the sponsoring registrar, and the nameservers for all registered names. Using a computer program, Verio then compared the newly downloaded NSI registry with the NSI registry it downloaded a day earlier in order to isolate the domain names that had been registered in the last day and the names that had been removed. After downloading the list of new domain names, only then was a search robot used to query the NSI database to extract the name of the accredited registrar of each new name.[5] That search robot then automatically made successive queries to the various registrars' WHOIS databases, via the port 43 access channels, to harvest the relevant contact information for each new domain name registered. (See Eden Depo. at 26-30; Eden Decl. ¶¶ 36-38). Once retrieved, the WHOIS data was deposited into an information database maintained by Verio. The resulting database of sales leads was then provided to Verio's telemarketing staff.

Marketing History

Beginning in January, 2000, Register.com learned that Verio was e-mailing its customers to solicit business. Register.com through its Director of Strategic Initiatives Lauren Gaviser complained to Eric Eden, Director of Sales and Channel Operations of Verio, citing an e-mail received by a customer which identified Verio as the sender but stated "[b]y now you [244] should have received an email from us confirming the registration of your domain name(s) ... you have taken the first step towards having your own website ... the next step is to set up a hosting account ..." (Ex. 4 to Pl.'s Sept. 8, 2000 Motion). Gaviser advised Eden that the e-mail had misled the customer into thinking that Verio had an affiliation with or sponsorship from Register.com. (See Ex. 5 to Pl.'s Sept. 8, 2000 Motion). Eden replied that "our intention is not to mislead people. The e-mail that was sent resulted from a system problem." Id. He promised to correct it.

Register.com continued to get complaints about e-mail and telephone solicitations by Verio from its customers and co-brand partners through January. In March 2000 Gaviser again contacted Eden to complain that Register.com was still receiving numerous complaints, including that a number of telephone messages similar to the following were left with Register.com customers: "This is [name of telemarketer] calling from Verio regarding the registration of [customer's domain name]. Please contact me at your earliest convenience." (Ex. 44 to Pl.'s Sept. 8, 2000 Motion).

On May 5, 2000 Register.com's lawyers wrote to Verio's General Counsel requesting that Verio immediately cease and desist from this marketing conduct. Register.com complained generally that the use of its mark as well as the timing of the solicitations was harming its good will and specifically warned Verio that it was violating the terms of use it had agreed to in submitting its WHOIS queries by sending "mass unsolicited, commercial advertising or solicitations via e-mail (spam)." (Ex. E to McPherson Decl.).

On May 9, 2000 Verio, through an Associate Counsel, communicated that it had stopped using the Register.com mark or any other similar mark or phrase which would lead to confusion and had ceased accessing the WHOIS database for the purpose of marketing through e-mail. (See Ex. 7 to Pl.'s Sept. 8, 2000 Motion). In an effort to confirm settlement of the dispute, Register.com's lawyers sent Verio a terms letter for it to sign and acknowledge. In that letter Register.com specifically required Verio to cease use of the WHOIS database for not just e-mail marketing, but also direct mail and telemarketing. Verio refused to sign and although it ceased e-mail solicitation, it continued to use the WHOIS contact information for telemarketing purposes into July 2000. (See Ex. 14 to Pl.'s Sept. 8, 2000 Motion, Ayers Depo. at 56).

Accordingly, Register.com commenced this lawsuit and moved for a temporary restraining order and preliminary injunction on August 3, 2000. On August 4, 2000, Verio sought expedited discovery and agreed on August 9, 2000 to enter into a stipulated temporary restraining order with Register.com which prevents it from accessing Register.com's WHOIS database by using a search robot and prevents Verio from using any data obtained from Register.com to solicit Register.com's customers. Prior to the Court's September 15, 2000 hearing, the Court asked ICANN to submit an amicus curiae brief outlining its position with respect to the parties' dispute. The Court granted the parties' request to respond to ICANN's brief, which responses were received on September 28, 2000.

II. Discussion

This dispute centers on both Verio's end use of the WHOIS data and its use of the automated search robot. While Register.com acknowledges its obligation to provide public access to its customers' contact information, it has developed "terms of use" which prohibit third parties, such as Verio, from using the contact information for any mass marketing purpose — whether by e-mail, regular mail or telephone. Register.com also argues that the use of automated software to access the WHOIS database violates its terms of use and harms its computer systems.

[245] Verio admits both the use of the WHOIS data for marketing purposes and the use of the search robot. Verio also concedes that its end use of the information violates the marketing restriction imposed by Register.com, but argues that this restriction should not be enforced because — at a minimum — direct mail and telephone marketing are permissible uses under the terms of the Accreditation Agreement Register.com signed with ICAAN.[6] Verio argues that by imposing these impermissible anti-marketing restrictions Register.com is in breach of that Agreement. Verio also argues that the use of the robot is not prohibited by Register.com's terms of use and claims that Register.com has not proven that the robot causes any harm, let alone irreparable harm, to Register.com's computer systems.

III. Standard For Injunctive Relief

In order to obtain a preliminary injunction, a plaintiff must demonstrate both (1) that it will suffer irreparable harm if the motion is not granted and (2) either (a) a likelihood that it will succeed on the merits of the action or (b) a sufficiently serious question going to the merits of the litigation and the balance of hardships tipping decidedly in plaintiff's favor. See L. & J.G. Stickley, Inc. v. Canal Dover Furniture Co., 79 F.3d 258, 261-62 (2d Cir.1996).

The purpose of a preliminary injunction is to keep the parties, while the suit is pending, as much as possible in the respective positions they occupied when the suit began and to preserve the Court's ability to render a meaningful decision after a trial on the merits. See WarnerVision Entertainment v. Empire of Carolina, Inc., 101 F.3d 259, 261-62 (2d Cir.1996). A preliminary injunction is an extraordinary and drastic measure that should not be routinely granted, see Mazurek v. Armstrong, 520 U.S. 968, 117 S.Ct. 1865, 138 L.Ed.2d 162 (1997), because it is "one of the most drastic tools in the arsenal of judicial remedies." Hanson Trust PLC v. SCM Corp., 774 F.2d 47, 60 (2d Cir.1985). The granting of a preliminary injunction is within the equitable discretion of the trial judge. Societe Comptoir De L'Industrie Cotonniere Etablissements Boussac v. Alexander's Dep't Stores, Inc., 299 F.2d 33 (2d Cir.1962).

IV. Register.com's Claims

The heart of Verio's defense is that this Court should refuse to enforce Register.com's terms of use. Accordingly, the Court turns to a discussion of Register.com's breach of contract claim.

A. Breach of Contract

Register.com imposes conditions on the access to and end use of data contained in its WHOIS database. It publishes those terms of use on the home page of its Internet website and conditions entry into the WHOIS database on assent to those terms. As noted above, Verio concedes that it violated Register.com's posted restriction on the use of WHOIS data for direct mail and telephone marketing purposes. Verio contends however that violating Register.com's restrictions on the use of WHOIS data for marketing purposes did not constitute a breach of contract for two reasons. First, Verio argues that the promises Register.com made to ICANN in the Agreement have created a privilege in Verio to access the WHOIS database, and that it may interpose the Agreement as a defense to any claim by [246] Register .com that Verio violated an access or use restriction broader than those permitted in the Accreditation Agreement. Second, Verio argues that even if Register.com's terms of use are enforceable, Verio has never manifested any assent to those terms. Neither defense is availing.

With respect to Verio's first argument, the ICANN Accreditation Agreement specifically disclaims any intention to vest rights in a third-party beneficiary. Section II.S.2 of the Agreement reads: "No Third-Party Beneficiaries. This Agreement shall not be construed to create any obligation by either ICANN or Registrar to any non-party to this agreement, including any SLD holder." (Ex. 27 to Pl.'s Sept. 8, 2000 Motion). Verio argues that while II.S.2 might prevent it from using the Agreement as the basis for a contract cause of action against Register.com, II.S.2 does not foreclose the possibility that the contract grants Verio a defense to this cause of action by creating a privilege or immunity in Verio to access the WHOIS data free from any restrictions which would violate Register.com's promises to ICANN.

However, the authority cited by Verio in support of this argument is unpersuasive. Verio cites 4 Corbin on Contracts § 780 at 67-70, Rochester Tel. Co. v. Ross, 195 N.Y. 429, 88 N.E. 793 (1909), Continental Corp. v. Gowdy, 283 Mass. 204, 186 N.E. 244 (1933), Fidelity-Phenix Fire Ins. Co. of New York v. Forest Oil Corp., 141 So.2d 841 (La.Ct.App.1962) and Baurer v. Devenes, 99 Conn. 203, 121 A. 566 (1923). Most importantly, as Register.com has pointed out, none of the authority cited by Verio addresses a contract containing a clause similar to II.S.2 of the Agreement specifically disclaiming any intention to benefit a third party. The Accreditation Agreement, unlike the agreements discussed in the above-cited cases, is clear and unambiguous, and creates no right in Verio to breach its agreement to abide by Register.com's terms of use for accessing its WHOIS data. Moreover, the cases are distinguishable on other grounds as well.

Rochester Tel. Co. v. Ross, 195 N.Y. 429, 88 N.E. 793 (1909) involved a telephone company which, in consideration for being granted a monopolistic franchise to provide telephone service in Rochester, agreed with the city franchisor not to charge subscribers more than $48 per year. Public utilities such as telephone companies occupy a different position than other private companies by virtue of their monopolistic position and by virtue of the necessity of the service they provide. The Restatement (Second) of Torts § 259 (1965) provides that:

One who has a right to the use of a facility of a public utility is privileged to make any reasonable use of the chattels of the utility that is or is reasonably believed to be necessary to the enjoyment of the facility.

Although Verio does make the argument that it is privileged to access Register.com's WHOIS database, Verio has not specifically argued that the port 43 access facility is a public utility[7] similar to telephone service. Even if Verio were to make that argument, it would fail. Comment (a) to § 259 defines a public utility as:

[A] person, corporation, or other association carrying on an enterprise for the accommodation of the public, the members of which have the right as such to use its facilities. Instances of a public utility are common carriers, common innkeepers, telegraph and telephone companies, and gas and electric light companies.

New York courts define a public utility as:

A privately owned and operated business ... which is engaged in regularly supplying the public with some commodity or service which is of public consequence [247] [and] need ... The test for determining if a concern is a public utility is whether it has held itself out as ready, able and willing to serve the public.

See City of New York v. New York State Dept. of Health, 164 Misc.2d 247, 623 N.Y.S.2d 491, 496 (1995) (citing Black's Law Dictionary, 1232 (6th Ed.1990)). The provision of port 43 access to WHOIS data is not "a commodity or service which is of public consequence and need" and therefore Register.com is not acting as a public utility in agreeing to provide port 43 access. Cf. Island Online, Inc. v. Network Solutions, Inc., 119 F.Supp.2d 289, 306-07 (E.D.N.Y.2000) (noting that "the Internet is, by no stretch of the imagination, a traditional and exclusive public function. For most of its history, its growth and development have been nurtured by and realized through private action."); CompuServe, Inc. v. Cyber Promotions, Inc., 962 F.Supp. 1015, 1024 (S.D.Ohio 1997) (holding that under Ohio law, public utility analysis demands that the entity "devote[] an essential good or service to the general public" and holding that defendant had not demonstrated that Internet service provider qualified as public utility). Accordingly, Verio has no privilege on that basis to breach its agreement to abide by Register.com's WHOIS terms of use.

In Continental Corp. v. Gowdy, 283 Mass. 204, 186 N.E. 244 (1933), the Court permitted the directors of a corporation to interpose a bond contract to which they were not a party as a defense to an action on the bonds. However, the bonds indicated on their face that they were without recourse to the directors, and thereby specifically provided for the defense asserted. Gowdy therefore is factually and analytically distinguishable from this case, where no defense was specifically provided to Verio and indeed the Agreement specifically states that it creates duties solely between the parties. Fidelity-Phenix Fire Ins. Co. of New York v. Forest Oil Corp., 141 So.2d 841 (La.Ct.App.1962) is analytically similar to Gowdy and therefore provides no support to Verio's position. See generally id. (allowing non-party to insurance contract to enforce insurer's explicit waiver of subrogation rights).

Accordingly, the Agreement does not grant Verio a defense to Register.com's breach of contract claim for Verio's violation of the terms of use restrictions Register.com places on access to its WHOIS database.[8]

Reasoning that the terms of the Accreditation Agreement represent quasi-regulatory standards, Verio argues that Register.com's more restrictive terms of use also violate public policy. This argument must fail because ICANN is not a governmental body. No government entity has undertaken to regulate the Internet and no statutory scheme exists to provide the framework for Verio's policy arguments. See CompuServe, 962 F.Supp. at 1026. Rather, as discussed above, the Department of Commerce's establishment of ICANN signified a movement away from nascent public regulation of the Internet and toward a consensus-based private ordering regime. Indeed, the Department of Commerce's Statement of Policy on the Management of Internet Names and Addresses, also known as the "White Paper," expressly states:

[T]he Department of Commerce has determined that it should issue a general statement of policy, rather than define or impose a substantive regulatory regime for the domain name system. As such, this policy statement is not a substantive rule, does not contain mandatory [248] provisions, and does not itself have the force and effect of law.

(Ex. B. to McPherson Decl.). Accordingly, the Accreditation Agreement represents a private bargain between ICANN and Register.com and does not provide Verio with any privilege or defense.

Nor can Verio argue that it has not assented to Register.com's terms of use. Register.com's terms of use are clearly posted on its website. The conclusion of the terms paragraph states "[b]y submitting this query, you agree to abide by these terms." (Ex. 27 to Pl.'s Sept. 8, 2000 Motion). Verio does not argue that it was unaware of these terms, only that it was not asked to click on an icon indicating that it accepted the terms. However, in light of this sentence at the end of Register.com's terms of use, there can be no question that by proceeding to submit a WHOIS query, Verio manifested its assent to be bound by Register.com's terms of use, and a contract was formed and subsequently breached.

Register.com alleges that the breach has resulted in irreparable harm: in lost opportunities to sell competing services to its opt-in customers, and to its reputation and good will with customers and co-brand partners, who have threatened to take their business elsewhere if Register.com cannot protect the WHOIS contact information.

The classic remedy for breach of contract is an action at law for monetary damages. If the injury complained of can be compensated by an award of monetary damages, then an adequate remedy at law exists and no irreparable injury may be found as a matter of law. However, the Second Circuit has recognized that even where damages are available, irreparable harm may be found where those damages are clearly difficult to assess and measure. The Second Circuit Court's opinion Ticor Title Ins. Co. v. Cohen, 173 F.3d 63, 69 (2d Cir.1999) captures precisely why damages in this case are incalculable and the harm resulting from the breach is irreparable. The Court wrote, in finding irreparable harm resulting from the breach of a covenant not to compete in an employment contract, "[i]nitially, it would be very difficult to calculate monetary damages that would successfully redress the loss of a relationship with a client that would produce an indeterminate amount of business in years to come." See id. at 69.

Neither this Court nor the parties to this action could calculate with any precision the amount of the monetary loss which has resulted and which would result in the future from the loss of Register.com's relationships with customers and co-brand partners. Register.com has therefore demonstrated that Verio's past and future breaches have resulted and will result in irreparable harm. See also Gulf & Western Corp. v. Craftique Productions, Inc., 523 F.Supp. 603, 607 (1981) ("even in situations where damages are available, irreparable harm may be found if damages are `clearly difficult to assess and measure.'") (citing Danielson v. Local 275, Laborers Int'l Union of North America, 479 F.2d 1033, 1037 (2d Cir.1973)).

Register.com has demonstrated both a likelihood of success on the merits of its breach of contract claim with respect to Verio's use of WHOIS data for marketing purposes, and has demonstrated irreparable harm resulting from the breach. Accordingly, it is entitled to an injunction against any future use by Verio of information taken from its WHOIS database for marketing by e-mail, direct mail or telephone.[9]

B. Trespass To Chattels

Register.com argues that Verio's use of an automated software robot to search the "WHOIS" database constitutes trespass to chattels. Register.com states that it has made its computer system available on the Internet, and that "Verio has used `software automation' to flood that computer [249] system with traffic in order to retrieve the contact information of Register.com customers for the purpose of solicitation in knowing violation of Register.com's posted policies and terms of use." (Pl.'s Mem. of Law at 36.)

The standard for trespass to chattels in New York is based upon the standard set forth in the Restatement of Torts:

One who uses a chattel with the consent of another is subject to liability in trespass for any harm to the chattel which is caused by or occurs in the course of any use exceeding the consent, even though such use is not a conversion.

City of Amsterdam v. Goldreyer, Ltd., 882 F.Supp. 1273 (E.D.N.Y.1995) (citing Restatement (Second) of Torts, § 256 (1965)).

As an initial matter, the Court does not believe that Register.com's terms of use forbid the particular use of the search robot at issue here. Register.com's posted policies and terms of use require a party who seeks access to its WHOIS database to agree that it will not "use this data to ... enable high volume, automated, electronic processes that apply to Register.com (or its systems)." Register.com argues that use of a search robot is prohibited by that term of use. The Court disagrees.

The terms state that under no circumstances may one "use this data [the WHOIS data] to ... enable high volume, automated, electronic processes that apply to Register.com." The temporal aspect of this term is important because it only bars future automated processes. Although Verio uses an automated process to collect the WHOIS data, it does not then use the collected data to enable an automated process that applies to Register.com's systems. Once Verio's software robot secures the WHOIS information from Register.com's systems, it has completed its automated process with respect to Register.com's systems. The robot does not then use that WHOIS data to "enable high volume, automated, electronic processes that apply to Register.com (or its systems)," it simply deposits the data into a database.

However, despite the fact that Register.com's terms of use may not specifically forbid this use of a search robot by Verio and such use does not therefore constitute a breach of contract, it is clear since at least the date this lawsuit was filed that Register.com does not consent to Verio's use of a search robot, and Verio is on notice that its search robot is unwelcome. (Pl.'s V.C. ¶ 36)

Accordingly, Verio's future use of a search robot to access the database exceeds the scope of Register.com's consent, and Verio is liable for any harm to the chattel (Register.com's computer systems) caused by that unauthorized access. See CompuServe, 962 F.Supp. at 1024 (holding that defendants' continued use after CompuServe notified defendants that it no longer consented to the use of its proprietary computer equipment was a trespass) (citing Restatement (Second) of Torts §§ 252 and 892A(5)).

Having established that Verio's access to its WHOIS database by robot is unauthorized, Register.com must next demonstrate that Verio's unauthorized access caused harm to its chattels, namely its computer system. To that end, Robert Gardos, Register.com's Vice President for Technology, submitted a declaration estimating that Verio's searching of Register.com's WHOIS database has resulted in a diminishment of 2.3% of Register.com's system resources. (See Gardos Decl. ¶ 32.) However, during discovery, the basis for Gardos' estimations of the impact Verio's search robot had on Register.com's computer systems was thoroughly undercut. Gardos admitted in his deposition that he had taken measurements of neither the capacity of Register.com's computer systems nor the portion of that capacity which was consumed by Verio's search robots. Furthermore, when describing how he arrived [250] at his conclusion that Verio's search robots occupied a certain percentage of Register.com's systems capacity, Mr. Gardos testified that the numbers he used were "all rough estimates." (Gardos Depo. at 76).

Although Register.com's evidence of any burden or harm to its computer system caused by the successive queries performed by search robots is imprecise, evidence of mere possessory interference is sufficient to demonstrate the quantum of harm necessary to establish a claim for trespass to chattels. "A trespasser is liable when the trespass diminishes the condition, quality, or value of personal property." EBay, Inc. v. Bidder's Edge, Inc., 100 F.Supp.2d 1058, 1071 (N.D.Cal.2000) (citing CompuServe, 962 F.Supp. at 1022). "The quality or value of personal property may be `diminished even though it is not physically damaged by defendant's conduct.'" Id. Though it does correctly dispute the trustworthiness and accuracy of Mr. Gardos' calculations, Verio does not dispute that its search robot occupies some of Register.com's systems capacity.

Although Register.com was unable to directly measure the amount by which its systems capacity was reduced, the record evidence is sufficient to establish the possessory interference necessary to establish a trespass to chattels claim. As the eBay Court wrote:

BE argues that its searches present a negligible load on plaintiff's computer systems, and do not rise to the level of impairment to the condition or value of eBay's computer system required to constitute a trespass. However, it is undisputed that eBay's server and its capacity are personal property, and that BE's searches use a portion of this property. Even if, as BE argues, its searches only use a small amount of eBay's computer system capacity, BE has nonetheless deprived eBay of the ability to use that portion of its personal property for its own purposes. The law recognizes no such right to use another's personal property. Accordingly, BE's actions appear to have caused injury to eBay and appear likely to continue to cause injury to eBay.

(100 F.Supp.2d at 1071.) (emphasis added).

Furthermore, Gardos also noted in his declaration "if the strain on Register.com's resources generated by Verio's searches becomes large enough, it could cause Register.com's computer systems to malfunction or crash" and "I believe that if Verio's searching of Register.com's WHOIS database were determined to be lawful, then every purveryor of Internet-based services would engage in similar conduct." (Gardos Decl. ¶¶ 33, 34). Gardos' concerns are supported by Verio's testimony that it sees no need to place a limit on the number of other companies that should be allowed to harvest data from Register.com's computers. (See Ayers Depo. at 71). Furthermore, Verio's own internal documents reveal that Verio was aware that its robotic queries could slow the response times of the registrars' databases and even overload them. (See Ex. 29 & to Pl.'s Sept. 8, 2000 Motion). Because of that possibility, Verio contemplated cloaking the origin of its queries by using a process called IP aliasing. (See id.; see also Ex. 64 to Pl.'s Sept. 8, 2000 Motion).

Accordingly, Register.com's evidence that Verio's search robots have presented and will continue to present an unwelcome interference with, and a risk of interruption to, its computer system and servers is sufficient to demonstrate a likelihood of success on the merits of its trespass to chattels claim.

There is no adequate remedy at law for an ongoing trespass and without an injunction the victim of such a trespass will be irreparably harmed. The eBay court specifically held that eBay was entitled to preliminary injunctive relief based on the claim that if such relief were denied, other companies would be encouraged to deploy search robots against eBay's servers and would further diminish eBay's server capacity [251] to the point of denying effective access to eBay's customers. See id. at 1071-72.

The same reasoning applies here. Register.com, through Mr. Gardos, has expressed the fear that its servers will be flooded by search robots deployed by competitors in the absence of injunctive relief. Register.com has therefore demonstrated both a likelihood of success on the merits of its trespass to chattels claim and the existence of irreparable harm, and is entitled to a preliminary injunction against Verio based upon that claim.

C. Computer Fraud And Abuse Act §§ 1030(a)(2)(C) and (a)(5)(C)

The issue of the scope of Verio's authorization to access the WHOIS database is also central to the Court's analysis of Register.com's claims that Verio is violating two discrete provisions of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq.[10]

Register.com claims both that the use of software robots to harvest customer information from its WHOIS database in violation of its terms of use violates 18 U.S.C. §§ 1030(a)(2)(C) and (a)(5)(C), and that using the harvested information in violation of Register.com's policy forbidding the use of WHOIS data for marketing also violates those sections. That is, that both Verio's method of accessing the WHOIS data and Verio's end uses of the data violate the CFAA.

1. Verio's Use of Search Robots

Both §§ 1030(a)(2)(C) and (a)(5)(C) require that the plaintiff prove that the defendant's access to its computer system was unauthorized, or in the case of § 1030(a)(2)(C) that it was unauthorized or exceeded authorized access. However, although each section requires proof of some degree of unauthorized access, each addresses a different type of harm. Section 1030(a)(2)(C) requires Register.com to prove that Verio intentionally accessed its computers without authorization and thereby obtained information. Section 1030(a)(5)(C) requires Register.com to show that Verio intentionally accessed its computer without authorization and thereby caused damage.

As discussed more fully in the context of the trespass to chattels claim, because Register.com objects to Verio's use of search robots they represent an unauthorized access to the WHOIS database.

The type of harm that Register.com alleges is caused by the search robots, including diminished server capacity and potential system shutdowns, is better analyzed under § 1030(a)(5)(C), which specifically addresses damages to the computer system. Pursuant to the pertinent part[11] of § 1030(e)(8), "the term `damage' means any impairment to the integrity or availability of data, a program, a system, or information that (A) causes loss aggregating at least $5000 in value during any 1-year period to one or more individuals."

On this record Register.com has demonstrated that Verio's unauthorized use of search robots to harvest registrant contact information from Register.com' WHOIS database has diminished server capacity, however slightly, and could diminish response time, which could impair the availability of data to clients trying to get registrant contact information. Moreover, Register.com has raised the possibility that if Verio's robotic queries of Register.com's WHOIS database were determined [252] to be lawful, then other vendors of Internet services would engage in similar conduct. This Court finds that it is highly probable that other Internet service vendors would also use robots to obtain this potential customer information were it to be permitted. The use of the robot allows a marketer to reach a potential client within the first several days of the domain name registration, an optimal time to solicit the customer for other services. In contrast, if instead of using a search robot the service vendor obtains registrant contact information pursuant to a bulk license, the vendor must wait to receive the information on a weekly basis. As Eric Eden, the director of operation Henhouse wrote in an e-mail to a Verio employee "[c]onsistent testing has found that the faster we approach someone after they register a domain name, the more likely we are to sell them hosting." (Ex. 40 to Pl.'s Sept. 8, 2000 Motion).

If the strain on Register.com's resources generated by robotic searches becomes large enough, it could cause Register.com's computer systems to malfunction or crash. Such a crash would satisfy § 1030(a)(5)(C)'s threshold requirement that a plaintiff demonstrate $5000 in economic damages[12] resulting from the violation, both because of costs relating to repair and lost data and also because of lost good will based on adverse customer reactions.

A potential harm which cannot be addressed by a legal or equitable remedy following a trial, such as the loss of customers that might result from a system shutdown or slowed response times complained of here, constitutes an irreparable injury. See Instant Air Freight Co. v. C.F. Air Freight, Inc., 882 F.2d 797, 799-800 (3rd Cir.1989); Cyber Promotions, Inc. v. Apex Global Info. Services, 1997 WL 634384, at *2 (E.D.Pa.1997). A showing that a plaintiff may suffer a substantial loss of business if relief is not granted meets the standards for interim relief. See Doran v. Salem Inn, 422 U.S. 922, 95 S.Ct. 2561, 45 L.Ed.2d 648 (1975).

Because Register.com has demonstrated that Verio's access to its WHOIS database by means of an automated search robot is unauthorized and caused or could cause $5000 in damages by impairing the availability of data or the availability of its computer systems, Register.com has established both irreparable harm and a likelihood of success on the merits of its claim that Verio's use of the search robot violated § 1030(a)(5)(C) of the Computer Fraud And Abuse Act. Register.com is therefore entitled to injunctive relief based upon this claim.

2. Verio's Use of WHOIS Data For Marketing Purposes

With respect to its use of Register.com's WHOIS data for e-mail, direct mail and telephone marketing, Verio argues that such an act can only be analyzed under § 1030(a)(2)(C)'s provision assessing liability where a party exceeds authorized access and obtains information it is not entitled to obtain. Verio argues that because it is authorized to access the WHOIS database for some purposes its access was authorized. Verio then argues that its conduct must meet the Act's specific definition of conduct that "exceeds authorized [253] access." Pursuant to the definition contained in § 1030(e)(6) of the CFAA, "the term `exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter." 18 U.S.C. § 1030(e)(6) (emphasis added). Verio then argues that this definition does not contemplate a violation of end use restrictions placed on data as "exceeding authorized access," and therefore that Verio has not violated § 1030(a)(2)(C).

Again, neither party disputes that Verio is not authorized under Register.com's terms of use to use the data for mass marketing purposes, and neither party disputes that Verio is authorized to obtain the data for some purposes. However, Verio's distinctions between authorized access and an unauthorized end use of information strike the Court as too fine. First, the means of access Verio employs, namely the automated search robot, is unauthorized. Second, even if Verio's means of access to the WHOIS database would otherwise be authorized, that access would be rendered unauthorized ab initio by virtue of the fact that prior to entry Verio knows that the data obtained will be later used for an unauthorized purpose.

Accordingly, the Court finds that Verio's access to the WHOIS database was unauthorized and that Verio violated § 1030(a)(2)(C) by using that unauthorized access to obtain data for mass marketing purposes. As discussed above, the harvesting and subsequent use of that data has caused and will cause Register.com irreparable harm. Therefore, because Register.com has demonstrated a likelihood of success on the merits of its claim that Verio's use of its WHOIS data for mass marketing purposes violates § 1030(a)(2)(C) of the Computer Fraud And Abuse Act and has demonstrated irreparable harm stemming from that violation, Register.com is entitled to injunctive relief based on that claim.

D. Lanham Act

Section 43(a) of the Lanham Act prohibits any false designation of origin which

is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval of his or her goods, services, or commercial activities with another person.

15 U.S.C. § 1125(a)(1). In order to prove its Lanham act claims, Register.com must demonstrate that it has a valid mark entitled to protection and that Verio's conduct is likely to cause confusion concerning the source or sponsorship of Verio's services. See, e.g., Morningside Group Ltd. v. Morningside Capital Group, L.L.C., 182 F.3d 133, 137 (2d Cir.1999).

Verio does not dispute that Register.com has a valid and protectible mark. It does however dispute Register.com's claims that its customers were or will continue to be confused about Verio's relationship to Register.com because of Verio's marketing practices. Verio also argues that if confusion occurred or is likely to occur in the future, it is not the type of confusion actionable under the Lanham Act.

To begin with, Verio's solicitation of Register.com's customers evolved over the course of project Henhouse. Initially, some of Verio's e-mail solicitations mentioned Register.com's name and contained the phrase "first step," which is similar to "first step on the web," a phrase for which Register.com has sought trademark protection. (See, e.g., Ex. 14 to Pl.'s Sept. 8, 2000 Motion). These e-mails, because they use Register.com's marks, were clearly likely to cause confusion as to whether there was some affiliation or sponsorship between Verio and Register.com, and therefore violated the Lanham Act. And, by a letter dated May 9, 2000, Verio agreed not to refer to the Register.com mark or any other similar mark in its future solicitations.

[254] Register.com maintains that even without these references, Verio's subsequent solicitations violated the Lanham Act. While Verio's later phone solicitations did not mention the Register.com or "first step" marks, they did indicate that the caller from Verio was calling "regarding your recently registered domain name" or "regarding the registration of [domain name]. Please contact me at your earliest convenience ... If I don't hear from you in a couple days, I will call back." (See Exs. 44 & 45 to Pl.'s Sept. 8, 2000 Motion). Whether these solicitations violate the Lanham Act is a closer question. Although Verio does not employ any of Register .com's marks in these communications, the Court finds that the phrasing does create the impression that the reason for the call is related to the registration of the domain name, rather than the solicitation of web hosting services for the new domain name. The Court also finds that the impression that Verio telemarketers are calling because of some problem with the domain name registration could lead to confusion with respect to whether there is some affiliation or sponsorship between Verio and Register.com. In fact, Register.com presented evidence of actual customer confusion stemming from this practice. (See Pl.'s Ex. 12 "The telephone message seemed to me to imply that there was some problem with the name I had just registered"). Accordingly, such phrasing violates the Lanham Act.

Register.com also seems to claim that Verio's solicitations violate the Lanham Act regardless of their content because of the short time between the customers' registration of a domain name with Register.com and the solicitation by Verio. Register.com alleges that because of the timing its customers are under the mistaken impression that Verio is affiliated with Register.com and because of that give greater consideration to these solicitations than they otherwise would.

However, to make out a claim under § 43(a) sufficient to entitle it to injunctive relief, Register.com must show that (1) Verio makes material misrepresentations about the nature, characteristics or geographic origin of its services; (2) it uses the false or misleading representations "in commerce" (3) it makes the representations in the context of commercial advertising or commercial promotion; and (4) that Register.com is likely to be damaged by the misrepresentations. See Towers Financial Corp. v. Dun & Bradstreet, Inc., 803 F.Supp. 820, 823 (S.D.N.Y.1992) (citing McNeil-P.C.C., Inc. v. Bristol-Myers Squibb Co., 938 F.2d 1544, 1548-49 (2d Cir.1991)); National Artists Management Co. v. Weaving, 769 F.Supp. 1224, 1230 (S.D.N.Y.1991); McCarthy on Trademarks, § 27.04(1)(a).

Register.com cannot claim that rapid timing alone constitutes a violation of the Lanham Act where Verio neither makes a false or misleading representation about the origin of its services nor uses Register.com's mark in its solicitations. See Holiday Inns, Inc. v. 800 Reservation, Inc., 86 F.3d 619, 625 (6th Cir.1996) ("the defendants' use of a protected mark or their use of a misleading representation is a prerequisite to the finding of a Lanham Act violation."). It is not enough that Register.com's customers might be confused as to any affiliation between Register.com and Verio because of Verio's rapid solicitation. To state a claim under § 43(a), Register.com must show not only that its customers are confused, but that they have been misled by some representation made by Verio.

Register.com is correct that some of Verio's solicitations were in the past misleading on their face and violated the Lanham Act. Register.com is also correct that some of Verio's more recent solicitations, although they did not use any protected mark, created confusion as to whether Verio was calling because of some problem with the customer's domain name registration, which resulted in confusion with respect to whether Verio and Register.com were affiliated in any way. Accordingly, [255] the Court finds on the current record that Register.com is likely to succeed on the merits of its claims of unfair competition and false designation of origin under § 43(a) of the Lanham Act with respect to any e-mail, telephone, or direct mail solicitation that uses the "Register.com" or "first step on the Web" marks or any similar marks. Register.com is also likely to succeed on Lanham Act claims claims based on Verio's solicitations that suggest that Verio is calling with regard to the registration of the domain name or any problem arising from that registration. As more fully discussed in the context of the breach of contract claim, these Lanham Act violations may result in the irreparable harm of lost client relationships.

Accordingly, the Court enjoins Verio from any future use in its e-mail, direct mail, or telephone solicitations of the marks Register.com or "first step on the web" or any similar mark. Furthermore, the Court enjoins Verio from indicating in any affirmative way that it is calling regarding the registration of the customer's domain name, rather than in regard to the provision of web-hosting or other services related to the domain name.

V. Injunction

For the foregoing reasons and pursuant to Fed.R.Civ.P. 65, it is hereby ORDERED, that pending a final decision on the merits of plaintiff's claims, defendant Verio Inc., its officers, agents, servants, employees, successors and assigns, all persons acting in concert or participation with Verio, and/or acting on its behalf or at its direction (collectively, "Verio"), are enjoined from engaging in the following activities:

1. Using or causing to be used the "Register.com" mark or the "first step on the web" mark or any other designation similar thereto, on or in connection with the advertising, marketing, or promotion of Verio and/or any of Verio's services;

2. Representing, or committing any act which is calculated to or is likely to cause third parties to believe that Verio and/or Verio's services are sponsored by, or have the endorsement or approval of Register.com;

3. Accessing Register.com's computers and computer networks in any manner, including, but not limited to, by software programs performing multiple, automated, successive queries, provided that nothing in this Order shall prohibit Verio from accessing Register.com's WHOIS database in accordance with the terms and conditions thereof; and

4. Using any data currently in Verio's possession, custody or control, that using its best efforts, Verio can identify as having been obtained from Register.com's computers and computer networks to enable the transmission of unsolicited commercial electronic mail, telephone calls, or direct mail to the individuals listed in said data, provided that nothing in this Order shall prohibit Verio from (i) communicating with any of its existing customers, (ii) responding to communications received from any Register.com customer initially contacted before August 4, 2000, or (iii) communicating with any Register.com customer whose contact information is obtained by Verio from any source other than Register.com's computers and computer networks.

VI. Bond

Pursuant to Fed.R.Civ.P. 65(c), plaintiff is ordered to provide security in the amount of $250,000.

SO ORDERED.

[1] ICANN was created in 1998 to assume the U.S. Government's responsibilities for the management of the Internet Domain Name System ("DNS"). It is a private, not-for-profit corporation initiated by the Department of Commerce to privatize the Domain Name System in a manner that increases competition and facilitates international participation in its management. (See Ex. B to McPherson Decl.). Network Solutions, Inc. ("NSI") formerly enjoyed a monopoly as the only domain name registrar. NSI still operates and maintains the top-level domain name servers and zone files which enable the other registrars to access the DNS and to transmit domain name registration information for the .com, .net, and .org top level domain names to the System.

[2] The Agreement also obligates Register.com to provide third parties with bulk access to the same WHOIS data pursuant to a license agreement. The bulk access license entitles the licensee to receive weekly — in one transmission — an electronic copy of the same WHOIS information that is provided continuously through Register.com's web page and its access port 43. The Agreement allows Register.com to charge a $10,000 yearly fee for the license. Register.com has imposed the same mass marketing prohibition on the use the bulk license data. (See Eden Depo. at 34).

[3] ICANN in its amicus submission dated September 22, 2000 through Louis Touton, its General Counsel, stated that:

To the extent that Register.com is using this legend to restrict otherwise lawful use of the data for mass unsolicited, commercial advertising or solicitations by direct mail or telephone (and not just by electronic mail), it is ICANN's position that Registrar.com (sic) has failed to comply with the promise it made in Section II.F.5 of the Registrar Accreditation Agreement.

(ICANN Amicus Br. at 11).

[4] Before the development of its search robot, Verio relied primarily on banner and print ads, and briefly on predictive dialing in its marketing efforts. Under the predictive dialing approach, Verio purchased potential customer leads, then contacted those leads by telephone, using a computer dialer and connecting the call to a telemarketer when a potential customer answered. (See Ayers Depo. at 33-34, 75-76).

[5] Although Register.com and ICANN have also criticized Verio's use of its search robot to collect the registrar names from NSI's computer system (see ICANN Amicus Br. at 15), that issue is not before the Court.

[6] Verio contests Register.com's assertion that its particular use of e-mail to solicit Register.com's customers constitutes the "spamming" that is prohibited by the ICANN agreement. The Court need not determine whether Verio' e-mails constitute "spam" because it is Register.com's terms of use, rather than ICANN's, that are at issue here. Register.com's terms do not specifically prohibit "spam", but rather simply prohibit the use of WHOIS data for mass, unsolicited e-mail. Verio's e-mails clearly violate Register.com's terms of use. Verio's unsolicited e-mail solicitations are "mass" by any definition of the term. Even though the e-mails are not sent simultaneously with one mouse click, as Verio argues, they are sent in massive quantities over a short period of time, and thus fit the definition of "mass" e-mails.

[7] In its brief opposing the motion, Verio refers to Register.com's port 43 access channel as a "public resource" and a "public facility." (See Def.'s Opp. Memo. at 21 & 22.)

[8] The Court notes that ICANN may terminate Register.com's accreditation under section II. N.4 of the Agreement for its breach of the Agreement. ICANN urges this Court "to promote the integrity of the ICANN process by allowing the contractually specified exclusive remedies for [Register.com's] breach to operate as they were intended." To date this Court is unaware of any decision by ICANN with respect to the issue of Register.com's breach. However, ICANN's inaction does not grant Verio the right to breach its contract with Register.com.

[9] Editor's note: The text of this footnote was deleted by the court.

[10] Remedies under this criminal code provision include injunctive relief under 18 U.S.C. § 1030(g).

[11] None of the other provisions of § 1030(e)(8) are relevant to this case. Section 1030(e)(8)(B) covers impairment or modification of data or systems affecting "the medical examination, diagnosis, treatment, or care of one or more individuals;" § 1030(e)(8)(C) covers impairment or modification of data or systems causing "physical injury to any person," and 1030(e)(8)(D) covers impairment or modification of data or systems which "threatens public health or safety."

[12] Register.com relies upon lost revenue from Verio's exploitation of the WHOIS data for marketing purposes to constitute the damages required under § 1030(a)(5)(C). Although lost good will or business could provide the loss figure required under § 1030(a)(5)(C), it could only do so if it resulted from the impairment or unavailability of data or systems. The good will losses cited by Register.com are not the result of the harm addressed by § 1030(a)(5)(C). How Verio uses the WHOIS data, once extracted, has no bearing on whether Verio has impaired the availability or integrity of Register.com's data or computer systems in extracting it. Accordingly, because violating an anti-marketing restriction on the end use of data harms neither the data nor the computer and therefore does not cause the type of harm that § 1030(a)(5)(C) addresses, the specific good will damages cited by Register.com cannot satisfy its burden under § 1030(a)(5)(C).

8.2.4 EF Cultural Travel BV v. Explorica, Inc. 8.2.4 EF Cultural Travel BV v. Explorica, Inc.

This case considers website "scraping." Be sure to read the footnotes - they include a lot of important facts and limitations of the holding.

United States Court of Appeals for the First Circuit
274 F.3d 577
No. 01-2000
2001-12-17

274 F.3d 577 (2001)

EF CULTURAL TRAVEL BV, EF Cultural Tours BV, EF Institute for Cultural Exchange, Inc., EF Cultural Services BV, and Go Ahead Vacations, Inc., Plaintiffs, Appellees,
v.
EXPLORICA, INC., Olle Olsson, Peter Nilsson, Philip Gormley, Alexandra Bernadotte, Anders Eriksson, Deborah Johnson, and Stefan Nilsson, Defendants, Appellants.

No. 01-2000.

United States Court of Appeals, First Circuit.

Heard October 1, 2001.
Decided December 17, 2001.

[578] Anthony M. Feeherry, with whom James W. Nagle, R. David Hosp, and Goodwin Proctor LLP were on brief, for appellants.

Nathaniel H. Akerman, with whom Seyfarth Shaw was on brief, for appellees.

Before BOUDIN, Chief Judge, COFFIN, Senior Circuit Judge, and LYNCH, Circuit Judge.

COFFIN, Senior Circuit Judge.

Appellant Explorica, Inc. ("Explorica") and several of its employees challenge a preliminary injunction issued against them for alleged violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030.[1] We affirm the district court's [579] conclusion that appellees will likely succeed on the merits of their CFAA claim, but rest on a narrower basis than the court below.

I. Background

Explorica was formed in 2000 to compete in the field of global tours for high school students. Several of Explorica's employees formerly were employed by appellee EF, which has been in business for more than thirty-five years. EF and its partners and subsidiaries make up the world's largest private student travel organization.

Shortly after the individual defendants left EF in the beginning of 2000, Explorica began competing in the teenage tour market. The company's vice president (and former vice president of information strategy at EF), Philip Gormley, envisioned that Explorica could gain a substantial advantage over all other student tour companies, and especially EF, by undercutting EF's already competitive prices on student tours. Gormley considered several ways to obtain and utilize EF's prices: by manually keying in the information from EF's brochures and other printed materials; by using a scanner to record that same information; or, by manually searching for each tour offered through EF's website. Ultimately, however, Gormley engaged Zefer, Explorica's Internet consultant, to design a computer program called a "scraper" to glean all of the necessary information from EF's website. Zefer designed the program in three days.

The scraper has been likened to a "robot," a tool that is extensively used on the Internet. Robots are used to gather information for countless purposes, ranging from compiling results for search engines such as Yahoo! to filtering for inappropriate content. The widespread deployment of robots enables global Internet users to find comprehensive information quickly and almost effortlessly.

Like a robot, the scraper sought information through the Internet. Unlike other robots, however, the scraper focused solely on EF's website, using information that other robots would not have. Specifically, Zefer utilized tour codes whose significance was not readily understandable to the public. With the tour codes, the scraper accessed EF's website repeatedly and easily obtained pricing information for those specific tours. The scraper sent more than 30,000 inquiries to EF's website and recorded the pricing information into a spreadsheet.[2]

[580] Zefer ran the scraper program twice, first to retrieve the 2000 tour prices and then the 2001 prices. All told, the scraper downloaded 60,000 lines of data, the equivalent of eight telephone directories of information.[3] Once Zefer "scraped" all of the prices, it sent a spreadsheet containing EF's pricing information to Explorica, which then systematically undercut EF's prices.[4] Explorica thereafter printed its own brochures and began competing in EF's tour market.

The development and use of the scraper came to light about a year and a half later during state-court litigation regarding appellant Olsson's departure from appellee EFICE. EF then filed this action, alleging violations of the CFAA; the Copyright Act of 1976, 17 U.S.C. § 101; the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. § 1961; and various related state laws. It sought a preliminary injunction barring Explorica and Zefer from using the scraper program and demanded the return of all materials generated through use of the scraper.

On May 30, 2001, the district court granted a preliminary injunction against Explorica based on the CFAA, which criminally and civilly prohibits certain access to computers. See 18 U.S.C. § 1030(a)(4). The court found that EF would likely prove that Explorica violated the CFAA when it used EF's website in a manner outside the "reasonable expectations" of both EF and its ordinary users. The court also concluded that EF could show that it suffered a loss, as required by the statute, consisting of reduced business, harm to its goodwill, and the cost of diagnostic measures it incurred to evaluate possible harm to EF's systems, although it could not show that Explorica's actions physically damaged its computers. In a supplemental opinion[5] the district court further articulated its "reasonable expectations" standard and explained that copyright, contractual and technical restraints sufficiently notified Explorica that its use of a scraper would be unauthorized and thus would violate the CFAA.

The district court first relied on EF's use of a copyright symbol on one of the pages of its website and a link directing users with questions to contact the company,[6] finding that "such a clear statement should have dispelled any notion a reasonable person may have had that the `presumption of open access' applied to information on EF's website." The court next found that the manner by which Explorica accessed EF's website likely violated a confidentiality agreement between appellant Gormley and EF, because Gormley provided to Zefer technical instructions concerning the creation of the scraper. Finally, the district court noted without elaboration that the scraper bypassed technical restrictions embedded in the [581] website to acquire the information. The court therefore let stand its earlier decision granting the preliminary injunction. Appellants contend that the district court erred in taking too narrow a view of what is authorized under the CFAA and similarly mistook the reach of the confidentiality agreement. Appellants also argue that the district court erred in finding that appellees suffered a "loss," as defined by the CFAA, and that the preliminary injunction violates the First Amendment.

II. Standard of Review

A district court may issue a preliminary injunction only upon considering "(1) the likelihood of success on the merits; (2) the potential for irreparable harm if the injunction is denied; (3) the balance of relevant impositions ...; and (4) the effect (if any) of the court's ruling on the public interest." Ross-Simons of Warwick, Inc. v. Baccarat, Inc., 102 F.3d 12, 15 (1st Cir.1996). Appellants challenge only the district court's finding that appellees are likely to succeed on the merits, and we thus confine our review to that factor. As in any other appeal, we review the merits of a preliminary injunction depending on the issue under consideration. "Generally speaking, pure issues of law (e.g., the construction of a statute) are reviewed de novo, findings of fact for clear error, and `judgment calls' with considerable deference...." Langlois v. Abington Hous. Auth., 207 F.3d 43, 47 (1st Cir.2000). Each of these is applicable here, where the district court's judgment relied on both its analysis of the CFAA and its assessment of the voluminous documentary evidence.

III. The Computer Fraud and Abuse Act

Although appellees alleged violations of three provisions of the CFAA, the district court found that they were likely to succeed only under section 1030(a)(4).[7] That section provides

[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... shall be punished.

18 U.S.C. § 1030(a)(4).[8]

Appellees allege that the appellants knowingly and with intent to defraud accessed the server hosting EF's website more than 30,000 times to obtain proprietary pricing and tour information, and confidential information about appellees' technical abilities. At the heart of the parties' dispute is whether appellants' actions either were "without authorization" or "exceed[ed] authorized access" as defined by the CFAA.[9] We conclude that because of the broad confidentiality agreement appellants' actions "exceed[ed] authorized access," and so we do not reach the more general arguments made about statutory [582] meaning, including whether use of a scraper alone renders access unauthorized.[10]

A. "Exceeds authorized access"

Congress defined "exceeds authorized access," as accessing "a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). EF is likely to prove such excessive access based on the confidentiality agreement between Gormley and EF. Pertinently, that agreement provides:

Employee agrees to maintain in strict confidence and not to disclose to any third party, either orally or in writing, any Confidential or Proprietary information ... and never to at any time (i) directly or indirectly publish, disseminate or otherwise disclose, deliver or make available to anybody any Confidential or Proprietary Information or (ii) use such Confidential or [P]roprietary Information for Employee's own benefit or for the benefit of any other person or business entity other than EF.

* * *

As used in this Agreement, the term "Confidential or Proprietary Information" means (a) any trade or business secrets or confidential information of EF, whether or not reduced to writing ...; (b) any technical, business, or financial information, the use or disclosure of which might reasonably be construed to be contrary to the interests of EF.

...

The record contains at least two communications from Gormley to Zefer seeming to rely on information about EF to which he was privy only because of his employment there. First, in an email to Zefer employee Joseph Alt exploring the use of a scraper, Gormley wrote: "[m]ight one of the team be able to write a program to automatically extract prices ... ? I could work with him/her on the specification." Gormley also sent the following email to Zefer employee John Hawley:

Here is a link to the page where you can grab EF's prices. There are two important drop down menus on the right.... With the lowest one you select one of about 150 tours. * * * You then select your origin gateway from a list of about 100 domestic gateways (middle drop down menu). When you select your origin gateway a page with a couple of tables comes up. One table has 1999-2000 prices and the other has 2000-2001 prices. * * * On a high speed connection it is possible to move quickly from one price table to the next by hitting backspace and then the down arrow.

This documentary evidence points to Gormley's heavy involvement in the conception of the scraper program. Furthermore, the voluminous spreadsheet containing all of the scraped information includes the tour codes, which EF claims are proprietary [583] information. Each page of the spreadsheet produced by Zefer includes the tour and gateway codes, the date of travel, and the price for the tour. An uninformed reader would regard the tour codes as nothing but gibberish.[11] Although the codes can be correlated to the actual tours and destination points, the codes standing alone need to be "translated" to be meaningful.

Explorica argues that none of the information Gormley provided Zefer was confidential and that the confidentiality agreement therefore is irrelevant.[12] The case on which they rely, Lanier Professional Services, Inc. v. Ricci, 192 F.3d 1, 5 (1st Cir.1999), focused almost exclusively on an employee's non-compete agreement. The opinion mentioned in passing that there was no actionable misuse of confidential information because the only evidence that the employee had taken protected information was a "practically worthless" affidavit from the employee's successor. Id. at 5.

Here, on the other hand, there is ample evidence that Gormley provided Explorica proprietary information about the structure of the website and the tour codes. To be sure, gathering manually the various codes through repeated searching and deciphering of the URLs[13] theoretically may be possible. Practically speaking, however, if proven, Explorica's wholesale use of EF's travel codes to facilitate gathering EF's prices from its website reeks of use — and, indeed, abuse — of proprietary information that goes beyond any authorized use of EF's website.[14]

Gormley voluntarily entered a broad confidentiality agreement prohibiting his disclosure of any information "which might reasonably be construed to be contrary to the interests of EF."[15] Appellants would face an uphill battle trying to argue that it was not against EF's interests for appellants to use the tour codes to mine EF's pricing data. See Anthony's Pier Four, Inc. v. HBC Assoc., 411 Mass. 451, 471, 583 N.E.2d 806, 820 (1991) (imposing a duty of good faith and fair dealing in all contracts under Massachusetts law). If EF's allegations are proven, it will likely prove that whatever authorization Explorica had to navigate around EF's site (even in a competitive vein), it exceeded that authorization by providing proprietary information and know-how to Zefer to create the scraper.[16] Accordingly, the district [584] court's finding that Explorica likely violated the CFAA was not clearly erroneous.

B. Damage or Loss under section 1030(g)

Appellants also challenge the district court's finding that the appellees would likely prove they met the CFAA's "damage or loss" requirements. Under the CFAA, EF may maintain a private cause of action if it suffered "damage or loss." 18 U.S.C. § 1030(g). "Damage" is defined as "any impairment to the integrity or availability of data, a program, a system, or information that ... causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals...." 18 U.S.C. § 1030(e)(8). "Loss" is not defined.

The district court held that although EF could not show any "damage" it would likely be able to show "loss" under the statute. It reasoned that a general understanding of the word "loss" would fairly encompass a loss of business, goodwill, and the cost of diagnostic measures that EF took after it learned of Explorica's access to its website.[17] Appellants respond that such diagnostic measures cannot be included in the $5,000 threshold because their actions neither caused any physical damage nor placed any stress on EF's website.

Few courts have endeavored to resolve the contours of damage and loss under the CFAA. See, e.g., Shaw v. Toshiba Am. Info. Sys., 91 F.Supp.2d 926 (E.D.Tex. 1999) (noting the paucity of decisions construing the Act). Two district courts that have addressed the issue have found that expenses such as those borne by EF do fall under the statute. In Shurgard Storage Centers v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D.Wa.2000), the district court found that the need to assess whether a defendant's actions compromised the plaintiff's computers was compensable under the CFAA because the computer's integrity was called into question. The court based its finding on the legislative history of the 1996 amendments to the CFAA:

The 1994 Amendment required both "damage" and "loss," but it is not always clear what constitutes "damage." For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information is damaged. Nonetheless, this conduct allows the intruder to accumulate valid user passwords to the system, requires all system users to change their passwords, and requires the system administrator to devote resources to re-securing the system. Thus, although there is arguably no "damage," the victim does suffer "loss." If the loss to the victim meets the required monetary threshold, the conduct should be criminal, and the victim should be entitled to relief. [585] S.Rep. No. 104-357, at 11 (1996) (quoted in Shurgard, 119 F.Supp.2d at 1126). Another district court held that this legislative history makes "clear that Congress intended the term `loss' to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker." In re DoubleClick Inc. Privacy Litig., 154 F.Supp.2d 497, 521 (S.D.N.Y.2001).

We agree with this construction of the CFAA. In the absence of a statutory definition for "loss," we apply the well-known rule of assigning undefined words their normal, everyday meaning. See Inmates of Suffolk Cty. Jail v. Rouse, 129 F.3d 649, 653-54 (1st Cir.1997). The word "loss" means "detriment, disadvantage, or deprivation from failure to keep, have or get." The Random House Dictionary of the English Language 1137 (2d ed.1983). Appellees unquestionably suffered a detriment and a disadvantage by having to expend substantial sums to assess the extent, if any, of the physical damage to their website caused by appellants' intrusion. That the physical components were not damaged is fortunate, but it does not lessen the loss represented by consultant fees. Congress's use of the disjunctive, "damage or loss," confirms that it anticipated recovery in cases involving other than purely physical damage. But see In re Intuit Privacy Litig., 138 F.Supp.2d 1272, 1281 (C.D.Ca.2001) (loss means "irreparable damage" and any other interpretation "would render the term `damage' superfluous"); Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238, 252 n. 12 (S.D.N.Y. 2000) (lost business or goodwill could not constitute loss absent the impairment or unavailability of data or systems). To parse the words in any other way would not only impair Congress's intended scope of the Act, but would also serve to reward sophisticated intruders. As we move into an increasingly electronic world, the instances of physical damage will likely be fewer while the value to the victim of what has been stolen and the victim's costs in shoring up its security features undoubtedly will loom ever-larger. If we were to restrict the statute as appellants urge, we would flout Congress's intent by effectively permitting the CFAA to languish in the twentieth century, as violators of the Act move into the twenty-first century and beyond.

We do not hold, however, that any loss is compensable. The CFAA provides recovery for "damage" only if it results in a loss of at least $5,000. We agree with the court in In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001), that Congress could not have intended other types of loss to support recovery unless that threshold were met. Indeed, the Senate Report explicitly states that "if the loss to the victim meets the required monetary threshold," the victim is entitled to relief under the CFAA. S. Rep. 104-357, at 11. We therefore conclude that expenses of at least $5,000 resulting from a party's intrusion are "losses" for purposes of the "damage or loss" requirement of the CFAA.

IV. Conclusion

For the foregoing reasons, we agree with the district court that appellees will likely succeed on the merits of their CFAA claim under 18 U.S.C. § 1030(a)(4). Accordingly, the preliminary injunction was properly ordered.

Affirmed.

[1] The individual defendants-appellants are Olle Olsson, Peter Nilsson, Philip Gormley, Alexandra Bernadotte, Anders Erikkson, Deborah Johnson, and Stefan Nilsson. They are all former employees of plaintiffs-appellees, EF Cultural Tours BV, EF Institute for Cultural Exchange, Inc. ("EFICE"), EF Cultural Services BV, and Go Ahead Vacations, Inc. The appellees are collectively referred to as "EF."

The injunction was also issued against a second company, Zefer Corporation ("Zefer"), which also appealed. After briefing was completed, Zefer filed for bankruptcy. We granted a joint motion to sever Zefer's appeal, which has been stayed.

[2] John Hawley, one of Zefer's senior technical associates, explained the technical progression of the scraper in an affidavit:

[a.] Open an Excel spreadsheet. The initially contains EFTours gateway and destination city codes, which are available on the EFTours web site.

[b.] Identify the first gateway and destination city codes [on the] Excel spreadsheet.

[c.] Create a [website address] request for the EFTours tour prices page based on a combination of gateway and destination city. Example: show me all the prices for a London trip leaving JFK.

[d.] View the requested web page which is retained in the random access memory of the requesting computer in the form of HTML [computer language] code. * * *

[e.] Search the HTML for the tour prices for each season, year, etc.

[f.] Store the prices into the Excel spreadsheet.

[g.] Identify the next gateway and city codes in the spreadsheet.

[8.] Repeat steps 3-7 for all gateway and destination city combinations.

[3] Appellants dispute the relevance of the size of the printed data, arguing that 60,000 printed lines, while voluminous on paper, is not a large amount of data for a computer to store. This is a distinction without a difference. The fact is that appellants utilized the scraper program to download EF's pricing data. In June 2000, EF's website listed 154,293 prices for various tours.

[4] Explorica later varied its prices slightly to mask its across-the-board discount of EF's prices.

[5] Zefer, Explorica's consultant, had objected to the initial decision on the ground that it could face liability under the preliminary injunction even though it had not had an opportunity to respond to EF's preliminary injunction motion. The district court allowed all of the parties to submit supplemental briefs and issued a further decision on July 2, 2001.

[6] The notice stated in full:

Copyright © 2000 EF Cultural Travel BV EF Educational Tours is a member of the EF group of companies.

Questions? Please contact us.

[7] Appellees have not challenged the district court's finding that they were unlikely to succeed on claims brought under 18 U.S.C. §§ 1030(5)(C) and(6)(A).

[8] Although the CFAA is primarily a criminal statute, under § 1030(g), "any person who suffers damage or loss ... may maintain a civil action ... for compensatory damages and injunctive relief or other equitable relief."

[9] At oral argument, appellants contended that they had no "intent to defraud" as defined by the CFAA. That argument was not raised in the briefs and thus has been waived. See Garcia-Ayala v. Parenterals, Inc., 212 F.3d 638, 645 (1st Cir.2000) (failure to brief an argument constitutes waiver despite attempt to raise the argument at oral argument). Likewise, at oral argument Explorica attempted to adopt appellant Zefer's argument that the preliminary injunction violates the First Amendment. The lateness of Explorica's attempt renders it fruitless. See id.

[10] Congress did not define the phrase "without authorization," perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive. The district court applied what it termed the "default rule" that conduct is without authorization only if it is not "in line with the reasonable expectations" of the website owner and its users. Appellants argue that this is an overly broad reading that restricts access and is at odds with the Internet's intended purpose of providing the "open and free exchange of information." They urge us to adopt instead the Second Circuit's reasoning that computer use is "without authorization" only if the use is not "in any way related to [its] intended function," United States v. Morris, 928 F.2d 504, 510 (2d Cir.1991). Appellees contend that the result would be the same under either test, but we need not resolve this dispute because we affirm the court's ruling based on the "exceeds authorized access" prong of § 1030(a)(4).

[11] An example of the website address including the tour information is http://www.eftours. com/tours/PriceResult.asp? Gate=GTF & TourID=LPM. In this address, the proprietary codes are "GTF" and "LPM."

[12] The Agreement provides that confidential information does not include anything that "is or becomes generally known within EF's industry."

[13] URL is the acronym for "uniform resource locator," the technical name for the web address typed in by an Internet user. For example, EF's URL is http://www.eftours.com.

[14] Among the several emails in the record is one from Zefer employee Joseph Alt to the Explorica "team" at Zefer:

Below is the information needed to log into EF's site as a tour leader. Please use this to gather competitor information from both a business and experience design perspective. We may also be able to glean knowledge of their technical abilities. As with all of our information, this is extremely confidential. Please do not share it with anyone.

[15] Ironically, appellant Olsson countersigned Gormley's confidentiality agreement as the representative of EF.

[16] EF also claims that Explorica skirted the website's technical restraints. To learn about a specific tour, a user must navigate through several different web pages by "clicking" on various drop-down menus and choosing the desired departure location, date, tour destination, tour length, and price range. The district court found that the scraper circumvented the technical restraints by operating at a warp speed that the website was not normally intended to accommodate. We need not reach the argument that this alone was a violation of the CFAA, however, because the apparent transfer of information in violation of the Confidentiality Agreement furnishes a sufficient basis for injunctive relief.

Likewise, we express no opinion on the district court's ruling that EF's copyright notice served as a "clear statement [that] should have dispelled any notion a reasonable person may have had the `presumption of open access'" to EF's website.

[17] It is undisputed that appellees paid $20,944.92 to assess whether their website had been compromised. Appellees also claim costs exceeding $40,000 that they will incur to "remedy and secure their website and computer." We need not consider whether these expenses constitute loss because the initial $20,944.92 greatly exceeds the threshold.

8.2.5 Introduction to Subject Matter Jurisdiction 8.2.5 Introduction to Subject Matter Jurisdiction

 

Subject matter jurisdiction concerns the court’s power to hear a case based on the nature of the controversy at issue. Both state and federal courts have limited subject matter jurisdiction. In the federal system, Article III of the Constitution, federal statutes and judicial decisions all govern subject matter jurisdiction (SMJ).

 

Federal courts are courts of limited jurisdiction and they have only the jurisdiction granted to them by Constitution and Congress. Article III, §§ 1 and 2 of U.S. Constitution is source for subject matter jurisdiction.  

  • Article III §§ 2: “The judicial power shall extend to all cases, in law and equity, arising under this constitution, the laws of the United States, and treaties made, or which shall be made under their authority; to all cases affecting ambassadors, other public ministers and consuls; to all cases of admiralty and maritime jurisdiction; to controversies to which the United States shall be a party; to controversies between two or more states, between a state and Citizens of another state, between Citizens of different states, between Citizens of the same state, claiming lands under grants of different states, and between a state, or the Citizens thereof, and foreign states, Citizens or subjects.” (This last section is modified by Amendment XI)

    • 
The Supreme Court has original jurisdiction over only those cases “affecting ambassadors, other public ministers and consuls, and those in which a state shall be a party.” (Art. III, §§2.2).

     

    Two types of jurisdiction are important for our purposes: federal question (the “arising under” clause) and diversity of citizenship (“between citizens of different states”).

    The Constitution does not itself authorize SMJ for federal courts, it merely spells out the outer limits of what Congress can grant. It is up to Congress to specify what kind of SMJ it wants the federal courts to have. Congress can give less than the constitutional limit but it cannot give more.

    For some areas of law, such as patent law, federal courts have exclusive jurisdiction. For many other claims, state and federal courts have overlapping jurisdiction and plaintiffs can choose in which court to bring a claim. Removal jurisdiction allows the defendant, in certain cases, the right to ‘remove’ the case from state to federal court. Subject matter jurisdiction may be limited by the nature of the conflict or by the amount at issue in the claim.

    As we explore the requirements of subject matter jurisdiciton, keep in mind whether opportunities to ‘forum shop’ empower litigants or create additional problems of public concern.

     

    8.3 OIL Casebook: Computer Fraud & Abuse Act II 8.3 OIL Casebook: Computer Fraud & Abuse Act II

    8.3.1 U.S. v. Drew 8.3.1 U.S. v. Drew

    This case considers CFAA violations for breach of terms of service

    United States District Court for the Central District of California
    259 F.R.D. 449
    No. CR 08-0582-GW
    2009-08-28

    259 F.R.D. 449

    UNITED STATES of America, Plaintiff,
    v.
    Lori DREW, Defendant.

    No. CR 08–0582–GW.

    United States District Court, C.D. California.

    Aug. 28, 2009.

    [451] Mark Krause, Yvonne Leticia Garcia, Office of U.S. Attorney, Los Angeles, CA, for Plaintiff.

    H. Dean Steward, San Clemente, CA, Prof. Orin Kerr, George Washington University Law School, Washington, DC, for Defendant.

    DECISION ON DEFENDANT'S F.R.CRIM.P. 29(c) MOTION

    GEORGE H. WU, District Judge.

    I. INTRODUCTION

    This case raises the issue of whether (and/or when will) violations of an Internet website's[1] terms of service constitute a crime under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030. Originally, the question arose in the context of Defendant Lori Drew's motions to dismiss the Indictment on grounds of vagueness, failure to state an offense, and unconstitutional delegation of prosecutorial power. See Case Docket Document Numbers ("Doc.Nos.") 21, 22, and 23. At that time, this Court found that the presence of the scienter element (i.e. the requirement that the intentional accessing of a computer without authorization or in excess of authorization be in furtherance of the commission of a criminal or tortious act) within the CFAA felony provision as delineated in 18 U.S.C. § 1030(c)(2)(B)(ii) overcame Defendant's constitutional challenges and arguments against the criminalization of breaches of contract involving the use of computers. See Reporter's Transcripts of Hearings on September 4 and October 30, 2008. However, Drew was subsequently acquitted by a jury of the felony CFAA counts but convicted of misdemeanor CFAA violations. Hence, the question in the present motion under Federal Rule of Criminal Procedure ("F.R.Crim.P.") 29(c) is whether an intentional breach of an Internet website's terms of service, without more, is sufficient to constitute a misdemeanor violation of the CFAA; and, if so, would the statute, as so interpreted, survive constitutional challenges on the grounds of vagueness and related doctrines.[2]

    [452] II. BACKGROUND

    A. Indictment

    In the Indictment, Drew was charged with one count of conspiracy in violation of 18 U.S.C. § 371 and three counts of violating a felony portion of the CFAA, i.e., 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(ii), which prohibit accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involves an interstate or foreign communication and the offense is committed in furtherance of a crime or tortious act. See Doc. No. 1.

    The Indictment included, inter alia, the following allegations (not all of which were established by the evidence at trial). Drew, a resident of O'Fallon, Missouri, entered into a conspiracy in which its members agreed to intentionally access a computer used in interstate commerce without (and/or in excess of) authorization in order to obtain information for the purpose of committing the tortious act of intentional infliction of emotional distress[3] upon "M.T.M.," subsequently identified as Megan Meier ("Megan"). Megan was a 13 year old girl living in O'Fallon who had been a classmate of Drew's daughter Sarah. Id. at ¶¶ 1–2, 14. Pursuant to the conspiracy, on or about September 20, 2006, the conspirators registered and set up a profile for a fictitious 16 year old male juvenile named "Josh Evans" on the www.My Space.com website ("MySpace"), and posted a photograph of a boy without that boy's knowledge or consent. Id. at ¶ 16. Such conduct violated My Space's terms of service. The conspirators contacted Megan through the MySpace network (on which she had her own profile) using the Josh Evans pseudonym and began to flirt with her over a number of days. Id. On or about October 7, 2006, the conspirators had "Josh" inform Megan that he was moving away. Id. On or about October 16, 2006, the conspirators had "Josh" tell Megan that he no longer liked her and that "the world would be a better place without her in it." Id. Later on that same day, after learning that Megan had killed herself, Drew caused the Josh Evans MySpace account to be deleted. Id.

    B. Verdict

    At the trial, after consultation between counsel and the Court, the jury was instructed that, if they unanimously decided that they were not convinced beyond a reasonable doubt as to the Defendant's guilt as to the felony CFAA violations of 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(ii), they could then consider whether the Defendant was guilty of the "lesser included"[4]misdemeanor [453] CFAA violation of 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A).[5]

    At the end of the trial, the jury was deadlocked and was unable to reach a verdict as to the Count 1 conspiracy charge.[6]See Doc. Nos. 105 and 120. As to Counts 2 through 4, the jury unanimously found the Defendant "not guilty" "of [on the dates specified in the Indictment] accessing a computer involved in interstate or foreign communication without authorization or in excess of authorization to obtain information in furtherance of the tort of intentional infliction of emotional distress in violation of Title 18, United States Code, Section 1030(a)(2)(C) and (c)(2)(B)(ii)...." Id. The jury did find Defendant "guilty" "of [on the dates specified in the Indictment] accessing a computer involved in interstate or foreign communication without authorization or in excess of authorization to obtain information in violation of Title 18, United States Code, Section 1030(a)(2)(C) and (c)(2)(A), a misdemeanor." Id.

    C. MySpace.com

    As Jae Sung (Vice President of Customer Care at MySpace) ("Sung") testified at trial, MySpace is a "social networking" website where members can create "profiles" and interact with other members. See Reporter's Transcript of the November 21, 2008 Sung testimony ("11/21/08 Transcript") at pages 40–41. Anyone with Internet access can go onto the MySpace website and view content which is open to the general public such as a music area, video section, and members' profiles which are not set as "private." Id. at 42. However, to create a profile, upload and display photographs, communicate with persons on the site, write "blogs," and/or utilize other services or applications on the MySpace website, one must be a "member." Id. at 42–43. Anyone can become a member of MySpace at no charge so long as they meet a minimum age requirement and register. Id.

    In 2006, to become a member, one had to go to the sign-up section of the MySpace website and register by filling in personal information (such as name, email address, date of birth, country/state/postal code, and gender) and creating a password. Id. at 44–45. In addition, the individual had to check on the box indicating that "You agree to the MySpace Terms of Service and Privacy Policy." See Government's[7] Exhibit 1 at page 2 (emphasis in original); 11/21/08 Transcript at 45–47. The terms of service did not appear on the same registration page that contained this "check box" for users to confirm their agreement to those provisions. Id. In order to find the terms of service, one had (or would have had) to proceed to the bottom of the page where there were several "hyperlinks" including one entitled "Terms." 11/21/08 Transcript at 50; Exhibit 1 at 5. Upon clicking the "Terms" hyperlink, the screen would display the terms of service section of the website. Id. A person could become a MySpace member without ever reading or otherwise becoming aware of the provisions and conditions of the MySpace terms of service by merely clicking on the "check box" and then the "Sign Up" button without first accessing the "Terms" section. 11/21/08 Transcript at 94.[8]

    [454] As used in its website, "terms of service" refers to the "MySpace.com Terms of Use Agreement" ("MSTOS"). See Government's Exhibit 3. The MSTOS in 2006 stated, inter alia:

    This Terms of Use Agreement ("Agreement") sets forth the legally binding terms for your use of the Services. By using the Services, you agree to be bound by this Agreement, whether you are a "Visitor" (which means that you simply browse the Website) or you are a "Member" (which means that you have registered with MySpace.com). The term "User" refers to a Visitor or a Member. You are only authorized to use the Services (regardless of whether your access or use is intended) if you agree to abide by all applicable laws and to this Agreement. Please read this Agreement carefully and save it. If you do not agree with it, you should leave the Website and discontinue use of the Services immediately. If you wish to become a Member, communicate with other Members and make use of the Services, you must read this Agreement and indicate your acceptance at the end of this document before proceeding.

    By using the Services, you represent and warrant that (a) all registration information you submit is truthful and accurate; (b) you will maintain the accuracy of such information; (c) you are 14 years of age or older; and (d) your use of the Services does not violate any applicable law or regulation.

    Id. at 2.

    The MSTOS prohibited the posting of a wide range of content on the website including (but not limited to) material that: a) "is potentially offensive and promotes racism, bigotry, hatred or physical harm of any kind against any group or individual"; b) "harasses or advocates harassment of another person"; c) "solicits personal information from anyone under 18"; d) "provides information that you know is false or misleading or promotes illegal activities or conduct that is abusive, threatening, obscene, defamatory or libelous"; e) "includes a photograph of another person that you have posted without that person's consent"; f) "involves commercial activities and/or sales without our prior written consent"; g) "contains restricted or password only access pages or hidden pages or images"; or h) "provides any phone numbers, street addresses, last names, URLs or email addresses...." Id. at 4. MySpace also reserved the right to take appropriate legal action (including reporting the violating conduct to law enforcement authorities) against persons who engaged in "prohibited activity" which was defined as including, inter alia: a) "criminal or tortious activity", b) "attempting to impersonate another Member or person", c) "using any information obtained from the Services in order to harass, abuse, or harm another person", d) "using the Service in a manner inconsistent with any and all applicable laws and regulations", e) "advertising to, or solicitation of, any Member to buy or sell any products or services through the Services", f) "selling or otherwise transferring your profile", or g) "covering or obscuring the banner advertisements on your personal profile page...." Id. at 5. The MSTOS warned users that "information provided by other MySpace.com Members (for instance, in their Profile) may contain inaccurate, inappropriate, offensive or sexually explicit material, products or services, and MySpace.com assumes no responsibility or liability for this material."Id. at 1–2. Further, MySpace was allowed to unilaterally modify the terms of service, with such modifications taking effect upon the posting of notice on its website. Id. at 1. Thus, members would have to review the MSTOS each time they logged on to the website, to ensure that they were aware of any updates in order to avoid violating some new provision of the terms of service. Also, the MSTOS provided that "any dispute" between a visitor/member and MySpace "arising out of this Agreement must be settled by arbitration" if demanded by either party. Id. at 7.

    At one point, MySpace was receiving an estimated 230,000 new accounts per day and eventually the number of profiles exceeded 400 million with over 100 million unique visitors [455] worldwide. 11/21/08 Transcript at 74–75. "Generally speaking," MySpace would not monitor new accounts to determine if they complied with the terms of service except on a limited basis, mostly in regards to photographic content. Id. at 75. Sung testified that there is no way to determine how many of the 400 million existing MySpace accounts were created in a way that violated the MSTOS.[9]Id. at 82–84. The MySpace website did have hyperlinks labeled "Safety Tips" (which contained advice regarding personal, private and financial security vis-a-vis the site) and "Report Abuse" (which allowed users to notify MySpace as to inappropriate content and/or behavior on the site). Id. at 51–52. MySpace attempts to maintain adherence to its terms of service. Id. at 60. It has different teams working in various areas such as "parent care" (responding to parents' questions about this site), handling "harassment/cyberbully cases, imposter profiles," removing inappropriate content, searching for underage users, etc. Id. at 60–61. As to MySpace's response to reports of harassment:

    It varies depending on the situation and what's being reported. It can range from ... letting the user know that if they feel threatened to contact law enforcement, to us removing the profile, and in rare circumstances we would actually contact law enforcement ourselves.

    Id. at 61.

    Once a member is registered and creates his or her profile, the data is housed on computer servers which are located in Los Angeles County. Id. at 53. Members can create messages which can be sent to other MySpace members, but messages cannot be sent to or from other Internet service providers such as Yahoo!. Id. at 54. All communications among MySpace members are routed from the sender's computer through the MySpace servers in Los Angeles. Id. at 54–55.

    Profiles created by adult MySpace members are by default available to any user who accesses the MySpace website. Id. at 56. The adult members can, however, place privacy settings on their accounts such that only pre-authorized "friends" are able to view the members' profile pages and contents. Id. For members over 16 but under 18, their profiles are by default set at "private" but can be changed by the member. Id. at 57. Members under 16 have a privacy setting for their profiles which cannot be altered to allow regular public access. Id. To communicate with a member whose profile has a privacy setting, one must initially send a "friend" request to that person who would have to accept the request. Id. at 57–58. To become a "friend" of a person under 16, one must not only send a "friend" request but must also know his or her email address or last name. Id. at 58.

    According to Sung, MySpace owns the data contained in the profiles and the other content on the website.[10] MySpace is owned by Fox Interactive Media which is part of News Corporation. Id. at 42.

    III. APPLICABLE LAW

    A. F.R.Crim.P. 29(c)

    A motion for judgment of acquittal under F.R.Crim.P. 29(c) may be made by a [456] defendant seeking to challenge a conviction on the basis of the sufficiency of the evidence, see, e.g., United States v. Freter, 31 F.3d 783, 785 (9th Cir.1994), or on other grounds including ones involving issues of law for the court to decide, see, e.g. United States v. Pardue, 983 F.2d 843, 847 (8th Cir.1993) (issue as to whether a defendant is entitled to a judgment of acquittal based on outrageous government conduct is "one of law for the court"). Where the Rule 29(c) motion rests in whole or in part on the sufficiency of the evidence, the evidence must be viewed "in the light most favorable to the government" (see Freter, 31 F.3d at 785), with circumstantial evidence and inferences drawn in support of the jury's verdict. See United States v. Lewis, 787 F.2d 1318, 1323 (9th Cir.1986).

    B. The CFAA

    In 2006, the CFAA (18 U.S.C. § 1030) provided in relevant part that:

    (a) Whoever—

    * * * *

    (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

    (B) information from any department or agency of the United States; or

    (C) information from any protected computer if the conduct involved an interstate or foreign communication;[11]

    * * * *

    shall be punished as provided in subsection (c) of this section.

    * * * *

    (c) The punishment for an offense under subsection (a) or (b) of this section is—

    * * * *

    (2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section or an attempt to commit an offense punishable under this subparagraph; ...

    (B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—

    (i) the offense was committed for purposes of commercial advantage or private financial gain;

    (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

    (iii) the value of the information obtained exceeds $5,000....

    As used in the CFAA, the term "computer" "includes any data storage facility or communication facility directly related to or operating in conjunction with such device...." 18 U.S.C. § 1030(e)(1). The term "protected computer" "means a computer—(A) exclusively for the use of a financial institution or the United States Government ...; or (B) which is used in interstate or foreign commerce or communication...." Id. § 1030(e)(2). The term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter ...." Id. § 1030(e)(6).

    In addition to providing criminal penalties for computer fraud and abuse, the CFAA also states that "[A]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. § 1030(g). Because of the availability of civil remedies, much of the law as to the meaning and scope of the [457] CFAA has been developed in the context of civil cases.

    IV. DISCUSSION

    A. The Misdemeanor 18 U.S.C. § 1030(a)(2)(C) Crime Based on Violation of a Website's Terms of Service

    During the relevant time period herein,[12] the misdemeanor 18 U.S.C. § 1030(a)(2)(C) crime consisted of the following three elements:

    First, the defendant intentionally [accessed without authorization] [exceeded authorized access of] a computer;

    Second, the defendant's access of the computer involved an interstate or foreign communication; and

    Third, by [accessing without authorization] [exceeding authorized access to] a computer, the defendant obtained information from a computer ... [used in interstate or foreign commerce or communication]....

    Ninth Circuit Model Criminal Jury Instruction 8.79 (2003 Ed.) (brackets in original).

    In this case, a central question is whether a computer user's intentional violation of one or more provisions in an Internet website's terms of services (where those terms condition access to and/or use of the website's services upon agreement to and compliance with the terms) satisfies the first element of section 1030(a)(2)(C). If the answer to that question is "yes," then seemingly, any and every conscious violation of that website's terms of service will constitute a CFAA misdemeanor.

    Initially, it is noted that the latter two elements of the section 1030(a)(2)(C) crime will always be met when an individual using a computer contacts or communicates with an Internet website. Addressing them in reverse order, the third element requires "obtain[ing] information" from a "protected computer"—which is defined in 18 U.S.C. § 1030(e)(2)(B) as a computer "which is used in interstate or foreign commerce or communication...." "Obtain [ing] information from a computer" has been described as " 'includ[ing] mere observation of the data. Actual aspiration ... need not be proved in order to establish a violation....' S.Rep. No. 99–432. at 6–7 (1986). reprinted at 1986 U.S.C.C.A.N. 2479, 2484." Comment, Ninth Circuit Model Criminal Instructions 8.77.[13] As for the "interstate or foreign commerce or communication" component, the Supreme Court in Reno v. American Civil Liberties Union, 521 U.S. 844, 849, 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997), observed that: "The Internet is an international network of interconnected computers." See also Brookfield Communications v. West Coast Entertainment Corp., 174 F.3d 1036, 1044 (9th Cir.1999) ("The Internet is a global network of interconnected computers which allows individuals and organizations around the world to communicate and to share information with one another."). The Ninth Circuit in United States v. Sutcliffe, 505 F.3d 944, 952 (9th Cir.2007), found the Internet to be "similar to—and often using—our national network of telephone lines." It went on to conclude that:

    We have previously agreed that "[i]t can not be questioned that the nation's vast network of telephone lines constitutes interstate commerce," United States v. Holder, 302 F.Supp. 296, 298 (D.Mont.1969)), aff'd and adopted, 427 F.2d 715 (9th Cir.1970) (per curiam), and, a fortiori, it seems clear that use of the internet is intimately related to interstate commerce. As we have noted, "[t]he Internet engenders a medium of communication that enables information to be quickly, conveniently, and inexpensively disseminated to hundreds of millions of individuals worldwide." United States v. Pirello, 255 F.3d 728 729 (9th Cir.2001). It is "comparable ... to both a vast library including millions of readily available and indexed publications and a sprawling mall offering goods and services," ACLU, 521 U.S. at 853, 117 S.Ct. 2329, and is "a valuable tool in today's commerce," Pirello, 255 F.3d at 730. We are therefore in agreement with the Eighth Circuit's conclusion that "[a]s both [458] the means to engage in commerce and the method by which transactions occur, the Internet is an instrumentality and channel of interstate commerce." United States v. Trotter, 478 F.3d 918, 921 (8th Cir.2007) (per curiam) (quoting United States v. MacEwan, 445 F.3d 237, 245 (3d Cir.2006)).

    Id. at 952–53. Thus, the third element is satisfied whenever a person using a computer contacts an Internet website and reads any response from that site.

    As to the second element (i.e., that the accessing of the computer involve an interstate or foreign communication),[14] an initial question arises as to whether the communication itself must be interstate or foreign (i.e., it is transmitted across state lines or country borders) or whether it simply requires that the computer system, which is accessed for purposes of the communication, is interstate or foreign in nature (for example, akin to a national telephone system).[15] The term "interstate or foreign communication" is not defined in the CFAA. However, as observed in Patrick Patterson Custom Homes, Inc. v. Bach, 586 F.Supp.2d 1026, 1033 (N.D.Ill.2008), "[t]he plain language of section 1030(a)(2)(C) requires that the conduct of unlawfully accessing a computer, and not the obtained information, must involve an interstate or foreign communication." See also Charles Schwab & Co. Inc. v. Carter, 2005 WL 2369815 at *8, 2005 U.S. Dist. LEXIS 21348 at *26 (N.D.Ill.2005). It has been held that "[a]s a practical matter, a computer providing a 'web-based' application accessible through the internet would satisfy the 'interstate communication' requirement." Paradigm Alliance, Inc. v. Celeritas Technologies, LLC, 248 F.R.D. 598, 602 (D.Kan.2008); see also Patrick Patterson Custom Homes, 586 F.Supp.2d at 1033–34; Modis, Inc. v. Bardelli, 531 F.Supp.2d 314, 318–19 (D.Conn.2008); Charles Schwab & Co., 2005 WL 2369815 at *8, 2005 U.S. Dist. LEXIS 21348 at *26–27. This interpretation is consistent with the legislative history of the CFAA.[16] Therefore, where contact is made between an individual's computer and an Internet website, the second element is per se established.

    As to the first element (i.e. intentionally accessing a computer without authorization or exceeding authorized access), the primary question here is whether any conscious violation of an Internet website's terms of service will cause an individual's contact with the website via computer to become "intentionally access[ing] ... without authorization" or "exceeding authorization." Initially, it is noted that three of the key terms of the first element (i.e., "intentionally," "access a computer," and "without authorization") are undefined, and there is a considerable amount of controversy as to the meaning of the latter two phrases. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n. 10 (1st Cir.2001) ("Congress did not define the phrase 'without authorization,' perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive."); Southwest Airlines Co. v. BoardFirst, [459] L.L.C., 2007 WL 4823761 at *12–13, 2007 U.S. Dist. LEXIS 96230 at *36 (N.D.Tex.2007) ( "BoardFirst ") ("The CFAA does not define the term 'access'."); Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U.L.Rev. 1596, 1619–21 (2003) ("Kerr, Cybercrime's Scope "); Mark A. Lemley, Place and Cyberspace, 91 Cal. L.Rev. 521, 528–29 (2003); Dan Hunter, Cyberspace as Place and the Tragedy of the Digital Anticommons, 91 Cal. L.Rev. 439, 477 (2003).

    While "intentionally" is undefined, the legislative history of the CFAA clearly evinces Congress's purpose in its choice of that word. Prior to 1986, 18 U.S.C. § 1030(a)(2) utilized the phrase "knowingly accesses." See United States Code 1982 Ed. Supp. III at 16–17. In the 1986 amendments to the statute, the word "intentionally" was substituted for the word "knowingly." See 18 U.S.C.A. § 1030 "Historical and Statutory Notes" at 450 (West 2000). In Senate Report No. 99–432 at 5–6, reprinted at 1986 U.S.C.C.A.N. 2479, 2483–84, it was stated that:

    Section 2(a)(1) amends 18 U.S.C. 1030(a)(2) to change the scienter requirement from "knowingly" to "intentionally," for two reasons. First, intentional acts of unauthorized access—rather than mistaken, inadvertent, or careless ones—are precisely what the Committee intends to proscribe. Second, the Committee is concerned that the "knowingly" standard in the existing statute might be inappropriate for cases involving computer technology.... The substitution of an "intentional" standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another. Again, this will comport with the Senate Report on the Criminal Code, which states that " 'intentional' means more than that one voluntarily engaged in conduct or caused a result. Such conduct or the causing of the result must have been the person's conscious objective." [Footnote omitted.]

    Under § 1030(a)(2)(C), the "requisite intent" is "to obtain unauthorized access of a protected computer." United States v. Willis, 476 F.3d 1121, 1125 (10th Cir.2007) ("The government need not also prove that ... the information was used to any particular ends."); see also S.Rep. No.104–357, at 7–8 ("[T]he crux of the offense under subsection 1030(a)(2)(C) ... is abuse of a computer to obtain the information.").

    As to the term "accesses a computer," one would think that the dictionary definition of verb transitive "access" would be sufficient. That definition is "to gain or have access to; to retrieve data from, or add data to, a database...." Webster's New World Dictionary, Third College Edition, 7 (1988) (henceforth "Webster's New World Dictionary "). Most courts that have actually considered the issue of the meaning of the word "access" in the CFAA have basically turned to the dictionary meaning. See e.g. BoardFirst, 2007 WL 4823761 at *12–13, 2007 U.S. Dist. LEXIS 96230 at *36; Role Models Am., Inc. v. Jones, 305 F.Supp.2d 564, 566–67 (D.Md.2004); Am. Online, Inc. v. Nat'l Health Care Discount, Inc., 121 F.Supp.2d 1255, 1272–73 (N.D.Iowa 2000). However, academic commentators have generally argued for a different interpretation of the word. For example, as stated in Patricia L. Bellia, Defending Cyberproperty, 79 N.Y.U.L.Rev. 2164, 2253–54 (2004):

    We can posit two possible readings of the term "access." First, it is possible to adopt a broad reading, under which "access" means any interaction between two computers. In other words, "accessing" a computer simply means transmitting electronic signals to a computer that the computer processes in some way. A narrower understanding of "access" would focus not merely on the successful exchange of electronic signals, but rather on conduct by which one is in a position to obtain privileges or information not available to the general public. The choice between these two meanings of 'access' obviously affects what qualifies as unauthorized conduct. If we adopt the broader reading of access, and any successful interaction between computers qualifies, then breach of policies or contractual terms purporting to outline permissible uses of a system can constitute unauthorized access to the system. Under the narrower reading of access, however, [460] only breach of a code-based restriction on the system would qualify.

    Professor Bellia goes on to conclude that "[c]ourts would better serve both the statutory intent of the CFAA and public policy by limiting its application to unwanted uses only in connection with code-based controls on access." Id. at 2258. But see Kerr, Cybercrime's Scope, 78 N.Y.U.L.Rev. at 1619–21, 1643, and 1646–48 (arguing for a "broad construction of access .... as any successful interaction with the computer"). It is simply noted that, while defining "access" in terms of a code-based restriction might arguably be a preferable approach, no case has adopted it[17] and the CFAA legislative history does not support it.

    As to the term "without authorization," the courts that have considered the phrase have taken a number of different approaches in their analysis. See generally Kerr, Cybercrime's Scope. 78 N.Y.U.L.Rev. at 1628–40. Those approaches are usually based upon analogizing the concept of "without authorization" as to computers to a more familiar and mundane predicate presented in or suggested by the specific factual situation at hand. See e.g. United States v. Phillips, 477 F.3d 215, 219 (5th Cir.), cert. denied, 552 U.S. 820, 128 S.Ct. 119, 169 L.Ed.2d 27 (2007), ("Courts have therefore typically analyzed the scope of a user's authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user."). Thus, for example, where a case arises in the context of employee misconduct, some courts have treated the issue as falling within an agency theory of authorization. See, e.g., International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124–25 (W.D.Wash.2000). Likewise, the Ninth Circuit (in dealing with the issue of purported consent to access emails pursuant to a subpoena obtained in bad faith in the context of the Stored Communications Act, 18 U.S.C. § 2701 et seq., and the CFAA) applied the law of trespass to determine whether a subpoenaed party had effectively authorized the defendants' access. See Theofel v. Farey–Jones, 359 F.3d 1066, 1072–75, 1078 (9th Cir.2004). Further, where the relationship between the parties is contractual in nature or resembles such a relationship, access has been held to be unauthorized where there has been an ostensible breach of contract. See e.g., EF Cultural Travel BV, 274 F.3d at 583–84; Phillips, 477 F.3d at 221 ("[c]ourts have recognized that authorized access typically arises only out of a contractual or agency relationship."). But see Brett Senior & Associates v. Fitzgerald, 2007 WL 2043377 at *4, 2007 U.S. Dist. LEXIS 50833 at *13–14 (E.D.Pa.2007) (observing—in the context of an employee's breach of a confidentiality agreement when he copied information from his firm's computer files to give to his new employer: "It is unlikely that Congress, given its concern 'about the appropriate scope of Federal jurisdiction' in the area of computer crime, intended essentially to criminalize state-law breaches of contract.").

    Within the breach of contract approach, most courts that have considered the issue have held that a conscious violation of a website's terms of service/use will render the access unauthorized and/or cause it to exceed authorization. See, e.g., Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435, 439–40 (N.D.Tex.2004); Nat'l Health Care Disc., Inc., 174 F.Supp.2d at 899; Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238, 247–51 (S.D.N.Y.2000), aff'd, 356 F.3d 393 (2d Cir.2004); Am. Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450 (E.D.Va.1998); see also EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62–63 (1st Cir.2003)("A lack of authorization could be established by an explicit statement on the website restricting access.... [W]e think that the public website provider can easily spell out explicitly what is forbidden...."). But see BoardFirst, 2007 WL 4823761 at *13–14, 2007 U.S. Dist. LEXIS 96230 at *40 (noting that the above cases and their particular application of the law "have received their share of criticism from commentators" [461] ). The court in BoardFirst further stated:

    [It] is at least arguable here that BoardFirst's access of the Southwest website is not at odds with the site's intended function; after all, the site is designed to allow users to obtain boarding passes for Southwest flights via the computer. In no sense can BoardFirst be considered an "outside hacker[ ] who break[s] into a computer" given that southwest.com is a publicly available website that anyone can access and use. True, the Terms posted on southwest.com do not give sanction to the particular manner in which BoardFirst uses the site—to check in Southwest customers for financial gain. But then again § 1030(a)(2)(C) does not forbid theuse of a protected computer for any prohibited purpose; instead it prohibits one from intentionally accessing a computer "without authorization". As previously explained, the term "access", while not defined by the CFAA, ordinarily means the "freedom or ability to ... make use of" something. Here BoardFirst or any other computer user obviously has the ability to make use of southwest.com given the fact that it is a publicly available website the access to which is not protected by any sort of code or password. Cf. Am. Online, 121 F.Supp.2d at 1273 (remarking that it is unclear whether an AOL member's violation of the AOL membership agreement results in "unauthorized access").[18]

    Id. at 2007 WL 4823761 at *14–15, 2007 U.S. Dist. LEXIS 96230 at 43–44 (emphasis in original).

    In this particular case, as conceded by the Government,[19] the only basis for finding that Drew intentionally accessed MySpace's computer/servers without authorization and/or in excess of authorization was her and/or her co-conspirator's violations of the MSTOS by deliberately creating the false Josh Evans profile, posting a photograph of a juvenile without his permission and pretending to be a sixteen year old O'Fallon resident for the purpose of communicating with Megan. Therefore, if conscious violations of the My Space terms of service were not sufficient to satisfy the first element of the CFAA misdemeanor violation as per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(b)(2)(A), Drew's Rule 29(c) motion would have to be granted on that basis alone. However, this Court concludes that an intentional breach of the MSTOS can potentially constitute accessing the MySpace computer/server without authorization and/or in excess of authorization under the statute.

    There is nothing in the way that the undefined words "authorization" and "authorized" are used in the CFAA (or from the CFAA's legislative history[20]) which indicates that Congress intended for them to have specialized meanings.[21] As delineated in Webster's New World Dictionary at 92, to "authorize" ordinarily means "to give official approval to or permission for...."

    It cannot be considered a stretch of the law to hold that the owner of an Internet website has the right to establish the extent to (and the conditions under) which members of the public will be allowed access to information, services and/or applications which are available on the website. See generally Phillips, 477 F.3d at 219–21; EF Cultural Travel BV, 318 F.3d at 62; Register.com, Inc., 126 F.Supp.2d at 245–46; CompuServe Inc. v. Cyber Promotions, Inc., 962 F.Supp. 1015, 1023–24 (S.D.Ohio 1997). Nor can it be doubted that the owner can relay and impose [462] those limitations/restrictions/conditions by means of written notice such as terms of service or use provisions placed on the home page of the website. See EF Cultural Travel BV, 318 F.3d at 62–63. While issues might be raised in particular cases as to the sufficiency of the notice and/or sufficiency of the user's assent to the terms, see generally Specht v. Netscape Communications Corp., 306 F.3d 17, 30–35 (2d Cir.2002); BoardFirst, 2007 WL 4823761 at *3–7, 2007 U.S. Dist. LEXIS 96230 at *11–21, and while public policy considerations might in turn limit enforcement of particular restrictions, see EF Cultural Travel BV. 318 F.3d at 62, the vast majority of the courts (that have considered the issue) have held that a website's terms of service/use can define what is (and/or is not) authorized access vis-a-vis that website.

    Here, the MSTOS defined "services" as including "the MySpace.com Website ..., the MySpace.com instant messenger, and any other connection with the Website...." See Exhibit 3 at 1. It further notified the public that the MSTOS "sets forth the legally binding terms for your use of the services." Id. Visitors and members were informed that "you are only authorized to use the Services ... if you agree to abide by all applicable laws and to this Agreement." Id. Moreover, to become a MySpace member and thereby be allowed to communicate with other members and fully utilize the MySpace Services, one had to click on a box to confirm that the user had agreed to the MySpace Terms of Service. Id.; see also Exhibit 1 at 2. Clearly, the MSTOS was capable of defining the scope of authorized access of visitors, members and/or users to the website.[22]

    B. Contravention of the Void–for–Vagueness Doctrine

    1. Applicable Law

    Justice Holmes observed that, as to criminal statutes, there is a "fair warning" requirement. As he stated inMcBoyle v. United States, 283 U.S. 25, 27, 51 S.Ct. 340, 75 L.Ed. 816 (1931):

    Although it is not likely that a criminal will carefully consider the text of the law before he murders or steals, it is reasonable that a fair warning should be given to the world in language that the common world will understand, of what the law intends to do if a certain line is passed. [463] To make the warning fair, so far as possible the line should be clear.

    As further elaborated by the Supreme Court in United States v. Lanier, 520 U.S. 259, 266, 117 S.Ct. 1219, 137 L.Ed.2d 432 (1997):

    There are three related manifestations of the fair warning requirement. First, the vagueness doctrine bars enforcement of "a statute which either forbids or requires the doing of an act in terms so vague that men of common intelligence must necessarily guess at its meaning and differ as to its application." Connally v. General Constr. Co., 269 U.S. 385, 391, 46 S.Ct. 126, 70 L.Ed. 322 (1926).... Second, as a sort of "Junior version of the vagueness doctrine," H. Packer, The Limits of the Criminal Sanction 95 (1968), the canon of strict construction of criminal statutes, or rule of lenity, ensures fair warning by so resolving ambiguity in a criminal statute as to apply it only to conduct clearly covered.... Third, although clarity at the requisite level may be supplied by judicial gloss on an otherwise uncertain statute, ... due process bars courts from applying a novel construction of a criminal statute to conduct that neither the statute nor any prior judicial decision has fairly disclosed to be within its scope In each of these guises, the touchstone is whether the statute, either standing alone or as construed, made it reasonably clear at the relevant time that the defendant's conduct was criminal. [Citations omitted.]

    The void-for-vagueness doctrine has two prongs: 1) a definitional/notice sufficiency requirement and, more importantly, 2) a guideline setting element to govern law enforcement. In Kolender v. Lawson, 461 U.S. 352, 357–58, 103 S.Ct. 1855, 75 L.Ed.2d 903 (1983), the Court explained that:

    As generally stated, the void-for-vagueness doctrine requires that a penal statute define the criminal offense with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement.... Although the doctrine focuses both on actual notice to citizens and arbitrary enforcement, we have recognized recently that the more important aspect of the vagueness doctrine "is not actual notice, but the other principal element of the doctrine—the requirement that a legislature establish minimal guidelines to govern law enforcement." Smith [v. Goguen], 415 U.S. 566,] 574, 94 S.Ct. 1242 [1974]. Where the legislature fails to provide such minimal guidelines, a criminal statute may permit "a standardless sweep [that] allows policemen, prosecutors, and juries to pursue their personal predilections."Id. at 575, 94 S.Ct. 1242. [Footnote and citations omitted.]

    To avoid contraving the void-for-vagueness doctrine, the criminal statute must contain "relatively clear guidelines as to prohibited conduct" and provide "objective criteria" to evaluate whether a crime has been committed. Gonzales v. Carhart, 550 U.S. 124, 149, 127 S.Ct. 1610, 167 L.Ed.2d 480 (2007) (quoting Posters 'N' Things, Ltd. v. United States, 511 U.S. 513, 525–26, 114 S.Ct. 1747, 128 L.Ed.2d 539 (1994)). As stated in Connally v. General Construction Co., 269 U.S. 385, 391–92, 46 S.Ct. 126, 70 L.Ed. 322 (1926):

    The question whether given legislative enactments have been thus wanting in certainty has frequently been before this court. In some of the cases the statutes involved were upheld; in others, declared invalid. The precise point of differentiation in some instances is not easy of statement. But it will be enough for present purposes to say generally that the decisions of the court upholding statutes as sufficiently certain, rested upon the conclusion that they employed words or phrases having a technical or other special meaning, well enough known to enable those within their reach to correctly apply them, ... or a well-settled common law meaning, notwithstanding an element of degree in the definition as to which estimates might differ, ... or, as broadly stated ... in United States v. L Cohen Grocery Co., 255 U.S. 81, 92, 41 S.Ct. 298, 65 L.Ed. 516 (1921), "that, for reasons found to result either from the text of the statutes involved or the subjects with which they dealt, a standard of some sort was afforded." [Citations omitted.]

    However, a "difficulty in determining whether certain marginal offenses are within the meaning of the language under attack as [464]vague does not automatically render a statute unconstitutional for indefiniteness.... Impossible standards of specificity are not required." Jordan v. De George, 341 U.S. 223, 231, 71 S.Ct. 703, 95 L.Ed. 886 (1951) (citation and footnote omitted). "What renders a statute vague is not the possibility that it will sometimes be difficult to determine whether the incriminating fact it establishes has been proved; but rather the indeterminacy of precisely what that fact is." United States v. Williams, 553 U.S. 285, 128 S.Ct. 1830, 1846, 170 L.Ed.2d 650 (2008). In this regard, the Supreme Court "has made clear that scienter requirements alleviate vagueness concerns." Gonzales, 550 U.S. at 149, 127 S.Ct. 1610; see also Colautti v. Franklin, 439 U.S. 379, 395, 99 S.Ct. 675, 58 L.Ed.2d 596 (1979) ("This Court has long recognized that the constitutionality of a vague statutory standard is closely related to whether that standard incorporates a requirement of mens rea ").

    "It is well established that vagueness challenges to statutes which do not involve First Amendment freedoms must be examined in the light of the facts of the case at hand." United States v. Mazurie, 419 U.S. 544, 550, 95 S.Ct. 710, 42 L.Ed.2d 706 (1975); United States v. Purdy, 264 F.3d 809, 811 (9th Cir.2001). "Whether a statute is ... unconstitutionally vague is a question of law...." United States v. Ninety–Five Firearms, 28 F.3d 940, 941 (9th Cir.1994).

    2. Definitional/Actual Notice Deficiencies

    The pivotal issue herein is whether basing a CFAA misdemeanor violation as per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website's terms of service runs afoul of the void-for-vagueness doctrine. This Court concludes that it does primarily because of the absence of minimal guidelines to govern law enforcement, but also because of actual notice deficiencies.

    As discussed in Section IV(A) above, terms of service which are incorporated into a browsewrap or clickwrap agreement can, like any other type of contract, define the limits of authorized access as to a website and its concomitant computer/server(s). However, the question is whether individuals of "common intelligence" are on notice that a breach of a terms of service contract can become a crime under the CFAA. Arguably, they are not.

    First, an initial inquiry is whether the statute, as it is written, provides sufficient notice. Here, the language of section 1030(a)(2)(C)does not explicitly state (nor does it implicitly suggest) that the CFAA has "criminalized breaches of contract" in the context of website terms of service. Normally, breaches of contract are not the subject of criminal prosecution. See generally United States v. Handakas, 286 F.3d 92, 107 (2d Cir.2002). overruled on other grounds in United States v. Rybicki, 354 F.3d 124, 144 (2d Cir.2003)(en banc). Thus, while "ordinary people" might expect to be exposed to civil liabilities for violating a contractual provision, they would not expect criminal penalties.[23]Id. This would especially be the case where the services provided by MySpace are in essence offered at no cost to the users and, hence, there is no specter of the users "defrauding" MySpace in any monetary sense.[24]

    Second, if a website's terms of service controls what is "authorized" and what is "exceeding authorization"—which in turn governs whether an individual's accessing information or services on the website is criminal or not, section 1030(a)(2)(C) would be unacceptably vague because it is unclear whether any or all violations of terms of service will render the access unauthorized, or whether only certain ones will. For example, in the present case, MySpace's terms of service prohibits a member from engaging in a multitude of activities on the website, including such conduct as "criminal or tortious [465] activity," "gambling," "advertising to ... any Member to buy or sell any products," "transmit[ting] any chain letters," "covering or obscuring the banner advertisements on your personal profile page," "disclosing your password to any third party," etc. See Exhibit 3 at 5. The MSTOS does not specify which precise terms of service, when breached, will result in a termination of MySpace's authorization for the visitor/member to access the website. If any violation of any term of service is held to make the access unauthorized, that strategy would probably resolve this particular vagueness issue; but it would, in turn, render the statute incredibly overbroad and contravene the second prong of the void-for-vagueness doctrine as to setting guidelines to govern law enforcement.[25]

    Third, by utilizing violations of the terms of service as the basis for the section 1030(a)(2)(C) crime, that approach makes the website owner-in essence-the party who ultimately defines the criminal conduct. This will lead to further vagueness problems. The owner's description of a term of service might itself be so vague as to make the visitor or member reasonably unsure of what the term of service covers. For example, the MSTOS prohibits members from posting in "band and filmmaker profiles ... sexually suggestive imagery or any other unfair ... [c]ontent intended to draw traffic to the profile." Exhibit 3 at 4. It is unclear what "sexually suggestive imagery" and "unfair content"[26] mean. Moreover, website owners can establish terms where either the scope or the application of the provision are to be decided by them ad hoc and/or pursuant to undelineated standards. For example, the MSTOS provides that what constitutes "prohibited content" on the website is determined "in the sole discretion of MySpace.com...." Id. Additionally, terms of service may allow the website owner to unilaterally amend and/or add to the terms with minimal notice to users. See, e.g., id. at 1.

    Fourth, because terms of service are essentially a contractual means for setting the scope of authorized access, a level of indefiniteness arises from the necessary application of contract law in general and/or other contractual requirements within the applicable terms of service to any criminal prosecution. For example, the MSTOS has a provision wherein "any dispute" between MySpace and a visitor/member/user arising out of the terms of service is subject to arbitration upon the demand of either party. Before a breach of a term of service can be found and/or the effect of that breach upon MySpace's ability to terminate the visitor/member/user's access to the site can be determined, the issue would be subject to arbitration.[27] Thus, a question arises as to whether a finding of unauthorized access or in excess of authorized access can be made without arbitration.

    Furthermore, under California law,[28] a material breach of the MSTOS by a user/member does not automatically discharge the contract, but merely "excuses the injured party's performance, and gives him or her the election [466] of certain remedies." 1 Witkin,Summary of California Law (Tenth Ed.): Contracts § 853 at 940 (2008). Those remedies include rescission and restitution, damages, specific performance, injunction, declaratory relief, etc. Id. The contract can also specify particular remedies and consequences in the event of a breach which are in addition to or a substitution for those otherwise afforded by law. Id. at § 855 at 942. The MSTOS does provide that: "MySpace.com reserves the right, in its sole discretion ... to restrict, suspend, or terminate your access to all or part of the services at any time, for any or no reason, with or without prior notice, and without liability." Exhibit 3 at 2. However, there is no provision which expressly states that a breach of the MSTOS automatically results in the termination of authorization to access the website. Indeed, the MSTOS cryptically states: "you are only authorized to use the Services ... if you agree to abide by all applicable laws and to this Agreement." Id. at 1 (emphasis added).

    3. The Absence of Minimal Guidelines to Govern Law Enforcement

    Treating a violation of a website's terms of service, without more, to be sufficient to constitute "intentionally access[ing] a computer without authorization or exceed[ing] authorized access" would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals. As noted in Section IV(A) above, utilizing a computer to contact an Internet website by itself will automatically satisfy all remaining elements of the misdemeanor crime in 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A). Where the website's terms of use only authorizes utilization of its services/applications upon agreement to abide by those terms (as, for example, the MSTOS does herein), any violation of any such provision can serve as a basis for finding access unauthorized and/or in excess of authorization.

    One need only look to the MSTOS terms of service to see the expansive and elaborate scope of such provisions whose breach engenders the potential for criminal prosecution. Obvious examples of such breadth would include: 1) the lonely-heart who submits intentionally inaccurate data about his or her age, height and/or physical appearance, which contravenes the MSTOS prohibition against providing "information that you know is false or misleading"; 2) the student who posts candid photographs of classmates without their permission, which breaches the MSTOS provision covering "a photograph of another person that you have posted without that person's consent"; and/or 3) the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter's girl scout cookies, which transgresses the MSTOS rule against "advertising to, or solicitation of, any Member to buy or sell any products or services through the Services." See Exhibit 3 at 4. However, one need not consider hypotheticals to demonstrate the problem. In this case, Megan (who was then 13 years old) had her own profile on MySpace, which was in clear violation of the MSTOS which requires that users be "14 years of age or older." Id. at 2. No one would seriously suggest that Megan's conduct was criminal or should be subject to criminal prosecution.

    Given the incredibly broad sweep of 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A), should conscious violations of a website's terms of service be deemed sufficient by themselves to constitute accessing without authorization or exceeding authorized access, the question arises as to whether Congress has "establish[ed] minimal guidelines to govern law enforcement." Kolender, 461 U.S. at 358, 103 S.Ct. 1855; see also City of Chicago v. Morales, 527 U.S. 41, 60, 119 S.Ct. 1849, 144 L.Ed.2d 67 (1999). Section 1030(a)(2)(C) does not set forth "clear guidelines" or "objective criteria" as to the prohibited conduct in the Internet/website or similar contexts. See generally Posters 'N' Things, Ltd., 511 U.S. at 525–26, 114 S.Ct. 1747. For instance, section 1030(a)(2)(C) is not limited to instances where the website owner contacts law enforcement to complain about an individual's unauthorized access or exceeding permitted access on the site.[29] Nor is there any [467] requirement that there be any actual loss or damage suffered by the website or that there be a violation of privacy interests.

    The Government argues that section 1030(a)(2)(C) has a scienter requirement which dispels any definitional vagueness and/or dearth of guidelines, citing to United States v. Sablan, 92 F.3d 865 (9th Cir.1996). The Court in Sablan did observe that:

    [T]he computer fraud statute does not criminalize otherwise innocent conduct. Under the statute, the Government must prove that the defendant intentionally accessed a federal interest computer without authorization. Thus, Sablan must have had a wrongful intent in accessing the computer in order to be convicted under the statute. This case does not present the prospect of a defendant being convicted without any wrongful intent as was the situation in [United States v.] X–Citement Video [513 U.S. 64, 71–73, 115 S.Ct. 464, 130 L.Ed.2d 372 (1994) ].

    Id. at 869. However, Sablan is easily distinguishable from the present case as it: 1) did not involve the defendant's accessing an Internet website;[30] 2) did not consider the void-for-vagueness doctrine but rather the mens rea requirement; and 3) dealt with a different CFAA subsection (i.e. 18 U.S.C. § 1030(a)(5)) and in a felony situation.

    The only scienter element in section 1030(a)(2)(C) is the requirement that the person must "intentionally" access a computer without authorization or "intentionally" exceed authorized access. It has been observed that the term "intentionally" itself can be vague in a particular statutory context. See, e.g., American Civil Liberties Union v. Gonzales, 478 F.Supp.2d 775, 816–17 (E.D.Pa.2007), aff'd, 534 F.3d 181, 205 (3rd Cir.2008) cert. denied, 555 U.S. 1137, 129 S.Ct. 1032, 173 L.Ed.2d 293 (2009).

    Here, the Government's position is that the "intentional" requirement is met simply by a conscious violation of a website's terms of service. The problem with that view is that it basically eliminates any limiting and/or guiding effect of the scienter element. It is unclear that every intentional breach of a website's terms of service would be or should be held to be equivalent to an intent to access the site without authorization or in excess of authorization. This is especially the case with MySpace and similar Internet venues which are publically available for access and use. See generally BoardFirst, 2007 WL 4823761 at *14–15, 2007 U.S. Dist. LEXIS 96230 at *43. However, if every such breach does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. Given the "standardless sweep" that results, federal law enforcement entities would be improperly free "to pursue their personal predilections."[31]Kolender, 461 U.S. at 358, 103 S.Ct. 1855 (citing Smith v. Goguen, 415 U.S. 566, 575, 94 S.Ct. 1242, 39 L.Ed.2d 605 (1974)).

    In sum, if any conscious breach of a website's terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law "that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet]." City of Chicago, 527 U.S. at 64, 119 S.Ct. 1849.

    [468] V. CONCLUSION

    For the reasons stated above, the Defendant's motion under F.R.Crim.P. 29(c) is GRANTED.

    [1] There is some disagreement as to whether the words "Internet" and "website" should be capitalized and whether the latter should be two words (i.e. "web site") or one. "Internet" is capitalized as that is how the word appears most often in Supreme Court opinions. See, e.g., Pac. Bell Tel. Co. v. Linkline Comms., Inc., 555 U.S. 438, 129 S.Ct. 1109, 1115, 172 L.Ed.2d 836 (2009).

    [2] While this case has been characterized as a prosecution based upon purported "cyberbulling," there is nothing in the legislative history of the CFAA which suggests that Congress ever envisioned such an application of the statute. See generally, A. Hugh Scott & Kathleen Shields, Computer and Intellectual Property Crime: Federal and State Law (2006 Cumulative Supplement) 4–8 to 4–16 (BNA Books 2006). As observed in Charles Doyle & Alyssa Weir, CRS Report for Congress–Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws (Order Code 97–1025) (Updated June 28, 2005):

    The federal computer fraud and abuse statute, 18 U.S.C. 1030, protects computers in which there is a federal interest—federal computers, bank computers, and computers used in interstate and foreign commerce. It shields them from trespassing, threats, damage, espionage, and from being corruptly used as instruments of fraud. It is not a comprehensive provision, instead it fills cracks and gaps in the protection afforded by other state and federal criminal laws.

    Moreover, once Drew was acquitted by the jury of unauthorized accessing of a protected computer in furtherance of the commission of acts of intentional infliction of emotional distress, this case was no longer about "cyberbulling" (if, indeed, it was ever properly characterized as such); but, rather, it concerned the proper scope of the application of the CFAA in the context of violations of a website's terms of service.

    [3] The elements of the tort of intentional infliction of emotional distress are the same under both Missouri and California state laws. Those elements are: (1)the defendant must act intentionally or recklessly; (2) the defendant's conduct must be extreme or outrageous; and (3) the conduct must be the cause (4) of extreme emotional distress. See, e.g.,Thomas v. Special Olympics Missouri, Inc., 31 S.W.3d 442, 446 (Mo.Ct.App.2000); Hailey v. California Physicians' Service, 158 Cal.App.4th 452, 473–74, 69 Cal.Rptr.3d 789 (2007).

    [4] As provided in F.R.Crim.P. 31(c)(1), a "defendant may be found guilty of ... an offense necessarily included in the offense charged...." A "lesser included" crime is one where "the elements of the lesser offense are a subset of the elements of the charged offense." Carter v. United States, 530 U.S. 255, 260, 120 S.Ct. 2159, 147 L.Ed.2d 203 (2000)(quoting Schmuck v. United States, 489 U.S. 705, 716, 109 S.Ct. 1443, 103 L.Ed.2d 734 (1989)). Because the felony CFAA crime in 18 U.S.C. § 1030(c)(2)(B)(ii) consists of committing acts which constitute a violation of the misdemeanor CFAA crime in 18 U.S.C. § 1030(a)(2)(C) (as delineated in 18 U.S.C. § 1030(c)(2)(A)) plus the additional element that the acts were done "in furtherance of any crime or tortious act in violation of the Constitution or laws of the United States or any State," the misdemeanor CFAA crime is a "lesser included" offense as to the felony CFAA violation.

    A defendant is entitled to a "lesser included" offense jury instruction if the evidence warrants it. Guam v. Fejeran, 687 F.2d 302, 305 (9th Cir.1982).

    [5] Specifically, the jury was instructed that:

    The crime of accessing a protected computer without authorization or in excess of authorization to obtain information, and to do so in furtherance of a tortious act in violation of the laws of any State, includes the lesser crime of accessing a protected computer without authorization or in excess of authorization. If (1) all of you are not convinced beyond a reasonable doubt that the defendant is guilty of accessing a protected computer without authorization or in excess of authorization to obtain information, and doing so in furtherance of a tortious act in violation of the laws of any State; and (2) all of you are convinced beyond a reasonable doubt that the defendant is guilty of the lesser crime of accessing a protected computer without authorization or in excess of authorization, you may find the defendant guilty of accessing a protected computer without authorization or in excess of authorization.

    See Jury Instruction No. 24, Doc. No. 107.

    [6] The conspiracy count was subsequently dismissed without prejudice at the request of the Government.

    [7] All exhibits referenced herein were proffered by the Government and admitted during the trial.

    [8] Certain websites endeavor to compel visitors to read their terms of service by requiring them to scroll down through such terms before being allowed to click on the sign-on box or by placing the box at the end of the "terms" section of the site. Id. at 93. MySpace did not have such provisions in 2006. Id. See generally Southwest Airlines, Co. v. BoardFirst, L.L.C., 2007 WL 4823761 at *4–5 n. 4, 2007 U.S. Dist. LEXIS 96230 at *13–16 n. 4 (N.D.Tex.2007)(discussing various methods that websites employ to notify users of terms of service).

    [9] As stated in the MSTOS:

    MySpace.com does not endorse and has no control over the Content. Content is not necessarily reviewed by MySpace.com prior to posting and does not necessarily reflect the opinions or policies of MySpace.com. MySpace.com makes no warranties, express or implied, as to the Content or to the accuracy and reliability of the Content or any material or information that you transmit to other Members.

    Exhibit 3 at 3.

    [10] Technically, as delineated in the MSTOS, Exhibit 3 at pages 2–3:

    By displaying or publishing ("posting") any Content, messages, text, files, images, photos, video, sounds, profiles, works or authorship, or any other materials (collectively, "Content") on or through the Services, you hereby grant to MySpace.com, a non-exclusive, fully-paid and royalty-free, worldwide license (with the right to sublicense through unlimited levels of sublicensees) to use, copy, modify, adapt, translate, publicly perform, publicly display, store, reproduce, transmit, and distribute such Content on and through the Services. This license will terminate at the time you remove such Content from the Services. Notwithstanding the foregoing, a back-up or residual copy of the Content posted by you may remain on the MySpace.com servers after you have removed the Content from the Services, and MySpace.com retains the rights to those copies.

    [11] On September 26, 2008, the Identity Theft Enforcement and Restitution Act of 2008 was passed which amended 18 U.S.C. § 1030(a)(2)(C) by inter alia striking the words "if the conduct involved an interstate or foreign communication" after "protected computer." See 110 P.L. 326, Title II, § 203, 112 Stat. 3560–65.

    [12] See footnote 11, supra.

    [13] As also stated in Senate Report No. 104–357, at 7 (1996), reprinted at 1996 WL 492169 (henceforth "S.Rep. No. 104–357"), "... the term 'obtaining information' includes merely reading it."

    [14] It is noted that, with the 2008 amendment to section 1030(a)(2)(C) which struck the provision that "the conduct involved an interstate or foreign communication" (see footnote 11, supra ), the second element is no longer a requirement for the CFAA 18 U.S.C. § 1030(a)(2)(C) crime, although the interstate/foreign nexus remains as part of the third element.

    [15] A resolution of that question would not effect Defendant's conviction here since the undisputed evidence at trial is that MySpace's server is connected to the Internet and the communications made by the alleged conspirators in O'Fallon, Missouri to Megan would automatically be routed to MySpace's server in Beverly Hills, California where it would be stored and thereafter sent to or retrieved by Megan in O'Fallon.

    [16] For example, as stated in S.Rep. No. 104–357, at 13:

    The bill would amend subsection 1030(e)(2) by replacing the term "Federal interest computer" with the new term "protected computer" and a new definition.... The new definition also replaces the current limitation in subsection 1030(e)(2)(B) of "Federal interest computer" being "one of two or more computers used in committing the offense, not all of which are located in the same State." Instead, "protected computer" would include computers "used in interstate or foreign commerce or communications." Thus, hackers who steal information or computer usage from computers in their own State would be subject to this law, under amended section 1030(a)(4), if the requisite damage threshold is met and the computer is used in interstate commerce or foreign commerce or communications.

    [17] But see BoardFirst, 2007 WL 4823761 at *14–15, 2007 U.S. Dist. LEXIS 96230 at *43–44 ("§ 1030(a)(2)(C)). However, the BoardFirst court did not adopt a "code-based" definition of "accessing without authorization" but requested further briefing on the issue.

    [18] Subsequently, the court in Am. Online did conclude that violating the website's terms of service would be sufficient to constitute "exceed[ing] authorized access." 174 F.Supp.2d at 899.

    [19] See Reporter's Transcript of July 2, 2009 Hearing at 3–4.

    [20] For example, when Congress added the term "exceeds authorized access" to the CFAA in 1986 and defined it as meaning "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter", it was observed that the definition (which includes the concept of accessing a computer with authorization) was "self-explanatory." See S.Rep. No. 99–432, at 13 (1986), reprinted at1986 U.S.C.C.A.N. 2479, 2491.

    [21] Commentators have criticized the legislatures' understandings of computers and the accessing of computers as "simplistic" and based upon the technology in existence in the 1970's and 1980's (e.g. pre-Internet) rather than upon what currently exists. See, e.g., Kerr, Cybercrime's Scope, 78 N.Y.U.L.Rev. at 1640–41.

    [22] MySpace utilizes what have become known as "browsewrap" and "clickwrap" agreements in regards to its terms of service. Browsewraps can take various forms but basically the website will contain a notice that—by merely using the services of, obtaining information from, or initiating applications within the website—the user is agreeing to and is bound by the site's terms of service. See Burcham v. Expedia, Inc., 2009 WL 586513 at *3 n. 5, 2009 U.S. Dist. LEXIS 17104 at *9–10 n. 5 (E.D.Mo.2009); BoardFirst, 2007 WL 4823761 at *4–5, 2007 U.S. Dist. LEXIS 96230 at *13–15; Ticketmaster Corp. v. Tickets.Com, Inc., 2003 WL 21406289 at *2, 2003 U.S. Dist. LEXIS 6483 at *9 (C.D.Cal.2003)("[A] contract can be formed by proceeding into the interior web pages after knowledge (or, in some cases presumptive knowledge) of the conditions accepted when doing so."); Specht v. Netscape Communications Corp., 150 F.Supp.2d 585, 594 (S.D.N.Y.2001), aff'd, 306 F.3d 17 (2d Cir.2002); Pollstar v. Gigmania, Ltd., 170 F.Supp.2d 974, 981 (E.D.Cal.2000). "Courts considering browsewrap agreements have held that 'the validity of a browsewrap license turns on whether a website user has actual or constructive knowledge of a site's terms and conditions prior to using the site.' " Burcham, 2009 WL 586513 at *3 n. 5, 2009 U.S. Dist. LEXIS 17104 at *9–10 n. 5, quoting BoardFirst, 2007 WL 4823761 at *4–5, 2007 U.S. Dist. LEXIS 96230 at *15–16.

    Clickwrap agreements require a user to affirmatively click a box on the website acknowledging awareness of and agreement to the terms of service before he or she is allowed to proceed with further utilization of the website. SeeSpecht, 306 F.3d at 22 n. 4; CoStar Realty Info., Inc. v. Field, 612 F.Supp.2d 660, 669 (D.Md.2009). Clickwrap agreements "have been routinely upheld by circuit and district courts." Burcham, 2009 WL 586513 at *2–3, 2009 U.S. Dist. LEXIS 17104 at *8; see also Specht, 306 F.3d at 22 n. 4; CoStar Realty Info., 612 F.Supp.2d at 669; DeJohn v. The .TV Corp. Int'l, 245 F.Supp.2d 913, 921 (N.D.Ill.2003).

    As a "visitor" to the MySpace website and being initially limited to the public areas of the site, one is bound by MySpace's browsewrap agreement. If one wishes further access into the site for purposes of creating a profile and contacting MySpace members (as Drew and the co-conspirators did), one would have to affirmatively acknowledge and assent to the terms of service by checking the designated box, thereby triggering the clickwrap agreement. As stated in the MSTOS, "This Agreement is accepted upon your use of the Website or any of the Services and is further affirmed by you becoming a Member." Exhibit 3 at 7; see generally. Doe v. MySpace. Inc., 474 F.Supp.2d 843, 846 (W.D.Tex.2007).

    [23] But see United States v. Sorich, 427 F.Supp.2d 820, 834 (N.D.Ill.2006), aff'd, 531 F.3d 501 (7th Cir.2008). cert. denied,555 U.S. 1204, 129 S.Ct. 1308, 173 L.Ed.2d 645 (2009) ("[S]imply because ... actions can be considered violations of the 'contract' ... does not mean that those same actions do not qualify as violations of [a criminal] statute.").

    [24] Also, it is noted here that virtually all of the decisions which have found a breach of a website's terms of service to be a sufficient basis to establish a section 1030(a)(2)(C) violation have been in civil actions, not criminal cases.

    [25] Another uncertainty is whether, once a user breaches a term of service, is every subsequent accessing of the website by him or her without authorization or in excess of authorization.

    [26] See Time Warner Entm't Co., L.P. v. FCC, 240 F.3d 1126, 1135 (D.C.Cir.2001) ("The word 'unfair' is of course extremely vague.").

    [27] An arbitration clause is considered to be "broad" when it contains language to the effect that arbitration is required for "any" claim or dispute which "arises out of" the agreement. Fleet Tire Service v. Oliver Rubber Co., 118 F.3d 619, 621 (8th Cir.1997); see also Schoenduve Corp. v. Lucent Technologies, Inc., 442 F.3d 727, 729 (9th Cir.2006). Where a broad arbitration clause is in effect, "even the question of whether the controversy relates to the agreement containing the clause is subject to arbitration." Fleet Tire Service, 118 F.3d at 621. Moreover, "[a]n agreement to arbitrate 'any dispute' without strong limiting or excepting language immediately following it logically includes not only the dispute, but the consequences naturally flowing from it...." Management & Tech. Consultants v. Parsons–Jurden, 820 F.2d 1531, 1534–35 (9th Cir.1987). Further, where the parties have agreed that an issue is to be resolved by way of arbitration, the matter must be decided by the arbitrator, and "a court is not to rule on the potential merits of the underlying claim[ ] .... indeed even if it appears to the court to be frivolous...." AT & T Technologies, Inc. v. Communications Workers of Am., 475 U.S. 643, 649–50, 106 S.Ct. 1415, 89 L.Ed.2d 648 (1986).

    [28] According to the MSTOS, "If there is any dispute about or involving the Services, you agree that the dispute shall be governed by the laws of the State of California without regard to conflict of law provisions...." Exhibit 3 at 7.

    [29] Here, the prosecution was not initiated based on a complaint or notification from MySpace to law enforcement officials.

    [30] In Sablan, the defendant was a bank employee who had been recently fired for circumventing its security procedures in retrieving files. Early one morning, she entered the closed bank through an unlocked door and, using an unreturned key, went to her former work site. Utilizing an old password, she logged onto the bank's mainframe where she called up several computer files. Although defendant denied any additional actions, the government charged her with changing certain files and deleting others. As a result of her conduct, several bank files were severely damaged. See 92 F.3d at 866.

    [31] In comparison, the felony violation of 18 U.S.C. § 1030(a)(2)(C) contains effective scienter elements because it not only requires the intentional accessing of a computer without authorization or in excess of authorization, but also the prerequisite that such access must be "in furtherance" of a crime or tortious act which, in turn, will normally contain additional scienter and/or wrongful intent conditions.

    8.3.2 U.S. v. Lowson, Oct. 12, 2010 (D.N.J.) 8.3.2 U.S. v. Lowson, Oct. 12, 2010 (D.N.J.)

    This is another case that considers breach of contract. Does it reach the right outcome?

    UNITED STATES of America

    v.

    Kenneth LOWSON, a/k/a “Money”, Kristofer Kirsch, a/k/a “Robert Woods”, Joel Stevenson and Faisal Nahdi, Defendants.

    United States District Court,

    D. New Jersey.

    Criminal No. 10–114 (KSH). | Oct. 12, 2010.

    Attorneys and Law Firms

    Josh Aaron Goldfoot, U.S. Department of Justice, Washington, DC, Erez Liebermann, Seth B. Kosto, Office of the U.S. Attorney, Newark, NJ, for Plaintiff.

    Mark A. Rush, K & L Gates, LLP, Pittsburg, PA, John Patrick McDonald, McDonald & Rogers, LLC, Somerville, NJ, John H. Yauch, Office of the Federal Public Defender, Newark, NJ, John A. Azzarello, Arseneault, Whipple, Fassett & Azzarello, LLP, Chatham, NJ, for Defendants.

     

    OPINION

    KATHARINE S. HAYDEN, District Judge.

     

    I. Introduction

    Defendants are charged with violations of the Computer Fraud and Abuse Act and the wire fraud statute arising from an alleged scheme to circumvent security measures put in place by Online Ticket Vendors (OTVs) in order to buy large blocks of tickets meant for the general public and then to re-sell those tickets at great profit on the secondary market. Defendants argue that their conduct is not criminal, and that in fact the government seeks to criminalize what otherwise would be a breach of contract action for violating the terms of service for ticket sales on OTVs’ websites. The defendants state, “This Indictment does not seek to punish computer fraud, it inappropriately tries to regulate the legal secondary market for event ticket sales through an overreaching prosecution.” (Moving Br. 5.) The government counters that this case is anything but novel, and that “[e]ach and every step of the way is [a] traditional fraud ... the same thing that we see in court every day.” (Oral argument transcript 17:7–11.) The defendants, according to the government, “lied about who they were. They lied about their business model. They lied when they impersonated thousands of individual ticket buyers. And they lied when they established thousands of false email addresses and domain names.” (Opp’n Br. 1.)

     

    The yawning gap between the government’s and the defendants’ positions is not lost on the Court, and it highlights and echoes tensions in other courts’ viewpoints on where the line falls between what is civilly actionable conduct, and what is criminal.

     

    Defendants now move to dismiss the Superseding Indictment (“the indictment”). For the reasons to be discussed, the Court denies the defendants’ motion.

     

     

    II. Legal Standard

    An indictment, if valid on its face and returned by a legally constituted and unbiased grand jury, “0 ‘is enough to call for trial of the charge on the merits.’ ” United States v. Vitillo, 490 F.3d 314, 320 (3d Cir.2007) (quoting Costello v. United States, 350 U.S. 359, 363, 76 S.Ct. 406, 100 L.Ed. 397 (1956)). “An indictment is generally deemed sufficient if it [ ](1) contains the elements of the offense intended to be charged, (2) sufficiently apprises the defendant of what he must be prepared to meet, and (3) allows the defendant to show with accuracy to what extent he may plead a former acquittal or conviction in the event of a subsequent prosecution.” Id. (quoting United States v. Rankin, 870 F.2d 109, 112 (3d Cir.1989)) (internal quotation marks omitted).

     

    Where an indictment is valid on its face, a motion to dismiss is appropriate only after the government has had an opportunity to present its proofs at trial. United States v. Forero, 623 F.Supp. 694, 699 (E.D.N.Y.1985). In other words, a motion to dismiss an indictment is not a vehicle for a summary trial on the evidence, United States v. Winer, 323 F.Supp. 604, 605 (C.D.Pa.1971), and any factual assertions related to a charge must be tested at trial. United States v. Bender, 2003 WL 282184 (S.D.N.Y.2003). Moreover, on occasion a defendant’s legal contentions may be so bound up with those facts that a court cannot grant a motion to dismiss. United States v. Shabbir, 64 F.Supp.2d 479, 481 (D.Md.1999).

     

     

    III. The Wire Fraud Counts

    Counts 27–36 and 37–43 of the indictment charge wire fraud by the use of CAPTCHA Challenges (counts 27–36) and e-mails (counts 37–43).

     

    To charge the crime of wire fraud sufficiently, the government must allege three elements of the offense: (1) the defendants’ “knowing and willful participation in a scheme or artifice to defraud, (2) with the specific intent to defraud, and (3) the use of the mails or interstate wire communications in furtherance of the scheme.” United States v. Al Hedaithy, 392 F.3d 580, 590 (3d Cir.2006); see also 18 U.S.C. § 1343 (2006). In addition, the object of the scheme must be a traditionally recognized property right. Al Hedaithy, 392 F.3d at 590.

     

    First, the government sufficiently alleges an extensive scheme in which Wiseguys knowingly and willfully engaged to defraud Ticketmaster. The indictment alleges that Wiseguys circumvented computer code and surreptitiously obtained and resold event tickets that online ticket vendors would not otherwise sell to them. According to the indictment, defendants wrote automated software to defeat the vendors’ security measures, including CAPTCHA, by opening thousands of connections and using CAPTCHA Bots to quickly solve CAPTCHA challenges. (Superseding Indict. Count 1, ¶¶ 7, 10) The defendants allegedly acquired source code the vendors used to protect their websites, created a database of CAPTCHA challenges and their answers, and tested means of navigating to ticket “Buy Pages” without having to answer CAPTCHA challenges at all. (Superseding Indict. Count 1, ¶¶ 9, 11, 12.) Wiseguys also allegedly used various means of deception, including mimicking the steps a human would take when answering CAPTCHA challenges (including making mistakes), using thousands of non-consecutive IP addresses to create the illusion that the addresses were not owned by a single company, using as many as 150 different credit cards to buy tickets, registering for fan clubs under fake names, creating a voicemail system with as many as 1,000 different telephone numbers, renting a mail drop in Las Vegas, renting real estate under an assumed name, and lying to lessors about the nature of their business. (Superseding Indict. Count 1, ¶¶ 14–16, 19, 20, 35–37 .)

     

    Second, the indictment sufficiently charges that Wiseguys had the specific intent to defraud the online ticket vendors. First, the alleged deceptive tactics in themselves suggest that the defendants knew what they were doing was wrong. Language in the indictment cites to the defendants’ correspondence with each other and with third parties to demonstrate intent to defraud. According to the indictment, the defendants talked about pursuing “non-human” means of buying tickets and finding backdoors at online ticket vendors’ websites. (Superseding Indict. Count 1, ¶ 43.) They are charged with discussing the use of “hacks” and breaking CAPTCHA challenges, ignoring Ticketmaster’s cease and desist requests, and using tactics like the voicemail system to divert Ticketmaster’s efforts to track them down. (Superseding Indict. Count 1, ¶¶ 44, 46.) The indictment also states that Wiseguys also told their employees to keep quiet about what the company did and discussed using “stealth protocol” to go undetected. (Superseding Indict. Count 1, ¶ 47.) Moreover, the indictment alleges that Wiseguys stated that after undermining Ticketmaster’s goodwill and position as an exclusive ticket distributor, it intended to become a vendor in the primary market for tickets and attract Ticketmaster’s customers by providing better protection against scalpers. (Superseding Indict. Count 1, ¶ 41–42.)

     

    Third, the indictment adequately charges that Wiseguys used interstate wire communications to further their scheme. To wit, counts 27–36 allege that Wiseguys’s responses to CAPTCHA challenges and automated ticket purchases generated by CAPTCHA Bots for ten sets of Bruce Springsteen tickets constitute the use of interstate wire communications. (Superseding Indict. Counts 27–36, ¶ 2.) Counts 37–43 allege that seven emails between the defendants and various individuals regarding Wiseguys’ business operations constitute the use of interstate wire communications. (Superseding Indict. Counts 37–43, ¶ 2.)

     

    Finally, the indictment charges that the object of Wiseguys’s scheme was to deprive the online ticket vendors of (1) their right to be the exclusive distributor of tickets, (2) their right to define the terms of sale for tickets by refusing to sell to people who use automated programs, and (3) the goodwill value of providing event tickets to the public. (Superseding Indict. Count 1, ¶ 2(c) .)

     

    This has led to one of the more hotly debated points in the defendants’ motion. While the government describes the online ticket vendors’ interests as valuable property rights and this case as a “classic wire fraud case” (Oral argument transcript 28:6–7), the defendants label the government’s theory as the tail wagging the dog of secondary-market regulation.

     

    The case law mirrors the opposing positions taken by the parties. While the property right at issue in a wire fraud indictment need not be a tangible one, United States v. Henry, 29 F.3d 112, 115 (3d Cir.1994), the defendants cite to several cases that they claim stand for the proposition that the particular intangible rights asserted by the government in this case are not property rights for purposes of the wire fraud statute. For instance, in Henry, the Third Circuit held that competing banks’ right to a fair bidding opportunity to be the depository for toll bridge revenues was not a property right. Id. In United States v. Bruchhausen, the Ninth Circuit held that a manufacturer’s interest in the post-sale destination of its products did not constitute a property right under the wire fraud statute, 977 F.2d 464, 467–68 (9th Cir.1992), and in United States v. Alkaabi, the Third Circuit held that a testing service’s interest in maintaining the integrity of its testing process did not constitute a property right. 223 F.Supp.2d 583, 590 (D.N.J.2002).

     

    On the other hand, the government points out that a hallmark of a property right is exclusivity, United States v. Carpenter, 484 U.S. 19, 26, 108 S.Ct. 316, 98 L.Ed.2d 275 (1987), and the property right asserted here is tied to the online ticket vendors’ interest in being the exclusive distributor of tickets for a given event. Further, in United States v. Al Hedaithy, the Third Circuit held that a testing service had a property right in controlling who could take its exam and receive a score report, 392 F.3d 580, 603 (2004), and in United States v. Alsugair, the court held that a testing service had a property right in its goodwill. 256 F.Supp.2d 306, 316 (D.N.J.2003).

     

    At the motion to dismiss stage, it would be premature for this Court affirmatively to cast its lot with one theory over the other, especially given the broad range of factual situations reflected in the cases cited in the parties’ briefs, which are more numerous than those discussed here. For one thing, a court’s analysis of a motion to dismiss an indictment must not be converted into a summary trial on the evidence. United States v. Delle Donna, 552 F.Supp.2d 475, 482 (D.N.J.2008) (“ ‘[A]t this stage of the proceedings the indictment must be tested by its sufficiency to charge an offense’ rather than by whether the ‘charges have been established by the evidence.’ ” (quoting United States v. Sampson, 371 U.S. 75, 76, 78–79, 83 S.Ct. 173, 9 L.Ed.2d 136 (1962))); United States v. Miller, 694 F.Supp.2d 1259, 1267 (M.D.Ala.2010) (court could not decide, on motion to dismiss indictment, whether defendant was a “sex offender” within the meaning of a statute because such decision would require the court to look beyond the face of the indictment and rule on the merits). It suffices now to determine whether the government has charged a required element of wire fraud, and it has. Whether the government’s theory is correct is properly decided after it has offered its proofs. The Court’s direct response to the defendants’ strenuous arguments about property rights is simply that, the legal determination of whether the online ticket vendors’ interests alleged constitute property rights under the wire fraud statute is so bound up with the facts of the case that a decision at this stage is premature. See United States v. Shabbir, 64 F.Supp.2d 479, 480 (D.Md.1999); United States v. Nanz, 471 F.Supp. 968, 972 (D.Wis.1979) (“Trial of the merits of [the] charges would not only be of assistance, but would be indispensable to the proper resolution of the motion.”). It is worth noting that most of the cases cited by both the government and the defense were decided on appeal from a conviction, and one was actually a civil case decided at the summary judgment stage. Here, the alleged facts have not been developed enough for the Court to determine how the online ticket vendors conduct their businesses so as to make a considered judgment about the nature of the property rights they allegedly possessed. On its face, however, the indictment sufficiently specifies property rights that Wiseguys allegedly targeted, such that it must survive the defendant’s motion to dismiss.

     

     

    IV. The CFAA Counts:

    1. Counts 2 through 10: Obtaining Information from a Protected Computer, 18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)

    Counts 2 through 10 of the indictment charge that defendants Lowson, Kirsch and Stevenson knowingly and intentionally accessed computers without authorization and exceeded authorized access, and using an interstate communication, obtained information from protected computers used in and affecting interstate and foreign commerce and communication, for the purpose of commercial gain. In so doing, the Indictment charges a crime under CFAA § 1030(a)(2) (C), which prohibits intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining information from any protected computer.

     

    The crimes charged under the CFAA—including the two additional CFAA violations alleged in counts 11 to 26—center on the defendants’ alleged unauthorized access of Ticketmaster’s computer network. Throughout their briefs and at oral argument, both the government and the defendants have fiercely contested what constitutes “unauthorized access” for the purpose of a prosecution under the CFAA. The central and recurring question is whether the scheme and conduct alleged here is merely an egregious breach of contract based on violations of the terms of service on Ticketmaster’s website, or something criminal. Defendants assert that the indictment “unambiguously depend[s] upon alleged breaches of contract to establish criminal liability.” (Def. Reply Br. 5.) The government insists that defendants’ conduct amounted to a crime.

     

    The Court is satisfied that the indictment sufficiently alleges the elements of unauthorized access and exceeding authorized access under the CFAA, and sufficiently alleges conduct demonstrating defendants’ knowledge and intent to gain unauthorized access.

     

    The indictment alleges a number of actions taken by defendants to defeat code-based security restrictions on Ticketmaster’s websites. (Although the government’s briefs speak of unauthorized access of the websites of Online Ticket Vendors in general, the indictment’s CFAA charges in counts 2 through 26 reference only the network belonging to Ticketmaster.) A non-exhaustive list of the steps defendants allegedly took to defeat Ticketmaster’s code-based security measures includes: circumventing Proof of Work protections; writing automated software to defeat CAPTCHA (itself an extensive process which allegedly involved opening thousands of connections at once and using CAPTCHA Bots to respond to CAPTCHA challenges in fractions of a second); employing optical character recognition to defeat CAPTCHA challenges; testing the vulnerability of security encryption to get directly to “Buy Pages”; and implementing “hacks” and using “backdoors” to enable automated programs to purchase tickets. The defendants also allegedly disregarded cease-and-desist letters and hired programmers, including “contract hackers,” to defeat difficult security restrictions. (See Superseding Indict. Count 1 ¶¶ 35–40.)

     

    The indictment also sufficiently pleads the other elements of obtaining information from a protected computer under § 1030. The protected computers referenced in the statute are described in the indictment as Ticketmaster’s network, which is used in interstate commerce and communication. The elements of commercial advantage and private financial gain are pleaded as 10 separate purchases of tickets for resale to concerts and sports events in 2006 and 2007. (Superseding Indict. Counts 2 through 10 ¶ 2.) Finally, the indictment alleges that the “information” obtained by defendants from Ticketmaster’s website was a seat-map “built” by CAPTCHA Bots “to seize a number of prize seats,” which Wiseguys employees then would “cull through” in order to select and purchase the best ones. (Superseding Indict. Count 1 ¶¶ 22–25.)

     

    The Court notes and must take seriously the arguments advanced by the defendants, as well as those made by Amici, regarding whether the unauthorized access alleged here amounts to contract-based violations of Ticketmaster’s terms of service that are actionable under civil laws. The Court is aware, for example, that the investigation of Wiseguys, and ultimately these defendants, began after a civil case was successfully prosecuted by Ticketmaster. See Ticketmaster LLC v. RMG Technologies, 507 F.Supp.2d 1096 (C.D.Cal.2007). Courts have differed over what constitutes unauthorized access under the CFAA and where the line falls between a civil and criminal violation of the statute. Defendants point to United States v. Drew, in which a district court dismissed the indictment against a defendant who had been found guilty of a misdemeanor violation of the CFAA for unauthorized access based solely on the defendant’s “conscious breach of a website’s terms of service.” United States v. Drew, 259 F.R.D. 449, 467 (C.D.Cal.2009). To hold otherwise, the Drew court stated, would be to transform § 1030(a)(2)(C) into a law that violates the void for vagueness doctrine by affording “too much discretion to the police and too little notice to citizens who wish to use the [Internet].” Id. at 467 (quoting City of Chicago v. Morales, 527 U.S. 41, 64, 119 S.Ct. 1849, 144 L.Ed.2d 67 (1999)). Defendants here go further and argue that, under the government’s theory, a teenager hypothetically could be prosecuted under the CFAA for violating the age requirement restrictions in the terms of service when using a search engine like Google.

     

    But, as the government goes to pains to stress, and as the indictment makes clear, the unauthorized access charges at the heart of this indictment involve allegations of breaches of both contract-and code-based restrictions. In Drew, the conduct charged did not involve allegations of circumvention of code-based restrictions. And significantly, the Drew court’s decision to dismiss the indictment came after trial, which allowed for the full presentation of all the government’s proofs and a development of the factual record in what admittedly is a technology-intensive and unsettled area of the law. This Court is satisfied that a full presentation of the government’s proofs is required to determine if the defendants’ arguments ring true that the “code-based restrictions ... are red herrings ... [and] are inextricably intertwined with the vendors’ terms of use.” (Def. Reply 3.) For now, the indictment sufficiently alleges conduct supporting the government’s theory of distinct code-and contract-based violations, and the government is entitled to the opportunity to fully offer its evidence, subject to cross-examination, as to why the conduct at issue here is criminal. In this case, the facts and the law are so closely related that further development of the record will shed light on crucial questions, such as what exactly the defendants did, how the alleged code-based restrictions worked, and whether the defeat of CAPTCHA challenges and circumvention of Ticketmaster’s security measures is indeed distinct conduct from the terms of service violations described in Drew. It is only at that point that the Court can examine and rule on the defense theory that the CFAA and wire fraud counts are inextricably entwined, and so if the CFAA counts fall, so must the wire fraud counts.

     

    Defendants also make a vagueness challenge. But as the Supreme Court has noted, “vagueness challenges to statutes which do not involve First Amendment freedoms must be examined in light of the facts of the case at hand.” Drew at 464 (citing United States v. Mazurie, 419 U.S. 544, 550, 95 S.Ct. 710, 42 L.Ed.2d 706 (1975)). Here, the factual record before the Court remains undeveloped.

     

    In addition, defendants argue that the indictment fails to identify the “information” that defendants “obtained” under counts 2 through 10. They contend that the only things they obtained were tickets, that the “information” at issue was publicly available to “every other member of the public that uses the online vendors’ public websites” (Def.Br.17), and that “[c]omprehensive seating information was available from numerous other sources.” (Def. Reply 10.) In effect, defendants argue, the government seeks to criminalize obtaining publicly available “information” and, in the process, the government will increase “exponentially” the universe of federal crimes. (Def. Moving Br. 18.) The government, however, argues that the information obtained included a detailed map of “available premium seats for each Event” that was unavailable to individual users and “confidential in the aggregate.” (Opp’n Br. 30–32.) These clashing characterizations of what exactly defendants saw and whether it constituted “obtaining information” within the meaning of the CFAA highlights yet again the need for further factual development of the record. Applying the analysis that is proper at this stage, the Court finds that the indictment does allege sufficient facts to satisfy the element of obtaining information.

     

    2. Accessing a protected computer with intent to defraud, 18 U.S.C. §§ 1030(a)(4) and (c)(3)(A):

    Counts 11 through 20 of the indictment allege that defendants Lowson, Kirsch and Stevenson knowingly, and with intent to defraud, accessed Ticketmaster’s computer network and exceeded authorized access, and by doing so furthered the intended fraud and obtained things of value.

     

    The “things of value” obtained, according to the indictment, were tickets to a July 28, 2008 Bruce Springsteen concert at Giants Stadium. (Superseding Indict. Counts 11 through 20 ¶ 2.) The key contested areas in counts 11 through 20 are the issues of unauthorized access (discussed above in counts 2 through 10), and the element of “intent to defraud.”

     

    The “intent to defraud” is demonstrated in the indictment by the defendants’ alleged scheme to, among other things, pose as individual buyers and deceive Ticketmaster into selling tickets to defendants that Ticketmaster otherwise would not sell. (See e.g. Superseding Indict. Count 1 ¶¶ 14–21.)

     

    Defendants argue that the charged fraud and access violations are essentially one in the same (Def. Moving Br. 18), while the government contends that the unauthorized access and the fraud are alleged distinctly. According to the government, the unauthorized access consisted of circumventing code restrictions, defeating IP blocking and other conduct. The fraud, the government argues, consisted of the overall scheme to deprive Ticketmaster of its rights to exclusivity and to dictate terms of sale and also of its good will. (Opp’n 28–29.)

     

    The Court finds that the indictment sufficiently pleads facts demonstrating intent to defraud and that the government is entitled to fully present its evidence on this question.

     

    3. Transmitting a program that causes unauthorized damage, 18 U.S.C. § 1030(a)(5)(A)

    Counts 21 through 26 allege that defendants Lowson, Kirsch and Stevenson knowingly caused the transmission of programs, information, code, and commands, and as a result of such conduct, intentionally caused damage without authorization to protected computers, in and affecting interstate and foreign commerce and communication, thereby causing loss to one or more persons during a 1–year period aggregating at least $5,000 in value.

     

    The indictment pleads a knowledge element demonstrated by allegations that, among other things, defendants discussed and implemented means to purchase tickets automatically without responding to CAPTCHA challenges; to defeat CAPTCHA using optical character recognition; and to update their CAPTCHA answer base when they encountered new CAPTCHA challenges. The pleaded “transmission” involves defendants’ responses to CAPTCHA challenges and automated ticket purchase requests for six different concerts and other events. (Superseding Indict. Counts 21 through 26 ¶ 2.) The pleaded damage element of at least $5,000 involves defendants’ blocking out authorized, individual users from the website by using CAPTCHA Bots, which “seized” the best seats for events and made those seats unavailable for purchase or consideration until their release by a Wiseguys employee. (See Superseding Indict. Count 1 ¶¶ 2, 25, 56.)

     

    Defendants argue that the conduct at issue in the damage allegation essentially is identical to the conduct underlying the unauthorized access allegations, that the government again is seeking to “criminalize a breach of contract,” and that the indictment as a result contains no valid damage allegation. (Def. Reply 11.) While these arguments fit logically into the defendants’ overall argument that this is a civil and not a criminal matter, the Court is satisfied that, for the purposes of deciding the motion to dismiss, the indictment sufficiently pleads the damage element of counts 21 through 26.

     

     

    V. Conclusion

    This case poses a good example of the complexity of criminal prosecutions under statutes written specifically about, for, and as a result of the Internet—and more, insofar as the parties are wrestling with the always perplexing issue of what constitutes criminal fraud. The challenge is to harmonize the CFAA and the government’s charges of crime in the highly specialized marketplace the defendants operated in, with traditional and, indeed, sacrosanct tenets of the criminal law. The Court—and the parties as well—will be in a far better position to meet that challenge after the government presents its evidence. The motion to dismiss the Superseding Indictment is denied.

    8.3.3 U.S. v. Nosal 8.3.3 U.S. v. Nosal

    This case considers a critical question: what does it mean to exceed authorized access? In this case, the contractual terms were much more clear and were affirmatively agreed to. Should this change things?

    United States Court of Appeals for the Ninth Circuit
    676 F.3d 854
    No. 10-10038
    2012-04-10

    676 F.3d 854 (2012)

    UNITED STATES of America, Plaintiff-Appellant,
    v.
    David NOSAL, Defendant-Appellee.

    No. 10-10038.

    United States Court of Appeals, Ninth Circuit.

    Argued and Submitted December 15, 2011.
    Filed April 10, 2012.

    [855] Jenny C. Ellickson (argued), Lanny A. Breuer, Jaikumar Ramaswamy, Scott N. Schools, Kyle Francis Waldinger, United States Department of Justice, San Francisco, CA, for the plaintiff-appellant.

    Ted Sampsell Jones (argued), Dennis P. Riordan, Donald M. Horgan, Riordan & Horgan, San Francisco, CA, for the defendant-appellee.

    Kathryn M. Davis, Law Office of Kathryn M. Davis, Pasadena, CA, filed a brief on behalf of amicus curiae En Pointe Technologies, Inc., in support of the plaintiff-appellant.

    Geoffrey M. Howard, David B. Salmons, Bryan M. Killian, Bingham McCutchen, LLP, San Francisco, CA, filed a brief on behalf of amicus curiae Oracle America Inc., in support of the plaintiff-appellant.

    Kenneth M. Stern, Law Offices of Kenneth M. Stern, Woodland Hills, CA, filed a brief in support of the plaintiff-appellant.

    Marcia Hofmann, Electronic Frontier Foundation, San Francisco, CA, filed a brief on behalf of amicus curiae Electronic Frontier Foundation in support of the defendant-appellee.

    Before: ALEX KOZINSKI, Chief Judge, HARRY PREGERSON, BARRY G. SILVERMAN, M. MARGARET McKEOWN, KIM McLANE WARDLAW, RONALD M. GOULD, RICHARD A. PAEZ, RICHARD C. TALLMAN, RICHARD R. CLIFTON, JAY S. BYBEE and MARY H. MURGUIA, Circuit Judges.

    Opinion by Chief Judge KOZINSKI; Dissent by Judge SILVERMAN.

    [856] OPINION

    KOZINSKI, Chief Judge:

    Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

    FACTS

    David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information.[1] The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. The CFAA counts charged Nosal with violations of 18 U.S.C. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in "exceed[ing their] authorized access" with intent to defraud.

    Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access. The district court initially rejected Nosal's argument, holding that when a person accesses a computer "knowingly and with the intent to defraud... [it] renders the access unauthorized or in excess of authorization." Shortly afterwards, however, we decided LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009), which construed narrowly the phrases "without authorization" and "exceeds authorized access" in the CFAA. Nosal filed a motion for reconsideration and a second motion to dismiss.

    The district court reversed field and followed Brekka's guidance that "[t]here is simply no way to read [the definition of `exceeds authorized access'] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate," as "[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense." Accordingly, the district court dismissed counts 2 and 4-7 for failure to state an offense. The government appeals. We have jurisdiction over this interlocutory appeal. 18 U.S.C. § 3731; United States v. Russell, 804 F.2d 571, 573 (9th Cir.1986). We review de novo. United States v. Boren, 278 F.3d 911, 913 (9th Cir.2002).

    DISCUSSION

    The CFAA defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who's authorized to access only certain [857] data or files but accesses unauthorized data or files — what is colloquially known as "hacking." For example, assume an employee is permitted to access only product information on the company's computer but accesses customer data: He would "exceed[] authorized access" if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

    The government argues that the statutory text can support only the latter interpretation of "exceeds authorized access." In its opening brief, it focuses on the word "entitled" in the phrase an "accesser is not entitled so to obtain or alter." Id. § 1030(e)(6) (emphasis added). Pointing to one dictionary definition of "entitle" as "to furnish with a right," Webster's New Riverside University Dictionary 435, the government argues that Korn/Ferry's computer use policy gives employees certain rights, and when the employees violated that policy, they "exceed[ed] authorized access." But "entitled" in the statutory text refers to how an accesser "obtain[s] or alter[s]" the information, whereas the computer use policy uses "entitled" to limit how the information is used after it is obtained. This is a poor fit with the statutory language. An equally or more sensible reading of "entitled" is as a synonym for "authorized."[2] So read, "exceeds authorized access" would refer to data or files on a computer that one is not authorized to access.

    In its reply brief and at oral argument, the government focuses on the word "so" in the same phrase. See 18 U.S.C. § 1030(e)(6) ("accesser is not entitled so to obtain or alter" (emphasis added)). The government reads "so" to mean "in that manner," which it claims must refer to use restrictions. In the government's view, reading the definition narrowly would render "so" superfluous.

    The government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.[3] Under the presumption that Congress acts interstitially, we construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so. See Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) ("[U]nless Congress conveys its purpose clearly, it will not be deemed to have significantly changed the federal-state balance in the prosecution of crimes." (internal quotation marks omitted)).

    [858] In any event, the government's "so" argument doesn't work because the word has meaning even if it doesn't refer to use restrictions. Suppose an employer keeps certain information in a separate database that can be viewed on a computer screen, but not copied or downloaded. If an employee circumvents the security measures, copies the information to a thumb drive and walks out of the building with it in his pocket, he would then have obtained access to information in the computer that he is not "entitled so to obtain." Or, let's say an employee is given full access to the information, provided he logs in with his username and password. In an effort to cover his tracks, he uses another employee's login to copy information from the database. Once again, this would be an employee who is authorized to access the information but does so in a manner he was not authorized "so to obtain." Of course, this all assumes that "so" must have a substantive meaning to make sense of the statute. But Congress could just as well have included "so" as a connector or for emphasis.[4]

    While the CFAA is susceptible to the government's broad interpretation, we find Nosal's narrower one more plausible. Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, "[i]n intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system." S.Rep. No. 99-432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.). The government agrees that the CFAA was concerned with hacking, which is why it also prohibits accessing a computer "without authorization." According to the government, that prohibition applies to hackers, so the "exceeds authorized access" prohibition must apply to people who are authorized to use the computer, but do so for an unauthorized purpose. But it is possible to read both prohibitions as applying to hackers: "[W]ithout authorization" would apply to outside hackers (individuals who have no authorized access to the computer at all) and "exceeds authorized access" would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate.[5]

    [859] The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.

    The government argues that defendants here did have notice that their conduct was wrongful by the fraud and materiality requirements in subsection 1030(a)(4), which punishes whoever:

    knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

    18 U.S.C. § 1030(a)(4). But "exceeds authorized access" is used elsewhere in the CFAA as a basis for criminal culpability without intent to defraud. Subsection 1030(a)(2)(C) requires only that the person who "exceeds authorized access" have "obtain[ed]... information from any protected computer." Because "protected computer" is defined as a computer affected by or involved in interstate commerce — effectively all computers with Internet access — the government's interpretation of "exceeds authorized access" makes every violation of a private computer use policy a federal crime. See id. § 1030(e)(2)(B).

    The government argues that our ruling today would construe "exceeds authorized access" only in subsection 1030(a)(4), and we could give the phrase a narrower meaning when we construe other subsections. This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the "standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning." Powerex Corp. v. Reliant Energy Servs., Inc., 551 U.S. 224, 232, 127 S.Ct. 2411, 168 L.Ed.2d 112 (2007). The phrase appears five times in the first seven subsections of the statute, including subsection 1030(a)(2)(C). See 18 U.S.C. § 1030(a)(1), (2), (4) and (7). Giving a different interpretation to each is impossible because Congress provided a single definition of "exceeds authorized access" for all iterations of the statutory phrase. See id. § 1030(e)(6). Congress obviously meant "exceeds authorized access" to have the same meaning throughout section 1030. We must therefore consider how the interpretation we adopt will operate wherever in that section the phrase appears.

    In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government's proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.

    [860] Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it's unlikely that you'll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.[6] Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.[7]

    Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government's proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private polices that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a "nonbusiness purpose"? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?

    Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.

    The effect this broad construction of the CFAA has on workplace conduct pales by [861] comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, Blu-Ray player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody's Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT.com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.[8]

    For example, it's not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007 — March 1, 2012, § 2.3, http://www.google.com/intl/en/policies/terms/archive/20070416 ("You may not use the Services and may not accept the Terms if ... you are not of legal age to form a binding contract with Google....") (last visited Mar. 4, 2012).[9] Adopting the government's interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents — and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms ("You will not share your password, ... let anyone else access your account, or do anything else that might jeopardize the security of your account.") (last visited Mar. 4, 2012). Yet it's very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.

    Or consider the numerous dating websites whose terms of use prohibit inaccurate or misleading information. See, e.g., eHarmony Terms of Service § 2(I), http://www.eharmony.com/about/terms ("You will not provide inaccurate, misleading or false information to eHarmony or to any other user.") (last visited Mar. 4, 2012). Or eBay and Craigslist, where it's a violation of the terms of use to post items in an [862] inappropriate category. See, e.g., eBay User Agreement, http://pages.ebay.com/help/policies/user-agreement.html ("While using eBay sites, services and tools, you will not: post content or items in an inappropriate category or areas on our sites and services ....") (last visited Mar. 4, 2012). Under the government's proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist's policy, or describing yourself as "tall, dark and handsome," when you're actually short and homely, will earn you a handsome orange jumpsuit.

    Not only are the terms of service vague and generally unknown — unless you look real hard at the small print at the bottom of a webpage — but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms ("YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.") (last visited Mar. 4, 2012). Accordingly, behavior that wasn't criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.

    The government assures us that, whatever the scope of the CFAA, it won't prosecute minor violations. But we shouldn't have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, ___ U.S. ___, 130 S.Ct. 1577, 1591, 176 L.Ed.2d 435 (2010) ("We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly."). And it's not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17-year-old boy and cyber-bullied her daughter's classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace's terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D.Cal.2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

    In United States v. Kozminski, 487 U.S. 931, 108 S.Ct. 2751, 101 L.Ed.2d 788 (1988), the Supreme Court refused to adopt the government's broad interpretation of a statute because it would "criminalize a broad range of day-to-day activity." Id. at 949, 108 S.Ct. 2751. Applying the rule of lenity, the Court warned that the broader statutory interpretation would "delegate to prosecutors and juries the inherently legislative task of determining what type of ... activities are so morally reprehensible that they should be punished as crimes" and would "subject individuals to the risk of arbitrary or discriminatory prosecution and conviction." Id. By giving that much power to prosecutors, we're inviting discriminatory and arbitrary enforcement.

    We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir.2010); United States v. John, 597 F.3d 263 (5th Cir.2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute's unitary definition of "exceeds authorized access." They therefore failed to apply the long-standing principle that we must [863] construe ambiguous criminal statutes narrowly so as to avoid "making criminal law in Congress's stead." United States v. Santos, 553 U.S. 507, 514, 128 S.Ct. 2020, 170 L.Ed.2d 912 (2008).

    We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion. These courts recognize that the plain language of the CFAA "target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation." Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz.2008) (internal quotation marks omitted); see also Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 385 (S.D.N.Y.2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper `access' of computer information. It does not prohibit misuse or misappropriation."); Diamond Power Int'l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1343 (N.D.Ga.2007) ("[A] violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted."); Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 499 (D.Md. 2005) ("[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.").

    CONCLUSION

    We need not decide today whether Congress could base criminal liability on violations of a company or website's computer use restrictions. Instead, we hold that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires "penal laws ... to be construed strictly." United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95, 5 L.Ed. 37 (1820). "[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite." Jones, 529 U.S. at 858, 120 S.Ct. 1904 (internal quotation marks and citation omitted).

    The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. "[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity." United States v. Bass, 404 U.S. 336, 348, 92 S.Ct. 515, 30 L.Ed.2d 488 (1971). "If there is any doubt about whether Congress intended [the CFAA] to prohibit the conduct in which [Nosal] engaged, then `we must choose the interpretation least likely to impose penalties unintended by Congress.'" United States v. Cabaccang, 332 F.3d 622, 635 n. 22 (9th Cir.2003) (quoting United States v. Arzate-Nunez, 18 F.3d 730, 736 (9th Cir. 1994)).

    This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking — the circumvention of technological access barriers — not misappropriation of trade secrets — a subject Congress has dealt with elsewhere. See supra note 3. Therefore, we hold that [864] "exceeds authorized access" in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.

    Because Nosal's accomplices had permission to access the company database and obtain the information contained within, the government's charges fail to meet the element of "without authorization, or exceeds authorized access" under 18 U.S.C. § 1030(a)(4). Accordingly, we affirm the judgment of the district court dismissing counts 2 and 4-7 for failure to state an offense. The government may, of course, prosecute Nosal on the remaining counts of the indictment.

    AFFIRMED.

    SILVERMAN, Circuit Judge, with whom TALLMAN, Circuit Judge concurs, dissenting:

    This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts. The indictment here charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by an executive search firm that employed them; that they did so with the intent to defraud; and further, that they stole the victim's valuable proprietary information by means of that fraudulent conduct in order to profit from using it. In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.

    The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does.

    18 U.S.C. § 1030(a)(4) is quite clear. It states, in relevant part:

    (a) Whoever —

    (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ...

    shall be punished....

    Thus, it is perfectly clear that a person with both the requisite mens rea and the specific intent to defraud — but only such persons — can violate this subsection in one of two ways: first, by accessing a computer without authorization, or second, by exceeding authorized access. 18 U.S.C. § 1030(e)(6) defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

    "As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has `exceed[ed] authorized access.'" LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009).

    "[T]he definition of the term `exceeds authorized access' from § 1030(e)(6) implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer. The plain language of the statute therefore indicates that `authorization' depends on actions taken by the employer." Id. at 1135. [865] In Brekka, we explained that a person "exceeds authorized access" when that person has permission to access a computer but accesses information on the computer that the person is not entitled to access. Id. at 1133. In that case, an employee allegedly emailed an employer's proprietary documents to his personal computer to use in a competing business. Id. at 1134. We held that one does not exceed authorized access simply by "breach[ing] a state law duty of loyalty to an employer" and that, because the employee did not breach a contract with his employer, he could not be liable under the Computer Fraud and Abuse Act. Id. at 1135, 1135 n. 7.

    This is not an esoteric concept. A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself. A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled — he would "exceed his authority" — to take the vehicle to Mexico on a drug run. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. This is no doubt why the statute covers not only "unauthorized access," but also "exceed[ing] authorized access." The statute contemplates both means of committing the theft.

    The majority holds that a person "exceeds authorized access" only when that person has permission to access a computer generally, but is completely prohibited from accessing a different portion of the computer (or different information on the computer). The majority's interpretation conflicts with the plain language of the statute. Furthermore, none of the circuits that have analyzed the meaning of "exceeds authorized access" as used in the Computer Fraud and Abuse Act read the statute the way the majority does. Both the Fifth and Eleventh Circuits have explicitly held that employees who knowingly violate clear company computer restrictions agreements "exceed authorized access" under the CFAA.

    In United States v. John, 597 F.3d 263, 271-73 (5th Cir.2010), the Fifth Circuit held that an employee of Citigroup exceeded her authorized access in violation of § 1030(a)(2) when she accessed confidential customer information in violation of her employer's computer use restrictions and used that information to commit fraud. As the Fifth Circuit noted in John, "an employer may `authorize' employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer's business. An employee would `exceed[] authorized access' if he or she used that access to obtain or steal information as part of a criminal scheme." Id. at 271 (alteration in original). At the very least, when an employee "knows that the purpose for which she is accessing information in a computer is both in violation of an employer's policies and is part of[a criminally fraudulent] scheme, it would be `proper' to conclude that such conduct `exceeds authorized access.'" Id. at 273.

    Similarly, the Eleventh Circuit held in United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir.2010), that an employee of the Social Security Administration exceeded his authorized access under § 1030(a)(2) when he obtained personal information about former girlfriends and potential paramours and used that information to send the women flowers or to show up at their homes. The court rejected Rodriguez's argument that unlike the defendant in John, his use was "not criminal." The court held: "The problem with Rodriguez's argument is that his use of [866] information is irrelevant if he obtained the information without authorization or as a result of exceeding authorized access." Id.; see also EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir.2001) (holding that an employee likely exceeded his authorized access when he used that access to disclose information in violation of a confidentiality agreement).

    The Third Circuit has also implicitly adopted the Fifth and Eleventh circuit's reasoning. In United States v. Teague, 646 F.3d 1119, 1121-22 (8th Cir.2011), the court upheld a conviction under § 1030(a)(2) and (c)(2)(A) where an employee of a government contractor used his privileged access to a government database to obtain President Obama's private student loan records.

    The indictment here alleges that Nosal and his coconspirators knowingly exceeded the authority that they had to access their employer's computer, and that they did so with the intent to defraud and to steal trade secrets and proprietary information from the company's database for Nosal's competing business. It is alleged that at the time the employee coconspirators accessed the database they knew they only were allowed to use the database for a legitimate business purpose because the co-conspirators allegedly signed an agreement which restricted the use and disclosure of information on the database except for legitimate Korn/Ferry business. Moreover, it is alleged that before using a unique username and password to log on to the Korn/Ferry computer and database, the employees were notified that the information stored on those computers were the property of Korn/Ferry and that to access the information without relevant authority could lead to disciplinary action and criminal prosecution. Therefore, it is alleged, that when Nosal's co-conspirators accessed the database to obtain Korn/Ferry's secret source lists, names, and contact information with the intent to defraud Korn/Ferry by setting up a competing company to take business away using the stolen data, they "exceed[ed their] authorized access" to a computer with an intent to defraud Korn/Ferry and therefore violated 18 U.S.C. § 1030(a)(4). If true, these allegations adequately state a crime under a commonsense reading of this particular subsection.

    Furthermore, it does not advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA, such as subsection (a)(2)(C), which does not have the scienter or specific intent to defraud requirements that subsection (a)(4) has. Maldonado v. Morales, 556 F.3d 1037, 1044 (9th Cir.2009) ("The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases, but to adjudicate live cases or controversies.") (citation and internal quotation marks omitted). Other sections of the CFAA may or may not be unconstitutionally vague or pose other problems. We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals. I express no opinion on the validity or application of other subsections of 18 U.S.C. § 1030, other than § 1030(a)(4), and with all due respect, neither should the majority.

    The majority's opinion is driven out of a well meaning but ultimately misguided concern that if employment agreements or internet terms of service violations could subject someone to criminal liability, all internet users will suddenly become criminals overnight. I fail to see how anyone can seriously conclude that reading ESPN. com in contravention of office policy could come within the ambit of 18 U.S.C. § 1030(a)(4), a statute explicitly requiring an intent to defraud, the obtaining of [867] something of value by means of that fraud, while doing so "knowingly." And even if an imaginative judge can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, ... that is what an as-applied challenge is for. Meantime, back to this case, 18 U.S.C. § 1030(a)(4) clearly is aimed at, and limited to, knowing and intentional fraud. Because the indictment adequately states the elements of a valid crime, the district court erred in dismissing the charges.

    I respectfully dissent.

    [1] The opening screen of the database also included the warning: "This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only."

    [2] Fowler's offers these as usage examples: "Everyone is entitled to an opinion" and "We are entitled to make personal choices." "Fowler's Modern English Usage: Entitled," Answers.com, http://www.answers.com/topic/entitle (last visited Mar. 5, 2012).

    [3] Congress did just that in the federal trade secrets statute — 18 U.S.C. § 1832 — where it used the common law terms for misappropriation, including "with intent to convert," "steals," "appropriates" and "takes." See 18 U.S.C. § 1832(a). The government also charged Nosal with violating 18 U.S.C. § 1832, and those charges remain pending.

    [4] The government fails to acknowledge that its own construction of "exceeds authorized access" suffers from the same flaw of superfluity by rendering an entire element of subsection 1030(a)(4) meaningless. Subsection 1030(a)(4) requires a person to (1) knowingly and (2) with intent to defraud (3) access a protected computer (4) without authorization or exceeding authorized access (5) in order to further the intended fraud. See 18 U.S.C. § 1030(a)(4). Using a computer to defraud the company necessarily contravenes company policy. Therefore, if someone accesses a computer with intent to defraud — satisfying elements (2) and (3) — he would invariably satisfy (4) under the government's definition.

    [5] Although the legislative history of the CFAA discusses this anti-hacking purpose, and says nothing about exceeding authorized use of information, the government claims that the legislative history supports its interpretation. It points to an earlier version of the statute, which defined "exceeds authorized access" as "having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend." Pub. L. No. 99-474, § 2(c), 100 Stat. 1213 (1986). But that language was removed and replaced by the current phrase and definition. And Senators Mathias and Leahy — members of the Senate Judiciary Committee — explained that the purpose of replacing the original broader language was to "remove[] from the sweep of the statute one of the murkier grounds of liability, under which a[n] ... employee's access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances." S.Rep. No. 99-432, at 21, 1986 U.S.C.C.A.N. 2479 at 2494. Were there any need to rely on legislative history, it would seem to support Nosal's position rather than the government's.

    [6] Enforcement of the CFAA against minor workplace dalliances is not chimerical. Employers have invoked the CFAA against employees in civil cases. In a recent Florida case, after an employee sued her employer for wrongful termination, the company counterclaimed that plaintiff violated section 1030(a)(2)(C) by making personal use of the Internet at work — checking Facebook and sending personal email — in violation of company policy. See Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028 (M.D.Fla. May 6, 2011). The district court dismissed the counterclaim, but it could not have done so if "exceeds authorized access" included violations of private computer use policies.

    [7] This concern persists even if intent to defraud is required. Suppose an employee spends six hours tending his FarmVille stable on his work computer. The employee has full access to his computer and the Internet, but the company has a policy that work computers may be used only for business purposes. The employer should be able to fire the employee, but that's quite different from having him arrested as a federal criminal. Yet, under the government's construction of the statute, the employee "exceeds authorized access" by using the computer for non-work activities. Given that the employee deprives his company of six hours of work a day, an aggressive prosecutor might claim that he's defrauding the company, and thereby violating section 1030(a)(4).

    [8] See, e.g., Craigslist Terms of Use (http://www.craigslist.org/about/terms.of.use), eBay User Agreement (http://pages.ebay.com/help/policies/user-agreement.html?rt=nc), eHarmony Terms of Service (http://www.eharmony.com/about/terms), Facebook Statement of Rights and Responsibilities (http://www.facebook.com/#!/legal/terms), Google Terms of Service (http://www.google.com/intl/en/policies/terms/), Hulu Terms of Use (http://www.hulu.com/terms), IMDb Conditions of Use (http://www.imdb.com/help/show_article?conditions), JDate Terms and Conditions of Service (http://www.jdate.com/Applications/Article/ArticleView.aspx?CategoryID=1948&ArticleID;=6498&HideNav;=True#service), LinkedIn User Agreement (http://www.linkedin.com/static?key=user_agreement), Match.com Terms of Use Agreement (http://www.match.com/registration/membagr.aspx?lid=4), MySpace.com Terms of Use Agreement (http://www.myspace.com/Help/Terms?pm_cmp=ed_footer), Netflix Terms of Use (https://signup.netflix.com/TermsOfUse), Pandora Terms of Use (http://www.pandora.com/legal), Spotify Terms and Conditions of Use (http://www.spotify.com/us/legal/end-user-agreement/), Twitter Terms of Service (http://twitter.com/tos), Wikimedia Terms of Use (http://wikimediafoundation.org/wiki/Terms_of_use) and YouTube Terms of Service (http://www.youtube.com/t/terms).

    [9] A number of other well-known websites, including Netflix, eBay, Twitter and Amazon, have this age restriction.

    8.4 OIL Casebook: Digital Locks I 8.4 OIL Casebook: Digital Locks I

    8.4.1 Digital Millenium Copyright Act: 17 U.S. Code § 1201 - Circumvention of copyright protection systems 8.4.1 Digital Millenium Copyright Act: 17 U.S. Code § 1201 - Circumvention of copyright protection systems

    (a) Violations Regarding Circumvention of Technological Measures.—
    (1)
    (A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.
    (B) The prohibition contained in subparagraph (A) shall not apply to persons who are users of a copyrighted work which is in a particular class of works, if such persons are, or are likely to be in the succeeding 3-year period, adversely affected by virtue of such prohibition in their ability to make noninfringing uses of that particular class of works under this title, as determined under subparagraph (C).
    (C) During the 2-year period described in subparagraph (A), and during each succeeding 3-year period, the Librarian of Congress, upon the recommendation of the Register of Copyrights, who shall consult with the Assistant Secretary for Communications and Information of the Department of Commerce and report and comment on his or her views in making such recommendation, shall make the determination in a rulemaking proceeding for purposes of subparagraph (B) of whether persons who are users of a copyrighted work are, or are likely to be in the succeeding 3-year period, adversely affected by the prohibition under subparagraph (A) in their ability to make noninfringing uses under this title of a particular class of copyrighted works. In conducting such rulemaking, the Librarian shall examine—
    (i) the availability for use of copyrighted works;
    (ii) the availability for use of works for nonprofit archival, preservation, and educational purposes;
    (iii) the impact that the prohibition on the circumvention of technological measures applied to copyrighted works has on criticism, comment, news reporting, teaching, scholarship, or research;
    (iv) the effect of circumvention of technological measures on the market for or value of copyrighted works; and
    (v) such other factors as the Librarian considers appropriate.
    (D) The Librarian shall publish any class of copyrighted works for which the Librarian has determined, pursuant to the rulemaking conducted under subparagraph (C), that noninfringing uses by persons who are users of a copyrighted work are, or are likely to be, adversely affected, and the prohibition contained in subparagraph (A) shall not apply to such users with respect to such class of works for the ensuing 3-year period.
    (E) Neither the exception under subparagraph (B) from the applicability of the prohibition contained in subparagraph (A), nor any determination made in a rulemaking conducted under subparagraph (C), may be used as a defense in any action to enforce any provision of this title other than this paragraph.
    (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
    (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
    (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
    (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
    (3) As used in this subsection—
    (A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and
    (B) a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.
    (b) Additional Violations.—
    (1) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
    (A) is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof;
    (B) has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof; or
    (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof.
    (2) As used in this subsection—
    (A) to “circumvent protection afforded by a technological measure” means avoiding, bypassing, removing, deactivating, or otherwise impairing a technological measure; and
    (B) a technological measure “effectively protects a right of a copyright owner under this title” if the measure, in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner under this title.
    (c) Other Rights, Etc., Not Affected.—(1) Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title.
    (2) Nothing in this section shall enlarge or diminish vicarious or contributory liability for copyright infringement in connection with any technology, product, service, device, component, or part thereof.
    (3) Nothing in this section shall require that the design of, or design and selection of parts and components for, a consumer electronics, telecommunications, or computing product provide for a response to any particular technological measure, so long as such part or component, or the product in which such part or component is integrated, does not otherwise fall within the prohibitions of subsection (a)(2) or (b)(1).
    (4) Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products.
    (d) Exemption for Nonprofit Libraries, Archives, and Educational Institutions.—
    (1) A nonprofit library, archives, or educational institution which gains access to a commercially exploited copyrighted work solely in order to make a good faith determination of whether to acquire a copy of that work for the sole purpose of engaging in conduct permitted under this title shall not be in violation of subsection (a)(1)(A). A copy of a work to which access has been gained under this paragraph—
    (A) may not be retained longer than necessary to make such good faith determination; and
    (B) may not be used for any other purpose.
    (2) The exemption made available under paragraph (1) shall only apply with respect to a work when an identical copy of that work is not reasonably available in another form.
    (3) A nonprofit library, archives, or educational institution that willfully for the purpose of commercial advantage or financial gain violates paragraph (1)—
    (A) shall, for the first offense, be subject to the civil remedies under section 1203; and
    (B) shall, for repeated or subsequent offenses, in addition to the civil remedies under section 1203, forfeit the exemption provided under paragraph (1).
    (4) This subsection may not be used as a defense to a claim under subsection (a)(2) or (b), nor may this subsection permit a nonprofit library, archives, or educational institution to manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, component, or part thereof, which circumvents a technological measure.
    (5) In order for a library or archives to qualify for the exemption under this subsection, the collections of that library or archives shall be—
    (A) open to the public; or
    (B) available not only to researchers affiliated with the library or archives or with the institution of which it is a part, but also to other persons doing research in a specialized field.
    (e) Law Enforcement, Intelligence, and Other Government Activities.— This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term “information security” means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.
    (f) Reverse Engineering.—
    (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.
    (2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.
    (3) The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section.
    (4) For purposes of this subsection, the term “interoperability” means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.
    (g) Encryption Research.—
    (1) Definitions.— For purposes of this subsection—
    (A) the term “encryption research” means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and
    (B) the term “encryption technology” means the scrambling and descrambling of information using mathematical formulas or algorithms.
    (2) Permissible acts of encryption research.— Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if—
    (A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;
    (B) such act is necessary to conduct such encryption research;
    (C) the person made a good faith effort to obtain authorization before the circumvention; and
    (D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
    (3) Factors in determining exemption.— In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include—
    (A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
    (B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and
    (C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.
    (4) Use of technological means for research activities.— Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to—
    (A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and
    (B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2).
    (5) Report to congress.— Not later than 1 year after the date of the enactment of this chapter, the Register of Copyrights and the Assistant Secretary for Communications and Information of the Department of Commerce shall jointly report to the Congress on the effect this subsection has had on—
    (A) encryption research and the development of encryption technology;
    (B) the adequacy and effectiveness of technological measures designed to protect copyrighted works; and
    (C) protection of copyright owners against the unauthorized access to their encrypted copyrighted works.
    The report shall include legislative recommendations, if any.
    (h) Exceptions Regarding Minors.— In applying subsection (a) to a component or part, the court may consider the necessity for its intended and actual incorporation in a technology, product, service, or device, which—
    (1) does not itself violate the provisions of this title; and
    (2) has the sole purpose to prevent the access of minors to material on the Internet.
    (i) Protection of Personally Identifying Information.—
    (1) Circumvention permitted.— Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure that effectively controls access to a work protected under this title, if—
    (A) the technological measure, or the work it protects, contains the capability of collecting or disseminating personally identifying information reflecting the online activities of a natural person who seeks to gain access to the work protected;
    (B) in the normal course of its operation, the technological measure, or the work it protects, collects or disseminates personally identifying information about the person who seeks to gain access to the work protected, without providing conspicuous notice of such collection or dissemination to such person, and without providing such person with the capability to prevent or restrict such collection or dissemination;
    (C) the act of circumvention has the sole effect of identifying and disabling the capability described in subparagraph (A), and has no other effect on the ability of any person to gain access to any work; and
    (D) the act of circumvention is carried out solely for the purpose of preventing the collection or dissemination of personally identifying information about a natural person who seeks to gain access to the work protected, and is not in violation of any other law.
    (2) Inapplicability to certain technological measures.— This subsection does not apply to a technological measure, or a work it protects, that does not collect or disseminate personally identifying information and that is disclosed to a user as not having or using such capability.
    (j) Security Testing.—
    (1) Definition.— For purposes of this subsection, the term “security testing” means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.
    (2) Permissible acts of security testing.— Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
    (3) Factors in determining exemption.— In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include—
    (A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and
    (B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.
    (4) Use of technological means for security testing.— Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), [1] provided such technological means does not otherwise violate section  [2] (a)(2).
    (k) Certain Analog Devices and Certain Technological Measures.—
    (1) Certain analog devices.—
    (A) Effective 18 months after the date of the enactment of this chapter, no person shall manufacture, import, offer to the public, provide or otherwise traffic in any—
    (i) VHS format analog video cassette recorder unless such recorder conforms to the automatic gain control copy control technology;
    (ii) 8mm format analog video cassette camcorder unless such camcorder conforms to the automatic gain control technology;
    (iii) Beta format analog video cassette recorder, unless such recorder conforms to the automatic gain control copy control technology, except that this requirement shall not apply until there are 1,000 Beta format analog video cassette recorders sold in the United States in any one calendar year after the date of the enactment of this chapter;
    (iv) 8mm format analog video cassette recorder that is not an analog video cassette camcorder, unless such recorder conforms to the automatic gain control copy control technology, except that this requirement shall not apply until there are 20,000 such recorders sold in the United States in any one calendar year after the date of the enactment of this chapter; or
    (v) analog video cassette recorder that records using an NTSC format video input and that is not otherwise covered under clauses (i) through (iv), unless such device conforms to the automatic gain control copy control technology.
    (B) Effective on the date of the enactment of this chapter, no person shall manufacture, import, offer to the public, provide or otherwise traffic in—
    (i) any VHS format analog video cassette recorder or any 8mm format analog video cassette recorder if the design of the model of such recorder has been modified after such date of enactment so that a model of recorder that previously conformed to the automatic gain control copy control technology no longer conforms to such technology; or
    (ii) any VHS format analog video cassette recorder, or any 8mm format analog video cassette recorder that is not an 8mm analog video cassette camcorder, if the design of the model of such recorder has been modified after such date of enactment so that a model of recorder that previously conformed to the four-line colorstripe copy control technology no longer conforms to such technology.
    Manufacturers that have not previously manufactured or sold a VHS format analog video cassette recorder, or an 8mm format analog cassette recorder, shall be required to conform to the four-line colorstripe copy control technology in the initial model of any such recorder manufactured after the date of the enactment of this chapter, and thereafter to continue conforming to the four-line colorstripe copy control technology. For purposes of this subparagraph, an analog video cassette recorder “conforms to” the four-line colorstripe copy control technology if it records a signal that, when played back by the playback function of that recorder in the normal viewing mode, exhibits, on a reference display device, a display containing distracting visible lines through portions of the viewable picture.
    (2) Certain encoding restrictions.— No person shall apply the automatic gain control copy control technology or colorstripe copy control technology to prevent or limit consumer copying except such copying—
    (A) of a single transmission, or specified group of transmissions, of live events or of audiovisual works for which a member of the public has exercised choice in selecting the transmissions, including the content of the transmissions or the time of receipt of such transmissions, or both, and as to which such member is charged a separate fee for each such transmission or specified group of transmissions;
    (B) from a copy of a transmission of a live event or an audiovisual work if such transmission is provided by a channel or service where payment is made by a member of the public for such channel or service in the form of a subscription fee that entitles the member of the public to receive all of the programming contained in such channel or service;
    (C) from a physical medium containing one or more prerecorded audiovisual works; or
    (D) from a copy of a transmission described in subparagraph (A) or from a copy made from a physical medium described in subparagraph (C).
    In the event that a transmission meets both the conditions set forth in subparagraph (A) and those set forth in subparagraph (B), the transmission shall be treated as a transmission described in subparagraph (A).
    (3) Inapplicability.— This subsection shall not—
    (A) require any analog video cassette camcorder to conform to the automatic gain control copy control technology with respect to any video signal received through a camera lens;
    (B) apply to the manufacture, importation, offer for sale, provision of, or other trafficking in, any professional analog video cassette recorder; or
    (C) apply to the offer for sale or provision of, or other trafficking in, any previously owned analog video cassette recorder, if such recorder was legally manufactured and sold when new and not subsequently modified in violation of paragraph (1)(B).
    (4) Definitions.— For purposes of this subsection:
    (A) An “analog video cassette recorder” means a device that records, or a device that includes a function that records, on electromagnetic tape in an analog format the electronic impulses produced by the video and audio portions of a television program, motion picture, or other form of audiovisual work.
    (B) An “analog video cassette camcorder” means an analog video cassette recorder that contains a recording function that operates through a camera lens and through a video input that may be connected with a television or other video playback device.
    (C) An analog video cassette recorder “conforms” to the automatic gain control copy control technology if it—
    (i) detects one or more of the elements of such technology and does not record the motion picture or transmission protected by such technology; or
    (ii) records a signal that, when played back, exhibits a meaningfully distorted or degraded display.
    (D) The term “professional analog video cassette recorder” means an analog video cassette recorder that is designed, manufactured, marketed, and intended for use by a person who regularly employs such a device for a lawful business or industrial use, including making, performing, displaying, distributing, or transmitting copies of motion pictures on a commercial scale.
    (E) The terms “VHS format”, “8mm format”, “Beta format”, “automatic gain control copy control technology”, “colorstripe copy control technology”, “four-line version of the colorstripe copy control technology”, and “NTSC” have the meanings that are commonly understood in the consumer electronics and motion picture industries as of the date of the enactment of this chapter.
    (5) Violations.— Any violation of paragraph (1) of this subsection shall be treated as a violation of subsection (b)(1) of this section. Any violation of paragraph (2) of this subsection shall be deemed an “act of circumvention” for the purposes of section 1203(c)(3)(A) of this chapter.


    [1]  So in original. Probably should be subsection “(a)(2),”. 

    [2]  So in original. Probably should be “subsection”. 

    8.4.2 Universal City Studios, Inc. v. Reimerdes 8.4.2 Universal City Studios, Inc. v. Reimerdes

    United States District Court for the Southern District of New York
    111 F. Supp. 2d 294
    No. 00 Civ. 0277 (LAK)
    2000-08-17

    111 F.Supp.2d 294 (2000)

    UNIVERSAL CITY STUDIOS, INC., et al., Plaintiffs,
    v.
    Shawn C. REIMERDES, et al., Defendants.

    No. 00 Civ. 0277 (LAK).

    United States District Court, S.D. New York.

    August 17, 2000.
    As Amended September 6, 2000.

    [295] [296] [297] [298] [299] [300] [301] [302] Leon P. Gold, Jon A. Baumgarten, Charles S. Sims, Scott P. Cooper, William M. Hart, Michael M. Mervis, Carla M. Miller, Proskauer Rose LLP, New York City, for Plaintiffs.

    Martin Garbus, George E. Singleton, David Y. Atlas, Edward Hernstadt, Frankfurt, Garbus, Klein & Selz, P.C., New York City, for Defendants.

    OPINION

    KAPLAN, District Judge.

    Plaintiffs, eight major United States motion picture studios, distribute many of their copyrighted motion pictures for home use on digital versatile disks ("DVDs"), which contain copies of the motion pictures in digital form. They protect those motion pictures from copying by using an encryption system called CSS. CSS-protected motion pictures on DVDs may be viewed only on players and computer drives equipped with licensed technology that permits the devices to decrypt and play — but not to copy — the films.

    Late last year, computer hackers devised a computer program called DeCSS that circumvents the CSS protection system and allows CSS-protected motion pictures to be copied and played on devices that lack the licensed decryption technology. Defendants quickly posted DeCSS on their Internet web site, thus making it readily available to much of the world. Plaintiffs promptly brought this action under the Digital Millennium Copyright Act (the "DMCA")[1] to enjoin defendants from posting DeCSS and to prevent them from electronically "linking" their site to others that post DeCSS. Defendants responded with what they termed "electronic civil disobedience" — increasing their efforts to link their web site to a large number of [304] others that continue to make DeCSS available.

    Defendants contend that their actions do not violate the DMCA and, in any case, that the DMCA, as applied to computer programs, or code, violates the First Amendment.[2] This is the Court's decision after trial, and the decision may be summarized in a nutshell.

    Defendants argue first that the DMCA should not be construed to reach their conduct, principally because the DMCA, so applied, could prevent those who wish to gain access to technologically protected copyrighted works in order to make fair — that is, non-infringing — use of them from doing so. They argue that those who would make fair use of technologically protected copyrighted works need means, such as DeCSS, of circumventing access control measures not for piracy, but to make lawful use of those works.

    Technological access control measures have the capacity to prevent fair uses of copyrighted works as well as foul. Hence, there is a potential tension between the use of such access control measures and fair use. Defendants are not the first to recognize that possibility. As the DMCA made its way through the legislative process, Congress was preoccupied with precisely this issue. Proponents of strong restrictions on circumvention of access control measures argued that they were essential if copyright holders were to make their works available in digital form because digital works otherwise could be pirated too easily. Opponents contended that strong anti-circumvention measures would extend the copyright monopoly inappropriately and prevent many fair uses of copyrighted material.

    Congress struck a balance. The compromise it reached, depending upon future technological and commercial developments, may or may not prove ideal.[3] But the solution it enacted is clear. The potential tension to which defendants point does not absolve them of liability under the statute. There is no serious question that defendants' posting of DeCSS violates the DMCA.

    Defendants' constitutional argument ultimately rests on two propositions — that computer code, regardless of its function, is "speech" entitled to maximum constitutional protection and that computer code therefore essentially is exempt from regulation by government. But their argument is baseless.

    Computer code is expressive. To that extent, it is a matter of First Amendment concern. But computer code is not purely expressive any more than the assassination of a political figure is purely a political statement. Code causes computers to perform desired functions. Its expressive element no more immunizes its functional aspects from regulation than the expressive motives of an assassin immunize the assassin's action.

    In an era in which the transmission of computer viruses — which, like DeCSS, are simply computer code and thus to some degree expressive — can disable systems upon which the nation depends and in which other computer code also is capable of inflicting other harm, society must be able to regulate the use and dissemination [305] of code in appropriate circumstances. The Constitution, after all, is a framework for building a just and democratic society. It is not a suicide pact.

    I. The Genesis of the Controversy

    As this case involves computers and technology with which many are unfamiliar, it is useful to begin by defining some of the vocabulary.

    A. The Vocabulary of this Case

    1. Computers and Operating Systems

    A computer is "a digital information processing device .... consist[ing] of central processing components . . . and mass data storage .... certain peripheral input/output devices . . ., and an operating system." Personal computers ("PCs") are computers designed for use by one person at a time. "[M]ore powerful, more expensive computer systems known as `servers' . . . are designed to provide data, services, and functionality through a digital network to multiple users."[4]

    An operating system is "a software program that controls the allocation and use of computer resources (such as central processing unit time, main memory space, disk space, and input/output channels). The operating system also supports the functions of software programs, called `applications,' that perform specific user-oriented tasks.... Because it supports applications while interacting more closely with the PC system's hardware, the operating system is said to serve as a `platform.'"[5]

    Microsoft Windows ("Windows") is an operating system released by Microsoft Corp. It is the most widely used operating system for PCs in the United States, and its versions include Windows 95, Windows 98, Windows NT and Windows 2000.

    Linux, which was and continues to be developed through the open source model of software development,[6] also is an operating system.[7] It can be run on a PC as an alternative to Windows, although the extent to which it is so used is limited.[8] Linux is more widely used on servers.[9]

    2. Computer Code

    "[C]omputers come down to one basic premise: They operate with a series of on and off switches, using two digits in the binary (base 2) number system — 0 (for off) and 1 (for on)."[10] All data and instructions input to or contained in computers therefore must be reduced the numerals 1 and 0.[11]

    "The smallest unit of memory in a computer," a bit, "is a switch with a value of [306] 0(off) or 1(on)."[12] A group of eight bits is called a byte and represents a character — a letter or an integer.[13] A kilobyte ("K") is 1024 bytes, a megabyte ("MB") 1024 kilobytes, and a gigabyte ("GB") 1024 megabytes.[14]

    Some highly skilled human beings can reduce data and instructions to strings of 1's and 0's and thus program computers to perform complex tasks by inputting commands and data in that form.[15] But it would be inconvenient, inefficient and, for most people, probably impossible to do so. In consequence, computer science has developed programming languages. These languages, like other written languages, employ symbols and syntax to convey meaning. The text of programs written in these languages is referred to as source code.[16] And whether directly or through the medium of another program,[17] the sets of instructions written in programming languages — the source code — ultimately are translated into machine "readable" strings of 1's and 0's, known in the computer world as object code, which typically are executable by the computer.[18]

    The distinction between source and object code is not as crystal clear as first appears. Depending upon the programming language, source code may contain many 1's and 0's and look a lot like object code or may contain many instructions derived from spoken human language. Programming languages the source code for which approaches object code are referred to as low level source code while those that are more similar to spoken language are referred to as high level source code.

    All code is human readable. As source code is closer to human language than is object code, it tends to be comprehended more easily by humans than object code.

    3. The Internet and the World Wide Web

    The Internet is "a global electronic network, consisting of smaller, interconnected networks, which allows millions of computers to exchange information over telephone wires, dedicated data cables, and wireless links. The Internet links PCs by means of servers, which run specialized operating systems and applications designed for servicing a network environment."[19]

    Internet Relay Chat ("IRC") is a system that enables individuals connected to the Internet to participate in live typed discussions.[20] Participation in an IRC discussion requires an IRC software program, which sends messages via the Internet to the IRC server, which in turn broadcasts the messages to all participants. The IRC [307] system is capable of supporting many separate discussions at once.

    The World Wide Web (the "Web") is "a massive collection of digital information resources stored on servers throughout the Internet. These resources are typically provided in the form of hypertext documents, commonly referred to as `Web pages,' that may incorporate any combination of text, graphics, audio and video content, software programs, and other data. A user of a computer connected to the Internet can publish a page on the Web simply by copying it into a specially designated, publicly accessible directory on a Web server. Some Web resources are in the form of applications that provide functionality through a user's PC system but actually execute on a server."[21]

    A web site is "a collection of Web pages [published on the Web by an individual or organization] .... Most Web pages are in the form of `hypertext'; that is, they contain annotated references, or `hyperlinks,' to other Web pages. Hyperlinks can be used as cross-references within a single document, between documents on the same site, or between documents on different sites."[22]

    A home page is "one page on each Web site ... [that typically serves as] the first access point to the site. The home page is usually a hypertext document that presents an overview of the site and hyperlinks to the other pages comprising the site."[23]

    A Web client is "software that, when running on a computer connected to the Internet, sends information to and receives information from Web servers throughout the Internet. Web clients and servers transfer data using a standard known as the Hypertext Transfer Protocol (`HTTP'). A `Web browser' is a type of Web client that enables a user to select, retrieve, and perceive resources on the Web. In particular, Web browsers provide a way for a user to view hypertext documents and follow the hyperlinks that connect them, typically by moving the cursor over a link and depressing the mouse button."[24]

    4. Portable Storage Media

    Digital files may be stored on several different kinds of storage media, some of which are readily transportable. Perhaps the most familiar of these are so called floppy disks or "floppies," which now are 3½ inch magnetic disks upon which digital files may be recorded.[25] For present purposes, however, we are concerned principally with two more recent developments, CD-ROMs and digital versatile disks, or DVDs.

    A CD-ROM is a five-inch wide optical disk capable of storing approximately 650 MB of data. To read the data on a CD-ROM, a computer must have a CD-ROM drive.

    DVDs are five-inch wide disks capable of storing more than 4.7 GB of data. In the application relevant here, they are used to hold full-length motion pictures in digital form. They are the latest technology for private home viewing of recorded motion pictures and result in drastically improved audio and visual clarity and quality of motion pictures shown on televisions or computer screens.[26]

    [308] 5. The Technology Here at Issue

    CSS, or Content Scramble System, is an access control and copy prevention system for DVDs developed by the motion picture companies, including plaintiffs.[27] It is an encryption-based system that requires the use of appropriately configured hardware such as a DVD player or a computer DVD drive to decrypt, unscramble and play back, but not copy, motion pictures on DVDs.[28] The technology necessary to configure DVD players and drives to play CSS-protected DVDs[29] has been licensed to hundreds of manufacturers in the United States and around the world.

    DeCSS is a software utility, or computer program, that enables users to break the CSS copy protection system and hence to view DVDs on unlicensed players and make digital copies of DVD movies.[30] The quality of motion pictures decrypted by DeCSS is virtually identical to that of encrypted movies on DVD.[31]

    DivX is a compression program available for download over the Internet.[32] It compresses video files in order to minimize required storage space, often to facilitate transfer over The Internet or other networks.[33]

    B. Parties

    Plaintiffs are eight major motion picture studios. Each is in the business of producing and distributing copyrighted material including motion pictures. Each distributes, either directly or through affiliates, copyrighted motion pictures on DVDs.[34] Plaintiffs produce and distribute a large majority of the motion pictures on DVDs on the market today.[35]

    Defendant Eric Corley is viewed as a leader of the computer hacker community and goes by the name Emmanuel Goldstein, after the leader of the underground in George Orwell's classic, 1984.[36] He and his company, defendant 2600 Enterprises, Inc., together publish a magazine called 2600: The Hacker Quarterly, which Corley founded in 1984,[37] and which is something of a bible to the hacker community.[38] The name "2600" was derived from the fact that hackers in the 1960's found that the transmission of a 2600 hertz tone over a long distance trunk connection gained access to "operator mode" and allowed the user to explore aspects of the telephone system that were not otherwise accessible.[39] Mr. Corley chose the name because he regarded it as a "mystical thing,"[40] commemorating something that he evidently admired. Not surprisingly, 2600: The Hacker Quarterly has included articles on such topics as how to steal an Internet domain name,[41] access other people's e-mail,[42] intercept cellular phone calls,[43] and break into the computer systems [309] at Costco stores[44] and Federal Express.[45] One issue contains a guide to the federal criminal justice system for readers charged with computer hacking.[46] In addition, defendants operate a web site located at ("2600.com"), which is managed primarily by Mr. Corley and has been in existence since 1995.[47]

    Prior to January 2000, when this action was commenced, defendants posted the source and object code for DeCSS on the 2600.com web site, from which they could be downloaded easily.[48] At that time, 2600.com contained also a list of links to other web sites purporting to post DeCSS.[49]

    C. The Development of DVD and CSS

    The major motion picture studios typically distribute films in a sequence of so-called windows, each window referring to a separate channel of distribution and thus to a separate source of revenue. The first window generally is theatrical release, distribution, and exhibition. Subsequently, films are distributed to airlines and hotels, then to the home market, then to pay television, cable and, eventually, free television broadcast. The home market is important to plaintiffs, as it represents a significant source of revenue.[50]

    Motion pictures first were, and still are, distributed to the home market in the form of video cassette tapes. In the early 1990's, however, the major movie studios began to explore distribution to the home market in digital format, which offered substantially higher audio and visual quality and greater longevity than video cassette tapes.[51] This technology, which in 1995 became what is known today as DVD,[52] brought with it a new problem — increased risk of piracy by virtue of the fact that digital files, unlike the material on video cassettes, can be copied without degradation from generation to generation.[53] In consequence, the movie studios became concerned as the product neared market with the threat of DVD piracy.[54]

    Discussions among the studios with the goal of organizing a unified response to the piracy threat began in earnest in late 1995 or early 1996.[55] They eventually came to include representatives of the consumer electronics and computer industries, as well as interested members of the public,[56] and focused on both legislative proposals and technological solutions.[57] In 1996, Matsushita Electric Industrial Co. ("MEI") and Toshiba Corp., presented — and the studios adopted — CSS.[58]

    CSS involves encrypting, according to an encryption algorithm,[59] the digital [310] sound and graphics files on a DVD that together constitute a motion picture. A CSS-protected DVD can be decrypted by an appropriate decryption algorithm that employs a series of keys stored on the DVD and the DVD player. In consequence, only players and drives containing the appropriate keys are able to decrypt DVD files and thereby play movies stored on DVDs.

    As the motion picture companies did not themselves develop CSS and, in any case, are not in the business of making DVD players and drives, the technology for making compliant devices, i.e., devices with CSS keys, had to be licensed to consumer electronics manufacturers.[60] In order to ensure that the decryption technology did not become generally available and that compliant devices could not be used to copy as well as merely to play CSS-protected movies, the technology is licensed subject to strict security requirements.[61] Moreover, manufacturers may not, consistent with their licenses, make equipment that would supply digital output that could be used in copying protected DVDs.[62] Licenses to manufacture compliant devices are granted on a royalty-free basis subject only to an administrative fee.[63] At the time of trial, licenses had been issued to numerous hardware and software manufacturers, including two companies that plan to release DVD players for computers running the Linux operating system.[64]

    With CSS in place, the studios introduced DVDs on the consumer market in early 1997.[65] All or most of the motion pictures released on DVD were, and continue to be, encrypted with CSS technology.[66] Over 4,000 motion pictures now have been released in DVD format in the United States, and movies are being issued on DVD at the rate of over 40 new titles per month in addition to re-releases of classic films. Currently, more than five million households in the United States own DVD players,[67] and players are projected to be in ten percent of United States homes by the end of 2000.[68]

    DVDs have proven not only popular, but lucrative for the studios. Revenue from their sale and rental currently accounts for a substantial percentage of the movie studios' revenue from the home video market.[69] Revenue from the home market, in [311] turn, makes up a large percentage of the studios' total distribution revenue.[70]

    D. The Appearance of DeCSS

    In late September 1999, Jon Johansen, a Norwegian subject then fifteen years of age, and two individuals he "met" under pseudonyms over the Internet, reverse engineered a licensed DVD player and discovered the CSS encryption algorithm and keys.[71] They used this information to create DeCSS, a program capable of decrypting or "ripping" encrypted DVDs, thereby allowing playback on non-compliant computers as well as the copying of decrypted files to computer hard drives.[72] Mr. Johansen then posted the executable code on his personal Internet web site and informed members of an Internet mailing list that he had done so.[73] Neither Mr. Johansen nor his collaborators obtained a license from the DVD CCA.[74]

    Although Mr. Johansen testified at trial that he created DeCSS in order to make a DVD player that would operate on a computer running the Linux operating system,[75] DeCSS is a Windows executable file; that is, it can be executed only on computers running the Windows operating system.[76] Mr. Johansen explained the fact that he created a Windows rather than a Linux program by asserting that Linux, at the time he created DeCSS, did not support the file system used on DVDs.[77] Hence, it was necessary, he said, to decrypt the DVD on a Windows computer in order subsequently to play the decrypted files on a Linux machine.[78] Assuming that to be true,[79] however, the fact remains that Mr. Johansen created DeCSS in the full knowledge that it could be used on computers running Windows rather than Linux. Moreover, he was well aware that the files, once decrypted, could be copied like any other computer files.

    In January 1999, Norwegian prosecutors filed charges against Mr. Johansen stemming from the development of DeCSS.[80] The disposition of the Norwegian case does not appear of record.

    E. The Distribution of DeCSS

    In the months following its initial appearance on Mr. Johansen's web site, DeCSS has become widely available on the Internet, where hundreds of sites now purport to offer the software for download.[81] A few other applications said to decrypt CSS-encrypted DVDs also have appeared on the Internet.[82]

    [312] In November 1999, defendants' web site began to offer DeCSS for download.[83] It established also a list of links to several web sites that purportedly "mirrored" or offered DeCSS for download.[84] The links on defendants' mirror list fall into one of three categories. By clicking the mouse on one of these links, the user may be brought to a page on the linked-to site on which there appears a further link to the DeCSS software.[85] If the user then clicks on the DeCSS link, download of the software begins. This page may or may not contain content other than the DeCSS link.[86] Alternatively, the user may be brought to a page on the linked-to site that does not itself purport to link to DeCSS, but that links, either directly or via a series of other pages on the site, to another page on the site on which there appears a link to the DeCSS software.[87] Finally, the user may be brought directly to the DeCSS link on the linked-to site such that download of DeCSS begins immediately without further user intervention.[88]

    F. The Preliminary Injunction and Defendants' Response

    The movie studios, through the Internet investigations division of the Motion Picture Association of America ("MPAA"), became aware of the availability of DeCSS on the Internet in October 1999.[89] The industry responded by sending out a number of cease and desist letters to web site operators who posted the software, some of which removed it from their sites.[90] In January 2000, the studios filed this lawsuit against defendant Eric Corley and two others.[91]

    After a hearing at which defendants presented no affidavits or evidentiary material, the Court granted plaintiffs' motion for a preliminary injunction barring defendants from posting DeCSS.[92] At the conclusion of the hearing, plaintiffs sought also to enjoin defendants from linking to other sites that posted DeCSS, but the Court declined to entertain the application at that time in view of plaintiffs' failure to raise the issue in their motion papers.[93]

    Following the issuance of the preliminary injunction, defendants removed DeCSS from the 2600.com web site.[94] In what they termed an act of "electronic civil disobedience,"[95] however, they continued to support links to other web sites purporting to offer DeCSS for download, a list which had grown to nearly five hundred by July 2000.[96] Indeed, they carried a banner [313] saying "Stop the MPAA" and, in a reference to this lawsuit, proclaimed:

    "We have to face the possibility that we could be forced into submission. For that reason it's especially important that as many of you as possible, all throughout the world, take a stand and mirror these files."[97]

    Thus, defendants obviously hoped to frustrate plaintiffs' recourse to the judicial system by making effective relief difficult or impossible.

    At least some of the links currently on defendants' mirror list lead the user to copies of DeCSS that, when downloaded and executed, successfully decrypt a motion picture on a CSS-encrypted DVD.[98]

    G. Effects on Plaintiffs

    The effect on plaintiffs of defendants' posting of DeCSS depends upon the ease with which DeCSS decrypts plaintiffs' copyrighted motion pictures, the quality of the resulting product, and the convenience with which decrypted copies may be transferred or transmitted.

    As noted, DeCSS was available for download from defendants' web site and remains available from web sites on defendants' mirror list.[99] Downloading is simple and quick — plaintiffs' expert did it in seconds.[100] The program in fact decrypts at least some DVDs.[101] Although the process is computationally intensive, plaintiffs' expert decrypted a store-bought copy of Sleepless in Seattle in 20 to 45 minutes.[102] The copy is stored on the hard drive of the computer. The quality of the decrypted film is virtually identical to that of encrypted films on DVD.[103] The decrypted file can be copied like any other.[104]

    The decryption of a CSS-protected DVD is only the beginning of the tale, as the decrypted file is very large — approximately 4.3 to 6 GB or more depending on the length of the film[105] — and thus extremely cumbersome to transfer or to store on portable storage media. One solution to this problem, however, is DivX, a compression utility available on the Internet that is promoted as a means of compressing decrypted motion picture files to manageable size.[106]

    DivX is capable of compressing decrypted files constituting a feature length motion picture to approximately 650 MB at a compression ratio that involves little loss of quality.[107] While the compressed sound and graphic files then must be synchronized, a tedious process that took plaintiffs' expert between 10 and 20 hours,[108] the task is entirely feasible. Indeed, having compared a store-bought DVD with portions of a copy compressed and synchronized with DivX (which often are referred to as "DivX'd" motion pictures), the Court finds that the loss of quality, at least [314] in some cases, is imperceptible or so nearly imperceptible as to be of no importance to ordinary consumers.[109]

    The fact that DeCSS-decrypted DVDs can be compressed satisfactorily to 650 MB is very important. A writeable CD-ROM can hold 650 MB.[110] Hence, it is entirely feasible to decrypt a DVD with DeCSS, compress and synchronize it with DivX, and then make as many copies as one wishes by burning the resulting files onto writeable CD-ROMs, which are sold blank for about one dollar apiece.[111] Indeed, even if one wished to use a lower compression ratio to improve quality, a film easily could be compressed to about 1.3 GB and burned onto two CD-ROMs. But the creation of pirated copies of copyrighted movies on writeable CD-ROMs, although significant, is not the principal focus of plaintiffs' concern, which is transmission of pirated copies over the Internet or other networks.

    Network transmission of decrypted motion pictures raises somewhat more difficult issues because even 650 MB is a very large file that, depending upon the circumstances, may take a good deal of time to transmit. But there is tremendous variation in transmission times. Many home computers today have modems with a rated capacity of 56 kilobits per second. DSL lines, which increasingly are available to home and business users, offer transfer rates of 7 megabits per second.[112] Cable modems also offer increased bandwidth. Student rooms in many universities are equipped with network connections rated at 10 megabits per second.[113] Large institutions such as universities and major companies often have networks with backbones rated at 100 megabits per second.[114] While effective transmission times generally are much lower than rated maximum capacities in consequence of traffic volume and other considerations, there are many environments in which very high transmission rates may be achieved.[115] Hence, transmission times ranging from three[116] totwenty minutes[117] to six hours[118] or more for a feature length film are readily achievable, depending upon the users' precise circumstances.[119]

    At trial, defendants repeated, as if it were a mantra, the refrain that plaintiffs, as they stipulated,[120] have no direct evidence of a specific occasion on which any person decrypted a copyrighted motion picture with DeCSS and transmitted it over the Internet. But that is unpersuasive. Plaintiffs' expert expended very little effort to find someone in an IRC chat room who exchanged a compressed, decrypted copy of The Matrix, one of plaintiffs' copyrighted motion pictures, for a [315] copy of Sleepless in Seattle.[121] While the simultaneous electronic exchange of the two movies took approximately six hours,[122] the computers required little operator attention during the interim. An MPAA investigator downloaded between five and ten DVD-sourced movies over the Internet after December 1999.[123] At least one web site contains a list of 650 motion pictures, said to have been decrypted and compressed with DivX, that purportedly are available for sale, trade or free download.[124] And although the Court does not accept the list, which is hearsay, as proof of the truth of the matters asserted therein, it does note that advertisements for decrypted versions of copyrighted movies first appeared on the Internet in substantial numbers in late 1999, following the posting of DeCSS.[125]

    The net of all this is reasonably plain. DeCSS is a free, effective and fast means of decrypting plaintiffs' DVDs and copying them to computer hard drives. DivX, which is available over the Internet for nothing, with the investment of some time and effort, permits compression of the decrypted files to sizes that readily fit on a writeable CD-ROM. Copies of such CD-ROMs can be produced very cheaply and distributed as easily as other pirated intellectual property. While not everyone with Internet access now will find it convenient to send or receive DivX'd copies of pirated motion pictures over the Internet, the availability of high speed network connections in many businesses and institutions, and their growing availability in homes, make Internet and other network traffic in pirated copies a growing threat.

    These circumstances have two major implications for plaintiffs. First, the availability of DeCSS on the Internet effectively has compromised plaintiffs' system of copyright protection for DVDs, requiring them either to tolerate increased piracy or to expend resources to develop and implement a replacement system unless the availability of DeCSS is terminated.[126] It is analogous to the publication of a bank vault combination in a national newspaper. Even if no one uses the combination to open the vault, its mere publication has the effect of defeating the bank's security system, forcing the bank to reprogram the lock. Development and implementation of a new DVD copy protection system, however, is far more difficult and costly than reprogramming a combination lock and may carry with it the added problem of rendering the existing installed base of compliant DVD players obsolete.

    Second, the application of DeCSS to copy and distribute motion pictures on DVD, both on CD-ROMs and via the Internet, threatens to reduce the studios' revenue from the sale and rental of DVDs. It threatens also to impede new, potentially lucrative initiatives for the distribution of motion pictures in digital form, such as video-on-demand via the Internet.[127]

    In consequence, plaintiffs already have been gravely injured. As the pressure for and competition to supply more and more users with faster and faster network connections grows, the injury will multiply.

    II. The Digital Millennium Copyright Act

    A. Background and Structure of the Statute

    In December 1996, the World Intellectual Property Organization ("WIPO"), held a diplomatic conference in Geneva that led to the adoption of two treaties. Article 11 of the relevant treaty, the WIPO Copyright [316] Treaty, provides in relevant part that contracting states "shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law."[128]

    The adoption of the WIPO Copyright Treaty spurred continued Congressional attention to the adaptation of the law of copyright to the digital age. Lengthy hearings involving a broad range of interested parties both preceded and succeeded the Copyright Treaty. As noted above, a critical focus of Congressional consideration of the legislation was the conflict between those who opposed anti-circumvention measures as inappropriate extensions of copyright and impediments to fair use and those who supported them as essential to proper protection of copyrighted materials in the digital age.[129] The DMCA was enacted in October 1998 as the culmination of this process.[130]

    The DMCA contains two principal anti-circumvention provisions. The first, Section 1201(a)(1), governs "[t]he act of circumventing a technological protection measure put in place by a copyright owner to control access to a copyrighted work," an act described by Congress as "the electronic equivalent of breaking into a locked room in order to obtain a copy of a book."[131] The second, Section 1201(a)(2), which is the focus of this case, "supplements the prohibition against the act of circumvention in paragraph (a)(1) with prohibitions on creating and making available certain technologies ... developed or advertised to defeat technological protections against unauthorized access to a work."[132] As defendants are accused here only of posting and linking to other sites posting DeCSS, and not of using it themselves to bypass plaintiffs' access controls, it is principally the second of the anticircumvention provisions that is at issue in this case.[133]

    B. Posting of DeCSS

    1. Violation of Anti-Trafficking Provision

    Section 1201(a)(2) of the Copyright Act, part of the DMCA, provides that:

    "No person shall ... offer to the public, provide or otherwise traffic in any technology ... that —

    "(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under [the Copyright Act];

    "(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under [the Copyright Act]; or

    [317] "(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under [the Copyright Act]."[134]

    In this case, defendants concededly offered and provided and, absent a court order, would continue to offer and provide DeCSS to the public by making it available for download on the 2600.com web site. DeCSS, a computer program, unquestionably is "technology" within the meaning of the statute.[135] "[C]ircumvent a technological measure" is defined to mean descrambling a scrambled work, decrypting an encrypted work, or "otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner,"[136] so DeCSS clearly is a means of circumventing a technological access control measure.[137] In consequence, if CSS otherwise falls within paragraphs (A), (B) or (C) of Section 1201(a)(2), and if none of the statutory exceptions applies to their actions, defendants have violated and, unless enjoined, will continue to violate the DMCA by posting DeCSS.

    a. Section 1201(a)(2)(A)

    (1) CSS Effectively Controls Access to Copyrighted Works

    During pretrial proceedings and at trial, defendants attacked plaintiffs' Section 1201(a)(2)(A) claim, arguing that CSS, which is based on a 40-bit encryption key, is a weak cipher that does not "effectively control" access to plaintiffs' copyrighted works. They reasoned from this premise that CSS is not protected under this branch of the statute at all. Their post-trial memorandum appears to have abandoned this argument. In any case, however, the contention is indefensible as a matter of law.

    First, the statute expressly provides that "a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information or a process or a treatment, with the authority of the copyright owner, to gain access to a work."[138] One cannot gain access to a CSS-protected work on a DVD without application of the three keys that are required by the software. One cannot lawfully gain access to the keys except by entering into a license with the DVD CCA [318] under authority granted by the copyright owners or by purchasing a DVD player or drive containing the keys pursuant to such a license. In consequence, under the express terms of the statute, CSS "effectively controls access" to copyrighted DVD movies. It does so, within the meaning of the statute, whether or not it is a strong means of protection.[139]

    This view is confirmed by the legislative history, which deals with precisely this point. The House Judiciary Committee section-by-section analysis of the House bill, which in this respect was enacted into law, makes clear that a technological measure "effectively controls access" to a copyrighted work if its function is to control access:

    "The bill does define the functions of the technological measures that are covered — that is, what it means for a technological measure to `effectively control access to a work' ... and to `effectively protect a right of a copyright owner under this title' .... The practical, common-sense approach taken by H.R.2281 is that if, in the ordinary course of its operation, a technology actually works in the defined ways to control access to a work ... then the `effectiveness' test is met, and the prohibitions of the statute are applicable. This test, which focuses on the function performed by the technology, provides a sufficient basis for clear interpretation."[140]

    Further, the House Commerce Committee made clear that measures based on encryption or scrambling "effectively control" access to copyrighted works,[141] although it is well known that what may be encrypted or scrambled often may be decrypted or unscrambled. As CSS, in the ordinary course of its operation — that is, when DeCSS or some other decryption program is not employed — "actually works" to prevent access to the protected work, it "effectively controls access" within the contemplation of the statute.

    Finally, the interpretation of the phrase "effectively controls access" offered by defendants at trial — viz., that the use of the word "effectively" means that the statute protects only successful or efficacious technological means of controlling access — would gut the statute if it were adopted. If a technological means of access control is circumvented, it is, in common parlance, ineffective. Yet defendants' construction, if adopted, would limit the application of the statute to access control measures that thwart circumvention, but withhold protection for those measures that can be circumvented. In other words, defendants would have the Court construe the statute to offer protection where none is needed but to withhold protection precisely where protection is essential. The Court declines to do so. Accordingly, the Court holds that CSS effectively controls access to plaintiffs' copyrighted works.[142]

    (2) DeCSS Was Designed Primarily to Circumvent CSS

    As CSS effectively controls access to plaintiffs' copyrighted works, the only remaining question under Section 1201(a)(2)(A) is whether DeCSS was designed primarily to circumvent CSS. The [319] answer is perfectly obvious. By the admission of both Jon Johansen, the programmer who principally wrote DeCSS, and defendant Corley, DeCSS was created solely for the purpose of decrypting CSS — that is all it does.[143] Hence, absent satisfaction of a statutory exception, defendants clearly violated Section 1201(a)(2)(A) by posting DeCSS to their web site.

    b. Section 1201(a)(2)(B)

    As the only purpose or use of DeCSS is to circumvent CSS, the foregoing is sufficient to establish a prima facie violation of Section 1201(a)(2)(B) as well.

    c. The Linux Argument

    Perhaps the centerpiece of defendants' statutory position is the contention that DeCSS was not created for the purpose of pirating copyrighted motion pictures. Rather, they argue, it was written to further the development of a DVD player that would run under the Linux operating system, as there allegedly were no Linux compatible players on the market at the time.[144] The argument plays itself out in various ways as different elements of the DMCA come into focus. But it perhaps is useful to address the point at its most general level in order to place the preceding discussion in its fullest context.

    As noted, Section 1201(a) of the DMCA contains two distinct prohibitions. Section 1201(a)(1), the so-called basic provision, "aims against those who engage in unauthorized circumvention of technological measures.... [It] focuses directly on wrongful conduct, rather than on those who facilitate wrongful conduct...."[145] Section 1201(a)(2), the anti-trafficking provision at issue in this case, on the other hand, separately bans offering or providing technology that may be used to circumvent technological means of controlling access to copyrighted works.[146] If the means in question meets any of the three prongs of the standard set out in Section 1201(a)(2)(A), (B), or (C), it may not be offered or disseminated.

    As the earlier discussion demonstrates, the question whether the development of a Linux DVD player motivated those who wrote DeCSS is immaterial to the question whether the defendants now before the Court violated the anti-trafficking provision of the DMCA. The inescapable facts are that (1) CSS is a technological means that effectively controls access to plaintiffs' copyrighted works, (2) the one and only function of DeCSS is to circumvent CSS, and (3) defendants offered and provided DeCSS by posting it on their web site. Whether defendants did so in order to infringe, or to permit or encourage others to infringe, copyrighted works in violation of other provisions of the Copyright Act simply does not matter for purposes of Section 1201(a)(2). The offering or provision of the program is the prohibited conduct — and it is prohibited irrespective of why the program was written, except to whatever extent motive may be germane to determining whether their conduct falls within one of the statutory exceptions.

    2. Statutory Exceptions

    Earlier in the litigation, defendants contended that their activities came within several exceptions contained in the DMCA and the Copyright Act and constitute fair use under the Copyright Act. Their post-trial memorandum appears to confine their argument to the reverse engineering exception.[147] In any case, all of their assertions are entirely without merit.

    a. Reverse engineering

    Defendants claim to fall under Section 1201(f) of the statute, which provides [320] in substance that one may circumvent, or develop and employ technological means to circumvent, access control measures in order to achieve interoperability with another computer program provided that doing so does not infringe another's copyright[148] and, in addition, that one may make information acquired through such efforts "available to others, if the person [in question] ... provides such information solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement...."[149] They contend that DeCSS is necessary to achieve interoperability between computers running the Linux operating system and DVDs and that this exception therefore is satisfied.[150] This contention fails.

    First, Section 1201(f)(3) permits information acquired through reverse engineering to be made available to others only by the person who acquired the information. But these defendants did not do any reverse engineering. They simply took DeCSS off someone else's web site and posted it on their own.

    Defendants would be in no stronger position even if they had authored DeCSS. The right to make the information available extends only to dissemination "solely for the purpose" of achieving interoperability as defined in the statute. It does not apply to public dissemination of means of circumvention, as the legislative history confirms.[151] These defendants, however, did not post DeCSS "solely" to achieve interoperability with Linux or anything else.

    Finally, it is important to recognize that even the creators of DeCSS cannot credibly maintain that the "sole" purpose of DeCSS was to create a Linux DVD player. DeCSS concededly was developed on and runs under Windows — a far more widely used operating system. The developers of DeCSS therefore knew that DeCSS could be used to decrypt and play DVD movies on Windows as well as Linux machines. They knew also that the decrypted files could be copied like any other unprotected computer file. Moreover, the Court does not credit Mr. Johansen's testimony that he created DeCSS solely for the purpose of building a Linux player. Mr. Johansen is a very talented young man and a member of a well known hacker group who viewed "cracking" CSS as an end it itself and a means of demonstrating his talent and who fully expected that the use of DeCSS would not be confined to Linux machines. Hence, the Court finds that Mr. Johansen and the others who actually did develop DeCSS did not do so solely for the purpose of making a Linux DVD player if, indeed, developing a Linux-based DVD player was among their purposes.

    Accordingly, the reverse engineering exception to the DMCA has no application here.

    b. Encryption research

    Section 1201(g)(4) provides in relevant part that:

    "Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to —

    "(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and

    "(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts [321] of good faith encryption research described in paragraph (2)."[152]

    Paragraph (2) in relevant part permits circumvention of technological measures in the course of good faith encryption research if:

    "(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

    "(B) such act is necessary to conduct such encryption research;

    "(C) the person made a good faith effort to obtain authorization before the circumvention; and

    "(D) such act does not constitute infringement under this title...."[153]

    In determining whether one is engaged in good faith encryption research, the Court is instructed to consider factors including whether the results of the putative encryption research are disseminated in a manner designed to advance the state of knowledge of encryption technology versus facilitation of copyright infringement, whether the person in question is engaged in legitimate study of or work in encryption, and whether the results of the research are communicated in a timely fashion to the copyright owner.[154]

    Neither of the defendants remaining in this case was or is involved in good faith encryption research.[155] They posted DeCSS for all the world to see. There is no evidence that they made any effort to provide the results of the DeCSS effort to the copyright owners. Surely there is no suggestion that either of them made a good faith effort to obtain authorization from the copyright owners. Accordingly, defendants are not protected by Section 1201(g).[156]

    c. Security testing

    Defendants contended earlier that their actions should be considered exempt security testing under Section 1201(j) of the statute.[157] This exception, however, is limited to "assessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting [of a] security flaw or vulnerability, with the authorization of the owner or operator of such computer system or computer network."[158]

    The record does not indicate that DeCSS has anything to do with testing computers, computer systems, or computer networks. Certainly defendants sought, and plaintiffs' granted, no authorization for defendants' activities. This exception therefore has no bearing in this case.[159]

    d. Fair use

    Finally, defendants rely on the doctrine of fair use. Stated in its most general terms, the doctrine, now codified in Section 107 of the Copyright Act,[160] limits the exclusive rights of a copyright holder by permitting others to make limited use of portions of the copyrighted work, for appropriate purposes, free of liability for copyright infringement. For example, it is permissible for one other than the copyright owner to reprint or quote a suitable part of a copyrighted book or article in certain circumstances. The doctrine traditionally has facilitated literary and artistic criticism, teaching and scholarship, and other socially useful forms of expression. [322] It has been viewed by courts as a safety valve that accommodates the exclusive rights conferred by copyright with the freedom of expression guaranteed by the First Amendment.

    The use of technological means of controlling access to a copyrighted work may affect the ability to make fair uses of the work.[161] Focusing specifically on the facts of this case, the application of CSS to encrypt a copyrighted motion picture requires the use of a compliant DVD player to view or listen to the movie. Perhaps more significantly, it prevents exact copying of either the video or the audio portion of all or any part of the film.[162] This latter point means that certain uses that might qualify as "fair" for purposes of copyright infringement — for example, the preparation by a film studies professor of a single CD-ROM or tape containing two scenes from different movies in order to illustrate a point in a lecture on cinematography, as opposed to showing relevant parts of two different DVDs — would be difficult or impossible absent circumvention of the CSS encryption. Defendants therefore argue that the DMCA cannot properly be construed to make it difficult or impossible to make any fair use of plaintiffs' copyrighted works and that the statute therefore does not reach their activities, which are simply a means to enable users of DeCSS to make such fair uses.

    Defendants have focused on a significant point. Access control measures such as CSS do involve some risk of preventing lawful as well as unlawful uses of copyrighted material. Congress, however, clearly faced up to and dealt with this question in enacting the DMCA.

    The Court begins its statutory analysis, as it must, with the language of the statute. Section 107 of the Copyright Act provides in critical part that certain uses of copyrighted works that otherwise would be wrongful are "not ... infringement[s] of copyright."[163] Defendants, however, are not here sued for copyright infringement. They are sued for offering and providing technology designed to circumvent technological measures that control access to copyrighted works and otherwise violating Section 1201(a)(2) of the Act. If Congress had meant the fair use defense to apply to such actions, it would have said so. Indeed, as the legislative history demonstrates, the decision not to make fair use a defense to a claim under Section 1201(a) was quite deliberate.

    Congress was well aware during the consideration of the DMCA of the traditional role of the fair use defense in accommodating the exclusive rights of copyright owners with the legitimate interests of noninfringing users of portions of copyrighted works. It recognized the contention, voiced by a range of constituencies concerned with the legislation, that technological controls on access to copyrighted works might erode fair use by preventing access even for uses that would be deemed "fair" if only access might be gained.[164] And it struck a balance among the competing interests.

    [323] The first element of the balance was the careful limitation of Section 1201(a)(1)'s prohibition of the act of circumvention to the act itself so as not to "apply to subsequent actions of a person once he or she has obtained authorized access to a copy of a [copyrighted] work...."[165] By doing so, it left "the traditional defenses to copyright infringement, including fair use, ... fully applicable" provided "the access is authorized."[166]

    Second, Congress delayed the effective date of Section 1201(a)(1)'s prohibition of the act of circumvention for two years pending further investigation about how best to reconcile Section 1201(a)(1) with fair use concerns. Following that investigation, which is being carried out in the form of a rule-making by the Register of Copyright, the prohibition will not apply to users of particular classes of copyrighted works who demonstrate that their ability to make noninfringing uses of those classes of works would be affected adversely by Section 1201(a)(1).[167]

    Third, it created a series of exceptions to aspects of Section 1201(a) for certain uses that Congress thought "fair," including reverse engineering, security testing, good faith encryption research, and certain uses by nonprofit libraries, archives and educational institutions.[168]

    Defendants claim also that the possibility that DeCSS might be used for the purpose of gaining access to copyrighted works in order to make fair use of those works saves them under Sony Corp. v. Universal City Studios, Inc.[169] But they are mistaken. Sony does not apply to the activities with which defendants here are charged. Even if it did, it would not govern here. Sony involved a construction of the Copyright Act that has been overruled by the later enactment of the DMCA to the extent of any inconsistency between Sony and the new statute.

    Sony was a suit for contributory infringement brought against manufacturers of video cassette recorders on the theory that the manufacturers were contributing to infringing home taping of copyrighted television broadcasts. The Supreme Court held that the manufacturers were not liable in view of the substantial numbers of copyright holders who either had authorized or did not object to such taping by viewers.[170] But Sony has no application here.

    When Sony was decided, the only question was whether the manufacturers could be held liable for infringement by those who purchased equipment from them in circumstances in which there were many noninfringing uses for their equipment. But that is not the question now before this Court. The question here is whether the possibility of noninfringing fair use by someone who gains access to a protected copyrighted work through a circumvention technology distributed by the defendants saves the defendants from liability under Section 1201. But nothing in Section 1201 so suggests. By prohibiting the provision of circumvention technology, the DMCA fundamentally altered the landscape. A given device or piece of technology might have "a substantial noninfringing use, and hence be immune from attack under Sony's construction of the Copyright Act — but nonetheless still be subject to suppression under Section 1201."[171] Indeed, [324] Congress explicitly noted that Section 1201 does not incorporate Sony.[172]

    The policy concerns raised by defendants were considered by Congress. Having considered them, Congress crafted a statute that, so far as the applicability of the fair use defense to Section 1201(a) claims is concerned, is crystal clear. In such circumstances, courts may not undo what Congress so plainly has done by "construing" the words of a statute to accomplish a result that Congress rejected. The fact that Congress elected to leave technologically unsophisticated persons who wish to make fair use of encrypted copyrighted works without the technical means of doing so is a matter for Congress unless Congress' decision contravenes the Constitution, a matter to which the Court turns below. Defendants' statutory fair use argument therefore is entirely without merit.

    C. Linking to Sites Offering DeCSS

    Plaintiffs seek also to enjoin defendants from "linking" their 2600.com web site to other sites that make DeCSS available to users. Their request obviously stems in no small part from what defendants themselves have termed their act of "electronic civil disobedience" — their attempt to defeat the purpose of the preliminary injunction by (a) offering the practical equivalent of making DeCSS available on their own web site by electronically linking users to other sites still offering DeCSS, and (b) encouraging other sites that had not been enjoined to offer the program. The dispositive question is whether linking to another web site containing DeCSS constitutes "offer[ing DeCSS] to the public" or "provid[ing] or otherwise traffic[king]" in it within the meaning of the DMCA.[173] Answering this question requires careful consideration of the nature and types of linking.

    Most web pages are written in computer languages, chiefly HTML, which allow the programmer to prescribe the appearance of the web page on the computer screen and, in addition, to instruct the computer to perform an operation if the cursor is placed over a particular point on the screen and the mouse then clicked.[174] Programming a particular point on a screen to transfer the user to another web page when the point, referred to as a hyperlink, is clicked is called linking.[175] Web pages can be designed to link to other web pages on the same site or to web pages maintained by different sites.[176]

    As noted earlier, the links that defendants established on their web site are of several types. Some transfer the user to a web page on an outside site that contains a good deal of information of various types, does not itself contain a link to DeCSS, but that links, either directly or via a series of other pages, to another page on the same site that posts the software. It then is up to the user to follow the link or series of links on the linked-to web site in order to arrive at the page with the DeCSS link and commence the download of the software. Others take the user to a page on an outside web site on which there appears a direct link to the DeCSS software and which may or may not contain text or links other than the DeCSS link. The user has only to click on the DeCSS link to commence the download. Still others may directly transfer the user to a file on the linked-to web site such that the download of DeCSS to the user's computer automatically [325] commences without further user intervention.

    The statute makes it unlawful to offer, provide or otherwise traffic in described technology.[177] To "traffic" in something is to engage in dealings in it,[178] conduct that necessarily involves awareness of the nature of the subject of the trafficking. To "provide" something, in the sense used in the statute, is to make it available or furnish it.[179] To "offer" is to present or hold it out for consideration.[180] The phrase "or otherwise traffic in" modifies and gives meaning to the words "offer" and "provide."[181] In consequence, the anti-trafficking provision of the DMCA is implicated where one presents, holds out or makes a circumvention technology or device available, knowing its nature, for the purpose of allowing others to acquire it.

    To the extent that defendants have linked to sites that automatically commence the process of downloading DeCSS upon a user being transferred by defendants' hyperlinks, there can be no serious question. Defendants are engaged in the functional equivalent of transferring the DeCSS code to the user themselves.

    Substantially the same is true of defendants' hyperlinks to web pages that display nothing more than the DeCSS code or present the user only with the choice of commencing a download of DeCSS and no other content. The only distinction is that the entity extending to the user the option of downloading the program is the transferee site rather than defendants, a distinction without a difference.

    Potentially more troublesome might be links to pages that offer a good deal of content other than DeCSS but that offer a hyperlink for downloading, or transferring to a page for downloading, DeCSS. If one assumed, for the purposes of argument, that the Los Angeles Times web site somewhere contained the DeCSS code, it would be wrong to say that anyone who linked to the Los Angeles Times web site, regardless of purpose or the manner in which the link was described, thereby offered, provided or otherwise trafficked in DeCSS merely because DeCSS happened to be available on a site to which one linked.[182] But that is not this case. Defendants urged others to post DeCSS in an effort to disseminate DeCSS and to inform defendants that they were doing so. Defendants then linked their site to those "mirror" sites, after first checking to ensure that the mirror sites in fact were posting DeCSS or something that looked like it, and proclaimed on their own site that DeCSS could be had by clicking on the hyperlinks on defendants' site. By doing so, they offered, provided or otherwise trafficked in DeCSS, and they continue to do so to this day.

    III. The First Amendment

    Defendants argue that the DMCA, at least as applied to prevent the public dissemination of DeCSS, violates the First Amendment to the Constitution. They claim that it does so in two ways. First, they argue that computer code is protected speech and that the DMCA's prohibition of dissemination of DeCSS therefore violates defendants' First Amendment rights. Second, they contend that the DMCA is unconstitutionally [326] overbroad, chiefly because its prohibition of the dissemination of decryption technology prevents third parties from making fair use of plaintiffs' encrypted works, and vague. They argue also that a prohibition on their linking to sites that make DeCSS available is unconstitutional for much the same reasons.

    A. Computer Code and the First Amendment

    The premise of defendants' first position is that computer code, the form in which DeCSS exists, is speech protected by the First Amendment. Examination of that premise is the logical starting point for analysis. And it is important in examining that premise first to define terms.

    Defendants' assertion that computer code is "protected" by the First Amendment is quite understandable. Courts often have spoken of certain categories of expression as "not within the area of constitutionally protected speech,"[183] so defendants naturally wish to avoid exclusion by an unfavorable categorization of computer code. But such judicial statements in fact are not literally true. All modes of expression are covered by the First Amendment in the sense that the constitutionality of their "regulation must be determined by reference to First Amendment doctrine and analysis."[184] Regulation of different categories of expression, however, is subject to varying levels of judicial scrutiny. Thus, to say that a particular form of expression is "protected" by the First Amendment means that the constitutionality of any regulation of it must be measured by reference to the First Amendment. In some circumstances, however, the phrase connotes also that the standard for measurement is the most exacting level available.

    It cannot seriously be argued that any form of computer code may be regulated without reference to First Amendment doctrine. The path from idea to human language to source code to object code is a continuum. As one moves from one to the other, the levels of precision and, arguably, abstraction increase, as does the level of training necessary to discern the idea from the expression. Not everyone can understand each of these forms. Only English speakers will understand English formulations. Principally those familiar with the particular programming language will understand the source code expression. And only a relatively small number of skilled programmers and computer scientists will understand the machine readable object code. But each form expresses the same idea, albeit in different ways.[185]

    There perhaps was a time when the First Amendment was viewed only as a limitation on the ability of government to censor speech in advance.[186] [327] But we have moved far beyond that. All modes by which ideas may be expressed or, perhaps, emotions evoked — including speech, books, movies, art, and music — are within the area of First Amendment concern.[187] As computer code — whether source or object — is a means of expressing ideas, the First Amendment must be considered before its dissemination may be prohibited or regulated. In that sense, computer code is covered or, as sometimes is said, "protected" by the First Amendment.[188] But that conclusion still leaves for determination the level of scrutiny to be applied in determining the constitutionality of regulation of computer code.

    B. The Constitutionality of the DMCA's Anti-Trafficking Provision

    1. Defendants' Alleged Right to Disseminate DeCSS

    Defendants first attack Section 1201(a)(2), the anti-trafficking provision, as applied to them on the theory that DeCSS is constitutionally protected expression and that the statute improperly prevents them from communicating it. Their attack presupposes that a characterization of code as constitutionally protected subjects any regulation of code to the highest level of First Amendment scrutiny. As we have seen, however, this does not necessarily follow.

    Just as computer code cannot be excluded from the area of First Amendment concern because it is abstract and, in many cases, arcane, the long history of First Amendment jurisprudence makes equally clear that the fact that words, symbols and even actions convey ideas and evoke emotions does not inevitably place them beyond the power of government. The Supreme Court has evolved an analytical framework by which the permissibility of particular restrictions on the expression of ideas must determined.

    Broadly speaking, restrictions on expression fall into two categories. Some are restrictions on the voicing of particular ideas, which typically are referred to as content based restrictions. Others have nothing to do with the content of the expression — i.e., they are content neutral — but they have the incidental effect of limiting expression.

    In general, "government has no power to restrict expression because of its message, its ideas, its subject matter, or its content...."[189] "[S]ubject only to narrow and well-understood exceptions, [the First Amendment] does not countenance governmental control over the content of messages expressed by private individuals."[190] In consequence, content based restrictions on speech are permissible only if they serve compelling state interests by the least restrictive means available.[191]

    Content neutral restrictions, in contrast, are measured against a less exacting standard. Because restrictions of this type are not motivated by a desire to limit the message, they will be upheld if they serve a substantial governmental interest [328] and restrict First Amendment freedoms no more than necessary.[192]

    Restrictions on the nonspeech elements of expressive conduct fall into the conduct-neutral category. The Supreme Court long has distinguished for First Amendment purposes between pure speech, which ordinarily receives the highest level of protection, and expressive conduct.[193] Even if conduct contains an expressive element, its nonspeech aspect need not be ignored.[194] "[W]hen `speech' and `nonspeech' elements are combined in the same course of conduct, a sufficiently important governmental interest in regulating the nonspeech element can justify incidental limitations on First Amendment freedoms."[195] The critical point is that nonspeech elements may create hazards for society above and beyond the speech elements. They are subject to regulation in appropriate circumstances because the government has an interest in dealing with the potential hazards of the nonspeech elements despite the fact that they are joined with expressive elements.

    Thus, the starting point for analysis is whether the DMCA, as applied to restrict dissemination of DeCSS and other computer code used to circumvent access control measures, is a content based restriction on speech or a content neutral regulation. Put another way, the question is the level of review that governs the DMCA's anti-trafficking provision as applied to DeCSS — the strict scrutiny standard applicable to content based regulations or the intermediate level applicable to content neutral regulations, including regulations of the nonspeech elements of expressive conduct.

    Given the fact that DeCSS code is expressive, defendants would have the Court leap immediately to the conclusion that Section 1201(a)(2)'s prohibition on providing DeCSS necessarily is content based regulation of speech because it suppresses dissemination of a particular kind of expression.[196] But this would be a unidimensional approach to a more textured reality and entirely too facile.

    The "principal inquiry in determining content neutrality ... is whether the government has adopted a regulation of speech because of [agreement or] disagreement with the message it conveys."[197] The computer code at issue in this case, however, does more than express the programmers' concepts. It does more, in other words, than convey a message. DeCSS, like any other computer program, is a series of instructions that causes a computer to perform a particular sequence [329] of tasks which, in the aggregate, decrypt CSS-protected files. Thus, it has a distinctly functional, non-speech aspect in addition to reflecting the thoughts of the programmers. It enables anyone who receives it and who has a modicum of computer skills to circumvent plaintiffs' access control system.

    The reason that Congress enacted the anti-trafficking provision of the DMCA had nothing to do with suppressing particular ideas of computer programmers and everything to do with functionality — with preventing people from circumventing technological access control measures — just as laws prohibiting the possession of burglar tools have nothing to do with preventing people from expressing themselves by accumulating what to them may be attractive assortments of implements and everything to do with preventing burglaries. Rather, it is focused squarely upon the effect of the distribution of the functional capability that the code provides. Any impact on the dissemination of programmers' ideas is purely incidental to the overriding concerns of promoting the distribution of copyrighted works in digital form while at the same time protecting those works from piracy and other violations of the exclusive rights of copyright holders.[198]

    These considerations suggest that the DMCA as applied here is content neutral, a view that draws support also from City of Renton v. Playtime Theatres, Inc.[199] The Supreme Court there upheld against a First Amendment challenge a zoning ordinance that prohibited adult movie theaters within 1,000 feet of a residential, church or park zone or within one mile of a school. Recognizing that the ordinance did "not appear to fit neatly into either the `content based or the `content-neutral' category," it found dispositive the fact that the ordinance was justified without reference to the content of the regulated speech in that the concern of the municipality had been with the secondary effects of the presence of adult theaters, not with the particular content of the speech that takes place in them.[200] As Congress' concerns in enacting the anti-trafficking provision of the DMCA were to suppress copyright piracy and infringement and to promote the availability of copyrighted works in digital form, and not to regulate the expression of ideas that might be inherent in particular anti-circumvention devices or technology, this provision of the statute properly is viewed as content neutral.[201]

    Congress is not powerless to regulate content neutral regulations that incidentally affect expression, including the dissemination of the functional capabilities of computer code. A sufficiently important governmental interest in seeing to it that computers are not instructed to perform particular functions may justify incidental restrictions on the dissemination of the expressive elements of a program. Such a regulation will be upheld if:

    "it furthers an important or substantial governmental interest; if the governmental interest is unrelated to the suppression of free expression; and if the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that [330] interest."[202]

    Moreover, "[t]o satisfy this standard, a regulation need not be the least speech-restrictive means of advancing the Government's interests."[203] "Rather, the requirement of narrow tailoring is satisfied `so long as the ... regulation promotes a substantial government interest that would be achieved less effectively absent the regulation.'"[204]

    The anti-trafficking provision of the DMCA furthers an important governmental interest — the protection of copyrighted works stored on digital media from the vastly expanded risk of piracy in this electronic age. The substantiality of that interest is evident both from the fact that the Constitution specifically empowers Congress to provide for copyright protection[205] and from the significance to our economy of trade in copyrighted materials.[206] Indeed, the Supreme Court has made clear that copyright protection itself is "the engine of free expression."[207] That substantial interest, moreover, is unrelated to the suppression of particular views expressed in means of gaining access to protected copyrighted works. Nor is the incidental restraint on protected expression — the prohibition of trafficking in means that would circumvent controls limiting access to unprotected materials or to copyrighted materials for noninfringing purposes — broader than is necessary to accomplish Congress' goals of preventing infringement and promoting the availability of content in digital form.[208]

    This analysis finds substantial support in the principal case relied upon by defendants, Junger v. Daley.[209] The plaintiff in that case challenged on First Amendment grounds an Export Administration regulation that barred the export of computer encryption software, arguing that the software was expressive and that the regulation therefore was unconstitutional. The Sixth Circuit acknowledged the expressive nature of computer code, holding that it therefore was within the scope of the First Amendment. But it recognized also that computer code is functional as well and said that "[t]he functional capabilities of source code, particularly those of encryption source code, should be considered when analyzing the governmental interest in regulating the exchange of this form of speech."[210] Indeed, it went on to indicate that the pertinent standard of review was that established in United States v. O'Brien,[211] the seminal speech-versus-conduct [331] decision. Thus, rather than holding the challenged regulation unconstitutional on the theory that the expressive aspect of source code immunized it from regulation, the court remanded the case to the district court to determine whether the O'Brien standard was met in view of the functional aspect of code.[212]

    Notwithstanding its adoption by the Sixth Circuit, the focus on functionality in order to determine the level of scrutiny is not an inevitable consequence of the speech-conduct distinction. Conduct has immediate effects on the environment. Computer code, on the other hand, no matter how functional, causes a computer to perform the intended operations only if someone uses the code to do so. Hence, one commentator, in a thoughtful article, has maintained that functionality is really "a proxy for effects or harm" and that its adoption as a determinant of the level of scrutiny slides over questions of causation that intervene between the dissemination of a computer program and any harm caused by its use.[213]

    The characterization of functionality as a proxy for the consequences of use is accurate. But the assumption that the chain of causation is too attenuated to justify the use of functionality to determine the level of scrutiny, at least in this context, is not.

    Society increasingly depends upon technological means of controlling access to digital files and systems, whether they are military computers, bank records, academic records, copyrighted works or something else entirely. There are far too many who, given any opportunity, will bypass those security measures, some for the sheer joy of doing it, some for innocuous reasons, and others for more malevolent purposes. Given the virtually instantaneous and worldwide dissemination widely available via the Internet, the only rational assumption is that once a computer program capable of bypassing such an access control system is disseminated, it will be used. And that is not all.

    There was a time when copyright infringement could be dealt with quite adequately by focusing on the infringing act. If someone wished to make and sell high quality but unauthorized copies of a copyrighted book, for example, the infringer needed a printing press. The copyright holder, once aware of the appearance of infringing copies, usually was able to trace the copies up the chain of distribution, find and prosecute the infringer, and shut off the infringement at the source.

    In principle, the digital world is very different. Once a decryption program like DeCSS is written, it quickly can be sent all over the world. Every recipient is capable not only of decrypting and perfectly copying plaintiffs' copyrighted DVDs, but also of retransmitting perfect copies of DeCSS and thus enabling every recipient to do the same. They likewise are capable of transmitting perfect copies of the decrypted DVD. The process potentially is exponential rather than linear. Indeed, the difference is illustrated by comparison of two epidemiological models describing the spread of different kinds of disease.[214] In a common source epidemic, as where members of a population contract a non-contagious disease from a poisoned well, the disease spreads only by exposure to the common source. If one eliminates the source, or closes the contaminated well, the epidemic is stopped. In a propagated [332] outbreak epidemic, on the other hand, the disease spreads from person to person. Hence, finding the initial source of infection accomplishes little, as the disease continues to spread even if the initial source is eliminated.[215] For obvious reasons, then, a propagated outbreak epidemic, all other things being equal, can be far more difficult to control.

    This disease metaphor is helpful here. The book infringement hypothetical is analogous to a common source outbreak epidemic. Shut down the printing press (the poisoned well) and one ends the infringement (the disease outbreak). The spread of means of circumventing access to copyrighted works in digital form, however, is analogous to a propagated outbreak epidemic. Finding the original source of infection (e.g., the author of DeCSS or the first person to misuse it) accomplishes nothing, as the disease (infringement made possible by DeCSS and the resulting availability of decrypted DVDs) may continue to spread from one person who gains access to the circumvention program or decrypted DVD to another. And each is "infected," i.e., each is as capable of making perfect copies of the digital file containing the copyrighted work as the author of the program or the first person to use it for improper purposes. The disease metaphor breaks down principally at the final point. Individuals infected with a real disease become sick, usually are driven by obvious self-interest to seek medical attention, and are cured of the disease if medical science is capable of doing so. Individuals infected with the "disease" of capability of circumventing measures controlling access to copyrighted works in digital form, however, do not suffer from having that ability. They cannot be relied upon to identify themselves to those seeking to control the "disease." And their self-interest will motivate some to misuse the capability, a misuse that; in practical terms, often will be untraceable.[216]

    These considerations drastically alter consideration of the causal link between dissemination of computer programs such as this and their illicit use. Causation in the law ultimately involves practical policy judgments.[217] Here, dissemination itself carries very substantial risk of imminent harm because the mechanism is so unusual by which dissemination of means of circumventing access controls to copyrighted works threatens to produce virtually unstoppable infringement of copyright. In consequence, the causal link between the dissemination of circumvention computer programs and their improper use is more than sufficiently close to warrant selection of a level of constitutional scrutiny based on the programs' functionality.

    Accordingly, this Court holds that the anti-trafficking provision of the DMCA as applied to the posting of computer code that circumvents measures that control access to copyrighted works in digital form is a valid exercise of Congress' authority. It is a content neutral regulation in furtherance of important governmental interests that does not unduly restrict expressive activities. In any case, its particular functional characteristics are such that the Court would apply the same level of scrutiny [333] even if it were viewed as content based.[218] Yet it is important to emphasize that this is a very narrow holding. The restriction the Court here upholds, notwithstanding that computer code is within the area of First Amendment concern, is limited (1) to programs that circumvent access controls to copyrighted works in digital form in circumstances in which (2) there is no other practical means of preventing infringement through use of the programs, and (3) the regulation is motivated by a desire to prevent performance of the function for which the programs exist rather than any message they might convey. One readily might imagine other circumstances in which a governmental attempt to regulate the dissemination of computer code would not similarly be justified.[219]

    2. Prior Restraint

    Defendants argue also that injunctive relief against dissemination of DeCSS is barred by the prior restraint doctrine. The Court disagrees.

    Few phrases are as firmly rooted in our constitutional jurisprudence as the maxim that "[a]ny system of prior restraints of expression comes to [a] Court bearing a heavy presumption against its constitutional validity."[220] Yet there is a significant gap between the rhetoric and the reality. Courts often have upheld restrictions on expression that many would describe as prior restraints,[221] sometimes by [334] characterizing the expression as unprotected[222] and on other occasions finding the restraint justified despite its presumed invalidity.[223] Moreover, the prior restraint doctrine, which has expanded far beyond the Blackstonian model[224] that doubtless informed the understanding of the Framers of the First Amendment,[225] has been criticized as filled with "doctrinal ambiguities and inconsistencies result[ing] from the absence of any detailed judicial analysis of [its] true rationale"[226] and, in one case, even as "fundamentally unintelligible."[227] Nevertheless, the doctrine has a well established core: administrative preclearance requirements for and at least preliminary injunctions against speech as conventionally understood are presumptively unconstitutional. Yet that proposition does not dispose of this case.[228]

    The classic prior restraint cases were dramatically different from this one. Near v. Minnesota[229] involved a state procedure for abating scandalous and defamatory newspapers as public nuisances. New York Times Co. v. United States[230] dealt with an attempt to enjoin a newspaper from publishing an internal government history of the Vietnam War. Nebraska Press Association v. Stuart[231] concerned a court order barring the reporting of certain details about a forthcoming murder case. In each case, therefore, the government sought to suppress speech at the very heart of First Amendment concern — expression about public issues of the sort [335] that is indispensable to self government. And while the prior restraint doctrine has been applied well beyond the sphere of political expression, we deal here with something new altogether — computer code, a fundamentally utilitarian construct, albeit one that embodies an expressive element. Hence, it would be a mistake simply to permit its expressive element to drive a characterization of the code as speech no different from the Pentagon Papers, the publication of a newspaper, or the exhibition of a motion picture and then to apply prior restraint rhetoric without a more nuanced consideration of the competing concerns.

    In this case, the considerations supporting an injunction are very substantial indeed. Copyright and, more broadly, intellectual property piracy are endemic, as Congress repeatedly has found.[232] The interest served by prohibiting means that facilitate such piracy — the protection of the monopoly granted to copyright owners by the Copyright Act — is of constitutional dimension. There is little room for doubting that broad dissemination of DeCSS threatens ultimately to injure or destroy plaintiffs' ability to distribute their copyrighted products on DVDs and, for that matter, undermine their ability to sell their products to the home video market in other forms. The potential damages probably are incalculable, and these defendants surely would be in no position to compensate plaintiffs for them if plaintiffs were remitted only to post hoc damage suits.

    On the other side of the coin, the First Amendment interests served by the dissemination of DeCSS on the merits are minimal. The presence of some expressive content in the code should not obscure the fact of its predominant functional character — it is first and foremost a means of causing a machine with which it is used to perform particular tasks. Hence, those of the traditional rationales for the prior restraint doctrine that relate to inhibiting the transmission and receipt of ideas are of attenuated relevance here. Indeed, even academic commentators who take the extreme position that most injunctions in intellectual property cases are unconstitutional prior restraints concede that there is no First Amendment obstacle to injunctions barring distribution of copyrighted computer object code or restraining the construction of a new building based on copyrighted architectural drawings because the functional aspects of these types of information are "sufficiently nonexpressive."[233]

    To be sure, there is much to be said in most circumstances for the usual procedural rationale for the prior restraint doctrine: prior restraints carry with them the risk of erroneously suppressing expression that could not constitutionally be punished [336] after publication.[234] In this context, however, that concern is not persuasive, both because the enjoined expressive element is minimal and because a full trial on the merits has been held.[235] Accordingly, the Court holds that the prior restraint doctrine does not require denial of an injunction in this case.

    3. Overbreadth

    Defendants' second focus is the contention that Section 1201(a)(2) is unconstitutional because it prevents others from making fair use of copyrighted works by depriving them of the means of circumventing plaintiffs' access control system.[236] In substance, they contend that the anti-trafficking provision leaves those who lack sufficient technical expertise to circumvent CSS themselves without the means of acquiring circumvention technology that they need to make fair use of the content of plaintiffs' copyrighted DVDs.[237]

    As a general proposition, "a person to whom a statute constitutionally may be applied may not challenge that statute on the ground that it conceivably may be applied unconstitutionally to others in situations not before the Court."[238] When statutes regulate speech, however, "the transcendent value to all society of constitutionally protected expression is deemed to justify `attacks on overly broad statutes with no requirement that the person making the attack demonstrate that his own conduct could not be regulated by a statute drawn with the requisite narrow specificity.'"[239] This is so because the absent third parties may not exercise their rights for fear of triggering "sanctions provided by a statute susceptible of application to protected expression."[240] But the overbreadth doctrine "is `strong medicine' .... employed ... with hesitation, and then `only as a last resort.'" because it conflicts with "the personal nature of constitutional rights and the prudential limitations on constitutional adjudication," including the importance of focusing carefully on the facts in deciding constitutional questions.[241] Moreover, the limited function of the overbreadth doctrine "`attenuates as the otherwise unprotected behavior that it forbids the State to sanction moves from `pure speech' toward conduct and that conduct — even if expressive — falls within the scope of otherwise valid criminal [337] laws....'"[242] As defendants concede, "where conduct and not merely speech is involved, . . . the overbreadth of a statute must not only be real, but substantial as well, judged in relation to the statute's plainly legitimate sweep."[243]

    Factors arguing against use of the overbreadth doctrine are present here. To begin with, we do not here have a complete view of whether the interests of the absent third parties upon whom defendants rely really are substantial and, in consequence, whether the DMCA as applied here would materially affect their ability to make fair use of plaintiffs' copyrighted works.

    The copyrighted works at issue, of course, are motion pictures. People use copies of them in DVD and other formats for various purposes, and we confine our consideration to the lawful purposes, which by definition are noninfringing or fair uses. The principal noninfringing use is to play the DVD for the purpose of watching the movie — viewing the images and hearing the sounds that are synchronized with them. Fair uses are much more varied. A movie reviewer might wish to quote a portion of the verbal script in an article or broadcast review. A television station might want to broadcast part of a particular scene to illustrate a review, a news story about a performer, or a story about particular trends in motion pictures. A musicologist perhaps would wish to play a portion of a musical sound track. A film scholar might desire to create and exhibit to students small segments of several different films to make some comparative point about the cinematography or some other characteristic. Numerous other examples doubtless could be imagined. But each necessarily involves one or more of three types of use: (1) quotation of the words of the script, (2) listening to the recorded sound track, including both verbal and non-verbal elements, and (3) viewing of the graphic images.

    All three of these types of use now are affected by the anti-trafficking provision of the DMCA, but probably only to a trivial degree. To begin with, all or substantially all motion pictures available on DVD are available also on videotape.[244] In consequence, anyone wishing to make lawful use of a particular movie may buy or rent a videotape, play it, and even copy all or part of it with readily available equipment. But even if movies were available only on DVD, as someday may be the case, the impact on lawful use would be limited. Compliant DVD players permit one to view or listen to a DVD movie without circumventing CSS in any prohibited sense. The technology permitting manufacture of compliant DVD players is available to anyone on a royalty-free basis and at modest cost, so CSS raises no technological barrier to their manufacture. Hence, those wishing to make lawful use of copyrighted movies by viewing or listening to them are not hindered in doing so in any material way by the anti-trafficking provision of the DMCA.[245]

    [338] Nor does the DMCA materially affect quotation of language from CSS-protected movies. Anyone with access to a compliant DVD player may play the movie and write down or otherwise record the sound for the purpose of quoting it in another medium.

    The DMCA does have a notable potential impact on uses that copy portions of a DVD movie because compliant DVD players are designed so as to prevent copying. In consequence, even though the fair use doctrine permits limited copying of copyrighted works in appropriate circumstances, the CSS encryption of DVD movies, coupled with the characteristics of licensed DVD players, limits such uses absent circumvention of CSS.[246] Moreover, the anti-trafficking provision of the DMCA may prevent technologically unsophisticated persons who wish to copy portions of DVD movies for fair use from obtaining the means of doing so. It is the interests of these individuals upon which defendants rely most heavily in contending that the DMCA violates the First Amendment because it deprives such persons of an asserted constitutional right to make fair use of copyrighted materials.[247]

    As the foregoing suggests, the interests of persons wishing to circumvent CSS in order to make lawful use of the copyrighted movies it protects are remarkably varied. Some presumably are technologically sophisticated and therefore capable of circumventing CSS without access to defendants' or other purveyors' decryption programs; many presumably are not. Many of the possible fair uses may be made without circumventing CSS while others, i.e., those requiring copying, may not. Hence, the question whether Section 1201(a)(2) as applied here substantially affects rights, much less constitutionally protected rights, of members of the "fair use community" cannot be decided in bloc, without consideration of the circumstances of each member or similarly situated groups of members. Thus, the prudential concern with ensuring that constitutional questions be decided only when the facts before the Court so require counsels against permitting defendants to mount an overbreadth challenge here.[248]

    Second, there is no reason to suppose here that prospective fair users will be deterred from asserting their alleged rights by fear of sanctions imposed by the DMCA or the Copyright Act.

    Third, we do not deal here with "pure speech." Rather, the issue concerns dissemination of technology that is principally functional in nature. The same consideration that warrants restraint in applying the overbreadth doctrine to statutes regulating [339] expressive conduct applies here. For reasons previously expressed, government's interest in regulating the functional capabilities of computer code is no less weighty than its interest in regulating the nonspeech aspects of expressive conduct.

    Finally, there has been no persuasive evidence that the interests of persons who wish access to the CSS algorithm in order to study its encryption methodology or to evaluate theories regarding decryption raise serious problems. The statute contains an exception for good faith encryption research.[249]

    Accordingly, defendants will not be heard to mount an overbreadth challenge to the DMCA in this context.

    4. Vagueness

    Defendants argue also that the DMCA is unconstitutionally vague because the terms it employs are not understandable to persons of ordinary intelligence and because they are subject to discriminatory enforcement.[250]

    As the Supreme Court has made clear, one who "engages in some conduct that is clearly proscribed [by the challenged statute] cannot complain of the vagueness of the law as applied to the conduct of others."[251] There can be no serious doubt that posting a computer program the sole purpose of which is to defeat an encryption system controlling access to plaintiffs copyrighted movies constituted an "offer to the public" of "technology [or a] product" that was "primarily designed for the purpose of circumventing" plaintiffs' access control system.[252] Defendants thus engaged in conduct clearly proscribed by the DMCA and will not be heard to complain of any vagueness as applied to others.

    C. Linking

    As indicated above, the DMCA reaches links deliberately created by a web site operator for the purpose of disseminating technology that enables the user to circumvent access controls on copyrighted works. The question is whether it may do so consistent with the First Amendment.

    Links bear a relationship to the information superhighway comparable to the relationship that roadway signs bear to roads but they are more functional. Like roadway signs, they point out the direction. Unlike roadway signs, they take one almost instantaneously to the desired destination with the mere click of an electronic mouse. Thus, like computer code in general, they have both expressive and functional elements. Also like computer code, they are within the area of First Amendment concern. Hence, the constitutionality of the DMCA as applied to defendants' linking is determined by the same O'Brien standard that governs trafficking in the circumvention technology generally.

    There is little question that the application of the DMCA to the linking at issue in this case would serve, at least to some extent, the same substantial governmental interest as its application to defendants' posting of the DeCSS code. Defendants' posting and their linking amount to very much the same thing. Similarly, the regulation of the linking at issue here is "unrelated to the suppression of free expression" for the same reason as the regulation of the posting. The third prong of the O'Brien test as subsequently interpreted — whether the "regulation promotes a substantial government interest that would be achieved less effectively absent the regulation"[253] — is a somewhat closer call.

    [340] Defendants and, by logical extension, others may be enjoined from posting DeCSS. Plaintiffs may seek legal redress against anyone who persists in posting notwithstanding this decision. Hence, barring defendants from linking to sites against which plaintiffs readily may take legal action would advance the statutory purpose of preventing dissemination of circumvention technology, but it would do so less effectively than would actions by plaintiffs directly against the sites that post. For precisely this reason, however, the real significance of an anti-linking injunction would not be with U.S. web sites subject to the DMCA, but with foreign sites that arguably are not subject to it and not subject to suit here. An anti-linking injunction to that extent would have a significant impact and thus materially advance a substantial governmental purpose. In consequence, the Court concludes that an injunction against linking to other sites posting DeCSS satisfies the O'Brien standard. There remains, however, one further important point.

    Links are "what unify the [World Wide] Web into a single body of knowledge, and what makes the Web unique."[254] They "are the mainstay of the Internet and indispensable to its convenient access to the vast world of information."[255] They often are used in ways that do a great deal to promote the free exchange of ideas and information that is a central value of our nation. Anything that would impose strict liability on a web site operator for the entire contents of any web site to which the operator linked therefore would raise grave constitutional concerns, as web site operators would be inhibited from linking for fear of exposure to liability.[256] And it is equally clear that exposing those who use links to liability under the DMCA might chill their use, as some web site operators confronted with claims that they have posted circumvention technology falling within the statute may be more inclined to remove the allegedly offending link rather than test the issue in court. Moreover, web sites often contain a great variety of things, and a ban on linking to a site that contains DeCSS amidst other content threatens to restrict communication of this information to an excessive degree.

    The possible chilling effect of a rule permitting liability for or injunctions against Internet hyperlinks is a genuine concern. But it is not unique to the issue of linking. The constitutional law of defamation provides a highly relevant analogy. The threat of defamation suits creates the same risk of self-censorship, the same chilling effect, for the traditional press as a prohibition of linking to sites containing circumvention technology poses for web site operators. Just as the potential chilling effect of defamation suits has not utterly immunized the press from all actions for defamation, however, the potential chilling effect of DMCA liability cannot utterly immunize web site operators from all actions for disseminating circumvention technology. And the solution to the problem is the same: the adoption of a standard of culpability sufficiently high to immunize the activity, whether it is publishing a newspaper or linking, except in cases in which the conduct in question has little or no redeeming constitutional value.

    In the defamation area, this has been accomplished by a two-tiered constitutional standard. There may be no liability under the First Amendment for defamation of a public official or a public figure unless the plaintiff proves, by clear and convincing evidence, that the defendant published the offending statement with knowledge of its [341] falsity or with serious doubt as to its truth.[257] Liability in private figure cases, on the other hand, may not be imposed absent proof at least of negligence under Gertz v. Robert Welch, Inc.[258] A similar approach would minimize any chilling effect here.

    The other concern — that a liability based on a link to another site simply because the other site happened to contain DeCSS or some other circumvention technology in the midst of other perfectly appropriate content could be overkill — also is readily dealt with. The offense under the DMCA is offering, providing or otherwise trafficking in circumvention technology. An essential ingredient, as explained above, is a desire to bring about the dissemination. Hence, a strong requirement of that forbidden purpose is an essential prerequisite to any liability for linking.

    Accordingly, there may be no injunction against, nor liability for, linking to a site containing circumvention technology, the offering of which is unlawful under the DMCA, absent clear and convincing evidence that those responsible for the link (a) know at the relevant time that the offending material is on the linked-to site, (b) know that it is circumvention technology that may not lawfully be offered, and (c) create or maintain the link for the purpose of disseminating that technology.[259] Such a standard will limit the fear of liability on the part of web site operators just as the New York Times standard gives the press great comfort in publishing all sorts of material that would have been actionable at common law, even in the face of flat denials by the subjects of their stories. And it will not subject web site operators to liability for linking to a site containing proscribed technology where the link exists for purposes other than dissemination of that technology.

    In this case, plaintiffs have established by clear and convincing evidence that these defendants linked to sites posting DeCSS, knowing that it was a circumvention device. Indeed, they initially touted it as a way to get free movies,[260] and they later maintained the links to promote the dissemination of the program in an effort to defeat effective judicial relief. They now know that dissemination of DeCSS violates the DMCA. An anti-linking injunction on these facts does no violence to the First Amendment. Nor should it chill the activities of web site operators dealing with different materials, as they may be held liable only on a compelling showing of deliberate evasion of the statute.

    IV. Relief

    A. Injury to Plaintiffs

    The DMCA provides that "[a]ny person injured by a violation of section 1201 or 1202 may bring a civil action in an appropriate United States court for such violation."[261] For the reasons set forth above, plaintiffs obviously have suffered and, absent effective relief, will continue to suffer injury by virtue of the ready availability of means of circumventing the CSS access control system on their DVDs. Defendants nevertheless argue that they have [342] not met the injury requirement of the statute. Their contentions are a farrago of distortions.

    They begin with the assertion that plaintiffs have failed to prove that decrypted motion pictures actually are available.[262] To be sure, plaintiffs might have done a better job of proving what appears to be reasonably obvious. They certainly could have followed up on more of the 650 movie titles listed on the web site described above to establish that the titles in fact were available. But the evidence they did adduce is not nearly as meager as defendants would have it. Dr. Shamos did pursue and obtain a pirated copy of a copyrighted, DivX'd motion picture from someone he met in an Internet chat room. An MPAA investigator downloaded between five and ten such copies. And the sudden appearance of listings of available motion pictures on the Internet promptly after DeCSS became available is far from lacking in evidentiary significance. In any case, in order to obtain the relief sought here, plaintiffs need show only a threat of injury by reason of a violation of the statute.[263] The Court finds that plaintiffs overwhelmingly have established a clear threat of injury by reason of defendants' violation of the statute.

    Defendants next maintain that plaintiffs exaggerate the extent of the threatened injury. They claim that the studios in fact believe that DeCSS is not a threat.[264] But the only basis for that contention is a couple of quotations from statements that the MPAA or one or another studio made (or considered making but did not in fact issue) to the effect that it was not concerned about DeCSS or that it was inconvenient to use.[265] These statements, however, were attempts to "spin" public opinion.[266] They do not now reflect the actual state of affairs or the studios' actual views, if they ever did.

    Third, defendants contend that there is no evidence that any decrypted movies that may be available, if any there are, were decrypted with DeCSS. They maintain that "[m]any utilities and devices ... can decrypt DVDs equally well and often faster and with greater ease than by using DeCSS."[267] This is a substantial exaggeration. There appear to be a few other so-called rippers, but the Court finds that DeCSS is usable on a broader range of DVDs than any of the others. Further, there is no credible evidence that any other utility is faster or easier to use than DeCSS. Indeed, the Court concludes that DeCSS is the superior product, as evidenced by the fact that the web site promoting DivX as a tool for obtaining usable copies of copyrighted movies recommends the use of DeCSS, rather than anything else, for the decryption step[268] and that the apparent availability of pirated motion pictures shot up so dramatically upon the introduction of DeCSS.[269]

    [343] B. Permanent Injunction and Declaratory Relief

    Plaintiffs seek a permanent injunction barring defendants from posting DeCSS on their web site and from linking their site to others that make DeCSS available.

    The starting point, as always, is the statute. The DMCA provides in relevant part that the court in an action brought pursuant to its terms "may grant temporary and permanent injunctions on such terms as it deems reasonable to prevent or restrain a violation...."[270] Where statutes in substance so provide, injunctive relief is appropriate if there is a reasonable likelihood of future violations absent such relief[271] and, in cases brought by private plaintiffs, if the plaintiff lacks an adequate remedy at law.[272]

    In this case, it is quite likely that defendants, unless enjoined, will continue to violate the Act. Defendants are in the business of disseminating information to assist hackers in "cracking" various types of technological security systems. And while defendants argue that they promptly stopped posting DeCSS when enjoined preliminarily from doing so, thus allegedly demonstrating their willingness to comply with the law, their reaction to the preliminary injunction in fact cuts the other way. Upon being enjoined from posting DeCSS themselves, defendants encouraged others to "mirror" the information — that is, to post DeCSS — and linked their own web site to mirror sites in order to assist users of defendants' web site in obtaining DeCSS despite the injunction barring defendants from providing it directly. While there is no claim that this activity violated the letter of the preliminary injunction, and it therefore presumably was not contumacious, and while its status under the DMCA was somewhat uncertain, it was a studied effort to defeat the purpose of the preliminary injunction. In consequence, the Court finds that there is a substantial likelihood of future violations absent injunctive relief.

    There also is little doubt that plaintiffs have no adequate remedy at law. The only potential legal remedy would be an action for damages under Section 1203(c), which provides for recovery of actual damages or, upon the election of the plaintiff, statutory damages of up to $2,500 per offer of DeCSS. Proof of actual damages in a case of this nature would be difficult if not [344] virtually impossible, as it would involve proof of the extent to which motion picture attendance, sales of broadcast and other motion picture rights, and sales and rentals of DVDs and video tapes of movies were and will be impacted by the availability of DVD decryption technology. Difficulties in determining what constitutes an "offer" of DeCSS in a world in which the code is available to much of the world via Internet postings, among other problems, render statutory damages an inadequate means of redressing plaintiffs' claimed injuries. Indeed, difficulties such as this have led to the presumption that copyright and trademark infringement cause irreparable injury,[273] i.e., injury for which damages are not an adequate remedy.[274] The Court therefore holds that the traditional requirements for issuance of a permanent injunction have been satisfied. Yet there remains another point for consideration.

    Defendants argue that an injunction in this case would be futile because DeCSS already is all over the Internet. They say an injunction would be comparable to locking the barn door after the horse is gone. And the Court has been troubled by that possibility. But the countervailing arguments overcome that concern.

    To begin with, any such conclusion effectively would create all the wrong incentives by allowing defendants to continue violating the DMCA simply because others, many doubtless at defendants' urging, are doing so as well. Were that the law, defendants confronted with the possibility of injunctive relief would be well advised to ensure that others engage in the same unlawful conduct in order to set up the argument that an injunction against the defendants would be futile because everyone else is doing the same thing.

    Second, and closely related, is the fact that this Court is sorely "troubled by the notion that any Internet user ... can destroy valuable intellectual property rights by posting them over the Internet."[275] While equity surely should not act where the controversy has become moot, it ought to look very skeptically at claims that the defendant or others already have done all the harm that might be done before the injunction issues.

    The key to reconciling these views is that the focus of injunctive relief is on the defendants before the Court. If a plaintiff seeks to enjoin a defendant from burning a pasture, it is no answer that there is a wild fire burning in its direction. If the defendant itself threatens the plaintiff with irreparable harm, then equity will enjoin the defendant from carrying out the threat even if other threats abound and even if part of the pasture already is burned.

    These defendants would harm plaintiffs every day on which they post DeCSS on their heavily trafficked web site and link to other sites that post it because someone who does not have DeCSS thereby might obtain it. They thus threaten plaintiffs with immediate and irreparable injury. They will not be allowed to continue to do so simply because others may do so as well. In short, this Court, like others than have faced the issued, is "not persuaded that modern technology has withered the strong right arm of equity."[276] Indeed, [345] the likelihood is that this decision will serve notice on others that "the strong right arm of equity" may be brought to bear against them absent a change in their conduct and thus contribute to a climate of appropriate respect for intellectual property rights in an age in which the excitement of ready access to untold quantities of information has blurred in some minds the fact that taking what is not yours and not freely offered to you is stealing. Appropriate injunctive[277] and declaratory relief will issue simultaneously with this opinion.

    V. Miscellaneous Contentions

    There remain for consideration two other matters, plaintiffs' application for costs and attorney's fees and defendants' pre-trial complaints concerning discovery.

    The DMCA permits awards of costs and attorney's fees to the prevailing party in the discretion of the Court.[278] Insofar as attorney's fees are concerned, this is an exception to the so-called "American rule" pursuant to which each side in a litigation customarily bears its own attorney's fees. As this was a test case raising important issues, it would be inappropriate to award attorney's fees pursuant to the DMCA.[279] There is no comparable reason, however, for failing to award costs, particularly as taxable costs are related to the excessive discovery demands that the Court already has commented upon.[280]

    A final word is in order in view of defendants' repeated pretrial claims that their discovery efforts were being thwarted. During the course of the trial, they applied for leave to take one deposition, which was granted. At no point did they make any showing that they were hampered in presenting their case or meeting the plaintiffs' case by virtue of any failure to obtain discovery. They applied for no continuance. They have not sought a new trial. And though they estimated that their case would take several weeks to present, the entire trial was completed in six days. Indeed, in the Court's view, the trial fully vindicated its pretrial assessment that there were, in actuality, very few genuinely disputed questions of material fact, and most of those involved expert testimony that was readily available to both sides.[281] Examination of the trial record will reveal that virtually the entire case could have been stipulated, although the legal conclusions to be drawn from the stipulated facts of course would have remained a matter of controversy.

    VI. Conclusion

    In the final analysis, the dispute between these parties is simply put if not necessarily simply resolved.

    [346] Plaintiffs have invested huge sums over the years in producing motion pictures in reliance upon a legal framework that, through the law of copyright, has ensured that they will have the exclusive right to copy and distribute those motion pictures for economic gain. They contend that the advent of new technology should not alter this long established structure.

    Defendants, on the other hand, are adherents of a movement that believes that information should be available without charge to anyone clever enough to break into the computer systems or data storage media in which it is located. Less radically, they have raised a legitimate concern about the possible impact on traditional fair use of access control measures in the digital era.

    Each side is entitled to its views. In our society, however, clashes of competing interests like this are resolved by Congress. For now, at least, Congress has resolved this clash in the DMCA and in plaintiffs' favor. Given the peculiar characteristics of computer programs for circumventing encryption and other access control measures, the DMCA as applied to posting and linking here does not contravene the First Amendment. Accordingly, plaintiffs are entitled to appropriate injunctive and declaratory relief.

    SO ORDERED.

    [1] 17 U.S.C. § 1201 et seq.

    [2] Shortly after the commencement of the action, the Court granted plaintiffs' motion for a preliminary injunction barring defendants from posting DeCSS. Universal City Studios, Inc. v. Reimerdes, 82 F.Supp.2d 211 (S.D.N.Y. 2000). Subsequent motions to expand the preliminary injunction to linking and to vacate it were consolidated with the trial on the merits. This opinion reflects the Court's findings of fact, conclusions of law and decision on the merits.

    The Court notes the receipt of a number of amicus submissions. Although many were filed by defendants' counsel on behalf of certain amici, and therefore were of debatable objectivity, the amicus submissions considered as a group were helpful.

    [3] David Nimmer, A Riff on Fair Use in the Digital Millennium Copyright Act, 148 U.PA. L.REV. 673, 739-41 (2000) (hereinafter A Riff on Fair Use).

    [4] United States v. Microsoft Corp., 84 F.Supp.2d 9, 13 (D.D.C.1999). The quotations are from a finding of fact in the Microsoft case of which the Court, after notice to and without objection by the parties, takes judicial notice. Tr. at 1121. Subsequent references to Microsoft findings reflect similar instances of judicial notice without objection.

    [5] United States v. Microsoft Corp., 84 F.Supp.2d at 13.

    [6] Open source is a software development model by which the source code to a computer program is made available publicly under a license that gives users the right to modify and redistribute the program. The program develops through this process of modification and redistribution and through a process by which users download sections of code from a web site, modify that code, upload it to the same web site, and merge the modified sections into the original code. Trial transcript ("Tr.") (Craig) at 1008.

    [7] Tr. (Pavlovich) at 936.

    [8] Tr. (DiBona) at 994-95.

    [9] Id.

    [10] THE NEW YORK PUBLIC LIBRARY, SCIENCE DESK REFERENCE 496 (1995) (hereinafter SCIENCE DESK REFERENCE); see also Tr. (Felten) at 758-59; Hon. Shira A. Scheindlin & Jeffrey Rabkin, Electronic Discovery in Federal Civil Litigation: Is Rule 34 Up to the Task? 34 B.C.L.REV. 327, 333-35 (2000).

    [11] Tr. (Felten) at 759; Scheindlin & Rabkin, 34 B.C.L.REV. at 333-35.

    [12] SCIENCE DESK REFERENCE, at 501.

    [13] Id.

    [14] Id.

    [15] See Tr. (Felten) at 759-60.

    [16] The Court's findings with respect to the definitions of source code and object code are taken from the trial testimony of Robert Schumann, Tr. at 258, and Drs. Edward Felten, Tr. at 738-39, 757-63, David S. Touretzky, Tr. at 1065-91, and Andrew Appel, Tr. at 1096, and the deposition testimony of Dr. Harold Abelson, Ex. AZO at 34-37, 45-49. See also Ex. BBE.

    [17] Frequently, programs written in such languages must be transformed or translated into machine readable form by other programs known as compilers.

    [18] This to some degree is an oversimplification. Object code often is directly executable by the computer into which it is entered. It sometimes contains instructions, however, that are readable only by computers containing a particular processor, such as a Pentium processor, or a specific operating system such as Microsoft Windows. In such instances, a computer lacking the specific processor or operating system can execute the object code only if it has an emulator program that simulates the necessary processor or operating system or if the code first is run through a translator program that converts it into object code readable by that computer. Ex. BBE.

    [19] United States v. Microsoft Corp., 84 F.Supp.2d at 13.

    [20] Tr. (Shamos) at 67-68.

    [21] United States v. Microsoft Corp., 84 F.Supp.2d at 13.

    [22] Id. at 14.

    [23] Id.

    [24] Id.

    [25] Not too many years ago, the most common transportable storage media were 5¼ inch flexible magnetic disks. Their flexibility led to their being referred to as "floppies." They have been replaced almost entirely with today's 3½ inch disks, which are enclosed in hard plastic housings and which therefore are not flexible or "floppy." The earlier name, however, has stuck.

    [26] Tr. (King) at 403-04.

    [27] Tr. (Shamos) at 24.

    [28] Id. at 24-25.

    [29] Such devices are referred to subsequently as compliant.

    [30] Tr. (Shamos) at 25.

    [31] Tr. (Schumann) at 273.

    [32] Tr. (Ramadge) at 911.

    [33] Id. at 911-12.

    [34] Ex. 2.1-2.34; 3.1-3.34.

    [35] Tr. (King) at 404.

    [36] Tr. (Corley) at 787, 827.

    [37] Tr. (Corley) at 777, 790, 795; Ex. 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.11, 1.12, 1.13, 1.14, 1.15, 1.16; 79 (Corley Dec.) ¶ 1.

    [38] See Tr. (Corley) at 781.

    [39] Tr. (Corley) 786-87.

    [40] Id. at 787.

    [41] Ex. 1.2 (Redomega Crim, How Domains Are Stolen, 2600: THE HACKER QUARTERLY, Summer 2000, at 43).

    [42] Ex. 1.16 (Schlork, Snooping via MS-Mail, 2600: THE HACKER QUARTERLY, Winter 1996-97, at 28).

    [43] Ex. 1.14 (Thomas Icom, Cellular Interception Techniques, 2600: THE HACKER QUARTERLY, Spring 1995, at 23).

    [44] Ex. 1.12 (nux, Fun at Costco, 2600: THE HACKER QUARTERLY, Summer 1999, at 12).

    [45] Ex. 1.19 (PhranSys Drak3, Hacking FedEx, 2600: THE HACKER QUARTERLY, Autumn 1997, at 14).

    [46] Ex. 1.19 (Agent Steal, Busted! A Complete Guide to Getting Caught, 2600: THE HACKER QUARTERLY, Autumn 1997, at 6).

    [47] Tr. (Corley) at 790; Ex. 52-54, 64, 79 (Corley Dec.) ¶ 20; 97.

    Interestingly, defendants' copyright both their magazine and the material on their web site to prevent others from copying their works. Tr. (Corley) at 832; Ex. 96 (Corley Dep.) at 23-24.

    [48] Tr. (Corley) at 791; Ex. 28.

    [49] Tr. (Corley) at 791, 829, 848; Ex. 28.

    [50] Tr. (King) at 402.

    [51] Id. at 404, 468.

    [52] Id. at 408, 468, 470.

    [53] Id. at 404-05.

    [54] Id. at 404-05, 468-70.

    [55] Id. at 406.

    [56] Id. at 405-06, 471, 476-78.

    [57] Id. at 405, 470-71, 479.

    [58] Id. at 406-07, 502-04.

    [59] An algorithm is a recipe that contains instructions for completing a task. It can be expressed in any language, from natural spoken language to computer programming language. Ex. AZO (Abelson Dep.) at 9-10.

    [60] The licensing function initially was performed by MEI and Toshiba. Subsequently, MEI and Toshiba granted a royalty free license to the DVD Copy Control Association ("DVD CCA"), which now handles the licensing function. Tr. (King) at 485-86, 510; Ex. XXY (Attaway Dep.) at 31. The motion picture companies themselves license CSS from the DVD CCA. Ex. XYY (Attaway Dep.) at 31-32.

    [61] See, e.g., Ex. AHV §§ 5, 6.2.

    [62] Tr. (King) at 450-51, 492-93; Ex. XXY (Attaway Dep.) at 61-62; Ex. AHV.

    [63] The administrative fee is one million yen, now about $9,200, for each "membership category" selected by the licensee. Twelve membership categories are available, and one or more are selected by a licensee depending on the use which the licensee intends to make of the licensed technology. The membership categories are: content provider, authoring studio, DVD disc replicator, DVD player manufacturer, DVD-ROM drive manufacturer, DVD decoder manufacturer, descramble module manufacturer, authentication chip manufacturer for DVD-ROM drive, authenticator manufacturer for DVD decoder, integrated product manufacturer, and reseller. Ex. AJB, AIZ, AOV, AOU, AOQ.

    [64] Tr. (King) at 437-38; see also Tr. (Pavolvich) at 961; Ex. BD.

    [65] Tr. (King) at 408-09.

    [66] Id. at 409.

    [67] Id. at 417-18.

    [68] Id. at 442.

    [69] Revenue from the distribution of DVDs makes up approximately 35 percent of Warner Brothers' total worldwide revenue from movie distribution in the home video market. Id. at 403.

    [70] Distribution in the home video market accounts for approximately 40 percent of Warner Brothers' total income from movie distribution. Id.

    [71] Tr. (Johansen) at 619-22, 633, 639.

    [72] Id. at 619-21, 634; (Schumann) at 246-48. Mr. Johansen testified that the "De" in DeCSS stands for "decrypt." Tr. (Johansen) at 628.

    [73] Tr. (Johansen) at 622-23, 638; Ex. 9 at SCH-000846. Mr. Johansen did not post the source code on his Web site. Tr. (Johansen) at 635.

    [74] Tr. (Johansen) at 620.

    [75] Id. at 620.

    [76] Id. at 621-22.

    [77] Id. at 621-22, 624; (Stevenson) at 214.

    [78] Tr. (Johansen) at 623.

    [79] Substantial questions have been raised both at trial and elsewhere as to the veracity of Mr. Johansen's claim. See Ex. CS, at S10006 ("Our analysis indicates that the primary technical breakthroughs were developed outside of the Linux development groups.").

    [80] Tr. (Johansen) at 626-27.

    [81] Ex. 97, 107, 126.

    [82] Tr. (Stevenson) at 217-18, 226-29; (Schumann) at 290, 338-41; (Johansen) at 641; (Reider) at 681-85. One, DOD (Drink or Die) Speed Ripper, does not work with all DVDs that DeCSS will decrypt. Id.; Ex.CS, at S10011; Ex. 9. Some of these programs perform only a portion of what DeCSS does and must be used in conjunction with others in order to decrypt the contents of a DVD. Tr. (Schuman) at 290, 338-39. Some of defendants' claims about these other means proved baseless at trial. See Tr. (Pavlovich) at 965-68.

    [83] Tr. (Corley) at 791; Ex. 28.

    [84] Tr. (Corley) at 791, 829, 848; Ex. 28.

    [85] Tr. (Corley) at 829-30, 845.

    [86] Id. at 831, 845.

    [87] Id. at 829-30, 845.

    [88] Id. at 830; (Shamos) at 38. As Mr. Corley testified, the download process generally begins with the appearance of a dialog box, or small window, prompting the user to confirm the location on the user's computer hard drive where the downloaded software will be stored. The actual download does not begin until the user provides the computer with this information. Tr. (Corley) at 830. It is possible also to create a link that commences the download immediately upon being clicked. See Tr. (Touretzky) at 1082-83.

    [89] Tr. (Reider) at 652.

    [90] Tr. (King) at 435, 548; (Reider) at 653; Ex. 55.

    [91] The other two defendants entered into consent decrees with plaintiffs. Plaintiffs subsequently amended the complaint to add 2600 Enterprises, Inc. as a defendant.

    [92] Preliminary Injunction, Jan. 20, 2000 (DI 6); Universal City Studios, Inc., 82 F.Supp.2d 211.

    [93] Tr., Jan. 20, 2000 (DI 17) at 85.

    [94] Tr. (Corley) at 791; Ex. 51.

    [95] Tr. (Corley) at 834; Ex. 96 (Corley Dep.) at 151-53.

    [96] Tr. (Corley) at. 791; Ex. 79 (Corley Dec.) ¶ 21; 126.

    [97] Ex. 106.

    [98] Tr. (Shamos) at 36-42; (Schumann) at 272-73; 265-66 (defendants' stipulation that their web site links to other sites containing executable copies of DeCSS).

    [99] Tr. (Shamos) at 36-42; (Schumann) at 272-73.

    [100] Tr. (Shamos) at 39-40; see also Ex. AYZ (Hunt Dep.) at 18.

    [101] Tr. (Shamos) at 41-42; (Schumann) at 272-73.

    [102] Tr. (Shamos) at 41-42, 156.

    [103] Tr. (Schumann) at 273; Ex. AYZ (Hunt Dep.) at 26.

    [104] Tr. (Johansen) at 628; see also Ex. AZN (Simons Dep.) at 48.

    [105] Tr. (Shamos) at 42; (Ramadge) at 900.

    [106] See Tr. (Shamos) at 54-56; Ex. 112-13.

    [107] DivX effects what is known as "lossy" compression — it achieves its reduction in file size by eliminating some of the data in the file being compressed. The trick, however, is that it seeks to do so by eliminating data that is imperceptible, or nearly so, to the human observer. Tr. (Shamos) at 43-44; (Ramadge) at 882-98.

    [108] Tr. (Shamos) at 51.

    [109] Defendants produced an expert whose DivX of a DeCSS decrypted file was of noticeably lower quality than that of plaintiffs' expert's DivX'd film. The reasons for the difference are not clear. The Court is satisfied, however, that it is possible to make high quality 650 MB DivX'd copies of many films.

    [110] Tr. (Ramadge) at 930.

    [111] Tr. (Shamos) at 56-57.

    The copies do not require resynchronization of the sound and graphics.

    [112] Tr. (Shamos) at 95.

    [113] Tr. (Shamos) at 89-90, 98; (Peterson) at 865; (Pavlovich) at 943.

    [114] Tr. (Shamos) at 90; (Felten) at 772; (Peterson) at 879.

    [115] See, e.g., Tr. (Peterson) at 861, 875-76.

    [116] Id. (Shamos) at 87-88.

    [117] Id.

    [118] Id. at 77.

    [119] It should be noted here that the transmission time achieved by plaintiff's expert, Dr. Shamos, almost certainly was somewhat skewed because the work was done late at night on a university system after the close of the regular school year, conditions favorable to high effective transmission rates due to low traffic on the system.

    [120] Tr. (Schumann) at 334-36.

    [121] Tr. (Shamos) at 68-76.

    [122] Id. at 76-77.

    [123] Ex. AYY (Reider Dep.) at 98-101; see also id. at 121-23.

    [124] Ex. 116B.

    [125] Tr. (Reider) at 661.

    [126] Tr. (King) at 418.

    [127] Id. at 420.

    [128] WIPO Copyright Treaty, Apr. 12, 1997, Art. 11, S. Treaty Doc. No. 105-17 (1997), available at 1997 WL 447232.

    [129] There is an excellent account of the legislative history of the statute. Nimmer, A Riff on Fair Use, 148 U.PA.L.REV. at 702-38.

    [130] See generally S.REP. No. 105-190, 105th Cong., 2d Sess. ("SENATE REP."), at 2-8 (1998).

    [131] H.R.REP. No. 105-551(I), 105th Cong., 2d Sess. ("JUDICIARY COMM.REP."), at 17 (1998).

    [132] Id. at 18.

    [133] Plaintiffs rely also on Section 1201(b), which is very similar to Section 1201(a)(2) except that the former applies to trafficking in means of circumventing protection offered by a technological measure that effectively protects "a right of a copyright owner in a work or a portion thereof" whereas the latter applies to trafficking in means of circumventing measures controlling access to a work. See generally 1 MELVILLE B. NIMMER & DAVID NIMMER, NIMMER ON COPYRIGHT ("NIMMER") § 12A.03[C] (1999). In addition, as noted below, certain of the statutory exceptions upon which defendants have relied apply only to Section 1201(a)(2).

    [134] 17 U.S.C. § 1201(a)(2). See also 1 NIMMER § 12A.03[1][a], at 12A-16.

    [135] In their Post-Trial Brief, defendants argue that "at least some of the members of Congress" understood § 1201 to be limited to conventional devices, specifically `black boxes,' as opposed to computer code. Def. Post-Trial Mem. at 21. However, the statute is clear that it prohibits "any technology," not simply black boxes. 17 U.S.C. § 1201(a)(2) (emphasis added).

    [136] 17 U.S.C. § 1201(a)(3)(A).

    [137] Decryption or avoidance of an access control measure is not "circumvention" within the meaning of the statute unless it occurs "without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A). Defendants posit that purchasers of a DVD acquire the right "to perform all acts with it that are not exclusively granted to the copyright holder." Based on this premise, they argue that DeCSS does not circumvent CSS within the meaning of the statute because the Copyright Act does not grant the copyright holder the right to prohibit purchasers from decrypting. As the copyright holder has no statutory right to prohibit decryption, the argument goes, decryption cannot be understood as unlawful circumvention. Def. Post-Trial Mem. 10-13. The argument is pure sophistry. The DMCA proscribes trafficking in technology that decrypts or avoids an access control measure without the copyright holder consenting to the decryption or avoidance. See JUDICIARY COMM.REP. at 17-18 (fair use applies "where the access is authorized"). Defendants' argument seems to be a corruption of the first sale doctrine, which holds that the copyright holder, notwithstanding the exclusive distribution right conferred by Section 106(3) of the Copyright Act, 17 U.S.C. § 106(3), is deemed by its "first sale" of a copy of the copyrighted work to have consented to subsequent sale of the copy. See generally 2 NIMMER §§ 8.11-8.12.

    [138] Id. § 1201(a)(3)(B).

    [139] RealNetworks, Inc. v. Streambox, Inc., No. 2:99CV02070, 2000 WL 127311, *9 (W.D.Wash. Jan.18, 2000).

    [140] HOUSE COMM. ON JUDICIARY, SECTION-BY-SECTION ANALYSIS OF H.R.2281 AS PASSED BY THE UNITED STATES HOUSE OF REPRESENTATIVES ON AUGUST 4, 1998 ("SECTION-BY-SECTION ANALYSIS"), at 10 (Comm.Print 1998) (emphasis in original).

    [141] H.R.REP. No. 105-551(II), 105th Cong., 2d Sess. ("COMMERCE COMM.REP."), at 39 (1998).

    [142] Defendants, in a reprise of their argument that DeCSS is not a circumvention device, argue also that CSS does not effectively control access to copyrighted works within the meaning of the statute because plaintiffs authorize avoidance of CSS by selling their DVDs. Def. Post-Trial Mem. 10-13. The argument is specious in this context as well. See supra note 137.

    [143] Tr. (Johansen) at 619; (Corley) 833-34.

    [144] Def. Post-Trial Mem. at 2.

    [145] 1 NIMMER § 12A.03[A], at 12A-15 (1999 Supp.).

    [146] See id. § 12A.03[B], at 12A-25 to 12A-26.

    [147] See Def. Post-Trial Mem. at 13.

    [148] 17 U.S.C. §§ 1201(f)(1), (2).

    [149] Id. § 1201(f)(3).

    [150] Def. Post-Trial Mem. at 13-15.

    [151] COMMERCE COMM.REP. at 43.

    [152] 17 U.S.C. § 1201(g)(4).

    [153] Id. § 1201(g)(2).

    [154] Id. § 1201(g)(3).

    [155] Ex. 96 (Corley Dep.) at 33.

    [156] In any case, Section 1201(g), where its requirements are met, is a defense only to claims under Section 1201(a)(2), not those under Section 1201(b).

    [157] Def.Mem. in Opp. to Prelim.Inj. (DI 11) at 11-12.

    [158] Id. § 1201(j)(1).

    [159] Like Section 1201(g), moreover, Section 1201(j) provides no defense to a Section 1201(b) claim.

    [160] 17 U.S.C. § 107.

    [161] Indeed, as many have pointed out, technological means of controlling access to works create a risk, depending upon future technological and commercial developments, of limiting access to works that are not protected by copyright such as works upon which copyright has expired. See, e.g., Nimmer, A Riff on Fair Use, 148 U.PA.L.REV. at 738-40; Hannibal Travis, Comment, Pirates of the Information Infrastructure: Blackstonian Copyright and the First Amendment, 15 BERKELEY TECH.L.J. 777, 861 (2000) (hereinafter Pirates of the Information Infrastructure); Yochai Benkler, Free as the Air to Common Use: First Amendment Constraints on Enclosure of the Public Domain, 74 N.Y.U.L.REV. 354, 421 (1999);

    [162] Of course, one might quote the verbal portion of the sound track, rerecord both verbal and nonverbal portions of the sound track, and video tape or otherwise record images produced on a monitor when the DVD is played on a compliant DVD player.

    [163] 17 U.S.C. § 107.

    [164] See, e.g., COMMERCE COMM.REP. 25-26.

    [165] JUDICIARY COMM.REP. 18.

    [166] Id.

    [167] 17 U.S.C. §§ 1201(a)(1)(B)-(E).

    The rule-making is under way. 65 F.R. 14505-06 (Mar. 17, 2000); see also (visited July 28, 2000).

    [168] 17 U.S.C. §§ 1201(d), (f), (g), (j).

    [169] 464 U.S. 417, 104 S.Ct. 774, 78 L.Ed.2d 574 (1984).

    [170] Id. at 443, 446, 104 S.Ct. 774.

    [171] RealNetworks, Inc., 2000 WL 127311, at *8 (quoting 1 NIMMER § 12A.18[B], at 12A-130) (internal quotation marks omitted).

    [172] SECTION-BY-SECTION ANALYSIS 9 ("The Sony test of `capab[ility] of substantial non-infringing uses,' while still operative in cases claiming contributory infringement of copyright, is not part of this legislation....").

    [173] 17 U.S.C. § 1201(a)(2).

    [174] Tr. (Schumann) at 275-76.

    [175] Id. at 261-62.

    [176] For example, a web page maintained by a radio station might provide a hyperlink to a weather report by programming its page to transfer the user to a National Weather Service site if the user clicks on the "weather" hyperlink.

    [177] 17 U.S.C. § 1201(a)(2).

    [178] See 2 THE COMPACT EDITION OF THE OXFORD ENGLISH DICTIONARY 3372 (1971).

    [179] See 2 id. 2340.

    [180] See 1 id. 1979.

    [181] See, e.g., Strom v. Goldman, Sachs & Co., 202 F.3d 138, 146-47 (2d Cir.1999).

    [182] See DVD Copy Control Ass'n, Inc. v. McLaughlin, No. CV 786804, 2000 WL 48512, *4 (Cal.Super. Jan. 21, 2000) ("website owner cannot be held responsible for all of the content of the sites to which it provides links"); Richard Raysman & Peter Brown, Recent Linking Issues, N.Y.L.J., Feb. 8, 2000, p. 3, col. 1 (same).

    [183] Roth v. United States, 354 U.S. 476, 483, 77 S.Ct. 1304, 1 L.Ed.2d 1498 (1957) (obscenity). See also, e.g., Sable Communications of California, Inc. v. F.C.C., 492 U.S. 115, 124, 109 S.Ct. 2829, 106 L.Ed.2d 93 (1989) (obscenity); Bose Corp. v. Consumers Union of U.S., Inc., 466 U.S. 485, 504, 104 S.Ct. 1949, 80 L.Ed.2d 502 (1984) (libel, obscenity, fighting words, child pornography); Beauharnais v. People of State of Illinois, 343 U.S. 250, 266, 72 S.Ct. 725, 96 L.Ed. 919 (1952) (defamation); Chaplinsky v. State of New Hampshire, 315 U.S. 568, 571-72, 62 S.Ct. 766, 86 L.Ed. 1031 (1942) (fighting words).

    [184] Robert Post, Encryption Source Code and the First Amendment, 15 BERKELEY TECH. L.J. 713, 714 (2000); see R.A.V. v. City of St. Paul, Minnesota, 505 U.S. 377, 382, 112 S.Ct. 2538, 120 L.Ed.2d 305 (1992) (statements that categories of speech are "unprotected" are not literally true; characterization indicates only that they are subject to content based regulation).

    [185] The Court is indebted to Professor David Touretzky of Carnegie-Mellon University, who testified on behalf of defendants, for his lucid explication of this point. See Tr. (Touretzky) at 1066-84 & Ex. BBE, CCO, CCP, CCQ. As will appear, however, the point does not lead the Court to the same conclusion as Dr. Touretzky.

    [186] LEONARD LEVY, FREEDOM OF SPEECH IN EARLY AMERICAN HISTORY: LEGACY OF SUPPRESSION passim (1960); see also 4 RONALD D. ROTUNDA & JOHN E. NOWAK, TREATISE ON CONSTITUTIONAL LAW § 20.5 (1999); 4 WILLIAM BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 151-52 (1769).

    [187] See, e.g., Hurley v. Irish-American Gay, Lesbian and Bisexual Group of Boston, 515 U.S. 557, 569, 115 S.Ct. 2338, 132 L.Ed.2d 487 (1995).

    [188] Junger v. Daley, 209 F.3d 481, 485 (6th Cir.2000); Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132, 1141, reh'g granted and opinion withdrawn, 192 F.3d 1308 (9th Cir.1999); Bernstein v. U.S. Dept. of State, 922 F.Supp. 1426, 1436 (N.D.Cal.1996) (First Amendment extends to source code); see Karn v. U.S. Dept. of State, 925 F.Supp. 1, 10 (D.D.C.1996) (assuming First Amendment extends to source code).

    [189] Police Dept. of City of Chicago v. Mosley, 408 U.S. 92, 95-96, 92 S.Ct. 2286, 33 L.Ed.2d 212 (1972).

    [190] Turner Broadcasting System, Inc. v. F.C.C., 512 U.S. 622, 641, 114 S.Ct. 2445, 129 L.Ed.2d 497 (1994); accord, R.A.V., 505 U.S. at 382-83, 112 S.Ct. 2538.

    [191] Sable Communications of California, Inc. v. F.C.C., 492 U.S. at 126, 109 S.Ct. 2829.

    [192] Turner Broadcasting System, Inc., 512 U.S. at 662, 114 S.Ct. 2445 (citing United States v. O'Brien, 391 U.S. 367, 377, 88 S.Ct. 1673, 20 L.Ed.2d 672 (1968)).

    [193] See, e.g., United States v. O'Brien, 391 U.S. at 376, 88 S.Ct. 1673.

    [194] During the Vietnam era, many who opposed the war, the draft, or both burned draft cards as acts of protest. Lower federal courts typically concluded or assumed that the expression inherent in this act of protest brought the behavior entirely within the scope of the First Amendment. THOMAS I. EMERSON, THE SYSTEM OF FREEDOM OF EXPRESSION 82 (1970). In United States v. O'Brien, 391 U.S. at 376, 88 S.Ct. 1673, however, the Supreme Court rejected "the view that an apparently limitless variety of conduct can be labeled `speech' whenever the person engaged in the conduct intends thereby to express an idea" and adopted a new approach, discussed below, to the regulation of expressive conduct as opposed to pure speech. Accord, Spence v. State of Washington, 418 U.S. 405, 410, 94 S.Ct. 2727, 41 L.Ed.2d 842 (1974). The point for present purposes is that the presence of expression in some broader mosaic does not result in the entire mosaic being treated as "speech."

    [195] Id. at 376.

    [196] Def. Post-Trial Mem. at 15-16.

    [197] Ward v. Rock Against Racism, 491 U.S. 781, 791, 109 S.Ct. 2746, 105 L.Ed.2d 661 (1989); accord, Hill v. Colorado, ___ U.S. ___, ___, 120 S.Ct. 2480, 2491, 147 L.Ed.2d 597 (2000); Turner Broadcasting System, Inc., 512 U.S. at 642, 114 S.Ct. 2445; Madsen v. Women's Health Center, Inc., 512 U.S. 753, 763, 114 S.Ct. 2516, 129 L.Ed.2d 593 (1994).

    [198] See generally Turner Broadcasting System, Inc., 512 U.S. at 646-49, 114 S.Ct. 2445 (holding that "must-carry" provisions of the Cable Television Consumer Protection and Competition Act of 1992 are content neutral in view of "overriding congressional purpose ... unrelated to the content of expression" manifest in detailed legislative history).

    [199] 475 U.S. 41, 106 S.Ct. 925, 89 L.Ed.2d 29 (1986).

    [200] Id. at 46-49, 106 S.Ct. 925; see also Young v. American Mini Theatres, Inc., 427 U.S. 50, 71 n. 34, 96 S.Ct. 2440, 49 L.Ed.2d 310 (1976).

    [201] See Karn, 925 F.Supp. at 10 (regulations controlling export of computer code content neutral); Benkler, 74 N.Y.U.L.REV. at 413 (DMCA "content and viewpoint neutral").

    [202] Turner Broadcasting System, Inc., 512 U.S. at 662, 114 S.Ct. 2445 (quoting O'Brien, 391 U.S. at 377, 88 S.Ct. 1673 (internal quotation marks omitted)); see also, e.g., United States v. Weslin, 156 F.3d 292, 297 (2d Cir. 1998).

    [203] Turner Broadcasting System, Inc., 512 U.S. at 662, 114 S.Ct. 2445; see also Hill, ___ U.S. at ___, 120 S.Ct. at 2494.

    [204] Ward, 491 U.S. at 799, 109 S.Ct. 2746 (quoting United States v. Albertini, 472 U.S. 675, 689, 105 S.Ct. 2897, 86 L.Ed.2d 536 (1985)).

    [205] U.S. CONST., art. I, § 8 (Copyright Clause).

    [206] COMMERCE COMM.REP. 94-95; SENATE REP. 21-22, 143.

    [207] Harper & Row, Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 558, 105 S.Ct. 2218, 85 L.Ed.2d 588 (1985).

    [208] It is conceivable that technology eventually will provide means of limiting access only to copyrighted materials and only for uses that would infringe the rights of the copyright holder. See, e.g., Travis, 15 BERKELEY TECH.L.J. at 835-36; Mark Gimbel, Note, Some Thoughts on the Implications of Trusted Systems for Intellectual Property Law, 50 Stan. L.Rev. 1671, 1875-78 (1998); Mark Stefik, Shifting the Possible: How Trusted Systems and Digital Property Rights Challenge Us to Rethink Digital Publishing, 12 BERKELEY TECH. L.J. 137, 138-40 (1997). We have not yet come so far.

    [209] 209 F.3d 481 (6th Cir.2000).

    [210] Id. at 485.

    [211] 391 U.S. at 377, 88 S.Ct. 1673.

    [212] 209 F.3d at 485.

    [213] See Lee Tien, Publishing Software as a Speech Act, 15 BERKELEY TECH.L.J. 629, 694-701 (2000). Professor Tien's analysis itself has been criticized. Robert Post, Encryption Source Code and the First Amendment, 15 BERKELEY TECH.L.J. 715 (2000).

    [214] This perhaps is not as surprising as first might appear. Computer "viruses" are other programs, an understanding of which is aided by the biological analogy evident in their name. See, e.g., Jeffrey O. Kephart, Gregory B. Sorkin, David M. Chess and Steve R. White, Fighting Computer Viruses, SCIENTIFIC AMERICAN, (visited Aug. 16, 2000) .

    [215] DAVID E. LILIENFELD & PAUL D. STOLLEY, FOUNDATIONS OF EPIDEMIOLOGY 38-41 & Fig. 3-1 (3d ed.1994); JOHN P. Fox, CARRIE E. HALL & LILA R. ELVEBACK, EPIDEMIOLOGY-MAN AND DISEASE 246-47 (1970).

    [216] Of course, not everyone who obtains DeCSS or some other decryption program necessarily will use it to engage in copyright infringement, just as not everyone who is exposed to a contagious disease contracts it. But that is immaterial. The critical point is that the combination of (a) the manner in which the ability to infringe is spread and (b) the lack of any practical means of controlling infringement at the point at which it occurs once the capability is broadly disseminated render control of infringement by controlling availability of the means of infringement far more critical in this context.

    [217] See, e.g., Guido Calabresi & Jeffrey O. Cooper, New Directions in Tort Law, 30 VAL. U.L.REV. 859, 870-72 (1996).

    [218] As has been noted above, some categories of speech, which often have been referred to inaccurately as "unprotected," may be regulated on the basis of their content. R.A.V., 505 U.S. at 382-83, 112 S.Ct. 2538. These have included obscenity and "fighting words," to name two such categories. The determination of the types of speech which may be so regulated has been made through a process termed by one leading commentator as "definitional" balancing — a weighing of the value of free expression in these areas against its likely consequences and the legitimate interests of government. Melville B. Nimmer, The Right to Speak from Times to Time: First Amendment Theory Applied to Libel and Misapplied to Privacy, 56 CAL.L.REV. 935, 942 (1968); see R.A.V., 505 U.S. at 382-83, 112 S.Ct. 2538. Thus, even if one accepted defendants' argument that the anti-trafficking prohibition of the DMCA is content based because it regulates only code that "expresses" the programmer's "ideas" for circumventing access control measures, the question would remain whether such code — code designed to circumvent measures controlling access to private or legally protected data — nevertheless could be regulated on the basis of that content. For the reasons set forth in the text, the Court concludes that it may. Alternatively, even if such a categorical or definitional approach were eschewed, the Court would uphold the application of the DMCA now before it on the ground that this record establishes an imminent threat of danger flowing from dissemination of DeCSS that far outweighs the need for unfettered communication of that program. See Landmark Communications, Inc. v. Commonwealth of Virginia, 435 U.S. 829, 842-43, 98 S.Ct. 1535, 56 L.Ed.2d 1 (1978).

    [219] For example, one might imagine a computer program the object of which was to teach the user a particular view of a subject, e.g., evolution or creationism. Such a program, like this one, would be within the area of First Amendment concern and functional. Yet a regulation barring its use would be subject to a quite different analysis. Such a ban, for example, might be based on the content of the message the program caused the computer to deliver to the student-user and thus quite clearly be content based. Similarly, the function — teaching — would not involve the same likelihood that the dissemination would bring about a harm that the government has a legitimate right to prevent.

    [220] U.S. v. Washington Post Co., 403 U.S. 713, 714, 91 S.Ct. 2140, 29 L.Ed.2d 822 (1971) (per curiam) (quoting Bantam Books, Inc. v. Sullivan, 372 U.S. 58, 70, 83 S.Ct. 631, 9 L.Ed.2d 584 (1963)).

    [221] See, e.g., Posadas de Puerto Rico Assoc. v. Tourism Co. of Puerto Rico, 478 U.S. 328, 106 S.Ct. 2968, 92 L.Ed.2d 266 (1986) (upholding restrictions on casino gambling advertising); Times Film Corp. v. Chicago, 365 U.S. 43, 81 S.Ct. 391, 5 L.Ed.2d 403 (1961) (upholding local ordinance requiring review of films by municipal officials as prerequisite to issuance of permits for public screening); Salinger v. Random House, Inc., 811 F.2d 90 (2d Cir.) (enjoining biographer's use of subject's unpublished letters as copyright infringement), cert. denied, 484 U.S. 890, 108 S.Ct. 213, 98 L.Ed.2d 177 (1987); Dallas Cowboys Cheerleaders v. Pussycat Cinema, Ltd., 604 F.2d 200 (2d Cir.1979) (enjoining distribution of film on ground that actresses' uniforms infringed plaintiff's trademark). See generally LAURENCE H. TRIBE, AMERICAN CONSTITUTIONAL LAW § 12-36, at 1045-46 (1988) (hereinafter TRIBE).

    [222] See, e.g., Charles of the Ritz Group, Ltd. v. Quality King Distributors, Inc., 832 F.2d 1317 (2d Cir.1987) (upholding injunction against commercial slogan on ground that slogan created a likelihood of confusion and is therefore "beyond the protective reach of the First Amendment"); Vondran v. McLinn, No. 95-20296, 1995 WL 415153, *6 (N.D.Cal. July 5, 1995) (enjoining defendant's false and disparaging remarks regarding plaintiff's patented process for making fiber reinforced concrete on the ground that the remarks are not protected by the First Amendment).

    [223] See, e.g., Times Film Corp. v. City of Chicago, 365 U.S. 43, 81 S.Ct. 391, 5 L.Ed.2d 403 (upholding local ordinance requiring review by city officials of all films as a prerequisite to grant of permit for public screening despite concerns of First Amendment violations); Posadas de Puerto Rico Associates, 478 U.S. 328, 106 S.Ct. 2968, 92 L.Ed.2d 266 (upholding restrictions on advertising despite finding that the advertising fell within ambit of First Amendment); Dallas Cowboys Cheerleaders, Inc., 604 F.2d 200 (enjoining distribution of film for trademark infringement despite claim that injunction violated distributor's First Amendment rights).

    [224] 4 WILLIAM BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 151-52 (1769).

    [225] See Pittsburgh Press Co. v. Pittsburgh Com'n on Human Relations, 413 U.S. 376, 390, 93 S.Ct. 2553, 37 L.Ed.2d 669 (1973).

    [226] Martin H. Redish, The Proper Role of the Prior Restraint Doctrine in First Amendment Theory, 70 VA.L.REV. 53, 54 (1983) (hereinafter "Redish"). See also LAURENCE H. TRIBE, AMERICAN CONSTITUTIONAL LAW § 12-34, at 1040-41 (2d ed.1988).

    [227] John Calvin Jeffries, Jr., Rethinking Prior Restraint, 92 YALE L.J. 409, 419 (1983).

    [228] Despite the conventional wisdom, it is far from clear that an injunction necessarily is a prior restraint. Our circuit, for example, has suggested that the prior restraint doctrine does not apply to content neutral injunctions. See e.g., Dallas Cowboys Cheerleaders, Inc., 604 F.2d at 206. At least one commentator persuasively has argued that there is little justification for placing injunctions, at least permanent injunctions issued after trial, in a disfavored constitutional position. Jeffries, 92 YALE L.J. at 426-34. Nevertheless, there is no reason to decide that question in this case. The following discussion therefore assumes that the permanent injunction plaintiff seeks would be a "prior restraint," although it concludes that it would not be unconstitutional.

    [229] 283 U.S. 697, 51 S.Ct. 625, 75 L.Ed. 1357 (1931).

    [230] 403 U.S. 713, 91 S.Ct. 2140, 29 L.Ed.2d 822 (1971).

    [231] 427 U.S. 539, 96 S.Ct. 2791, 49 L.Ed.2d 683 (1976).

    [232] See H.R.REP. 106-216, 106th Cong., 1st Sess. (1999) ("Notwithstanding [penalties for copyright infringement] copyright piracy of intellectual property flourishes, assisted in large part by today's world of advanced technologies. For example, industry groups estimate that counterfeiting and piracy of computer software cost the affected copyright holders more than $11 billion last year (others believe the figure is closer to $20 billion). In some countries, software piracy rates are as high as 97% of all sales. The U.S. rate is far lower (25%), but the dollar losses ($2.9 billion) are the highest worldwide. The effect of this volume of theft is substantial: lost U.S. jobs, lost wages, lower tax revenue, and higher prices for honest purchasers of copyrighted software. Unfortunately, the potential for this problem to worsen is great."); S.REP. 106-140, 106th Cong., 1st Sess. (1999) ("Trademark owners are facing a new form of piracy on the Internet caused by acts of `cybersquatting.'"); S.REP. 105-190, 105th Cong., 2d Sess. (1998) ("Due to the ease with which digital works can be copied and distributed worldwide virtually instantaneously, copyright owners will hesitate to make their works readily available on the Internet without reasonable assurance that they will be protected against massive piracy."); H.R.REP. 105-339, 105th Cong., 1st Sess. (1997) ("[C]opyright piracy flourishes in the software world.").

    [233] Mark A. Lemley & Eugene Volokh, Freedom of Speech and Injunctions in Intellectual Property Cases, 48 DUKE L.J. 147, 210 & n. 275 (1998).

    [234] See, e.g., Pittsburgh Press Co., 413 U.S. at 390, 93 S.Ct. 2553 ("The special vice of a prior restraint is that communication will be suppressed . . . before an adequate determination that it is unprotected by the First Amendment."); Lemley & Volokh, 48 DUKE L.J. at 200-02, 211; see Redish, 70 VA.L.REV. at 75-83.

    [235] See Lemley & Volokh, 48 DUKE L.J. at 211-12, 215 (acknowledging that high likelihood of success diminishes risk of erroneous suppression of protected speech).

    [236] Def. Post-Trial Mem. at 22-24.

    [237] Id. at 22.

    Defendants argue also that the DMCA as applied is overbroad in that "it would prohibit defendants from posting and making programs such as DeCSS available in any form, from English to any level of computer code." Id. The overbreadth doctrine, however, enables litigants to challenge a statute not merely because their own First Amendment rights are violated, but because the statute may cause others to abstain from constitutionally protected expression. Broadrick v. Oklahoma, 413 U.S. 601, 612, 93 S.Ct. 2908, 37 L.Ed.2d 830 (1973). This aspect of defendants' argument, which in any case is an overstatement, therefore does not refer to overbreadth in the sense relevant here.

    [238] Broadrick, 413 U.S. at 610, 93 S.Ct. 2908.

    [239] Gooding v. Wilson, 405 U.S. 518, 520-21, 92 S.Ct. 1103, 31 L.Ed.2d 408 (1972) (quoting Dombrowski v. Pfister, 380 U.S. 479, 486, 85 S.Ct. 1116, 14 L.Ed.2d 22 (1965)).

    [240] Gooding, 405 U.S. at 521, 92 S.Ct. 1103.

    [241] Los Angeles Police Dept. v. United Reporting Pub. Corp., 528 U.S. 32, 120 S.Ct. 483, 489, 145 L.Ed.2d 451 (1999) (quoting New York v. Ferber, 458 U.S. 747, 769, 102 S.Ct. 3348, 73 L.Ed.2d 1113 (1982) (quoting Broadrick, 413 U.S. at 613, 93 S.Ct. 2908)).

    [242] Id. at 489 (quoting Ferber, 458 U.S. at 770, 102 S.Ct. 3348 (quoting Broadrick, 413 U.S. at 615, 93 S.Ct. 2908)).

    [243] Broadrick, 413 U.S. at 612, 93 S.Ct. 2908.

    [244] Tr. (King) at 441.

    [245] Defendants argue that the right of third parties to view DVD movies on computers running the Linux operating system will be materially impaired if DeCSS is not available to them. However, the technology to build a Linux-based DVD player has been licensed by the DVD CCA to at least two companies, and there is no reason to think that others wishing to develop Linux players could not obtain licenses if they so chose. Tr. (King) at 437-38. Therefore, enforcement of the DMCA to prohibit the posting of DeCSS would not materially impair the ability of Linux users to view DVDs on Linux machines. Further, it is not evident that constitutional protection of free expression extends to the type of device on which one plays copyrighted material. Therefore, even assuming arguendo that the ability of third parties to view DVD movies on Linux systems were materially impaired by enforcement of the DMCA in this case, this impairment would not necessarily implicate the First Amendment rights of these third parties.

    [246] CSS encryption coupled with the characteristics of compliant DVD players also forecloses copying of digital sound files. It is not clear, however, that this is a substantial impediment to copying sound from motion picture DVDs. A DVD can be played on a compliant player and the sound re-recorded. Whether the sound quality thus obtained would be satisfactory might well depend upon the particular use to which the copy was put.

    [247] The same point might be made with respect to copying of works upon which copyright has expired. Once the statutory protection lapses, the works pass into the public domain. The encryption on a DVD copy of such a work, however, will persist. Moreover, the combination of such a work with a new preface or introduction might result in a claim to copyright in the entire combination. If the combination then were released on DVD and encrypted, the encryption would preclude access not only to the copyrighted new material, but to the public domain work. As the DMCA is not yet two years old, this does not yet appear to be a problem, although it may emerge as one in the future.

    [248] Defendants argue that "there is now a full evidentiary record" and that the overbreadth issue therefore should be decided. Def. Post-Trial Mem. at 22 n. 11. With respect, the evidence as to the impact of the anti-trafficking provision of the DMCA on prospective fair users is scanty and fails adequately to address the issues.

    This is not to minimize the interests of the amici who have submitted briefs in this case. The Court simply does not have a sufficient evidentiary record on which to evaluate their claims.

    [249] 17 U.S.C. § 1201(g).

    [250] Def. Post-Trial Mem. at 24.

    [251] Village of Hoffman Estates v. Flipside, 455 U.S. 489, 495, 102 S.Ct. 1186, 71 L.Ed.2d 362 (1982).

    [252] See 17 U.S.C. § 1201(a)(2)(A).

    [253] Ward, 491 U.S. at 799, 109 S.Ct. 2746 (quoting United States v. Albertini, 472 U.S. 675, 689, 105 S.Ct. 2897, 86 L.Ed.2d 536 (1985)).

    [254] ACLU v. Reno, 929 F.Supp. 824, 837 (E.D.Pa.1996), aff'd, 521 U.S. 844, 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997).

    [255] Richard Raysman & Peter Brown, Recent Linking Issues, N.Y.L.J., Feb. 8, 2000, p. 3, col. 1.

    [256] Cf. New York Times Co. v. Sullivan, 376 U.S. 254, 271-73, 283-88, 84 S.Ct. 710, 11 L.Ed.2d 686 (1964).

    [257] Id. at 283, 84 S.Ct. 710; Curtis Pub. Co. v. Butts, 388 U.S. 130, 155, 87 S.Ct. 1975, 18 L.Ed.2d 1094 (1967); St. Amant v. Thompson, 390 U.S. 727, 731, 88 S.Ct. 1323, 20 L.Ed.2d 262 (1968); ROBERT D. SACK, SACK ON DEFAMATION § 1.2.4 (3d ed.1999).

    [258] 418 U.S. 323, 347-38, 94 S.Ct. 2997, 41 L.Ed.2d 789 (1974).

    [259] In evaluating purpose, courts will look at all relevant circumstances. Sites that advertise their links as means of getting DeCSS presumably will be found to have created the links for the purpose of disseminating the program. Similarly, a site that deep links to a page containing only DeCSS located on a site that contains a broad range of other content, all other things being equal, would more likely be found to have linked for the purpose of disseminating DeCSS than if it merely links to the home page of the linked-to site.

    [260] Tr. (Corley) at 820.

    [261] 17 U.S.C. § 1203(a).

    [262] Def. Post-Trial Mem. at 27-28.

    [263] The statute expressly authorizes injunctions to prevent or restrain violations, 17 U.S.C. § 1203(b)(1), thus demonstrating that the requisite injury need only be threatened.

    [264] Def. Post-Trial Mem. at 28.

    [265] Id. at 28-29.

    [266] See, e.g., Ex. AYZ (Hunt Dep.) at 94-104.

    [267] Id. 30.

    [268] Ex. 113.

    [269] Defendants' argument would lack merit even if there were credible proof that other circumvention devices actually exist and produce results comparable to DeCSS. The available movies must have been decrypted with DeCSS or something else. As far as this record discloses, any such device or technology would violate the DMCA for the same reasons as does DeCSS. In consequence, this case comes within the principle of Summers v. Tice, 33 Cal.2d 80, 199 P.2d 1 (1948). Where, as here, two or more persons take substantially identical wrongful actions, one and only one of which had to be the source of the plaintiffs' injury, and it is equally likely that one inflicted the injury as the other, the burden of proof on causation shifts to the defendants, each of which is liable absent proof that its action did not cause the injury. See 4 Fowler V. Harper & Fleming James, Jr., THE LAW OF TORTS §§ 101-04 (2d ed.1996).

    Defendants' efforts to avoid the consequences of this common sense principle are unpersuasive. They argue, for example, that plaintiffs may not invoke the theory unless they join as defendants everyone who may have contributed to the injury. Def. Post-Trial Mem. at 32 n. 18 (citing Ex. UZ). It would be difficult to imagine a more nonsensical requirement in the context of this case. Where, as here, harm is done by dissemination of information over the Internet, probably by a substantial number of people all over the world, defendants' proposed rule would foreclose judicial relief anywhere because joinder of all plainly would be impossible in any one place, and technology does not permit identification of which wrongdoer's posting or product led to which pirated copy of a copyrighted work.

    [270] 17 U.S.C. § 1203(b)(1).

    [271] See, e.g., S.E.C. v. Unique Financial Concepts, Inc., 196 F.3d 1195, 1199 n. 2 (11th Cir.1999) (injunction under Section 20(b) of the Securities Act of 1933, 15 U.S.C. § 77t(b), which permits an injunction "upon a proper showing," requires "a reasonable likelihood that the wrong will be repeated"); Commodity Futures Trading Com'n v. Hunt, 591 F.2d 1211, 1220 (7th Cir.1979) (same under Commodity Exchange Act, 7 U.S.C. § 13a-1(b)); S.E.C. v. Bausch & Lomb Inc., 565 F.2d 8, 18 (2d Cir.1977) (reasonable likelihood of future violations required under § 21(d) of Securities Exchange Act of 1934, 15 U.S.C. § 78u(d), which permits an injunction "upon a proper showing" where person "engaged or ... about to engage in" violation of statute).

    [272] See, e.g., Rondeau v. Mosinee Paper Corp., 422 U.S. 49, 57, 95 S.Ct. 2069, 45 L.Ed.2d 12 (1975) (injunctive relief in private action under § 13(d) of the Securities Exchange Act of 1934, 15 U.S.C. § 78m(d), as added by the Williams Act, requires a showing of irreparable harm and inadequacy of legal remedies).

    [273] Tough Traveler, Ltd. v. Outbound Prods., 60 F.3d 964, 967-68 (2d Cir.1995) (trademark); Fisher-Price, Inc. v. Well-Made Toy Mfg. Corp., 25 F.3d 119, 124 (2d Cir.1994) (copyright).

    [274] See, e.g., Northwestern Nat'l Ins. Co. v. Alberts, 937 F.2d 77, 80 (2d Cir.1991) ("The irreparable injury requisite ... overlaps with the absent lack of adequate remedy at law necessary to establish the equitable rights."); Buffalo Forge Co. v. Ampco-Pittsburgh Corp., 638 F.2d 568, 569 (2d Cir.1981) ("There must also be a showing of irreparable harm, the absence of an adequate remedy at law, which is the sine qua non for the grant of such equitable relief.")

    [275] Religious Technology Center v. Netcom On-Line Communication Services, Inc., 923 F.Supp. 1231, 1256 (N.D.Cal.1995).

    [276] Com-Share, Inc. v. Computer Complex, Inc., 338 F.Supp. 1229, 1239 (E.D.Mich. 1971).

    [277] During the trial, Professor Touretzky of Carnegie Mellon University, as noted above, convincingly demonstrated that computer source and object code convey the same ideas as various other modes of expression, including spoken language descriptions of the algorithm embodied in the code. Tr. (Touretzky) at 1068-69; Ex. BBE, CCO, CCP, CCQ. He drew from this the conclusion that the preliminary injunction irrationally distinguished between the code, which was enjoined, and other modes of expression that convey the same idea, which were not, id., although of course he had no reason to be aware that the injunction drew that line only because that was the limit of the relief plaintiffs sought. With commendable candor, he readily admitted that the implication of his view that the spoken language and computer code versions were substantially similar was not necessarily that the preliminary injunction was too broad; rather, the logic of his position was that it was either too broad or too narrow. Id. at 1070-71. Once again, the question of a substantially broader injunction need not be addressed here, as plaintiffs have not sought broader relief.

    [278] 17 U.S.C. § 1203(b)(4)-(b)(5).

    [279] See Fogerty v. Fantasy, Inc., 510 U.S. 517, 534, 114 S.Ct. 1023, 127 L.Ed.2d 455 (1994) (articulating factors relevant to fee awards under the Copyright Act).

    [280] Universal City Studios, Inc. v. Reimerdes, 104 F.Supp.2d 334 (S.D.N.Y. 2000).

    [281] The chief factual issue actually litigated at trial was the speed with which decrypted files could be transmitted over the Internet and other networks.

    8.4.3 Universal City Studios, Inc. v. Corley 8.4.3 Universal City Studios, Inc. v. Corley

    This opinion is an appeal of the Remeirdes case. This excerpt primarily considers the defenses.

    United States Court of Appeals for the Second Circuit
    273 F.3d 429
    Docket No. 00-9185
    2001-11-28

    273 F.3d 429 (2nd Cir. 2001)

    UNIVERSAL CITY STUDIOS, INC., PARAMOUNT PICTURES CORPORATION, METRO-GOLDWYN-MAYER STUDIOS INC., TRISTAR PICTURES, INC., COLUMBIA PICTURES INDUSTRIES, INC., TIME WARNER ENTERTAINMENT COMPANY, L.P., DISNEY ENTERPRISES INC., TWENTIETH CENTURY FOX FILM CORPORATION, PLAINTIFFS-APPELLEES,
    v.
    ERIC CORLEY, ALSO KNOWN AS EMMANUEL GOLDSTEIN, AND 2600 ENTERPRISES INC., DEFENDANTS-APPELLANTS,
    UNITED STATES OF AMERICA, INTERVENOR.

    Docket No. 00-9185.
    UNITED STATES COURT OF APPEALS FOR THE SECOND CIRCUIT.
    Argued: May 1, 2001.
    Finally Submitted: May 30, 2001.
    Decided: November 28, 2001.

    [433] Kathleen Sullivan, Stanford, Cal. (Martin Garbus, Edward Hernstadt, Frankfurt Garbus Kurnit Klein & Selz, New York, N.Y.; Cindy A. Cohn, Lee Tien, Robin Gross, Elec. Frontier Found., San Francisco, Cal., on the brief), for Defendants-Appellants.

    Charles S. Sims, New York, N.Y. (Leon P. Gold, Jon A. Baumgarten, Carla M. Miller, Matthew J. Morris, Proskauer Rose, New York, N.Y., on the brief), for Plaintiffs-Appellees.

    Daniel S. Alter, Asst. U.S. Atty., New York, N.Y. (Mary Jo White, U.S. Atty., Marla Alhadeff, Asst. U.S. Atty., New York, N.Y., on the brief), for Intervenor United States of America.

    (Prof. Peter Jazsi, Wash. College of Law, American Univ., Wash., D.C.; Prof. Jessica Litman, Wayne State Univ., Detroit, Mich.; Prof. Pamela Samuelson, Univ. of Cal. at Berkeley, Berkeley, Cal.; Ann Beeson, Christopher Hansen, American Civil Liberties Union Foundation, New York, N.Y., submitted a brief in support of Defendants-Appellants, for amici curiae American Civil Liberties Union et al.).

    (Andrew Grosso, Wash., D.C., submitted a brief in support of Defendants-Appellants for amicus curiae ACM Committee on Law and Computing Technology).

    (James S. Tyre, Culver City, Cal., submitted a brief in support of Defendants-Appellants, for amici curiae Dr. Harold Abelson et al.).

    (Edward A. Cavazos, Gavino Morin, Cavazos, Morin, Langenkamp & Ferraro, Austin, Tex., submitted a brief in support of Defendants-Appellants, for amici curiae Ernest Miller et al.).

    (Arnold G. Rheinhold, Cambridge, Mass., submitted a brief amicus curiae in support of Defendant-Appellant 2600 Enterprises, Inc.).

    [434] (Prof. Julie E. Cohen, Georgetown Univ. Law Center, Wash., D.C., submitted a brief in support of Defendants-Appellants, for amici curiae intellectual property law professors).

    (Jennifer S. Granick, Stanford, Cal., submitted a brief in support of Defendants-Appellants, for amici curiae Dr. Steven Bellovin et al.).

    (Prof. Yochai Benkler, N.Y. Univ. School of Law, New York, N.Y.; Prof. Lawrence Lessig, Stanford Law School, Stanford, Cal., submitted a brief amici curiae in support of Defendants-Appellants).

    (David A. Greene, First Amendment Project, Oakland, Cal.; Jane E. Kirtley, Erik F. Ugland, Silha Center for the Study of Media Ethics and Law, Univ. of Minn., Minneapolis, Minn.; Milton Thurm, Thurm & Heller, New York, N.Y., submitted a brief in support of Defendants-Appellants, for amici curiae Online News Ass'n et al.).

    (Prof. Rodney A. Smolla, Univ. of Richmond School of Law, Richmond Va., submitted a brief in support of Plaintiffs-Appellees, for amici curiae Prof. Erwin Chemerinsky et al.).

    (David E. Kendall, Paul B. Gaffney, Williams & Connolly, Wash., D.C.; David M. Proper, National Football League and NFL Properties, New York, N.Y.; Thomas J. Ostertag, Office of the Commissioner of Baseball, New York, N.Y., submitted a brief in support of Plaintiff-Appellees, for amici curiae Recording Ind. Ass'n of Am. et al.).

    (Jeffrey L. Kessler, Robert G. Sugarman, Geoffrey D. Berman, Weil, Gotshal & Manges Llp, New York, N.Y., submitted a brief in support of Plaintiffs-Appellees, for amicus curiae DVD Copy Control Ass'n, Inc.).

    Before: Newman and Cabranes, Circuit Judges, and Thompson,[*] District Judge.

    Jon O. Newman, Circuit Judge.

    When the Framers of the First Amendment prohibited Congress from making any law "abridging the freedom of speech," they were not thinking about computers, computer programs, or the Internet. But neither were they thinking about radio, television, or movies. Just as the inventions at the beginning and middle of the 20th century presented new First Amendment issues, so does the cyber revolution at the end of that century. This appeal raises significant First Amendment issues concerning one aspect of computer technology—encryption to protect materials in digital form from unauthorized access. The appeal challenges the constitutionality of the Digital Millennium Copyright Act ("DMCA"), 17 U.S.C. § 1201 et seq. (Supp. V 1999) and the validity of an injunction entered to enforce the DMCA.

    Defendant-Appellant Eric C. Corley and his company, 2600 Enterprises, Inc., (collectively "Corley," "the Defendants," or "the Appellants") appeal from the amended final judgment of the United States District Court for the Southern District of New York (Lewis A. Kaplan, District Judge), entered August 23, 2000, enjoining them from various actions concerning a decryption program known as "DeCSS." Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 346 (S.D.N.Y. 2000) ("Universal II"). The injunction primarily bars the Appellants from posting DeCSS on their web site and from knowingly linking [435] their web site to any other web site on which DeCSS is posted. Id. at 346-47. We affirm.

    Introduction

    Understanding the pending appeal and the issues it raises requires some familiarity with technical aspects of computers and computer software, especially software called "digital versatile disks" or "DVDs," which are optical media storage devices currently designed to contain movies.[1] Those lacking such familiarity will be greatly aided by reading Judge Kaplan's extremely lucid opinion, Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000) ("Universal I"), beginning with his helpful section "The Vocabulary of this Case," id. at 305-09.

    This appeal concerns the anti-trafficking provisions of the DMCA, which Congress enacted in 1998 to strengthen copyright protection in the digital age. Fearful that the ease with which pirates could copy and distribute a copyrightable work in digital form was overwhelming the capacity of conventional copyright enforcement to find and enjoin unlawfully copied material, Congress sought to combat copyright piracy in its earlier stages, before the work was even copied. The DMCA therefore backed with legal sanctions the efforts of copyright owners to protect their works from piracy behind digital walls such as encryption codes or password protections. In so doing, Congress targeted not only those pirates who would circumvent these digital walls (the "anti-circumvention provisions," contained in 17 U.S.C. § 1201(a)(1)), but also anyone who would traffic in a technology primarily designed to circumvent a digital wall (the "anti-trafficking provisions," contained in 17 U.S.C. § 1201(a)(2), (b)(1)).

    Corley publishes a print magazine and maintains an affiliated web site geared towards "hackers," a digital-era term often applied to those interested in techniques for circumventing protections of computers and computer data from unauthorized access. The so-called hacker community includes serious computer-science scholars conducting research on protection techniques, computer buffs intrigued by the challenge of trying to circumvent access-limiting devices or perhaps hoping to promote security by exposing flaws in protection techniques, mischief-makers interested in disrupting computer operations, and thieves, including copyright infringers who want to acquire copyrighted material (for personal use or resale) without paying for it.

    In November 1999, Corley posted a copy of the decryption computer program "DeCSS" on his web site, http://www.2600.com ("2600.com").[2] DeCSS is designed to circumvent "CSS," the encryption technology [436] that motion picture studios place on DVDs to prevent the unauthorized viewing and copying of motion pictures. Corley also posted on his web site links to other web sites where DeCSS could be found.

    Plaintiffs-Appellees are eight motion picture studios that brought an action in the Southern District of New York seeking injunctive relief against Corley under the DMCA. Following a full non-jury trial, the District Court entered a permanent injunction barring Corley from posting DeCSS on his web site or from knowingly linking via a hyperlink to any other web site containing DeCSS. Universal II, 111 F. Supp. 2d at 346-47. The District Court rejected Corley's constitutional attacks on the statute and the injunction. Universal I, 111 F. Supp. 2d at 325-45.

    Corley renews his constitutional challenges on appeal. Specifically, he argues primarily that: (1) the DMCA oversteps limits in the Copyright Clause on the duration of copyright protection; (2) the DMCA as applied to his dissemination of DeCSS violates the First Amendment because computer code is "speech" entitled to full First Amendment protection and the DMCA fails to survive the exacting scrutiny accorded statutes that regulate "speech"; and (3) the DMCA violates the First Amendment and the Copyright Clause by unduly obstructing the "fair use" of copyrighted materials. Corley also argues that the statute is susceptible to, and should therefore be given, a narrow interpretation that avoids alleged constitutional objections.

    Background

    For decades, motion picture studios have made movies available for viewing at home in what is called "analog" format. Movies in this format are placed on videotapes, which can be played on a video cassette recorder ("VCR"). In the early 1990s, the studios began to consider the possibility of distributing movies in digital form as well. Movies in digital form are placed on disks, known as DVDs, which can be played on a DVD player (either a stand-alone device or a component of a computer). DVDs offer advantages over analog tapes, such as improved visual and audio quality, larger data capacity, and greater durability. However, the improved quality of a movie in a digital format brings with it the risk that a virtually perfect copy, i.e., one that will not lose perceptible quality in the copying process, can be readily made at the click of a computer control and instantly distributed to countless recipients throughout the world over the Internet. This case arises out of the movie industry's efforts to respond to this risk by invoking the anti-trafficking provisions of the DMCA.

    I. CSS

    The movie studios were reluctant to release movies in digital form until they were confident they had in place adequate safeguards against piracy of their copyrighted movies. The studios took several steps to minimize the piracy threat. First, they settled on the DVD as the standard digital medium for home distribution of movies. The studios then sought an encryption scheme to protect movies on DVDs. They enlisted the help of members of the consumer electronics and computer industries, who in mid-1996 developed the Content Scramble System ("CSS"). CSS is an encryption scheme that employs an algorithm configured by a set of "keys" to encrypt a DVD's contents. The algorithm is a type of mathematical formula for transforming the contents of the movie file into gibberish; the "keys" are in actuality strings of 0's and 1's that serve as values for the mathematical formula. Decryption in the case of CSS requires a set of "player keys" [437] contained in compliant DVD players, as well as an understanding of the CSS encryption algorithm. Without the player keys and the algorithm, a DVD player cannot access the contents of a DVD. With the player keys and the algorithm, a DVD player can display the movie on a television or a computer screen, but does not give a viewer the ability to use the copy function of the computer to copy the movie or to manipulate the digital content of the DVD.

    The studios developed a licensing scheme for distributing the technology to manufacturers of DVD players. Player keys and other information necessary to the CSS scheme were given to manufacturers of DVD players for an administrative fee. In exchange for the licenses, manufacturers were obliged to keep the player keys confidential. Manufacturers were also required in the licensing agreement to prevent the transmission of "CSS data" (a term undefined in the licensing agreement) from a DVD drive to any "internal recording device," including, presumably, a computer hard drive.

    With encryption technology and licensing agreements in hand, the studios began releasing movies on DVDs in 1997, and DVDs quickly gained in popularity, becoming a significant source of studio revenue.[3] In 1998, the studios secured added protection against DVD piracy when Congress passed the DMCA, which prohibits the development or use of technology designed to circumvent a technological protection measure, such as CSS. The pertinent provisions of the DMCA are examined in greater detail below.

    II. DeCSS

    In September 1999, Jon Johansen, a Norwegian teenager, collaborating with two unidentified individuals he met on the Internet, reverse-engineered a licensed DVD player designed to operate on the Microsoft operating system, and culled from it the player keys and other information necessary to decrypt CSS. The record suggests that Johansen was trying to develop a DVD player operable on Linux, an alternative operating system that did not support any licensed DVD players at that time. In order to accomplish this task, Johansen wrote a decryption program executable on Microsoft's operating system.[4] That program was called, appropriately enough, "DeCSS."

    If a user runs the DeCSS program (for example, by clicking on the DeCSS icon on a Microsoft operating system platform) with a DVD in the computer's disk drive, DeCSS will decrypt the DVD's CSS protection, allowing the user to copy the DVD's files and place the copy on the user's hard drive. The result is a very large computer file that can be played on a non-CSS-compliant player and copied, manipulated, and transferred just like any [438] other computer file.[5] DeCSS comes complete with a fairly user-friendly interface that helps the user select from among the DVD's files and assign the decrypted file a location on the user's hard drive. The quality of the resulting decrypted movie is "virtually identical" to that of the encrypted movie on the DVD. Universal I, 111 F. Supp. 2d at 308, 313. And the file produced by DeCSS, while large, can be compressed to a manageable size by a compression software called "DivX," available at no cost on the Internet. This compressed file can be copied onto a DVD, or transferred over the Internet (with some patience).[6]

    Johansen posted the executable object code, but not the source code, for DeCSS on his web site. The distinction between source code and object code is relevant to this case, so a brief explanation is warranted. A computer responds to electrical charges, the presence or absence of which [439] is represented by strings of 1's and 0's. Strictly speaking, "object code" consists of those 1's and 0's. Trial Tr. at 759 (Testimony of Professor Edward Felton). While some people can read and program in object code, "it would be inconvenient, inefficient and, for most people, probably impossible to do so." Universal I, 111 F. Supp. 2d at 306. Computer languages have been written to facilitate program writing and reading. A program in such a computer language—BASIC, C, and Java are examples—is said to be written in "source code." Source code has the benefit of being much easier to read (by people) than object code, but as a general matter, it must be translated back to object code before it can be read by a computer. This task is usually performed by a program called a compiler. Since computer languages range in complexity, object code can be placed on one end of a spectrum, and different kinds of source code can be arrayed across the spectrum according to the ease with which they are read and understood by humans. See Trial Exhibits BBC (Declaration of David S. Touretzky), BBE (Touretzky Article: Source v. Object Code: A False Dichotomy). Within months of its appearance in executable form on Johansen's web site, DeCSS was widely available on the Internet, in both object code and various forms of source code. See Trial Exhibit CCN (Touretzky Article: Gallery of CSS Descramblers).

    In November 1999, Corley wrote and placed on his web site, 2600.com, an article about the DeCSS phenomenon. His web site is an auxiliary to the print magazine, 2600: The Hacker Quarterly, which Corley has been publishing since 1984.[7] As the name suggests, the magazine is designed for "hackers," as is the web site. While the magazine and the web site cover some issues of general interest to computer users—such as threats to online privacy—the focus of the publications is on the vulnerability of computer security systems, and more specifically, how to exploit that vulnerability in order to circumvent the security systems. Representative articles explain how to steal an Internet domain name and how to break into the computer systems at Federal Express. Universal I, 111 F. Supp. 2d at 308-09.

    Corley's article about DeCSS detailed how CSS was cracked, and described the movie industry's efforts to shut down web sites posting DeCSS. It also explained that DeCSS could be used to copy DVDs. At the end of the article, the Defendants posted copies of the object and source code of DeCSS. In Corley's words, he added the code to the story because "in a journalistic world, . . . [y]ou have to show your evidence . . . and particularly in the magazine that I work for, people want to see specifically what it is that we are referring to," including "what evidence . . . we have" that there is in fact technology that circumvents CSS. Trial Tr. at 823. Writing about DeCSS without including the DeCSS code would have been, to Corley, "analogous to printing a story about a picture and not printing the picture." Id. at 825. Corley also added to the article links that he explained would take the reader to other web sites where DeCSS could be found. Id. at 791, 826, 827, 848.

    2600.com was only one of hundreds of web sites that began posting DeCSS near the end of 1999. The movie industry tried to stem the tide by sending cease-and-desist letters to many of these sites. These efforts met with only partial success; a number of sites refused to remove [440] DeCSS. In January 2000, the studios filed this lawsuit.[8]

    III. The DMCA

    The DMCA was enacted in 1998 to implement the World Intellectual Property Organization Copyright Treaty ("WIPO Treaty"), which requires contracting parties to "provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and that restrict acts, in respect of their works, which are not authorized by the authors concerned or permitted by law." WIPO Treaty, Apr. 12, 1997, art. 11, S. Treaty Doc. No. 105-17 (1997), available at 1997 WL 447232. Even before the treaty, Congress had been devoting attention to the problems faced by copyright enforcement in the digital age. Hearings on the topic have spanned several years. See, e.g., WIPO Copyright Treaties Implementation Act and Online Copyright Liability Limitation Act: Hearing on H.R. 2281 and H.R. 2280 Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary, 105th Cong. (1997); NII Copyright Protection Act of 1995: Hearings on H.R. 2441 Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary, 104th Cong. (1996); NII Copyright Protection Act of 1995: Joint Hearing on H.R. 2441 and S. 1284 Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary and the Senate Comm. on the Judiciary, 104th Cong. (1995); H.R. Rep. No. 105-551 (1998); S. Rep. No. 105-190 (1998). This legislative effort resulted in the DMCA.

    The Act contains three provisions targeted at the circumvention of technological protections. The first is subsection 1201(a)(1)(A), the anti-circumvention provision.[9] This provision prohibits a person from "circumvent[ing] a technological measure that effectively controls access to a work protected under [Title 17, governing copyright]." The Librarian of Congress is required to promulgate regulations every three years exempting from this subsection individuals who would otherwise be "adversely affected" in "their ability to make noninfringing uses." 17 U.S.C. § 1201(a)(1)(B)-(E).

    The second and third provisions are subsections 1201(a)(2) and 1201(b)(1), the "anti-trafficking provisions." Subsection 1201(a)(2), the provision at issue in this case, provides:

    No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—

    (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

    (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

    (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure [441] that effectively controls access to a work protected under this title.

    Id. § 1201(a)(2). To "circumvent a technological measure" is defined, in pertinent part, as "to descramble a scrambled work . . . or otherwise to . . . bypass . . . a technological measure, without the authority of the copyright owner." Id. § 1201(a)(3)(A).

    Subsection 1201(b)(1) is similar to subsection 1201(a)(2), except that subsection 1201(a)(2) covers those who traffic in technology that can circumvent "a technological measure that effectively controls access to a work protected under" Title 17, whereas subsection 1201(b)(1) covers those who traffic in technology that can circumvent "protection afforded by a technological measure that effectively protects a right of a copyright owner under" Title 17. Id. § 1201(a)(2), (b)(1) (emphases added). In other words, although both subsections prohibit trafficking in a circumvention technology, the focus of subsection 1201(a)(2) is circumvention of technologies designed to prevent access to a work, and the focus of subsection 1201(b)(1) is circumvention of technologies designed to permit access to a work but prevent copying of the work or some other act that infringes a copyright. See S. Rep. No. 105-190, at 11-12 (1998). Subsection 1201(a)(1) differs from both of these anti-trafficking subsections in that it targets the use of a circumvention technology, not the trafficking in such a technology.

    The DMCA contains exceptions for schools and libraries that want to use circumvention technologies to determine whether to purchase a copyrighted product, 17 U.S.C. § 1201(d); individuals using circumvention technology "for the sole purpose" of trying to achieve "interoperability" of computer programs through reverse-engineering, id. § 1201(f); encryption research aimed at identifying flaws in encryption technology, if the research is conducted to advance the state of knowledge in the field, id. § 1201(g); and several other exceptions not relevant here.

    The DMCA creates civil remedies, id. § 1203, and criminal sanctions, id. § 1204. It specifically authorizes a court to "grant temporary and permanent injunctions on such terms as it deems reasonable to prevent or restrain a violation." Id. § 1203(b)(1).

    IV. Procedural History

    Invoking subsection 1203(b)(1), the Plaintiffs sought an injunction against the Defendants, alleging that the Defendants violated the anti-trafficking provisions of the statute. On January 20, 2000, after a hearing, the District Court issued a preliminary injunction barring the Defendants from posting DeCSS. Universal City Studios, Inc. v. Reimerdes, 82 F. Supp. 2d 211 (S.D.N.Y. 2000).

    The Defendants complied with the preliminary injunction, but continued to post links to other web sites carrying DeCSS, an action they termed "electronic civil disobedience." Universal I, 111 F. Supp. 2d at 303, 312. Under the heading "Stop the MPAA [(Motion Picture Association of America)]," Corley urged other web sites to post DeCSS lest "we . . . be forced into submission." Id. at 313.

    The Plaintiffs then sought a permanent injunction barring the Defendants from both posting DeCSS and linking to sites containing DeCSS. After a trial on the merits, the Court issued a comprehensive opinion, Universal I, and granted a permanent injunction, Universal II.

    The Court explained that the Defendants' posting of DeCSS on their web site clearly falls within section 1201(a)(2)(A) of the DMCA, rejecting as spurious their claim that CSS is not a technological measure that "effectively controls access to a [442] work" because it was so easily penetrated by Johansen, Universal I, 111 F. Supp. 2d at 318, and as irrelevant their contention that DeCSS was designed to create a Linux-platform DVD player, id. at 319. The Court also held that the Defendants cannot avail themselves of any of the DMCA's exceptions, id. at 319-22, and that the alleged importance of DeCSS to certain fair uses of encrypted copyrighted material was immaterial to their statutory liability, id. at 322-24. The Court went on to hold that when the Defendants "proclaimed on their own site that DeCSS could be had by clicking on the hyperlinks" on their site, they were trafficking in DeCSS, and therefore liable for their linking as well as their posting. Id. at 325.

    Turning to the Defendants' numerous constitutional arguments, the Court first held that computer code like DeCSS is "speech" that is "protected" (in the sense of "covered") by the First Amendment, id. at 327, but that because the DMCA is targeting the "functional" aspect of that speech, id. at 328-29, it is "content neutral," id. at 329,[10] and the intermediate scrutiny of United States v. O'Brien, 391 U.S. 367, 377 (1968), applies, Universal I, 111 F. Supp. 2d at 329-30. The Court concluded that the DMCA survives this scrutiny, id. at 330-33, and also rejected prior restraint, overbreadth, and vagueness challenges, id. at 333-39.

    The Court upheld the constitutionality of the DMCA's application to linking on similar grounds: linking, the Court concluded, is "speech," but the DMCA is content-neutral, targeting only the functional components of that speech. Therefore, its application to linking is also evaluated under O'Brien, and, thus evaluated, survives intermediate scrutiny. However, the Court concluded that a blanket proscription on linking would create a risk of chilling legitimate linking on the web. The Court therefore crafted a restrictive test for linking liability (discussed below) that it believed sufficiently mitigated that risk. The Court then found its test satisfied in this case. Id. at 339-41.

    Finally, the Court concluded that an injunction was highly appropriate in this case. The Court observed that DeCSS was harming the Plaintiffs, not only because they were now exposed to the possibility of piracy and therefore were obliged to develop costly new safeguards for DVDs, but also because, even if there was only indirect evidence that DeCSS availability actually facilitated DVD piracy,[11] the threat of piracy was very real, particularly as Internet transmission speeds continue to increase. Id. at 314-15, 342. Acknowledging that DeCSS was (and still is) widely available on the Internet, the Court expressed confidence in

    the likelihood . . . that this decision will serve notice on others that "the strong right arm of equity" may be brought to bear against them absent a change in their conduct and thus contribute to a climate of appropriate respect for intellectual property rights in an age in which the excitement of ready access to [443] untold quantities of information has blurred in some minds the fact that taking what is not yours and not freely offered to you is stealing.

    Id. at 345.

    The Court's injunction barred the Defendants from: "posting on any Internet web site" DeCSS; "in any other way . . . offering to the public, providing, or otherwise trafficking in DeCSS"; violating the anti-trafficking provisions of the DMCA in any other manner, and finally "knowingly linking any Internet web site operated by them to any other web site containing DeCSS, or knowingly maintaining any such link, for the purpose of disseminating DeCSS." Universal II, 111 F. Supp. 2d at 346-47.

    The Appellants have appealed from the permanent injunction. The United States has intervened in support of the constitutionality of the DMCA. We have also had the benefit of a number of amicus curiae briefs, supporting and opposing the District Court's judgment. After oral argument, we invited the parties to submit responses to a series of specific questions, and we have received helpful responses.

    Discussion

    I. Narrow Construction to Avoid Constitutional Doubt

    The Appellants first argue that, because their constitutional arguments are at least substantial, we should interpret the statute narrowly so as to avoid constitutional problems. They identify three different instances of alleged ambiguity in the statute that they claim provide an opportunity for such a narrow interpretation.

    First, they contend that subsection 1201(c)(1), which provides that "[n]othing in this section shall affect rights, remedies, limitations or defenses to copyright infringement, including fair use, under this title," can be read to allow the circumvention of encryption technology protecting copyrighted material when the material will be put to "fair uses" exempt from copyright liability.[12] We disagree that subsection 1201(c)(1) permits such a reading. Instead, it clearly and simply clarifies that the DMCA targets the circumvention of digital walls guarding copyrighted material (and trafficking in circumvention tools), but does not concern itself with the use of those materials after circumvention has occurred. Subsection 1201(c)(1) ensures that the DMCA is not read to prohibit the "fair use" of information just because that information was obtained in a manner made illegal by the DMCA. The Appellants' much more expansive interpretation of subsection 1201(c)(1) is not only outside the range of plausible readings of the provision, but is also clearly refuted by the statute's legislative history.[13] See Commodity Futures Trading [444] Commission v. Schor, 478 U.S. 833, 841 (1986) (constitutional doubt canon "does not give a court the prerogative to ignore the legislative will").

    Second, the Appellants urge a narrow construction of the DMCA because of subsection 1201(c)(4), which provides that "[n]othing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products." This language is clearly precatory: Congress could not "diminish" constitutional rights of free speech even if it wished to, and the fact that Congress also expressed a reluctance to "enlarge" those rights cuts against the Appellants' effort to infer a narrowing construction of the Act from this provision.

    Third, the Appellants argue that an individual who buys a DVD has the "authority of the copyright owner" to view the DVD, and therefore is exempted from the DMCA pursuant to subsection 1201(a)(3)(A) when the buyer circumvents an encryption technology in order to view the DVD on a competing platform (such as Linux). The basic flaw in this argument is that it misreads subsection 1201(a)(3)(A). That provision exempts from liability those who would "decrypt" an encrypted DVD with the authority of a copyright owner, not those who would "view" a DVD with the authority of a copyright owner.[14] In any event, the Defendants offered no evidence that the Plaintiffs have either explicitly or implicitly authorized DVD buyers to circumvent encryption technology to support use on multiple platforms.[15]

    We conclude that the anti-trafficking and anti-circumvention provisions of the DMCA are not susceptible to the narrow interpretations urged by the Appellants. We therefore proceed to consider the Appellants' constitutional claims.

    II. Constitutional Challenge Based on the Copyright Clause

    In a footnote to their brief, the Appellants appear to contend that the DMCA, as construed by the District Court, exceeds the constitutional authority [445] of Congress to grant authors copyrights for a "limited time," U.S. Const. art. I, § 8, cl. 8, because it "empower[s] copyright owners to effectively secure perpetual protection by mixing public domain works with copyrighted materials, then locking both up with technological protection measures." Brief for Appellants at 42 n.30. This argument is elaborated in the amici curiae brief filed by Prof. Julie E. Cohen on behalf of herself and 45 other intellectual property law professors. See also David Nimmer, A Riff on Fair Use in the Digital Millennium Copyright Act, 148 U. Pa. L. Rev. 673, 712 (2000). For two reasons, the argument provides no basis for disturbing the judgment of the District Court.

    First, we have repeatedly ruled that arguments presented to us only in a footnote are not entitled to appellate consideration. Concourse Rehabilitation & Nursing Center Inc. v. DeBuono, 179 F.3d 38, 47 (2d Cir. 1999); United States v. Mapp, 170 F.3d 328, 333 n.8 (2d Cir. 1999); United States v. Restrepo, 986 F.2d 1462, 1463 (2d Cir. 1993). Although an amicus brief can be helpful in elaborating issues properly presented by the parties, it is normally not a method for injecting new issues into an appeal, at least in cases where the parties are competently represented by counsel. See, e.g., Concourse Center, 179 F.3d at 47.

    Second, to whatever extent the argument might have merit at some future time in a case with a properly developed record, the argument is entirely premature and speculative at this time on this record. There is not even a claim, much less evidence, that any Plaintiff has sought to prevent copying of public domain works, or that the injunction prevents the Defendants from copying such works. As Judge Kaplan noted, the possibility that encryption would preclude access to public domain works "does not yet appear to be a problem, although it may emerge as one in the future." Universal I, 111 F. Supp. 2d at 338 n.245.

    III. Constitutional Challenges Based on the First Amendment

    A. Applicable Principles

    Last year, in one of our Court's first forays into First Amendment law in the digital age, we took an "evolutionary" approach to the task of tailoring familiar constitutional rules to novel technological circumstances, favoring "narrow" holdings that would permit the law to mature on a "case-by-case" basis. See Name.Space, Inc. v. Network Solutions, Inc., 202 F.3d 573, 584 n.11 (2d Cir. 2000). In that spirit, we proceed, with appropriate caution, to consider the Appellants' First Amendment challenges by analyzing a series of preliminary issues the resolution of which provides a basis for adjudicating the specific objections to the DMCA and its application to DeCSS. These issues, which we consider only to the extent necessary to resolve the pending appeal, are whether computer code is speech, whether computer programs are speech, the scope of First Amendment protection for computer code, and the scope of First Amendment protection for decryption code. Based on our analysis of these issues, we then consider the Appellants' challenge to the injunction's provisions concerning posting and linking.

    1. Code as Speech

    Communication does not lose constitutional protection as "speech" simply because it is expressed in the language of computer code. Mathematical formulae and musical scores are written in "code," i.e., symbolic notations not comprehensible to the uninitiated, and yet both are covered by the First Amendment. If someone [446] chose to write a novel entirely in computer object code by using strings of 1's and 0's for each letter of each word, the resulting work would be no different for constitutional purposes than if it had been written in English. The "object code" version would be incomprehensible to readers outside the programming community (and tedious to read even for most within the community), but it would be no more incomprehensible than a work written in Sanskrit for those unversed in that language. The undisputed evidence reveals that even pure object code can be, and often is, read and understood by experienced programmers. And source code (in any of its various levels of complexity) can be read by many more. See Universal I, 111 F. Supp. 2d at 326. Ultimately, however, the ease with which a work is comprehended is irrelevant to the constitutional inquiry. If computer code is distinguishable from conventional speech for First Amendment purposes, it is not because it is written in an obscure language. See Junger v. Daley, 209 F.3d 481, 484 (6th Cir. 2000).

    2. Computer Programs as Speech

    Of course, computer code is not likely to be the language in which a work of literature is written. Instead, it is primarily the language for programs executable by a computer. These programs are essentially instructions to a computer. In general, programs may give instructions either to perform a task or series of tasks when initiated by a single (or double) click of a mouse or, once a program is operational ("launched"), to manipulate data that the user enters into the computer.[16] Whether computer code that gives a computer instructions is "speech" within the meaning of the First Amendment requires consideration of the scope of the Constitution's protection of speech.

    The First Amendment provides that "Congress shall make no law . . . abridging the freedom of speech. . . ." U.S. Const. amend. I. "Speech" is an elusive term, and judges and scholars have debated its bounds for two centuries. Some would confine First Amendment protection to political speech. E.g., Robert Bork, Neutral Principles and Some First Amendment Problems, 47 Ind. L.J. 1 (1971). Others would extend it further to artistic expression. E.g., Marci A. Hamilton, Art Speech, 49 Vand. L. Rev. 73 (1996).

    Whatever might be the merits of these and other approaches, the law has not been so limited. Even dry information, devoid of advocacy, political relevance, or artistic expression, has been accorded First Amendment protection. See Miller v. California, 413 U.S. 15, 34 (1973) ("The First Amendment protects works which, taken as a whole, have serious literary, artistic, political, or scientific value. . . ." (emphasis added)); Roth v. United States, 354 U.S. 476, 484 (1957) (First Amendment embraces "[a]ll ideas having even the slightest redeeming social importance," including the "'advancement of truth, science, morality, and arts in general.'" (quoting 1 Journals of the Continental Congress 108 (1774))); Board of Trustees of Stanford University v. Sullivan, 773 F. Supp. 472, 474 (D.D.C. 1991) ("It is . . . settled . . . that the First Amendment protects scientific expression and debate just [447] as it protects political and artistic expression."); see also Kent Greenawalt, Speech, Crime and the Uses of Language 85 (1989) ("[A]ssertions of fact generally fall within a principle of freedom of speech. . . ."); cf. Virginia State Board of Pharmacy v. Virginia Citizens Consumer Council, Inc., 425 U.S. 748, 763 (1976) ("prescription drug price information" is "speech" because a consumer's interest in "the free flow of commercial information" may be "keener by far" than "his interest in the day's most urgent political debate").

    Thus, for example, courts have subjected to First Amendment scrutiny restrictions on the dissemination of technical scientific information, United States v. Progressive, Inc., 467 F. Supp. 990 (W.D. Wis. 1979), and scientific research, Stanford University, 773 F. Supp. at 473, and attempts to regulate the publication of instructions,[17] see, e.g., United States v. Raymond, 228 F.3d 804, 815 (7th Cir. 2000) (First Amendment does not protect instructions for violating the tax laws); United States v. Dahlstrom, 713 F.2d 1423, 1428 (9th Cir. 1983) (same); Herceg v. Hustler Magazine, Inc., 814 F.2d 1017, 1020-25 (5th Cir. 1987) (First Amendment protects instructions for engaging in a dangerous sex act); United States v. Featherston, 461 F.2d 1119, 1122-23 (5th Cir. 1972) (First Amendment does not protect instructions for building an explosive device); see also Bernstein v. United States Department of State, 922 F. Supp. 1426, 1435 (N.D. Cal. 1996) ("Instructions, do-it-yourself manuals, [and] recipes" are all "speech").[18]

    Computer programs are not exempted from the category of First Amendment speech simply because their instructions require use of a computer. A recipe is no less "speech" because it calls for the use of an oven, and a musical score is no less "speech" because it specifies performance on an electric guitar. Arguably distinguishing computer programs from conventional language instructions is the fact that programs are executable on a computer. But the fact that a program has the capacity to direct the functioning of a computer does not mean that it lacks the additional capacity to convey information, and it is the conveying of information that renders instructions "speech" for purposes of the First Amendment.[19] The information [448] conveyed by most "instructions" is how to perform a task.

    Instructions such as computer code, which are intended to be executable by a computer, will often convey information capable of comprehension and assessment by a human being.[20] A programmer reading a program learns information about instructing a computer, and might use this information to improve personal programming skills and perhaps the craft of programming. Moreover, programmers communicating ideas to one another almost inevitably communicate in code, much as musicians use notes.[21] Limiting First Amendment protection of programmers to descriptions of computer code (but not the code itself) would impede discourse among computer scholars,[22] just as limiting protection for musicians to descriptions of musical scores (but not sequences of notes) would impede their exchange of ideas and expression. Instructions that communicate information comprehensible to a human qualify as speech whether the instructions are designed for execution by a computer or a human (or both).

    Vartuli is not to the contrary. The defendants in Vartuli marketed a software program called "Recurrence," which would tell computer users when to buy or sell currency futures contracts if their computers were fed currency market rates. The Commodity Futures Trading Commission charged the defendants with violating federal law for, among other things, failing to register as commodity trading advisors for their distribution of the Recurrence software. The defendants maintained that Recurrence's cues to users to buy or sell were protected speech, and that the registration requirement as applied to Recurrence was a constitutionally suspect prior restraint. We rejected the defendants' constitutional claim, holding that Recurrence "in the form it was sold and marketed by the defendants" did not generate speech protected by the First Amendment. Vartuli, 228 F.3d at 111.

    [449] Essential to our ruling in Vartuli was the manner in which the defendants marketed the software and intended that it be used: the defendants told users of the software to follow the software's cues "with no second-guessing," id., and intended that users follow Recurrence's commands "mechanically" and "without the intercession of the mind or the will of the recipient," id. We held that the values served by the First Amendment were not advanced by these instructions, even though the instructions were expressed in words. Id. We acknowledged that some users would, despite the defendants' marketing, refuse to follow Recurrence's cues mechanically but instead would use the commands as a source of information and advice, and that, as to these users, Recurrence's cues might very "well have been 'speech.'" Id. at 111-12. Nevertheless, we concluded that the Government could require registration for Recurrence's intended use because such use was devoid of any constitutionally protected speech. Id. at 112.

    Vartuli considered two ways in which a programmer might be said to communicate through code: to the user of the program (not necessarily protected) and to the computer (never protected).[23] However, this does not mean that Vartuli denied First Amendment protection to all computer programs. Since Vartuli limited its constitutional scrutiny to the code "as marketed," i.e., as an automatic trading system, it did not have occasion to consider a third manner in which a programmer might communicate through code: to another programmer.

    For all of these reasons, we join the other courts that have concluded that computer code, and computer programs constructed from code can merit First Amendment protection, see Junger, 209 F.3d at 484;[24] Bernstein, 922 F. Supp. at 1434-36; see also Bernstein, 176 F.3d at 1140-41; Karn v. United States Department of State, 925 F. Supp. 1, 9-10 (D.D.C. 1996) (assuming, without deciding, that source code with English comments interspersed throughout is "speech"), although the scope of such protection remains to be determined.

    3. The Scope of First Amendment Protection for Computer Code

    Having concluded that computer code conveying information is "speech" [450] within the meaning of the First Amendment, we next consider, to a limited extent, the scope of the protection that code enjoys. As the District Court recognized, Universal I, 111 F. Supp. 2d at 327, the scope of protection for speech generally depends on whether the restriction is imposed because of the content of the speech. Content-based restrictions are permissible only if they serve compelling state interests and do so by the least restrictive means available. See Sable Communications of California, Inc. v. FCC, 492 U.S. 115, 126 (1989). A content-neutral restriction is permissible if it serves a substantial governmental interest, the interest is unrelated to the suppression of free expression, and the regulation is narrowly tailored, which "in this context requires . . . that the means chosen do not 'burden substantially more speech than is necessary to further the government's legitimate interests.'" Turner Broadcasting System, Inc. v. FCC, 512 U.S. 622, 662 (1994) (quoting Ward v. Rock Against Racism, 491 U.S. 781, 799 (1989)).[25]

    "[G]overnment regulation of expressive activity is 'content neutral' if it is justified without reference to the content of regulated speech." Hill v. Colorado, 530 U.S. 703, 720 (2000). "The government's purpose is the controlling consideration. A regulation that serves purposes unrelated to the content of expression is deemed neutral, even if it has an incidental effect on some speakers or messages but not others." Ward, 491 U.S. at 791. The Supreme Court's approach to determining content-neutrality appears to be applicable whether what is regulated is expression, see id. at 791-93 (regulation of volume of music), conduct, see O'Brien, 391 U.S. at 377, or any "activity" that can be said to combine speech and non-speech elements, see Spence v. Washington, 418 U.S. 405, 410-11 (1974) (applying O'Brien to "activity" of displaying American flag hung upside down and decorated with a peace symbol).

    To determine whether regulation of computer code is content-neutral, the initial inquiry must be whether the regulated activity is "sufficiently imbued with elements of communication to fall within the scope of the First . . . Amendment[]." Id. at 409; see also Name.Space, 202 F.3d at 585. Computer code, as we have noted, often conveys information comprehensible to human beings, even as it also directs a computer to perform various functions. Once a speech component [451] is identified, the inquiry then proceeds to whether the regulation is "justified without reference to the content of regulated speech." Hill, 530 U.S. at 720.

    The Appellants vigorously reject the idea that computer code can be regulated according to any different standard than that applicable to pure speech, i.e., speech that lacks a nonspeech component. Although recognizing that code is a series of instructions to a computer, they argue that code is no different, for First Amendment purposes, than blueprints that instruct an engineer or recipes that instruct a cook. See Supplemental Brief for Appellants at 2, 3.[26] We disagree. Unlike a blueprint or a recipe, which cannot yield any functional result without human comprehension of its content, human decision-making, and human action, computer code can instantly cause a computer to accomplish tasks and instantly render the results of those tasks available throughout the world via the Internet. The only human action required to achieve these results can be as limited and instantaneous as a single click of a mouse. These realities of what code is and what its normal functions are require a First Amendment analysis that treats code as combining nonspeech and speech elements, i.e., functional and expressive elements. See Red Lion Broadcasting Co. v. FCC, 395 U.S. 367, 386 (1969) ("[D]ifferences in the characteristics of new media justify differences in the First Amendment standards applied to them." (footnote omitted)).

    We recognize, as did Judge Kaplan, that the functional capability of computer code cannot yield a result until a human being decides to insert the disk containing the code into a computer and causes it to perform its function (or programs a computer to cause the code to perform its function). Nevertheless, this momentary intercession of human action does not diminish the nonspeech component of code, nor render code entirely speech, like a blueprint or a recipe. Judge Kaplan, in a passage that merits extensive quotation, cogently explained why this is especially so with respect to decryption code:

    [T]he focus on functionality in order to determine the level of scrutiny is not an inevitable consequence of the speech-conduct distinction. Conduct has immediate effects on the environment. Computer code, on the other hand, no matter how functional, causes a computer to perform the intended operations only if someone uses the code to do so. Hence, one commentator, in a thoughtful article, has maintained that functionality is really "a proxy for effects or harm" and that its adoption as a determinant of the level of scrutiny slides over questions of causation that intervene between the dissemination of a computer program and any harm caused by its use.

    The characterization of functionality as a proxy for the consequences of use is accurate. But the assumption that the chain of causation is too attenuated to justify the use of functionality to determine the level of scrutiny, at least in this context, is not.

    Society increasingly depends upon technological means of controlling access to digital files and systems, whether they are military computers, bank records, academic records, copyrighted works or something else entirely. There are far too many who, given any opportunity, will bypass security measures, [452] some for the sheer joy of doing it, some for innocuous reasons, and others for more malevolent purposes. Given the virtually instantaneous and worldwide dissemination widely available via the Internet, the only rational assumption is that once a computer program capable of bypassing such an access control system is disseminated, it will be used. And that is not all.

    There was a time when copyright infringement could be dealt with quite adequately by focusing on the infringing act. If someone wished to make and sell high quality but unauthorized copies of a copyrighted book, for example, the infringer needed a printing press. The copyright holder, once aware of the appearance of infringing copies, usually was able to trace the copies up the chain of distribution, find and prosecute the infringer, and shut off the infringement at the source.

    In principle, the digital world is very different. Once a decryption program like DeCSS is written, it quickly can be sent all over the world. Every recipient is capable not only of decrypting and perfectly copying plaintiffs' copyrighted DVDs, but also of retransmitting perfect copies of DeCSS and thus enabling every recipient to do the same. They likewise are capable of transmitting perfect copies of the decrypted DVD. The process potentially is exponential rather than linear.

    . . . . .

    These considerations drastically alter consideration of the causal link between dissemination of computer programs such as this and their illicit use. Causation in the law ultimately involves practical policy judgments. Here, dissemination itself carries very substantial risk of imminent harm because the mechanism is so unusual by which dissemination of means of circumventing access controls to copyrighted works threatens to produce virtually unstoppable infringement of copyright. In consequence, the causal link between the dissemination of circumvention computer programs and their improper use is more than sufficiently close to warrant selection of a level of constitutional scrutiny based on the programs' functionality.

    Universal I, 111 F. Supp. 2d at 331-32 (footnotes omitted). The functionality of computer code properly affects the scope of its First Amendment protection.

    4. The Scope of First Amendment Protection for Decryption Code

    In considering the scope of First Amendment protection for a decryption program like DeCSS, we must recognize that the essential purpose of encryption code is to prevent unauthorized access. Owners of all property rights are entitled to prohibit access to their property by unauthorized persons. Homeowners can install locks on the doors of their houses. Custodians of valuables can place them in safes. Stores can attach to products security devices that will activate alarms if the products are taken away without purchase. These and similar security devices can be circumvented. Burglars can use skeleton keys to open door locks. Thieves can obtain the combinations to safes. Product security devices can be neutralized.

    Our case concerns a security device, CSS computer code, that prevents access by unauthorized persons to DVD movies. The CSS code is embedded in the DVD movie. Access to the movie cannot be obtained unless a person has a device, a licensed DVD player, equipped with computer code capable of decrypting the CSS encryption code. In its basic function, [453] CSS is like a lock on a homeowner's door, a combination of a safe, or a security device attached to a store's products.

    DeCSS is computer code that can decrypt CSS. In its basic function, it is like a skeleton key that can open a locked door, a combination that can open a safe, or a device that can neutralize the security device attached to a store's products.[27] DeCSS enables anyone to gain access to a DVD movie without using a DVD player.

    The initial use of DeCSS to gain access to a DVD movie creates no loss to movie producers because the initial user must purchase the DVD. However, once the DVD is purchased, DeCSS enables the initial user to copy the movie in digital form and transmit it instantly in virtually limitless quantity, thereby depriving the movie producer of sales. The advent of the Internet creates the potential for instantaneous worldwide distribution of the copied material.

    At first glance, one might think that Congress has as much authority to regulate the distribution of computer code to decrypt DVD movies as it has to regulate distribution of skeleton keys, combinations to safes, or devices to neutralize store product security devices. However, despite the evident legitimacy of protection against unauthorized access to DVD movies, just like any other property, regulation of decryption code like DeCSS is challenged in this case because DeCSS differs from a skeleton key in one important respect: it not only is capable of performing the function of unlocking the encrypted DVD movie, it also is a form of communication, albeit written in a language not understood by the general public. As a communication, the DeCSS code has a claim to being "speech," and as "speech," it has a claim to being protected by the First Amendment. But just as the realities of what any computer code can accomplish must inform the scope of its constitutional protection, so the capacity of a decryption program like DeCSS to accomplish unauthorized—indeed, unlawful—access to materials in which the Plaintiffs have intellectual property rights must inform and limit the scope of its First Amendment protection. Cf. Red Lion, 395 U.S. at 386 ("[D]ifferences in the characteristics of new media justify differences in the First Amendment standards applied to them.").

    With all of the foregoing considerations in mind, we next consider the Appellants' First Amendment challenge to the DMCA as applied in the specific prohibitions that have been imposed by the District Court's injunction.

    B. First Amendment Challenge

    The District Court's injunction applies the DMCA to the Defendants by imposing two types of prohibition, both grounded on the anti-trafficking provisions of the DMCA. The first prohibits posting DeCSS or any other technology for circumventing CSS on any Internet web site. Universal II, 111 F. Supp. 2d at 346-47, ¶ 1(a), (b). The second prohibits knowingly linking any Internet web site to any other web site containing DeCSS. Id. at 347, ¶ 1(c). The validity of the posting and linking prohibitions must be considered separately.

    1. Posting

    The initial issue is whether the posting prohibition is content-neutral, since, as we have explained, this classification [454] determines the applicable constitutional standard. The Appellants contend that the anti-trafficking provisions of the DMCA and their application by means of the posting prohibition of the injunction are content-based. They argue that the provisions "specifically target . . . scientific expression based on the particular topic addressed by that expression—namely, techniques for circumventing CSS." Supplemental Brief for Appellants at 1. We disagree. The Appellants' argument fails to recognize that the target of the posting provisions of the injunction—DeCSS—has both a nonspeech and a speech component, and that the DMCA, as applied to the Appellants, and the posting prohibition of the injunction target only the nonspeech component. Neither the DMCA nor the posting prohibition is concerned with whatever capacity DeCSS might have for conveying information to a human being, and that capacity, as previously explained, is what arguably creates a speech component of the decryption code. The DMCA and the posting prohibition are applied to DeCSS solely because of its capacity to instruct a computer to decrypt CSS. That functional capability is not speech within the meaning of the First Amendment. The Government seeks to "justif[y]," Hill, 530 U.S. at 720, both the application of the DMCA and the posting prohibition to the Appellants solely on the basis of the functional capability of DeCSS to instruct a computer to decrypt CSS, i.e., "without reference to the content of the regulated speech," id. This type of regulation is therefore content-neutral, just as would be a restriction on trafficking in skeleton keys identified because of their capacity to unlock jail cells, even though some of the keys happened to bear a slogan or other legend that qualified as a speech component.

    As a content-neutral regulation with an incidental effect on a speech component, the regulation must serve a substantial governmental interest, the interest must be unrelated to the suppression of free expression, and the incidental restriction on speech must not burden substantially more speech than is necessary to further that interest. Turner Broadcasting, 512 U.S. at 662. The Government's interest in preventing unauthorized access to encrypted copyrighted material is unquestionably substantial, and the regulation of DeCSS by the posting prohibition plainly serves that interest. Moreover, that interest is unrelated to the suppression of free expression. The injunction regulates the posting of DeCSS, regardless of whether DeCSS code contains any information comprehensible by human beings that would qualify as speech. Whether the incidental regulation on speech burdens substantially more speech than is necessary to further the interest in preventing unauthorized access to copyrighted materials requires some elaboration.

    Posting DeCSS on the Appellants' web site makes it instantly available at the click of a mouse to any person in the world with access to the Internet, and such person can then instantly transmit DeCSS to anyone else with Internet access. Although the prohibition on posting prevents the Appellants from conveying to others the speech component of DeCSS, the Appellants have not suggested, much less shown, any technique for barring them from making this instantaneous worldwide distribution of a decryption code that makes a lesser restriction on the code's speech component.[28] It is true that the [455] Government has alternative means of prohibiting unauthorized access to copyrighted materials. For example, it can create criminal and civil liability for those who gain unauthorized access, and thus it can be argued that the restriction on posting DeCSS is not absolutely necessary to preventing unauthorized access to copyrighted materials. But a content-neutral regulation need not employ the least restrictive means of accomplishing the governmental objective. Id. It need only avoid burdening "substantially more speech than is necessary to further the government's legitimate interests." Id. (internal quotation marks and citation omitted). The prohibition on the Defendants' posting of DeCSS satisfies that standard.[29]

    2. Linking

    In considering linking, we need to clarify the sense in which the injunction prohibits such activity. Although the injunction defines several terms, it does not define "linking." Nevertheless, it is evident from the District Court's opinion that it is concerned with "hyperlinks," Universal I, 111 F. Supp. 2d at 307; see id. at 339.[30] A hyperlink is a cross-reference (in a distinctive font or color) appearing on one web page that, when activated by the point-and-click of a mouse, brings onto the computer screen another web page. The hyperlink can appear on a screen (window) as text, such as the Internet address ("URL") of the web page being called up or a word or phrase that identifies the web page to be called up, for example, "DeCSS web site." Or the hyperlink can appear as an image, for example, an icon depicting a person sitting at a computer watching a DVD movie and text stating "click here to access DeCSS and see DVD movies for free!" The code for the web page containing the hyperlink contains a computer instruction that associates the link with the URL of the web page to be accessed, such that clicking on the hyperlink instructs the computer to enter the URL of the desired web page and thereby access that page. With a hyperlink on a web page, the linked web site is just one click away.[31]

    [456] In applying the DMCA to linking (via hyperlinks), Judge Kaplan recognized, as he had with DeCSS code, that a hyperlink has both a speech and a nonspeech component. It conveys information, the Internet address of the linked web page, and has the functional capacity to bring the content of the linked web page to the user's computer screen (or, as Judge Kaplan put it, to "take one almost instantaneously to the desired destination." Id.). As he had ruled with respect to DeCSS code, he ruled that application of the DMCA to the Defendants' linking to web sites containing DeCSS is content-neutral because it is justified without regard to the speech component of the hyperlink. Id. The linking prohibition applies whether or not the hyperlink contains any information, comprehensible to a human being, as to the Internet address of the web page being accessed. The linking prohibition is justified solely by the functional capability of the hyperlink.

    Applying the O'Brien/Ward/Turner Broadcasting requirements for content-neutral regulation, Judge Kaplan then ruled that the DMCA, as applied to the Defendants' linking, served substantial governmental interests and was unrelated to the suppression of free expression. Id. We agree. He then carefully considered the "closer call," id., as to whether a linking prohibition would satisfy the narrow tailoring requirement. In an especially carefully considered portion of his opinion, he observed that strict liability for linking to web sites containing DeCSS would risk two impairments of free expression. Web site operators would be inhibited from displaying links to various web pages for fear that a linked page might contain DeCSS, and a prohibition on linking to a web site containing DeCSS would curtail access to whatever other information was contained at the accessed site. Id. at 340.

    To avoid applying the DMCA in a manner that would "burden substantially more speech than is necessary to further the government's legitimate interests," Turner Broadcasting, 512 U.S. at 662 (internal quotation marks and citation omitted), Judge Kaplan adapted the standards of New York Times Co. v. Sullivan, 376 U.S. 254, 283 (1964), to fashion a limited prohibition against linking to web sites containing DeCSS. He required clear and convincing evidence

    that those responsible for the link (a) know at the relevant time that the offending material is on the linked-to site, (b) know that it is circumvention technology that may not lawfully be offered, and (c) create or maintain the link for the purpose of disseminating that technology.

    Universal I, 111 F. Supp. 2d at 341. He then found that the evidence satisfied his three-part test by his required standard of proof. Id.

    In response to our post-argument request for the parties' views on various issues, including specifically Judge Kaplan's test for a linking prohibition, the Appellants replied that his test was deficient for not requiring proof of intent to cause, or aid or abet, harm, and that the only valid test for a linking prohibition would be one that could validly apply to the publication in a print medium of an address for obtaining prohibited material. Supplemental Brief for Appellants at 14. The Appellees and the Government accepted [457] Judge Kaplan's criteria for purposes of asserting the validity of the injunction as applied to the Appellants, with the Government expressing reservations as to the standard of clear and convincing evidence. Supplemental Brief for Appellees at 22-23; Supplemental Brief for Government at 19-21.

    Mindful of the cautious approach to First Amendment claims involving computer technology expressed in Name.Space, 202 F.3d at 584 n.11, we see no need on this appeal to determine whether a test as rigorous as Judge Kaplan's is required to respond to First Amendment objections to the linking provision of the injunction that he issued. It suffices to reject the Appellants' contention that an intent to cause harm is required and that linking can be enjoined only under circumstances applicable to a print medium. As they have throughout their arguments, the Appellants ignore the reality of the functional capacity of decryption computer code and hyperlinks to facilitate instantaneous unauthorized access to copyrighted materials by anyone anywhere in the world. Under the circumstances amply shown by the record, the injunction's linking prohibition validly regulates the Appellants' opportunity instantly to enable anyone anywhere to gain unauthorized access to copyrighted movies on DVDs.[32]

    At oral argument, we asked the Government whether its undoubted power to punish the distribution of obscene materials would permit an injunction prohibiting a newspaper from printing addresses of bookstore locations carrying such materials. In a properly cautious response, the Government stated that the answer would depend on the circumstances of the publication. The Appellants' supplemental papers enthusiastically embraced the arguable analogy between printing bookstore addresses and displaying on a web page links to web sites at which DeCSS may be accessed. Supplemental Brief for Appellants at 14. They confidently asserted that publication of bookstore locations carrying obscene material cannot be enjoined consistent with the First Amendment, and that a prohibition against linking to web sites containing DeCSS is similarly invalid. Id.

    Like many analogies posited to illuminate legal issues, the bookstore analogy is helpful primarily in identifying characteristics that distinguish it from the context of the pending dispute. If a bookstore proprietor is knowingly selling obscene materials, the evil of distributing such materials can be prevented by injunctive relief against the unlawful distribution (and similar distribution by others can be deterred by punishment of the distributor). And if others publish the location of the bookstore, preventive relief against a distributor can be effective before any significant distribution of the prohibited materials has occurred. The digital world, however, creates a very different problem. If obscene materials are posted on one web site and other sites post hyperlinks to the first site, the materials are available for instantaneous worldwide distribution before any preventive measures can be effectively taken.

    This reality obliges courts considering First Amendment claims in the context of the pending case to choose between two unattractive alternatives: either tolerate some impairment of communication in order [458] to permit Congress to prohibit decryption that may lawfully be prevented, or tolerate some decryption in order to avoid some impairment of communication. Although the parties dispute the extent of impairment of communication if the injunction is upheld and the extent of decryption if it is vacated, and differ on the availability and effectiveness of techniques for minimizing both consequences, the fundamental choice between impairing some communication and tolerating decryption cannot be entirely avoided.

    In facing this choice, we are mindful that it is not for us to resolve the issues of public policy implicated by the choice we have identified. Those issues are for Congress. Our task is to determine whether the legislative solution adopted by Congress, as applied to the Appellants by the District Court's injunction, is consistent with the limitations of the First Amendment, and we are satisfied that it is.

    IV. Constitutional Challenge Based on Claimed Restriction of Fair Use

    Asserting that fair use "is rooted in and required by both the Copyright Clause and the First Amendment," Brief for Appellants at 42, the Appellants contend that the DMCA, as applied by the District Court, unconstitutionally "eliminates fair use" of copyrighted materials, id. at 41 (emphasis added). We reject this extravagant claim.

    Preliminarily, we note that the Supreme Court has never held that fair use is constitutionally required, although some isolated statements in its opinions might arguably be enlisted for such a requirement. In Stewart v. Abend, 495 U.S. 207 (1990), cited by the Appellants, the Court merely noted that fair use "'permits courts to avoid rigid application of the copyright statute when, on occasion, it would stifle the very creativity which that law is designed to foster,'" id. (quoting Iowa State University Research Foundation, Inc. v. American Broadcasting Cos., 621 F.2d 57, 60 (2d Cir. 1980)); see also Harper & Row, Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 560 (1985) (noting "the First Amendment protections already embodied in the Copyright Act's distinction between copyrightable expression and uncopyrightable facts and ideas, and the latitude for scholarship and comment traditionally afforded by fair use"). In Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569 (1994), the Court observed, "From the infancy of copyright protection, some opportunity for fair use of copyrighted materials has been thought necessary to fulfill copyright's very purpose, '[t]o promote the Progress of Science and useful Arts. . . .'"[33] Id. at 575 (citation omitted); see generally William F. Patry, The Fair Use Privilege in Copyright Law 573-82 (2d ed. 1995) (questioning First Amendment protection for fair use).

    We need not explore the extent to which fair use might have constitutional protection, grounded on either the First Amendment or the Copyright Clause, because whatever validity a constitutional claim might have as to an application of the DMCA that impairs fair use of copyrighted materials, such matters are far beyond the [459] scope of this lawsuit for several reasons. In the first place, the Appellants do not claim to be making fair use of any copyrighted materials, and nothing in the injunction prohibits them from making such fair use. They are barred from trafficking in a decryption code that enables unauthorized access to copyrighted materials.

    Second, as the District Court properly noted, to whatever extent the anti-trafficking provisions of the DMCA might prevent others from copying portions of DVD movies in order to make fair use of them, "the evidence as to the impact of the anti-trafficking provision[s] of the DMCA on prospective fair users is scanty and fails adequately to address the issues." Universal I, 111 F. Supp. 2d at 338 n.246.

    Third, the Appellants have provided no support for their premise that fair use of DVD movies is constitutionally required to be made by copying the original work in its original format.[34] Their examples of the fair uses that they believe others will be prevented from making all involve copying in a digital format those portions of a DVD movie amenable to fair use, a copying that would enable the fair user to manipulate the digitally copied portions. One example is that of a school child who wishes to copy images from a DVD movie to insert into the student's documentary film. We know of no authority for the proposition that fair use, as protected by the Copyright Act, much less the Constitution, guarantees copying by the optimum method or in the identical format of the original. Although the Appellants insisted at oral argument that they should not be relegated to a "horse and buggy" technique in making fair use of DVD movies,[35] the DMCA does not impose even an arguable limitation on the opportunity to make a variety of traditional fair uses of DVD movies, such as commenting on their content, quoting excerpts from their screenplays, and even recording portions of the video images and sounds on film or tape by pointing a camera, a camcorder, or a microphone at a monitor as it displays the DVD movie. The fact that the resulting copy will not be as perfect or as manipulable as a digital copy obtained by having direct access to the DVD movie in its digital form, provides no basis for a claim of unconstitutional limitation of fair use. A film critic making fair use of a movie by quoting selected lines of dialogue has no constitutionally valid claim that the review (in print or on television) would be technologically superior if the reviewer had not been prevented from using a movie camera in the theater, nor has an art student a valid constitutional claim to fair use of a painting by photographing it in a museum. Fair use has never been held to be a guarantee of access to copyrighted material in order to copy it by the fair user's preferred technique or in the format of the original.

    Conclusion

    We have considered all the other arguments of the Appellants and conclude that [460] they provide no basis for disturbing the District Court's judgment. Accordingly, the judgment is affirmed.

    [*] Honorable Alvin W. Thompson, United States District Court for the District of Connecticut, sitting by designation.

    [1] DVDs are similar to compact disks (CDs), but differ, among other things, in that they hold far more data. For detailed information concerning DVDs and CDs, see "Fast Guide to CD/DVD" at http://searchWindowsManageability.techtarget.com/sDefinition/0,,sid_gci514667,00.html (last updated Aug. 3, 2001).

    [2] "2600" has special significance to the hacker community. It is the hertz frequency ("a unit of frequency of a periodic process equal to one cycle per second," Webster's Third New International Dictionary 1061 (1993)) of a signal that some hackers formerly used to explore the entire telephone system from "operator mode," which was triggered by the transmission of a 2600 hertz tone across a telephone line, Trial Tr. at 786-87, or to place telephone calls without incurring long-distance toll charges, United States v. Brady, 820 F. Supp. 1346, 1355 & n.18 (D. Utah 1993). One such user reportedly discovered that the sound of a toy whistle from a box of Cap'n Crunch cereal matched the telephone company's 2600 hertz tone perfectly. Id. at 1355 n.18.

    [3] By the end of 1997, most if not all DVDs that were released were encrypted with CSS. Trial Tr. at 409; Universal I, 111 F. Supp. 2d at 310. Moreover, DVD players were projected to be in ten percent of United States homes by the end of 2000. Trial Tr. at 442; Universal I, 111 F. Supp. 2d at 310. In fact, as of 2000, about thirty-five percent of one studio's worldwide revenues from movie distribution was attributable to DVD sales and rentals. Trial Tr. at 403; Universal I, 111 F. Supp. 2d at 310 n.69.

    [4] An operating system works with the computer to perform the application's instructions. Generally, an executable application can be played only on the operating system for which it is designed, although interoperability has been improving. At the time of the trial, DeCSS could be run only on the Microsoft Windows operating system. Trial Tr. at 245 (Testimony of Robert W. Schumann).

    [5] An item of some controversy, both in this litigation and elsewhere, is the extent to which CSS-encrypted DVDs can be copied even without DeCSS. The record leaves largely unclear how CSS protects against the copying of a DVD, as contrasted with the playing of a DVD on an unlicensed player. The Defendants' experts insisted that there is nothing about the way CSS operates that prevents the copying of a DVD. Declaration of Frank Stevenson ¶ 23 ("Bit-for-bit copying, which precisely duplicates the content of one DVD to another, results in a fully-playable product."); Trial Tr. at 751 (Testimony of Professor Edward Felten) (CSS "could [not] have prevented the encrypted content from being copied to somewhere else"); Deposition of Barbara Simons at 48-49, 77. Some of the Plaintiffs' experts countered simply that "copying to a hard drive is something that compliant DVD players are not allowed to do," without explaining why. Trial Tr. at 37 (Testimony of Dr. Michael I. Shamos); see also Deposition of John J. Hoy at 347-48; Deposition of Fritz Attaway at 83. Another expert indicated that while a DVD movie can be copied to a computer's hard drive in encrypted form, the movie cannot be played without a DVD actually present in the DVD drive. Deposition of Robert W. Schumann at 153; Second Supplemental Declaration of Robert W. Schumann ¶ 15. This expert did not identify the mechanism that prevents someone from copying encrypted DVDs to a hard drive in the absence of a DVD in the disk drive. However, none of this detracts from these undisputed findings: some feature of either CSS itself, or another (unidentified) safeguard implemented by DVD manufacturers pursuant to their obligations under the CSS licensing scheme, makes it difficult to copy a CSS-encrypted DVD to a hard drive and then compress that DVD to the point where transmission over the Internet is practical. See Universal I, 111 F. Supp. 2d at 338. Conversely, a DVD movie file without CSS encryption is easily copied, manipulated, and transferred. See id. at 313. In other words, it might very well be that copying is not blocked by CSS itself, but by some other protection implemented by the DVD player manufacturers. Nonetheless, in decrypting CSS, the DeCSS program (perhaps incidentally) sidesteps whatever it is that blocks copying of the files. While there may be alternative means of extracting a non-encrypted, copyable movie from a DVD—for example, by copying the movie along with its encryption "bit-by-bit," or "ripping" a DVD by siphoning movie file data after CSS has already been decrypted by a licensed player—DeCSS is the superior means of acquiring easily copyable movies, see id. at 342, and in fact, is recommended by a DVD compression web site as the preferred tool for obtaining a decrypted DVD suitable for compression and transmission over the Internet, see id. We acknowledge the complexity and the rapidly changing nature of the technology involved in this case, but it is clear that the Defendants have presented no evidence to refute any of these carefully considered findings by the District Court.

    [6] The District Court determined that even at high speeds, typical of university networks, transmission times ranged from three minutes to six hours. The Court noted, however, that "the availability of high speed network connections in many businesses and institutions, and their growing availability in homes, make Internet and other network traffic in pirated copies a growing threat." Universal I, 111 F. Supp. 2d at 315.

    [7] Defendant 2600 Enterprises, Inc., is the company Corley incorporated to run the magazine, maintain the web site, and manage related endeavors like merchandising.

    [8] The lawsuit was filed against Corley, Shawn C. Reimerdes, and Roman Kazan. 2600 Enterprises, Inc., was later added as a defendant. At an earlier stage of the litigation, the action was settled as to Reimerdes and Kazan. See Universal II, 111 F. Supp. 2d at 346.

    [9] For convenience, all references to the DMCA are to the United State Code sections.

    [10] In a supplemental Order, the Court corrected a typographical error in its opinion in Universal I by changing the first sentence of the first full paragraph at 111 F. Supp. 2d 328 to read "Restrictions on the nonspeech elements of expressive conduct fall into the content-neutral category." Universal City Studios, Inc. v. Reimerdes, No. 00 Civ. 0277 (LAK) (S.D.N.Y. Aug. 17, 2001).

    [11] For example, advertisements for pirated DVDs rose dramatically in number after the release of DeCSS on the web, and DVD file compression web sites recommend the use of DeCSS. Universal I, 111 F. Supp. 2d at 342.

    [12] In Part IV, infra, we consider the Appellants' claim that the DMCA is unconstitutional because of its effect on opportunities for fair use of copyrighted materials.

    [13] The legislative history of the enacted bill makes quite clear that Congress intended to adopt a "balanced" approach to accommodating both piracy and fair use concerns, eschewing the quick fix of simply exempting from the statute all circumventions for fair use. H.R. Rep. No. 105-551, pt. 2, at 25 (1998). It sought to achieve this goal principally through the use of what it called a "fail-safe" provision in the statute, authorizing the Librarian of Congress to exempt certain users from the anti-circumvention provision when it becomes evident that in practice, the statute is adversely affecting certain kinds of fair use. See 17 U.S.C. § 1201(a)(1)(C); H.R. Rep. No. 105-551, pt. 2, at 36 ("Given the threat of a diminution of otherwise lawful access to works and information, the Committee on Commerce believes that a 'fail-safe' mechanism is required. This mechanism would . . . allow the . . . [waiver of the anti-circumvention provisions], for limited time periods, if necessary to prevent a diminution in the availability to individual users of a particular category of copyrighted materials."). Congress also sought to implement a balanced approach through statutory provisions that leave limited areas of breathing space for fair use. A good example is subsection 1201(d), which allows a library or educational institution to circumvent a digital wall in order to determine whether it wishes legitimately to obtain the material behind the wall. See H.R. Rep. No. 105-551, pt. 2, at 41. It would be strange for Congress to open small, carefully limited windows for circumvention to permit fair use in subsection 1201(d) if it then meant to exempt in subsection 1201(c)(1) any circumvention necessary for fair use.

    [14] This is actually what subsection 1201(a)(3)(A) means when read in conjunction with the anti-circumvention provisions. When read together with the anti-trafficking provisions, subsection 1201(a)(3)(A) frees an individual to traffic in encryption technology designed or marketed to circumvent an encryption measure if the owner of the material protected by the encryption measure authorizes that circumvention.

    [15] Even if the Defendants had been able to offer such evidence, and even if they could have demonstrated that DeCSS was "primarily designed . . . for the purpose of" playing DVDs on multiple platforms (and therefore not for the purpose of "circumventing a technological measure"), a proposition questioned by Judge Kaplan, see Universal I, 111 F. Supp. 2d at 311 n.79, the Defendants would defeat liability only under subsection 1201(a)(2)(A). They would still be vulnerable to liability under subsection 1201(a)(2)(C), because they "marketed" DeCSS for the copying of DVDs, not just for the playing of DVDs on multiple platforms. See, e.g., Trial Tr. at 820.

    [16] For example, a program (or part of a program) will give a computer the direction to "launch" a word-processing program like WordPerfect when the icon for WordPerfect is clicked; a program like WordPerfect will give the computer directions to display letters on a screen and manipulate them according to the computer user's preferences whenever the appropriate keys are struck.

    [17] We note that instructions are of varied types. See Vartuli, 228 F.3d at 111. "Orders" from one member of a conspiracy to another member, or from a superior to a subordinate, might resemble instructions but nonetheless warrant less or even no constitutional protection because their capacity to inform is meager, and because it is unlikely that the recipient of the order will engage in the "intercession of . . . mind or . . . will" characteristic of the sort of communication between two parties protected by the Constitution, see id. at 111-12 (noting that statements in the form of orders, instructions, or commands cannot claim "talismanic immunity from constitutional limitations" but "should be subjected to careful and particularized analysis to ensure that no speech entitled to First Amendment protection fails to receive it"); Kent Greenawalt, Speech and Crime, Am. B. Found. Res. J. 645, 743-44 (1980).

    [18] These cases almost always concern instructions on how to commit illegal acts. Several courts have concluded that such instructions fall outside the First Amendment. However, these conclusions never rest on the fact that the speech took the form of instructions, but rather on the fact that the instructions counseled the listener how to commit illegal acts. See, e.g., Rice v. Paladin Enterprises, Inc., 128 F.3d 233, 247-49 (4th Cir. 1997); United States v. Barnett, 667 F.2d 835, 842 (9th Cir. 1982). None of these opinions even hints that instructions are a form of speech categorically outside the First Amendment.

    [19] Of course, we do not mean to suggest that the communication of "information" is a prerequisite of protected "speech." Protected speech may communicate, among other things, ideas, emotions, or thoughts. We identify "information" only because this is what computer programs most often communicate, in addition to giving directions to a computer.

    [20] However, in the rare case where a human's mental faculties do not intercede in executing the instructions, we have withheld protection. See Vartuli, 228 F.3d at 111.

    [21] Programmers use snippets of code to convey their ideas for new programs; economists and other creators of computer models publish the code of their models in order to demonstrate the models' vigor. Brief of Amici Curiae Dr. Harold Abelson et al. at 17; Brief of Amici Curiae Steven Bellovin et al. at 12-13; see also Bernstein v. United States Department of Justice, 176 F.3d 1132, 1141 (9th Cir.) (concluding that computer source code is speech because it is "the preferred means" of communication among computer programmers and cryptographers), reh'g in banc granted and opinion withdrawn, 192 F.3d 1308 (9th Cir. 1999).

    [22] Reinforcing the conclusion that software programs qualify as "speech" for First Amendment purposes—even though they instruct computers—is the accelerated blurring of the line between "source code" and conventional "speech." There already exist programs capable of translating English descriptions of a program into source code. Trial Tr. at 1101-02 (Testimony of Professor Andrew Appel). These programs are functionally indistinguishable from the compilers that routinely translate source code into object code. These new programs (still apparently rudimentary) hold the potential for turning "prose" instructions on how to write a computer program into the program itself. Even if there were an argument for exempting the latter from First Amendment protection, the former are clearly protected for the reasons set forth in the text. As technology becomes more sophisticated, instructions to other humans will increasingly be executable by computers as well.

    [23] Vartuli reasoned that the interaction between "programming commands as triggers and semiconductors as a conduit," even though communication, is not "speech" within the meaning of the First Amendment and that the communication between Recurrence and a customer using it as intended was similarly not "speech." Vartuli, 228 F.2d at 111.

    [24] The reasoning of Junger has recently been criticized. See Orin S. Kerr, Are We Overprotecting Code? Thoughts on First-Generation Internet Law, 57 Wash. & Lee L. Rev. 1287 (2000). Prof. Kerr apprehends that if encryption code is First Amendment speech because it conveys "ideas about cryptography," Junger, 209 F.3d at 484, all code will be protected "because code will always convey information about itself." Kerr, supra, at 1291. That should not suffice, he argues, because handing someone an object, for example, a padlock, is a good way of communicating how that object works, yet a padlock is not speech. Id. at 1291-92. However, code does not cease to be speech just because some objects that convey information are not speech. Both code and a padlock can convey information, but only code, because it uses a notational system comprehensible by humans, is communication that qualifies as speech. Prof. Kerr might be right that making the communication of ideas or information the test of whether code is speech provides First Amendment coverage to many, perhaps most, computer programs, but that is a consequence of the information-conveying capacity of the programs, not a reason for denying them First Amendment coverage.

    [25] The Supreme Court has used slightly different formulations to express the narrow tailoring requirement of a content-neutral regulation. In O'Brien, the formulation was "if the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest." 391 U.S. at 377. In Ward, the formulation was "'so long as the . . . regulation promotes a substantial government interest that would be achieved less effectively absent the regulation.'" 491 U.S. at 799 (quoting United States v. Albertini, 472 U.S. 675, 689 (1985)). Ward added, however, that the regulation may not "burden substantially more speech than is necessary to further the government's legitimate interests." Id. (emphasis added). Turner Broadcasting quoted both the "no greater than is essential" formulation from O'Brien, see Turner Broadcasting, 512 U.S. at 662, and the "would be achieved less effectively" formulation from Ward, see id. Turner Broadcasting made clear that the narrow tailoring requirement is less demanding than the least restrictive means requirement of a content-specific regulation, id., and appears to have settled on the "substantially more" phrasing from Ward as the formulation that best expresses the requirement, id. That is the formulation we will apply.

    [26] This argument is elaborated by some of the amici curiae. "In the absence of human intervention, code does not function, it engages in no conduct. It is as passive as a cake recipe." Brief of Amici Curiae Dr. Harold Abelson et al. at 26.

    [27] More dramatically, the Government calls DeCSS "a digital crowbar." Brief for Intervenor United States at 19.

    [28] Briefs of some of the amici curiae discuss the possibility of adequate protection against copying of copyrighted materials by adopting the approach of the Audio Home Recording Act of 1992, 17 U.S.C. § 1002(a), which requires digital audio tape recorders to include a technology that prevents serial copying, but permits making a single copy. See, e.g., Brief of Amici Curiae Benkler and Lessig at 15. However, the Defendants did not present evidence of the current feasibility of a similar solution to prevent serial copying of DVDs over the Internet. Even if the Government, in defending the DMCA, must sustain a burden of proof in order to satisfy the standards for content-neutral regulation, the Defendants must adduce enough evidence to create fact issues concerning the current availability of less intrusive technological solutions. They did not do so in the District Court. Moreover, we note that when Congress opted for the solution to serial copying of digital audio tapes, it imposed a special royalty on manufacturers of digital audio recording devices to be distributed to appropriate copyright holders. See 17 U.S.C. §§ 1003-1007. We doubt if the First Amendment required Congress to adopt a similar technology/royalty scheme for regulating the copying of DVDs, but in any event the record in this case provides no basis for invalidating the anti-trafficking provisions of the DMCA or the injunction for lack of such an alternative approach.

    [29] We have considered the opinion of a California intermediate appellate court in DVD Copy Control Ass'n v. Bunner, 93 Cal.App.4th 648, 113 Cal.Rptr.2d 338 (2001) (Cal. Ct. App., 6th Dist. Nov. 1, 2001), declining, on First Amendment grounds, to issue a preliminary injunction under state trade secrets law prohibiting a web site operator from posting DeCSS. To the extent that DVD Copy Control disagrees with our First Amendment analysis, we decline to follow it.

    [30] "Hyperlinks" are also called "hypertext links" or "active links."

    [31] "Linking" not accomplished by a hyperlink would simply involve the posting of the Internet address ("URL") of another web page. A "link" of this sort is sometimes called an "inactive link." With an inactive link, the linked web page would be only four clicks away, one click to select the URL address for copying, one click to copy the address, one click to "paste" the address into the text box for URL addresses, and one click (or striking the "enter" key) to instruct the computer to call up the linked web site.

    [32] We acknowledge that the prohibition on linking restricts more than Corley's ability to facilitate instant access to DeCSS on linked web sites; it also restricts his ability to facilitate access to whatever protected speech is available on those sites. However, those who maintain the linked sites can instantly make their protected material available for linking by Corley by the simple expedient of deleting DeCSS from their web sites.

    [33] Although we have recognized that the First Amendment provides no entitlement to use copyrighted materials beyond that accorded by the privilege of fair use, except in "an extraordinary case," Twin Peaks Productions, Inc. v. Publications International, Ltd., 996 F.2d 1366, 1378 (2d Cir. 1993), we have not ruled that the Constitution guarantees any particular formulation or minimum availability of the fair use defense.

    [34] As expressed in their supplemental papers, the position of the Appellants is that "fair use extends to works in whatever form they are offered to the public," Supplemental Brief for Appellants at 20, by which we understand the Appellants to contend not merely that fair use may be made of DVD movies but that the fair user must be permitted access to the digital version of the DVD in order to directly copy excerpts for fair use in a digital format.

    [35] In their supplemental papers, the Appellants contend, rather hyperbolically, that a prohibition on using copying machines to assist in making fair use of texts could not validly be upheld by the availability of "monks to scribe the relevant passages." Supplemental Brief for Appellants at 20.

    8.5 OIL Casebook: Digital Locks II 8.5 OIL Casebook: Digital Locks II

    8.5.1 Digital Millennium Copyright Act: 37 CFR 201.40 - EXEMPTION TO PROHIBITION AGAINST CIRCUMVENTION. 8.5.1 Digital Millennium Copyright Act: 37 CFR 201.40 - EXEMPTION TO PROHIBITION AGAINST CIRCUMVENTION.

    Note that this list changes every two years, and is an example of some of the Copyright Office exceptions

    § 201.40 Exemption to prohibition against circumvention.

    (a)

    General. 

    This section prescribes the classes of copyrighted works for which the Librarian of Congress has determined, pursuant to 17 U.S.C. 1201(a)(1)(C) and (D), that noninfringing uses by persons who are users of such works are, or are likely to be, adversely affected. The prohibition against circumvention of technological measures that control access to copyrighted works set forth in 17 U.S.C. 1201(a)(1)(A) shall not apply to such users of the prescribed classes of copyrighted works.

    (b)

    Classes of copyrighted works. 

    Pursuant to the authority set forth in 17 U.S.C. 1201(a)(1)(C) and (D), and upon the recommendation of the Register of Copyrights, the Librarian has determined that the prohibition against circumvention of technological measures that effectively control access to copyrighted works set forth in 17 U.S.C. 1201(a)(1)(A) shall not apply to persons who engage in noninfringing uses of the following classes of copyrighted works:

    (1)

    Motion pictures on DVDs that are lawfully made and acquired and that are protected by the Content Scrambling System when circumvention is accomplished solely in order to accomplish the incorporation of short portions of motion pictures into new works for the purpose of criticism or comment, and where the person engaging in circumvention believes and has reasonable grounds for believing that circumvention is necessary to fulfill the purpose of the use in the following instances:

    (i)

    Educational uses by college and university professors and by college and university film and media studies students;

    (ii)

    Documentary filmmaking;

    (iii)

    Noncommercial videos.

    (2)

    Computer programs that enable wireless telephone handsets to execute software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset.

    (3)

    Computer programs, in the form of firmware or software, that enable used wireless telephone handsets to connect to a wireless telecommunications network, when circumvention is initiated by the owner of the copy of the computer program solely in order to connect to a wireless telecommunications network and access to the network is authorized by the operator of the network.

    (4)

    Video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works, when circumvention is accomplished solely for the purpose of good faith testing for, investigating, or correcting security flaws or vulnerabilities, if:

    (i)

    The information derived from the security testing is used primarily to promote the security of the owner or operator of a computer, computer system, or computer network; and

    (ii)

    The information derived from the security testing is used or maintained in a manner that does not facilitate copyright infringement or a violation of applicable law.

    (5)

    Computer programs protected by dongles that prevent access due to malfunction or damage and which are obsolete. A dongle shall be considered obsolete if it is no longer manufactured or if a replacement or repair is no longer reasonably available in the commercial marketplace.

    (6)

    Literary works distributed in ebook format when all existing ebook editions of the work (including digital text editions made available by authorized entities) contain access controls that prevent the enabling either of the book's read-aloud function or of screen readers that render the text into a specialized format.

    (c)

    Definition. 

    “Specialized format,” “digital text” and “authorized entities” shall have the same meaning as in 17 U.S.C. 121.

    65 FR 64574

    68 FR 62018

    71 FR 68479

    74 FR 55139

    75 FR 43839

    75 FR 47465

    8.5.2 Lexmark Int'l, Inc. v. Static Control Components, Inc. 8.5.2 Lexmark Int'l, Inc. v. Static Control Components, Inc.

    United States Court of Appeals for the Sixth Circuit
    387 F.3d 522
    No. 03-5400
    2004-10-26

    387 F.3d 522 (2004)

    LEXMARK INTERNATIONAL, INC., Plaintiff-Appellee,
    v.
    STATIC CONTROL COMPONENTS, INC., Defendant-Appellant.

    No. 03-5400.

    United States Court of Appeals, Sixth Circuit.

    Argued: January 30, 2004.
    Decided and Filed: October 26, 2004.

    [523] [524] [525] [526] [527] [528] ARGUED: Seth D. Greenstein, McDermott, Will & Emery, Washington, DC, for Appellant. Christopher J. Renk, Banner & Witcoff, Chicago, IL, for Appellee. ON BRIEF: Seth D. Greenstein, M. Miller Baker, Melise R. Blakeslee, McDermott, Will & Emery, Washington, DC, W. Craig Robertson III, E. Christine Lewis, Wyatt, Tarrant & Combs, Lexington, KY, William L. London, Static Control Components, Inc., Sanford, North Carolina, for Appellant. Christopher J. Renk, Binal J. Patel, Jason S. Shull, Timothy C. Meece, Banner & Witcoff, Chicago, Illinois, Joseph M. Potenza, Bradley C. Wright, Banner & Witcoff, Washington, DC, Charles E. Shivel, Jr., Steven B. Loy, Hanly A. Ingram, Stoll, Keenon & Park, Lexington, KY, for Appellee.

    Before: MERRITT and SUTTON, Circuit Judges; FEIKENS, District Judge.[1]

    SUTTON, J., delivered the opinion of the court. MERRITT, J. (pp. 551-53), delivered a separate concurring opinion. FEIKENS, D.J. (pp. 553-65), delivered a separate opinion concurring in part and dissenting in part.

    OPINION

    SUTTON, Circuit Judge.

    This copyright dispute involves two computer programs, two federal statutes and three theories of liability. The first computer program, known as the "Toner Loading Program," calculates toner level in printers manufactured by Lexmark International. The second computer program, known as the "Printer Engine Program," controls various printer functions on Lexmark printers.

    The first statute, the general copyright statute, 17 U.S.C. § 101 et seq., has been with us in one form or another since 1790 and grants copyright protection to "original works of authorship fixed in any tangible medium of expression," id. § 102(a), but does not "extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery," id. § 102(b). The second federal statute, the Digital Millenium Copyright Act (DMCA), 17 U.S.C. § 1201 et seq., was enacted in 1998 and proscribes the sale of products that may be used to "circumvent a technological measure that effectively controls access to a work" protected by the copyright statute.

    [529] These statutes became relevant to these computer programs when Lexmark began selling discount toner cartridges for its printers that only Lexmark could re-fill and that contained a microchip designed to prevent Lexmark printers from functioning with toner cartridges that Lexmark had not re-filled. In an effort to support the market for competing toner cartridges, Static Control Components (SCC) mimicked Lexmark's computer chip and sold it to companies interested in selling remanufactured toner cartridges.

    Lexmark brought this action to enjoin the sale of SCC's computer chips and raised three theories of liability in doing so. Lexmark claimed that SCC's chip copied the Toner Loading Program in violation of the federal copyright statute. It claimed that SCC's chip violated the DMCA by circumventing a technological measure designed to control access to the Toner Loading Program. And it claimed that SCC's chip violated the DMCA by circumventing a technological measure designed to control access to the Printer Engine Program.

    After an evidentiary hearing, the district court decided that Lexmark had shown a likelihood of success on each claim and entered a preliminary injunction against SCC. As we view Lexmark's prospects for success on each of these claims differently, we vacate the preliminary injunction and remand the case for further proceedings.

    I.

    A.

    The Parties. Headquartered in Lexington, Kentucky, Lexmark is a leading manufacturer of laser and inkjet printers and has sold printers and toner cartridges for its printers since 1991. Lexmark is a publicly traded corporation and reported $4.8 billion in revenue for 2003.

    Static Control Components is a privately held company headquartered in Sanford, North Carolina. Started in 1987, it currently employs approximately 1,000 workers and makes a wide range of technology products, including microchips that it sells to third-party companies for use in remanufactured toner cartridges.

    The Two Computer Programs. The first program at issue is Lexmark's "Toner Loading Program," which measures the amount of toner remaining in the cartridge based on the amount of torque (rotational force) sensed on the toner cartridge wheel. Maggs Aff. ¶ 24, JA 709. The Toner Loading Program relies upon eight program commands — "add," "sub" (an abbreviation for subtract), "mul" (multiply), "pct" (take a percent), "jump," "if," "load," and "exit" — to execute one of several mathematical equations that convert the torque reading into an approximation of toner level. Goldberg Aff. ¶ 21, JA 578; Maggs Aff. ¶ 24, JA 709. If the torque is less than a certain threshold value, the program executes one equation to calculate the toner level, and if the torque equals or exceeds that threshold, the program executes a different equation to calculate the toner level. Goldberg Aff. ¶ 19, JA 576-77. The exact code of the Toner Loading Program varies slightly for each printer model, and this case involves two versions of the program — one for Lexmark's T520 and T522 printer models and another for Lexmark's T620 and T622 printer models. The Toner Loading Program for the T520/522 printers comprises 33 program instructions and occupies 37 bytes of memory, while the Toner Loading Program for the T620/622 printers comprises 45 program commands and uses 55 bytes of memory. To illustrate the modest size of this computer program, the phrase "Lexmark International, Inc. vs. Static Control Components, Inc." in ASCII format [530] would occupy more memory than either version of the Toner Loading Program. Burchette Aff. ¶ 13, JA 106. The Toner Loading Program is located on a microchip contained in Lexmark's toner cartridges.

    The second program is Lexmark's "Printer Engine Program." The Printer Engine Program occupies far more memory than the Toner Loading Program and translates into over 20 printed pages of program commands. The program controls a variety of functions on each printer — e.g., paper feed and movement, and printer motor control. D. Ct. Op. ¶ 24, at 5. Unlike the Toner Loading Program, the Printer Engine Program is located within Lexmark's printers.

    Lexmark obtained Certificates of Registration from the Copyright Office for both programs. Neither program is encrypted and each can be read (and copied) directly from its respective memory chip. Id. ¶ 44, at 8.

    Lexmark's Prebate and Non-Prebate Cartridges. Lexmark markets two types of toner cartridges for its laser printers: "Prebate" and "Non-Prebate." Prebate cartridges are sold to business consumers at an up-front discount. In exchange, consumers agree to use the cartridge just once, then return the empty unit to Lexmark; a "shrink-wrap" agreement on the top of each cartridge box spells out these restrictions and confirms that using the cartridge constitutes acceptance of these terms. Id. ¶¶ 13-14, at 3. Non-Prebate cartridges are sold without any discount, are not subject to any restrictive agreements and may be re-filled with toner and reused by the consumer or a third-party remanufacturer. Id. ¶¶ 15-18, at 3-4.

    To ensure that consumers adhere to the Prebate agreement, Lexmark uses an "authentication sequence" that performs a "secret handshake" between each Lexmark printer and a microchip on each Lexmark toner cartridge. Both the printer and the chip employ a publicly available encryption algorithm known as "Secure Hash Algorigthm-1" or "SHA-1," which calculates a "Message Authentication Code" based on data in the microchip's memory. If the code calculated by the microchip matches the code calculated by the printer, the printer functions normally. If the two values do not match, the printer returns an error message and will not operate, blocking consumers from using toner cartridges that Lexmark has not authorized. Yaro Decl. ¶ 7, JA 82 ("To prevent unauthorized toner cartridges from being used with Lexmark's T520/522 and T620/622 laser printers, Lexmark utilizes an authentication sequence.").

    SCC's Competing Microchip. SCC sells its own microchip — the "SMARTEK" chip — that permits consumers to satisfy Lexmark's authentication sequence each time it would otherwise be performed, i.e., when the printer is turned on or the printer door is opened and shut. SCC's advertising boasts that its chip breaks Lexmark's "secret code" (the authentication sequence), which "even on the fastest computer available today ... would take Years to run through all of the possible 8-byte combinations to break." D. Ct. Op. ¶ 103, at 19. SCC sells these chips to third-party cartridge remanufacturers, permitting them to replace Lexmark's chip with the SMARTEK chip on refurbished Prebate cartridges. These recycled cartridges are in turn sold to consumers as a low-cost alternative to new Lexmark toner cartridges.

    Each of SCC's SMARTEK chips also contains a copy of Lexmark's Toner Loading Program, which SCC claims is necessary to make its product compatible with Lexmark's printers. The SMARTEK chips thus contain an identical copy of the Toner Loading Program that is appropriate [531] for each Lexmark printer, and SCC acknowledges that it "slavishly copied" the Toner Loading Program "in the exact format and order" found on Lexmark's cartridge chip. Id. ¶¶ 92, 96, at 18. A side-by-side comparison of the two data sequences reveals no differences between them. Able Decl. ¶¶ 10-15, JA 502-05.

    The parties agree that Lexmark's printers perform a second calculation independent of the authentication sequence. After the authentication sequence concludes, the Printer Engine Program downloads a copy of the Toner Loading Program from the toner cartridge chip onto the printer in order to measure toner levels. Before the printer runs the Toner Loading Program, it performs a "checksum operation," a "commonly used technique" to ensure the "integrity" of the data downloaded from the toner cartridge microchip. D. Ct. Op. ¶ 77, at 14. Under this operation, the printer compares the result of a calculation performed on the data bytes of the transferred copy of the Toner Loading Program with the "checksum value" located elsewhere on the toner cartridge microchip. If the two values do not match, the printer assumes that the data was corrupted in the program download, displays an error message and ceases functioning. If the two values do match, the printer continues to operate.

    The Lawsuit. On December 30, 2002, Lexmark filed a complaint in the United States District Court for the Eastern District of Kentucky seeking to enjoin SCC (on a preliminary and permanent basis) from distributing the SMARTEK chips. The complaint contained three theories of liability. First, Lexmark alleged that SCC violated the copyright statute, 17 U.S.C. § 106, by reproducing the Toner Loading Program on its SMARTEK chip. Second, it alleged that SCC violated the DMCA by selling a product that circumvents access controls on the Toner Loading Program. Third, it alleged that SCC violated the DMCA by selling a product that circumvents access controls on the Printer Engine Program.

    B.

    The district court initially concluded that Lexmark had established a likelihood of success on its copyright infringement claim for SCC's copying of its Toner Loading Program. Computer programs are "literary works" entitled to copyright protection, the court reasoned, and the "requisite level of creativity" necessary to establish the originality of the programs "is extremely low." D. Ct. Op. ¶¶ 9, 11, at 23. Because the Toner Loading Program could be written in multiple ways, the district court added, SCC had not rebutted the presumption of validity created by Lexmark's copyright registration for the Toner Loading Program. Id. ¶ 13-14, at 24; see also 17 U.S.C. § 410(c).

    In coming to this conclusion, the district court rejected each of the defenses asserted by SCC. First, the district court determined that the Toner Loading Program was not a "lock-out code" (and unprotectable because its elements are dictated by functional compatibility requirements) since "the use of any Toner Loading Program could still result in a valid authentication sequence and a valid checksum." Id. ¶ 22, at 26. But even if the Toner Loading Program were a "lock-out code," the district court believed copyright infringement had still taken place because "`[s]ecurity systems are just like any other computer program and are not inherently unprotectable.'" Id. ¶ 25, at 27 (quoting Atari Games Corp. v. Nintendo of Am., Inc., Nos. 88-4805 & 89-0027, 1993 WL 214886, at *7 (N.D.Cal. Apr.15, 1993) ("Atari II")). Second, the court rejected SCC's fair use defense in view of the commercial [532] purpose of the copying, the wholesale nature of the copying and the effect of the copying on the toner cartridge market. Id. at 28-30. Third, the district court rejected SCC's argument that Lexmark was "misus[ing]" the copyright laws "to secure an exclusive right or limited monopoly not expressly granted by copyright law." Id. at 38-39.

    The district court next determined that Lexmark had established a likelihood of success on its two DMCA claims, one relating to the Toner Loading Program, the other relating to the Printer Engine Program. Observing that the anti-trafficking provision of the DMCA, 17 U.S.C. § 1201(a)(2), "prohibits any product or device that circumvents a technological measure that prevents unauthorized access to a copyrighted work," D. Ct. Op. ¶ 64, at 40, the district court concluded that Lexmark had established a likelihood of success that SCC's SMARTEK chip did this very thing. In the district court's view, Lexmark's authentication sequence (not the checksum calculation) constitutes a "technological measure" that "effectively controls access" to two copyrighted works — the Toner Loading Program and the Printer Engine Program. The authentication sequence, it determined, "controls access" because it "controls the consumer's ability to make use of these programs." Id. ¶ 71, at 41. Because SCC designed the SMARTEK chip to circumvent Lexmark's authentication sequence, because circumvention was the sole commercial purpose of the SMARTEK chip and because SCC markets these chips as performing that function, the court reasoned that SCC likely had violated the DMCA's prohibitions on marketing circumvention devices. Id. at 42-43. See 17 U.S.C. 1201(a)(2).

    Finally, the district court determined that the DMCA's "reverse engineering" exception to liability did not apply. D. Ct. Op. at 47-48; see 17 U.S.C. § 1201(f)(2), (3). Under the exception, circumvention devices may be produced and made available to others "solely for the purpose of enabling interoperability of an independently created program with other programs." 17 U.S.C. § 1201(f)(3). The court deemed this defense inapplicable because "SCC's SMARTEK microchips cannot be considered independently created computer programs." D. Ct. Op. ¶ 94, at 47.

    Because Lexmark had established a likelihood of success on the merits, the district court presumed irreparable harm, id. at 48-49, and concluded that the public interest would favor an injunction against SCC, id. at 50-51. After weighing other potential hardships, the district court concluded that the preliminary injunction should issue.

    II.

    We apply an abuse-of-discretion standard in reviewing a district court's entry of a preliminary injunction. Performance Unlimited, Inc. v. Questar Publishers, Inc., 52 F.3d 1373, 1378 (6th Cir. 1995). A district court abuses its discretion if it relies upon clearly erroneous findings of fact, employs an incorrect legal standard or improperly applies the correct law to the facts. See id.

    Four factors govern whether a district court should enter a preliminary injunction: (1) the plaintiff's likelihood of success on the merits; (2) the possibility of irreparable harm to the plaintiff in the absence of an injunction; (3) public interest considerations; and (4) potential harm to third parties. Forry, Inc. v. Neundorfer, Inc., 837 F.2d 259, 262 (6th Cir.1988). In the copyright context, much rests on the first factor because irreparable harm is presumed once a likelihood of success has been established, id. at 267, and because [533] an injunction likely will serve the public interest once a claimant has demonstrated a likelihood of success in this setting, Concrete Mach. Co. v. Classic Lawn Ornaments, Inc., 843 F.2d 600, 612 (1st Cir. 1988). We see no reason why a similar presumption of irreparable harm should not apply to claims under the DMCA. See Universal City Studios, Inc. v. Reimerdes, 82 F.Supp.2d 211, 215 (S.D.N.Y.2000). Like the district court before us, we accordingly focus on the likelihood that Lexmark will succeed on its claims under the general copyright statute and the DMCA.

    III.

    A.

    The Constitution expressly gives Congress the power to grant protection to original works of authorship. See U.S. Const. art. I, § 8, cl. 8. Relying on that authority, Congress has established the following standard for copyright protection:

    (a) Copyright protection subsists ... in original works of authorship fixed in any tangible medium of expression.... Works of authorship include the following categories: (1) literary works; (2) musical works ...; (3) dramatic works...; (4) pantomimes and choreographic works; (5) pictorial, graphic, and sculptural works; (6) motion pictures and other audiovisual works; (7) sound recordings; and (8) architectural works.

    (b) In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.

    17 U.S.C. § 102 (emphasis added). The copyright statute grants owners of protected works the exclusive right to use them in certain ways. See id. § 106 (granting copyright owners the exclusive right to reproduce copyrighted works, to create derivative works based on original works, to distribute copies of the works, and to perform or display the works publicly).

    As this case comes to the court, the parties agree that computer programs may be entitled to copyright protection as "literary works" under 17 U.S.C. § 101 and may be protected from infringement under 17 U.S.C. § 106. And that is true with respect to a computer program's object code (the binary code — a series of zeros and ones — that computers can read) and its source code (the spelled-out program commands that humans can read). See 17 U.S.C. § 101 (defining "computer program[s]" as "set[s] of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result"); 17 U.S.C. § 117(a) (describing "limitations on exclusive rights" for "computer programs" and providing that infringement does not occur when a copy of a computer program is made either "as an essential step in the utilization of the computer program" or "for archival purposes"); H.R.Rep. No. 1476 (1976), reprinted in 1976 U.S.C.C.A.N. 5659, 5667 [hereinafter House Report] ("The term `literary works' ... includes ... computer programs to the extent that they incorporate authorship in the programmer's expression of original ideas, as distinguished from the ideas themselves."); accord Atari Games Corp. v. Nintendo of Am., Inc., 975 F.2d 832, 838 (Fed.Cir.1992) ("Atari I"); Johnson Controls, Inc. v. Phoenix Control Sys., Inc., 886 F.2d 1173, 1175 (9th Cir. 1989); Apple Computer, Inc. v. Franklin Computer Corp., 714 F.2d 1240, 1247-49 (3d Cir.1983).

    The parties also agree that Lexmark has registered the Toner Loading Program with the Copyright Office, which is an [534] infringement suit prerequisite, see 17 U.S.C. § 411(a), and which constitutes prima facie evidence of the copyright's validity, see id. § 410(c). And the parties agree that SCC shoulders the burden of rebutting the presumptive validity of Lexmark's copyright. See Hi-Tech Video Prods., Inc. v. Capital Cities/ABC, Inc., 58 F.3d 1093, 1095 (6th Cir.1995).

    The parties also share common ground when it comes to most of the general principles of copyright infringement applicable to this case. A plaintiff may establish a claim of copyright infringement by showing (1) ownership of a valid copyright in the computer program at issue (here, the Toner Loading Program) and (2) that the defendant copied protectable elements of the work. See Feist Publ'ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 361, 111 S.Ct. 1282, 113 L.Ed.2d 358 (1991); Kohus v. Mariol, 328 F.3d 848, 853 (6th Cir.2003). The first prong tests the originality and non-functionality of the work, see M.M. Bus. Forms Corp. v. Uarco, Inc., 472 F.2d 1137, 1139 (6th Cir.1973), both of which are presumptively established by the copyright registration. The second prong tests whether any copying occurred (a factual matter) and whether the portions of the work copied were entitled to copyright protection (a legal matter). See Kepner-Tregoe, Inc. v. Leadership Software, Inc., 12 F.3d 527, 534-35 & n. 14 (5th Cir.1994); see generally M. Nimmer & D. Nimmer, Nimmer on Copyright § 13.01[B] (2003) [hereinafter Nimmer]. If no direct evidence of copying is available, a claimant may establish this element by showing that the defendant had access to the copyrighted work and that the copyrighted work and the allegedly copied work are substantially similar. Kohus, 328 F.3d at 853-54.

    As to the first prong, the Supreme Court has instructed that "[o]riginal ... means only that the work was independently created by the author (as opposed to copied from other works), and that it possesses at least some minimal degree of creativity," even if the work is not a "novel" one. Feist, 499 U.S. at 345-46 (originality requires both "independent creation plus a modicum of creativity"). And although constitutionally mandated, the threshold showing of originality is not a demanding one. Id. at 345, 111 S.Ct. 1282 ("To be sure, the requisite level of creativity is extremely low; even a slight amount will suffice.").

    But even if a work is in some sense "original" under § 102(a), it still may not be copyrightable because § 102(b) provides that "[i]n no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of [its] form." 17 U.S.C. § 102(b). This provision embodies the common-law idea-expression dichotomy that distinguishes the spheres of copyright and patent law. "[U]nlike a patent, a copyright gives no exclusive right to the art disclosed; protection is given only to the expression of the idea — not the idea itself." Mazer v. Stein, 347 U.S. 201, 217, 74 S.Ct. 460, 98 L.Ed. 630 (1954); see also Baker v. Selden, 101 U.S. 99, 101-02, 25 L.Ed. 841 (1879) (explaining that while a book describing a bookkeeping system is worthy of copyright protection, the underlying method described is not); Computer Assocs. Int'l, Inc. v. Altai, Inc., 982 F.2d 693, 703 (2d Cir.1992) ("It is a fundamental principle of copyright law that a copyright does not protect an idea, but only the expression of the idea."). While this general principle applies equally to computer programs, id.; see also House Report at 5667 (extending copyright protection to computer programs only "to the extent that they incorporate authorship in programmer's [535] expression of original ideas, as distinguished from ideas themselves"), the task of separating expression from idea in this setting is a vexing one, see Altai, 982 F.2d at 704 ("The essentially utilitarian nature of a computer program further complicates the task of distilling its idea from its expression."); Sega Enters., Ltd. v. Accolade, Inc., 977 F.2d 1510, 1524 (9th Cir.1992); see also Lotus Dev. Corp. v. Borland Int'l, Inc., 49 F.3d 807, 819-20 (1st Cir.1995) (Boudin, J., concurring). "[C]ompared to aesthetic works, computer programs hover even more closely to the elusive boundary line described in § 102(b)." Altai, 982 F.2d at 704.

    In ascertaining this "elusive boundary line" between idea and expression, between process and non-functional expression, courts have looked to two other staples of copyright law — the doctrines of merger and scènes à faire. Where the "expression is essential to the statement of the idea," CCC Info. Servs., Inc. v. Maclean Hunter Mkt. Reports, Inc., 44 F.3d 61, 68 (2d Cir.1994); see also Lotus Dev., 49 F.3d at 816 ("If specific words are essential to operating something, then they are part of a `method of operation' and, as such, are unprotectable."), or where there is only one way or very few ways of expressing the idea, Warren Publ'g, Inc. v. Microdos Data Corp., 115 F.3d 1509, 1519 n. 27 (11th Cir.1997), the idea and expression are said to have "merged." In these instances, copyright protection does not exist because granting protection to the expressive component of the work necessarily would extend protection to the work's uncopyrightable ideas as well. See Gates Rubber Co. v. Bando Chem. Indus., Ltd., 9 F.3d 823, 838 (10th Cir.1993); see also Murray Hill Publ'ns, Inc. v. Twentieth Century Fox Film Corp., 361 F.3d 312, 319 n. 2 (6th Cir.2004) (noting that where idea and expression are intertwined and where non-protectable ideas predominate, expression is not protected); see generally Nimmer § 13.03[B][3]. For computer programs, "if the patentable process is embodied inextricably in the line-by-line instructions of the computer program, [] then the process merges with the expression and precludes copyright protection." Atari I, 975 F.2d at 839-40; see, e.g., PRG-Schultz Int'l, Inc. v. Kirix Corp., No. 03 C 1867, 2003 WL 22232771, at *4 (N.D.Ill. Sept.22, 2003) (determining that copyright infringement claim failed because expression merged with process in computer software that performed auditing tasks).

    For similar reasons, when external factors constrain the choice of expressive vehicle, the doctrine of "scènes à faire" — "scenes," in other words, "that must be done" — precludes copyright protection. See Twentieth Century Fox Film, 361 F.3d at 319-20; see generally Nimmer § 13.03[B][4]. In the literary context, the doctrine means that certain phrases that are "standard, stock, ... or that necessarily follow from a common theme or setting" may not obtain copyright protection. Gates Rubber, 9 F.3d at 838. In the computer-software context, the doctrine means that the elements of a program dictated by practical realities — e.g., by hardware standards and mechanical specifications, software standards and compatibility requirements, computer manufacturer design standards, target industry practices, and standard computer programming practices — may not obtain protection. Id. (citing case examples); see Sega Enters., 977 F.2d at 1524 ("To the extent that a work is functional or factual, it may be copied."); Brown Bag Software v. Symantec Corp., 960 F.2d 1465, 1473 (9th Cir.1992) (affirming district court's finding that "[p]laintiffs may not claim copyright protection of an... expression that is, if not standard, [536] then commonplace in the computer software industry"). As "an industry-wide goal," programming "[e]fficiency" represents an external constraint that figures prominently in the copyrightability of computer programs. Altai, 982 F.2d at 708.

    Generally speaking, "lock-out" codes fall on the functional-idea rather than the original-expression side of the copyright line. Manufacturers of interoperable devices such as computers and software, game consoles and video games, printers and toner cartridges, or automobiles and replacement parts may employ a security system to bar the use of unauthorized components. To "unlock" and permit operation of the primary device (i.e., the computer, the game console, the printer, the car), the component must contain either a certain code sequence or be able to respond appropriately to an authentication process. To the extent compatibility requires that a particular code sequence be included in the component device to permit its use, the merger and scènes à faire doctrines generally preclude the code sequence from obtaining copyright protection. See Sega Enters., 977 F.2d at 1524 ("When specific instructions, even though previously copyrighted, are the only and essential means of accomplishing a given task, their later use by another will not amount to infringement.") (quoting National Commission on New Technological Uses of Copyrighted Works, Final Report 20 (1979)) (emphasis added); Atari Games Corp. v. Nintendo of Am., Inc., Nos. 88-4805 & 89-0027, 1993 WL 207548, at *1 (N.D.Cal. May 18, 1993) ("Atari III") ("Program code that is strictly necessary to achieve current compatibility presents a merger problem, almost by definition, and is thus excluded from the scope of any copyright.").

    In trying to discern whether these doctrines apply, courts tend to "focus on whether the idea is capable of various modes of expression." Mason v. Montgomery Data, Inc., 967 F.2d 135, 138 (5th Cir.1992) (quoting Franklin Computer, 714 F.2d at 1253); Atari I, 975 F.2d at 840 ("The unique arrangement of computer program expression which generates [the] data stream does not merge with the process so long as alternate expressions are available."). The question, however, is not whether any alternatives theoretically exist; it is whether other options practically exist under the circumstances. See Altai, 982 F.2d at 708 ("While, hypothetically, there might be a myriad of ways in which a programmer may effectuate certain functions within a program ... efficiency concerns may so narrow the practical range of choice as to make only one or two forms of expression workable options."); Atari I, 975 F.2d at 840 (noting that "no external factor dictated the bulk of the program" and finding the program copyrightable). In order to characterize a choice between alleged programming alternatives as expressive, in short, the alternatives must be feasible within real-world constraints.

    The Supreme Court's decision in Feist helps to illustrate the point. In Feist, the alleged infringer had included 1,309 of the plaintiff's alphabetically-organized telephone book listings in its own telephone directory. 499 U.S. at 344, 111 S.Ct. 1282. The facts comprising these listings, it was clear, theoretically could have been organized in other ways — for instance, by street address or phone number, or by the age or height of the individual. But by virtue of tradition and settled expectations, the familiar alphabetical structure copied by the defendant amounted to the only organizational option available to the defendant. Id. at 363, 111 S.Ct. 1282. For these reasons, the Supreme Court determined that alphabetical phone listings did not satisfy the low threshold of originality [537] for copyright protection. Id.; see Altai, 982 F.2d at 711 (noting that although Feist dealt with factual compilations under 17 U.S.C. § 101, the decision's "underlying tenets apply to much of the work involved in computer programming" under 17 U.S.C. § 102(a)).

    One last principle applies here. Even if the prerequisites for infringement are met — the copyright is valid and SCC copied protectable elements of the work — Congress has established a fair use defense to infringement claims to ensure that copyright protection advances rather than thwarts the essential purpose of copyright: "[t]o promote the Progress of Science and useful Arts." U.S. Const. art. I, § 8, cl. 8; see also Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 577, 114 S.Ct. 1164, 127 L.Ed.2d 500 (1994). Congress has permitted others to use copyright-protected works, "including ... by reproduction," when courts determine the use to be "fair" according to a non-exhaustive list of factors:

    (1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market for or value of the copyrighted work.

    17 U.S.C. § 107. With respect to computer programs, "fair use doctrine preserves public access to the ideas and functional elements embedded in copyrighted computer software programs." Sony Computer Entm't, Inc. v. Connectix Corp., 203 F.3d 596, 603 (9th Cir.2000).

    B.

    In applying these requirements to this case, it helps to clarify the terms of debate between the parties. Lexmark claims copyright protection in, and infringement of, the code that composes its Toner Loading Program. It has not alleged that SCC copied any other portion of its chip, including any of the data on which the SHA-1 algorithm — the authentication sequence or "secret handshake" — appear. Presumably that is because SCC replaced Lexmark's SHA-1 function with a different publicly available encryption program to enable interoperability of its chip with Lexmark's printers. Burchette Aff. ¶ 9, JA 104. Nor does it matter whether SCC copied the Toner Loading Program knowingly or innocently because copyright infringement does not have a scienter requirement. See Repp v. Webber, 132 F.3d 882, 889 (2d Cir.1997). Finally, when it comes to the merits of the infringement claim, the parties primarily debate whether the Toner Loading Program satisfies the originality requirement (prong one), as distinct from whether any copying by SCC is substantially similar to the Lexmark chip (prong two). That is because the parties agree that SCC's SMARTEK chip copied all aspects of the Toner Loading Program.

    In our view, the district court committed three related legal errors in determining that Lexmark had a likelihood of prevailing on its copyright claim with respect to the Toner Loading Program. First, the district court concluded that, because the Toner Loading Program "could be written in a number of different ways," it was entitled to copyright protection. D. Ct. Op. ¶ 40, at 32. In refusing to consider whether "external factors such as compatibility requirements, industry standards, and efficiency" circumscribed the number of forms that the Toner Loading Program could take, the district court believed that the idea-expression divide and accompanying principles of merger and [538] scènes à faire play a role only in the "substantial similarity" analysis and do not apply when the first prong of the infringement test (copyrightability) is primarily at issue. Id. ¶ 37, at 31. In taking this path, the district court relied on cases invoking Nimmer's pronouncement that the idea-expression divide "constitutes not so much a limitation on the copyrightability of works, as it is a measure of the degree of similarity that must exist between a copyrightable work and an unauthorized copy." Nimmer § 2.03[D]; see D. Ct. Op. at 31. And in concluding more generally that the copyrightability of a computer program turns solely on the availability of other options for writing the program, the court relied on several cases from other circuits. See, e.g., Apple Computer, Inc. v. Formula Int'l, Inc., 725 F.2d 521, 525 (9th Cir.1984); Franklin Computer, 714 F.2d at 1253; Whelan Assocs., Inc. v. Jaslow Dental Lab., Inc., 797 F.2d 1222, 1240 (3d Cir. 1986); E.F. Johnson Co. v. Uniden Corp. of Am., 623 F.Supp. 1485, 1502 (D.Minn. 1985).

    This reasoning, to start with, conflicts with Feist. As the Supreme Court's recent decision suggests, one does not satisfy the originality requirement for copyright protection merely by showing that the work could have been put together in different ways. Just as it failed to suffice in Feist that the author of the competing telephone book could have organized the listings in some manner other than the individual's last name, so it does not suffice here that SCC could have written the Toner Loading Program in some other way. As in Feist, the court must ask whether the alternative ways of putting together the competing work are feasible in that setting.

    Nor does Nimmer support the district court's "a number of different ways" reasoning. As a matter of practice, Nimmer is correct that courts most commonly discuss the idea-expression dichotomy in considering whether an original work and a partial copy of that work are "substantially similar" (as part of prong two of the infringement test), since the copyrightability of a work as a whole (prong one) is less frequently contested. But the idea-expression divide figures into the substantial similarity test not as a measure of "similarity"; it distinguishes the original work's protectable elements from its unprotectable ones, a distinction that allows courts to determine whether any of the former have been copied in substantial enough part to constitute infringement. Both prongs of the infringement test, in other words, consider "copyrightability," which at its heart turns on the principle that copyright protection extends to expression, not to ideas. See Brown Bag Software, 960 F.2d at 1475-76 (noting that copyrightability is an aspect of both parts of the infringement test); see also Bateman v. Mnemonics, Inc., 79 F.3d 1532, 1545 (11th Cir.1996) (deciding that district court erred by not permitting consideration of merger, scènes à faire doctrines in instance of literal copying); Lotus Dev., 49 F.3d at 815 (assessing whether the literally copied menu command structure is copyrightable in light of § 102(b)'s limitation); Whelan Assocs., 797 F.2d at 1236-37 (discussing scènes à faire doctrine in considering copyrightability of computer program structure); Franklin Computer, 714 F.2d at 1253 (discussing merger in context of copyrightability of computer operating system program). When a work itself constitutes merely an idea, process or method of operation, or when any discernible expression is inseparable from the idea itself, or when external factors dictate the form of expression, copyright protection does not extend to the work. See Bateman, 79 F.3d at 1546 n. 28 ("Compatibility [539] and other functionality challenges to originality ... are applied so as to deny copyright protection to a particular work or portion of a work.") (emphasis added); Mason, 967 F.2d at 138 n. 5 (rejecting argument that merger doctrine applies only to question of infringement and noting that "this court has applied the merger doctrine to the question of copyrightability").

    Neither do the cited cases support the district court's initial frame of reference. Franklin Computer, 714 F.2d 1240, and Formula International, 725 F.2d 521, involved copies of Apple's operating system program — a program whose size and complexity is to the Toner Loading Program what the Sears Tower is to a lamppost. Given the nature of the Apple program, it would have been exceedingly difficult to say that practical alternative means of expression did not exist and indeed no defendant in the cases advanced that argument. And Franklin Computer, 714 F.2d at 1253, and Whelan Assocs., 797 F.2d at 1236-37, do not establish that any variation in the modes of expression establishes copyrightability, as they acknowledge the potential relevance of the merger and scènes à faire doctrines. While E.F. Johnson rejected the defendant's argument that the computer software program at issue was not protectable because it was needed for "compatibility" with a certain radio system, it did so only after finding that "the exact duplication of the [program] ... was not the `only and essential' means of achieving compatibility." 623 F.Supp. at 1502.

    Second, given the district court's mistaken view of the legal standard for distinguishing protectable expression from unprotectable ideas, the constraints on the Toner Loading Program established by the evidence need to be reconsidered. To discern whether "originality" exists in the work, the court should ask whether the ideas, methods of operation and facts of the program could have been expressed in any form other than that chosen by the programmer, taking into consideration the functionality, compatibility and efficiency demanded of the program.

    In presenting evidence in support of its motion for a preliminary injunction, Lexmark focused on establishing that the Toner Loading Program could have been written in other ways. Dr. Maggs, Lexmark's expert, described several possible alternatives in his declaration: (1) different constants and equations could be used; (2) a lookup table could be used in lieu of equations; (3) some measure other than torque could be used to approximate toner level (e.g., the number of pages printed); or (4) the same equations could be used in a different sequence. Maggs Decl., JA 709-10. He concluded that over 50 different programs could be written to substitute for the Toner Loading Program. Maggs Hr'g Test., JA 940.

    Dr. Goldberg, SCC's expert, acknowledged that certain changes could be made to the program, for example, by changing the sequence of elements in the program, Hr'g Test., JA 1021, or by writing the Toner Loading Program in a different programming language altogether, JA 1023. But Dr. Goldberg conceded this point only as a theoretical matter, as he concluded that functionality and efficiency considerations precluded any material changes to the Toner Loading Program. JA 1021.

    Dr. Goldberg concluded that several external constraints limit the options available in designing the Toner Loading Program. For one, the Printer Engine Program that downloads and executes the program understands only a single programming language composed of eight simple commands. JA 1018-19. For another, the program must consist of only 55 bytes because the printer downloads [540] only these particular bytes. JA 1019. Efficiency considerations and the physical realities of the printer and toner cartridge also restrict the forms that the Toner Loading Program could take. Id. As a result, Dr. Goldberg concluded, these external factors together "dictate the way that the simple toner loading program looks," and the resulting program is a "no-thought translation of the formulas to the language that the internal loading program must be written in, and [the programmer doesn't] have much choice." Id. Dr. Goldberg responded to Dr. Maggs' testimony that the Toner Loading Program could take alternative forms by noting that Dr. Maggs' proposed changes were trivial — that they did not make any "substantial difference to the nature of the program" — or that they were so inefficient and repetitive as to be "ridiculous." JA 1021. Instead, Dr. Goldberg concluded, the Toner Loading Program as it is written is the most "straightforward, efficient, natural way to express the program." Id. By contrast, Dr. Maggs' testimony did not reference any of these functional considerations discussed by Goldberg, meaning that the record fails to establish any affirmative support for the contention that Dr. Maggs' proposed alternatives satisfy the memory restrictions of the program.

    Even aside from Dr. Goldberg's testimony that the Toner Loading Program is the most efficient means of calculating toner levels, the alternatives suggested by Dr. Maggs do not appear to support the district court's initial conclusion that the program is expressive. Dr. Maggs' first and third suggestions — that different equations and values or a different means of measuring toner level altogether could have been used — do not appear to represent alternative means of expressing the ideas or methods of operations embodied in the Toner Loading Program; they appear to be different ideas or methods of operation altogether. Selection from among competing ideas or methods of operation generally does not result in copyright-protectable expression. See Bateman, 79 F.3d at 1546 n.29 ("Generally there is more than one method of operation or process that can be used to perform a particular computer program function. However, methods of operation and processes are not copyrightable."); see also Am. Dental Ass'n v. Delta Dental Plans Ass'n, 126 F.3d 977, 980 (7th Cir.1997) ("A lamp may be entirely original, but if the novel elements are also functional the lamp cannot be copyrighted."). Nor would the use of a "lookup table" appear to differ meaningfully from the use of other equations directly. Instead of executing a mathematical formula on a given input, this program merely "looks up" in a data table the output of that same formula for the given input value. Finally, Dr. Maggs' fourth suggestion — that the same equations could be reordered — does not appear to show originality because such alterations may be too trivial to support a finding of creative expression. See M.M. Bus. Forms, 472 F.2d at 1140 (holding that paraphrasing of words on legal forms does not contain the requisite originality for copyright protection).

    To the extent these alternatives suggest any originality in the Toner Loading Program, at any rate, the quantum of originality may well be de minimis and accordingly insufficient to support the validity of Lexmark's copyright in the work. See Mitel, Inc. v. Iqtel, Inc., 124 F.3d 1366, 1373-74 (10th Cir.1997) (determining that plaintiff's "arbitrary selection" of several numbers required only "de minimis creative effort" and did not "evince enough originality to distinguish authorship") (quotation omitted); cf. Sega Enters., 977 F.2d at 1524 n. [541] 7 (noting that 20-byte code is of de minimis length and therefore likely a "word" or "short phrase" that is not protected by copyright law); Murray Hill Publ'ns, Inc. v. ABC Comm'ns, Inc., 264 F.3d 622, 633 (6th Cir.2001) (noting that short movie line was "a phrase or slogan not worthy of copyright protection in its own right"). Because the district court initially looked at these issues and this evidence through the wrong frame of reference, its conclusion that the Toner Loading Program had sufficient originality to obtain copyright protection does not support the preliminary injunction. At the permanent injunction stage of this dispute, we leave it to the district court in the first instance to decide whether the Toner Loading Program has sufficient originality to warrant copyright protection.

    Third, and perhaps most significantly, the district court erred in assessing whether the Toner Loading Program functions as a lock-out code. Even if the constraints described by Dr. Goldberg — the programming language, the program size, efficiency concerns — did not dictate the content of the Toner Loading Program, the fact that it also functions as a lock-out code undermines the conclusion that Lexmark had a probability of success on its infringement claim.

    The Toner Loading Program, recall, serves as input to the checksum operation that is performed each time the printer is powered on or the printer door is opened and closed (i.e., for toner cartridge replacement). After downloading a copy of the Toner Loading Program to calculate toner levels, the Printer Engine Program runs a calculation — the checksum — using every data byte of the Toner Loading Program as input. The program then compares the result of that calculation with a "checksum value" that is located elsewhere on Lexmark's toner cartridge chip. If any single byte of the Toner Loading Program is altered, the checksum value will not match the checksum calculation result. Only if the checksum value is correspondingly changed to accommodate any alterations in the data bytes will the printer function.

    In addition to its general conclusion that external constraints on the program were not relevant, the district court concluded that the checksum operation did not operate as a strict constraint on the content of the Toner Loading Program because "SCC's identical copying of Lexmark's Toner Loading Programs went beyond that which was necessary for compatibility." D. Ct. Op. ¶ 27, at 27. According to the district court, the program could be altered rather simply, even in view of the checksum operation, because reasonable trial and error of no more than 256 different data combinations would have enabled SCC to discover and encode the correct checksum value on its chip. D. Ct. Op. ¶ 86, at 16. In reaching this conclusion, the court downplayed the significance of Dr. Goldberg's testimony regarding the importance of contextual information to the ease or difficulty of guessing the correct checksum value, saying that Dr. Goldberg called the task "extraordinarily difficult," then dismissing his testimony without further explanation. Dr. Goldberg, however, did not describe this endeavor as "extraordinarily difficult" but as "computationally impossible," Hr'g Test., JA 1012 (emphasis added) — a point that Lexmark did not then, and does not now, refute. Contrary to Judge Feikens' suggestion, moreover, Lexmark offered no evidence to show that the task of "turning off" the checksum operation altogether (without contextual information) would be any different from, or any less arduous than, the task of altering the checksum value to accommodate another program.

    [542] The difficulty of deriving the proper checksum value and the corresponding degree to which the checksum operation acts as a constraint on the content of the bytes comprising the Toner Loading Program may be an open question at the permanent injunction phase. But for purposes of the preliminary injunction, Dr. Goldberg's unchallenged testimony that it would be "computationally impossible" to modify the checksum value without contextual information suffices to establish that the checksum operation imposes a compatibility constraint in the most literal sense possible: if any single byte of the Toner Loading Program is altered, the printer will not function. On this record, pure compatibility requirements justified SCC's copying of the Toner Loading Program.

    C.

    In defense of the district court's decision, Lexmark raises several other arguments, all unavailing. First, Lexmark notes that it "creatively inserted" in the Toner Loading Program a computer code representation of its stock ticker symbol, "LXK." Lexmark Br. at 24. Lexmark describes this segment as "non-functional" because it does not translate into source code contributing to the toner-calculating program. It is not clear whether these three letters would support a finding of creative expression in the work as a whole. See Sega Enters., 977 F.2d at 1524 n. 7 (noting that Sega's 20-byte initialization code is of de minimis length and therefore likely a "word" or "short phrase" that is not protected by copyright law as described in 37 C.F.R. § 202.1(a)); see also Feist, 499 U.S. at 344, 111 S.Ct. 1282 (concluding that phone book listings are not copyrightable even though the listings contained four fictitious listings that the plaintiff included for infringement detection purposes). What is clear is that the bytes containing the "LXK" reference are functional in the sense that they, like the rest of the Toner Loading Program, also serve as input to the checksum operation and as a result amount to a lock-out code that the merger and scènes à faire doctrines preclude from obtaining protection.

    Second, Lexmark argues that if the Toner Loading Program is not copyrightable, then "most computer programs would not be copyrightable." Lexmark Br. at 17. But the slope of this decision is neither as slippery nor as steep as Lexmark suggests. Most computer programs do not simultaneously operate as a lock-out code that is "computationally impossible" to alter without input from the programmer; and most programs are not as brief as this one, see Burchette Aff. ¶ 13, JA 106 (noting that storing "Lexmark International, Inc. v. Static Control Components, Inc." in ASCII format would require more bytes of memory than the Toner Loading Program comprises); Goldberg Aff. ¶ 14, JA 575 ("The simplest programs, such as those written on the first day of [an introductory programming class], are often of a similar complexity to the Toner Loading Program.").

    In reaching this conclusion, we do not mean to say that brief computer programs are ineligible for copyright protection. Short programs may reveal high levels of creativity and may present simple, yet unique, solutions to programming quandaries. Just as a mathematician may develop an elegant proof, or an author may express ideas in a spare, simple, but creative manner, see, e.g., e.e. cummings, Selected Poems (Richard S. Kennedy ed., 1994), so a computer programmer may develop a program that is brief and eligible for protection. But unless a creative flair is shown, a very brief program is less likely to be copyrightable because it affords fewer opportunities for original [543] expression. See Nimmer § 2.01[B] (concluding that creativity and effort are reciprocally related — that the smaller the effort, the greater the creativity required to invoke copyright protection); see generally Julie E. Cohen, Reverse Engineering and the Rise of Electronic Vigilantism: Intellectual Property Implications of "Lock-Out" Programs, 68 S. Cal. L.Rev. 1091, 1139-1141 (1995) (describing how "a programmer may be efficient, in the sense of getting a task done, without being at all creative, if the most efficient way [of accomplishing the task] ... is standard within the industry"; therefore, "industry-standard, efficient routines" in computer programs are not protectable expression unless the programmer incorporates some "idiosyncratic features"); cf. 37 C.F.R. § 202.1(a) (listing "[w]ords and short phrases" as an example of "works not subject to copyright").

    Third, invoking the Federal Circuit's decision in Atari I, 975 F.2d at 840, Lexmark argues that even if the Toner Loading Program amounts to a lock-out code, it still may be eligible for protection. Lexmark Br. at 22; see also D. Ct. Op. ¶ 25, at 27 ("Security systems are just like any other computer program and are not inherently unprotectable.") (quotation omitted). In Atari I, Nintendo developed a program (known as "10NES") that blocked its game console from accepting unauthorized game cartridges. 975 F.2d at 836. Relying on this program, Nintendo sold game cartridges that generated a data stream that "unlocked" the game console, allowing it to load and run the game. Id. at 836, 840. The Federal Circuit determined that the 10NES program was copyrightable despite arguments that the program constituted unprotectable ideas rather than expression and that the merger doctrine precluded copyright protection. Id. at 840.

    The Federal Circuit's rationale for accepting copyright protection for the 10NES program does not undermine our conclusion because the 10NES program was not a "lock out" code in the same sense that the Toner Loading Program is. In Atari, the data bytes of the 10NES program did not themselves do the "unlocking" of the game console; the program, when executed, generated an arbitrary stream of data that in turn enabled the console to function. That same data stream, the court concluded, could have been produced by a number of alternative programs; for this reason, the expression contained in the computer program did not "merge" with the process. Id. ("The unique arrangement of computer program expression which generates that data stream does not merge with the process so long as alternate expressions are available. In this case, Nintendo has produced expert testimony showing a multitude of different ways to generate a data stream which unlocks the NES console.") (citation omitted); id. ("[N]o external factor dictated the bulk of the [10NES] program."). Here, by contrast, the data bytes comprising the Toner Loading Program themselves act as the input to the checksum operation that must be successfully completed for the printer to operate. None of these bytes of the program can be altered without impeding printer functionality given the compatibility requirements created by the checksum operation. See Atari III, 1993 WL 207548, at *1 (distinguishing current compatibility requirements from future ones, and excluding program code "that is strictly necessary" to comply with the former from copyright protection under the merger concept). Compatibility requirements in Atari, in short, did not preclude the possibility of substituting other programs for the 10NES, while they do here.

    [544] For like reasons, Judge Feikens is correct that a poem in the abstract could be copyrightable. But that does not mean that the poem receives copyright protection when it is used in the context of a lock-out code. Similarly, a computer program may be protectable in the abstract but not generally entitled to protection when used necessarily as a lock-out device.

    D.

    In view of our conclusion on this preliminary-injunction record that the Toner Loading Program is not copyrightable, we need not consider SCC's fair-use defense. Yet because this defense could regain relevance at the permanent injunction phase of the case (e.g., if further evidence undermines our conclusion that the program is not copyrightable), two related aspects of the district court's discussion deserve comment.

    The district court correctly outlined the four factors for determining whether SCC fairly used Lexmark's Toner Loading Program: (1) the purpose and character of the use, including whether it is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market for or value of the copyrighted work. 17 U.S.C. § 107. All of these factors except the second, the district court reasoned, counseled against a finding of fair use, and the second factor favored SCC's position only "slightly." D. Ct. Op. at 29-30. As a result, the court concluded, the fair-use defense did not apply. Id. ¶ 35, at 30-31.

    With respect to the first factor — the purpose of the use — it is true that a profit-making purpose generally militates against a finding of fair use. See Campbell, 510 U.S. at 585, 114 S.Ct. 1164. But it is not the case that any profit-making purpose weighs against fair use, as the "crux" of this factor "is not whether the sole motive of the use is monetary gain." Harper & Row, Publishers, Inc. v. Nation Enters., 471 U.S. 539, 562, 105 S.Ct. 2218, 85 L.Ed.2d 588 (1985). The question is whether "the user stands to profit from exploitation of the copyrighted material without paying the customary price." Id. (emphasis added); see also Kelly v. Arriba Soft Corp., 336 F.3d 811, 818-19 (9th Cir. 2003) (determining that commercial use did not weigh against fair use where it was "more incidental and less exploitative in nature" because the copies were used for a different purpose from the originals). In copying the Toner Loading Program into each of its SMARTEK chips, SCC was not seeking to exploit or unjustly benefit from any creative energy that Lexmark devoted to writing the program code. As in Kelly, SCC's chip uses the Toner Loading Program for a different purpose, one unrelated to copyright protection. Rather than using the Toner Loading Program to calculate toner levels, the SMARTEK chip uses the content of the Toner Loading Program's data bytes as input to the checksum operation and to permit printer functionality. Under these circumstances, it is far from clear that SCC copied the Toner Loading Program for its commercial value as a copyrighted work — at least on the preliminary-injunction record we have before us.

    With respect to the fourth factor — the effect of the use on the value of the copyrighted material — the relevant question likewise is whether the infringement impacted the market for the copyrighted work itself. See Sony Corp. of Am. v. Universal City Studios, Inc., 464 U.S. 417, 450, 104 S.Ct. 774, 78 L.Ed.2d 574 (1984) ("[A] use that has no demonstrable effect upon the potential market [545] for, or the value of, the copyrighted work need not be prohibited in order to protect the author's incentive to create."); see also Campbell, 510 U.S. at 590, 114 S.Ct. 1164 (the question is "whether `unrestricted and widespread conduct of the sort engaged in by the defendant ... would result in a substantially adverse impact on the potential market' for the original.") (quoting Nimmer § 13.05[A][4]). In Kelly, for example, the Ninth Circuit concluded that the fourth factor favored a finding of fair use because the Internet search engine's utilization of the plaintiff's copyrighted images did not harm the value or marketability of the original photos. 336 F.3d at 821-22. Here, the district court focused on the wrong market: it focused not on the value or marketability of the Toner Loading Program, but on Lexmark's market for its toner cartridges. Lexmark's market for its toner cartridges and the profitability of its Prebate program may well be diminished by the SMARTEK chip, but that is not the sort of market or value that copyright law protects. See Connectix, 203 F.3d at 607 ("Sony understandably seeks control over the market for devices that play games Sony produces or licenses. The copyright law, however, does not confer such a monopoly."). Lexmark has not introduced any evidence showing that an independent market exists for a program as elementary as its Toner Loading Program, and we doubt at any rate that the SMARTEK chip could have displaced any value in this market.

    IV.

    A.

    Enacted in 1998, the DMCA has three liability provisions. The statute first prohibits the circumvention of "a technological measure that effectively controls access to a work protected [by copyright]." 17 U.S.C. § 1201(a)(1). The statute then prohibits selling devices that circumvent access-control measures:

    No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that —

    (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a [copyrighted work];

    (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a [copyrighted work]; or

    (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a [copyrighted work].

    Id. § 1201(a)(2). The statute finally bans devices that circumvent "technological measures" protecting "a right" of the copyright owner. Id. § 1201(b). The last provision prohibits devices aimed at circumventing technological measures that allow some forms of "access" but restrict other uses of the copyrighted work, see Universal City Studios, Inc. v. Corley, 273 F.3d 429, 441 (2d Cir.2001); United States v. Elcom Ltd., 203 F.Supp.2d 1111, 1120 (N.D.Cal.2002), such as streaming media, which permits users to view or watch a copyrighted work but prevents them from downloading a permanent copy of the work, see RealNetworks, Inc. v. Streambox, Inc., No. 2:99CV02070, 2000 WL 127311, at *1-2 (W.D.Wash. Jan.18, 2000).

    The statute also contains three "reverse engineering" defenses. A person may circumvent an access control measure "for the sole purpose of identifying and analyzing those elements of the program that are [546] necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to [that person]." 17 U.S.C. § 1201(f)(1). A person "may develop and employ technological means" that are "necessary" to enable interoperability. Id. § 1201(f)(2). And these technological means may be made available to others "solely for the purpose of enabling interoperability of an independently created computer program with other programs." Id. § 1201(f)(3). All three defenses apply only when traditional copyright infringement does not occur and only when the challenged actions (in the case of the third provision) would not violate other "applicable law[s]." Id.

    In filing its complaint and in its motion for a preliminary injunction, Lexmark invoked the second liability provision — the ban on distributing devices that circumvent access-control measures placed on copyrighted works. See id. § 1201(a)(2). According to Lexmark, SCC's SMARTEK chip is a "device" marketed and sold by SCC that "circumvents" Lexmark's "technological measure" (the SHA-1 authentication sequence, not the checksum operation), which "effectively controls access" to its copyrighted works (the Toner Loading Program and Printer Engine Program). Lexmark claims that the SMARTEK chip meets all three tests for liability under § 1201(a)(2): (1) the chip "is primarily designed or produced for the purpose of circumventing" Lexmark's authentication sequence, 17 U.S.C. § 1201(a)(2)(A); (2) the chip "has only limited commercially significant purpose or use other than to circumvent" the authentication sequence, id. § 1201(a)(2)(B); and (3) SCC "market[s]" the chip "for use in circumventing" the authentication sequence, id. § 1201(a)(2)(C). The district court agreed and concluded that Lexmark had shown a likelihood of success under all three provisions.

    B.

    We initially consider Lexmark's DMCA claim concerning the Printer Engine Program, which (the parties agree) is protected by the general copyright statute. In deciding that Lexmark's authentication sequence "effectively controls access to a work protected under [the copyright provisions]," the district court relied on a definition in the DMCA saying that a measure "effectively controls access to a work" if, "in the ordinary course of operation," it "requires the application of information, or a process or treatment, with the authority of the copyright owner, to gain access to the work." 17 U.S.C. § 1201(a)(3). Because Congress did not explain what it means to "gain access to the work," the district court relied on the "ordinary, customary meaning" of "access": "the ability to enter, to obtain, or to make use of," D. Ct. Op. at 41 (quoting Merriam-Webster's Collegiate Dictionary 6 (10th ed.1999)). Based on this definition, the court concluded that "Lexmark's authentication sequence effectively `controls access' to the Printer Engine Program because it controls the consumer's ability to make use of these programs." D. Ct. Op. at 41 (emphasis added).

    We disagree. It is not Lexmark's authentication sequence that "controls access" to the Printer Engine Program. See 17 U.S.C. § 1201(a)(2). It is the purchase of a Lexmark printer that allows "access" to the program. Anyone who buys a Lexmark printer may read the literal code of the Printer Engine Program directly from the printer memory, with or without the benefit of the authentication sequence, and the data from the program may be translated into readable source code after which copies may be freely distributed. Maggs [547] Hr'g Test., JA 928. No security device, in other words, protects access to the Printer Engine Program Code and no security device accordingly must be circumvented to obtain access to that program code.

    The authentication sequence, it is true, may well block one form of "access" — the "ability to ... make use of" the Printer Engine Program by preventing the printer from functioning. But it does not block another relevant form of "access" — the "ability to [] obtain" a copy of the work or to "make use of" the literal elements of the program (its code). Because the statute refers to "control[ling] access to a work protected under this title," it does not naturally apply when the "work protected under this title" is otherwise accessible. Just as one would not say that a lock on the back door of a house "controls access" to a house whose front door does not contain a lock and just as one would not say that a lock on any door of a house "controls access" to the house after its purchaser receives the key to the lock, it does not make sense to say that this provision of the DMCA applies to otherwise-readily-accessible copyrighted works. Add to this the fact that the DMCA not only requires the technological measure to "control[] access" but also requires the measure to control that access "effectively," 17 U.S.C. § 1201(a)(2), and it seems clear that this provision does not naturally extend to a technological measure that restricts one form of access but leaves another route wide open. See also id. § 1201(a)(3) (technological measure must "require [] the application of information, or a process or a treatment ... to gain access to the work") (emphasis added). See The Chamberlain Group, Inc. v. Skylink Techs., Inc., 381 F.3d 1178, at *1183, 2004 U.S.App. LEXIS 18513, at *52 (Fed.Cir. Aug. 31, 2004) ("Chamberlain's proposed construction of the DMCA ignores the significant differences between defendants whose accused products enable copying and those, like Skylink, whose accused products enable only legitimate uses of copyrighted software.").

    Nor are we aware of any cases that have applied this provision of the DMCA to a situation where the access-control measure left the literal code or text of the computer program or data freely readable. And several cases apply the provision in what seems to us its most natural sense. See, e.g., 321 Studios v. Metro Goldwyn Mayer Studios, Inc., 307 F.Supp.2d 1085, 1095 (N.D.Cal.2004) (deciding that the "CSS" encryption program, which prevents viewing of DVD movies and copying of the data encoded on the DVD, effectively controls access to copyrighted DVD movies); Universal City Studios, Inc. v. Reimerdes, 111 F.Supp.2d 294, 318 (S.D.N.Y.2000), aff'd sub nom., Corley, 273 F.3d 429; Sony Computer Entm't Am. Inc. v. Gamemasters, 87 F.Supp.2d 976, 987 (N.D.Cal.1999) (deciding that technological measure on PlayStation game console, which prevented unauthorized games from being played, effectively controlled access to copyrighted CD-ROM video games, which the facts of the case do not describe as either encrypted or unencrypted); see also RealNetworks, 2000 WL 127311, at *3 (noting that the technological measure at issue was a "successful means of protecting against unauthorized duplication and distribution" of copyrighted digital works); Pearl Investments, LLC v. Standard I/O, Inc., 257 F.Supp.2d 326, 349-50 (D.Me.2003) (determining that plaintiff's "encrypted, password-protected virtual private network," which blocked access to data including plaintiff's copyrighted computer software, was a technological measure that effectively controlled access to that work).

    Lexmark defends the district court's contrary ruling on several grounds. [548] First, it contends that SCC waived this argument by failing to raise it in the district court. The premise of this argument remains unclear. Below, SCC indeed claimed that the DMCA by its terms did not cover its conduct. While SCC may not have anticipated the district court's specific reliance on the "to make use of" definition of "access" in its preliminary injunction ruling, the district court's ruling also does not say that SCC conceded the point. Under these circumstances, it is well within our discretion to allow SCC to explain why the district court's resolution of this purely legal question — an interpretation of a statute — is mistaken. See McFarland v. Henderson, 307 F.3d 402, 407 (6th Cir. 2002).

    Second, Lexmark counters that several cases have embraced a "to make use of" definition of "access" in applying the DMCA. While Lexmark is partially correct, these cases (and others as well) ultimately illustrate the liability line that the statute draws and in the end explain why access to the Printer Engine Program is not covered.

    In the essential setting where the DMCA applies, the copyright protection operates on two planes: in the literal code governing the work and in the visual or audio manifestation generated by the code's execution. For example, the encoded data on CDs translates into music and on DVDs into motion pictures, while the program commands in software for video games or computers translate into some other visual and audio manifestation. In the cases upon which Lexmark relies, restricting "use" of the work means restricting consumers from making use of the copyrightable expression in the work. See 321 Studios, 307 F.Supp.2d at 1095 (movies contained on DVDs protected by an encryption algorithm cannot be watched without a player that contains an access key); Reimerdes, 111 F.Supp.2d at 303 (same); Gamemasters, 87 F.Supp.2d at 981 (Sony's game console prevented operation of unauthorized video games). As shown above, the DMCA applies in these settings when the product manufacturer prevents all access to the copyrightable material and the alleged infringer responds by marketing a device that circumvents the technological measure designed to guard access to the copyrightable material.

    The copyrightable expression in the Printer Engine Program, by contrast, operates on only one plane: in the literal elements of the program, its source and object code. Unlike the code underlying video games or DVDs, "using" or executing the Printer Engine Program does not in turn create any protected expression. Instead, the program's output is purely functional: the Printer Engine Program "controls a number of operations" in the Lexmark printer such as "paper feed[,] paper movement[,] [and] motor control." Lexmark Br. at 9; cf. Lotus Dev., 49 F.3d at 815 (determining that menu command hierarchy is an "uncopyrightable method of operation"). And unlike the code underlying video games or DVDs, no encryption or other technological measure prevents access to the Printer Engine Program. Presumably, it is precisely because the Printer Engine Program is not a conduit to protectable expression that explains why Lexmark (or any other printer company) would not block access to the computer software that makes the printer work. Because Lexmark's authentication sequence does not restrict access to this literal code, the DMCA does not apply.

    Lexmark next argues that access-control measures may "effectively control access" to a copyrighted work within the meaning of the DMCA even though the measure may be evaded by an "`enterprising [549] end-user.'" Lexmark Br. at 46 (quoting RealNetworks, 2000 WL 127311, at *9). Doubtless, Lexmark is correct that a precondition for DMCA liability is not the creation of an impervious shield to the copyrighted work. See RealNetworks, 2000 WL 127311, at *9; Reimerdes, 111 F.Supp.2d at 317-18 (rejecting argument that an encryption measure does not "effectively control access" because it is only a "weak cipher"); see also 17 U.S.C. § 1201(a)(3). Otherwise, the DMCA would apply only when it is not needed.

    But our reasoning does not turn on the degree to which a measure controls access to a work. It turns on the textual requirement that the challenged circumvention device must indeed circumvent something, which did not happen with the Printer Engine Program. Because Lexmark has not directed any of its security efforts, through its authentication sequence or otherwise, to ensuring that its copyrighted work (the Printer Engine Program) cannot be read and copied, it cannot lay claim to having put in place a "technological measure that effectively controls access to a work protected under [the copyright statute]." 17 U.S.C. § 1201(a)(2)(B).

    Nor can Lexmark tenably claim that this reading of the statute fails to respect Congress's purpose in enacting it. Congress enacted the DMCA to implement the Copyright Treaty of the World Intellectual Property Organization, and in doing so expressed concerns about the threat of "massive piracy" of digital works due to "the ease with which [they] can be copied and distributed worldwide virtually instantaneously." S.Rep. No. 105-190, at 8 (1998). As Congress saw it, "copyrighted works will most likely be encrypted and made available to consumers once payment is made for access to a copy of the work. [People] will try to profit from the works of others by decoding the encrypted codes protecting copyrighted works, or engaging in the business of providing devices or services to enable others to do so." H.R.Rep. No. 105-551, pt. 1, at 10. Backing with legal sanctions "the efforts of copyright owners to protect their works from piracy behind digital walls such as encryption codes or password protections," Corley, 273 F.3d at 435, Congress noted, would encourage copyright owners to make digital works more readily available, see S.Rep. No. 105-190, at 8. See also Nimmer § 12A.02[B][1].

    Nowhere in its deliberations over the DMCA did Congress express an interest in creating liability for the circumvention of technological measures designed to prevent consumers from using consumer goods while leaving the copyrightable content of a work unprotected. In fact, Congress added the interoperability provision in part to ensure that the DMCA would not diminish the benefit to consumers of interoperable devices "in the consumer electronics environment." 144 Cong. Rec. E2136 (daily ed. Oct. 13, 1998) (remarks of Rep. Bliley). See generally Anti-Circumvention Rulemaking Hearing, at 44-56, at http://www.copyright.gov/1201/2003/hearings/transcript-may9.pdf (testimony of Professor Jane Ginsburg) (Section 1201(a) does not "cover[] the circumvention of a technological measure that controls access to a work not protected under [the Copyright] title. And if we're talking about ball point pen cartridges, printer cartridges, garage doors and so forth, we're talking about works not protected under this title.").

    C.

    In view of our conclusion regarding the Printer Engine Program, we can dispose quickly of Lexmark's DMCA claim regarding the Toner Loading Program. The SCC chip does not provide [550] "access" to the Toner Loading Program but replaces the program. And to the extent a copy of the Toner Loading Program appears on the Printer Engine Program, Lexmark fails to overcome the same problem that undermines its DMCA claim with respect to the Printer Engine Program: Namely, it is not the SCC chip that permits access to the Printer Engine Program but the consumer's purchase of the printer. One other point deserves mention. All three liability provisions of this section of the DMCA require the claimant to show that the "technological measure" at issue "controls access to a work protected under this title," see 17 U.S.C. § 1201(a)(2)(A)-(C), which is to say a work protected under the general copyright statute, id. § 102(a). To the extent the Toner Loading Program is not a "work protected under [the copyright statute]," which the district court will consider on remand, the DMCA necessarily would not protect it.

    D.

    The district court also rejected SCC's interoperability defense — that its replication of the Toner Loading Program data is a "technological means" that SCC may make "available to others" "solely for the purpose of enabling interoperability of an independently created computer program with other programs." 17 U.S.C. § 1201(f)(3). In rejecting this defense, the district court said that "SCC's SMARTEK microchips cannot be considered independently created computer programs. [They] serve no legitimate purpose other than to circumvent Lexmark's authentication sequence and ... cannot qualify as independently created when they contain exact copies of Lexmark's Toner Loading Programs." D. Ct. Op. ¶ 94, at 47.

    Because the issue could become relevant at the permanent injunction stage of this dispute, we briefly explain our disagreement with this conclusion. In particular, the court did not explain why it rejected SCC's testimony that the SMARTEK chips do contain other functional computer programs beyond the copied Toner Loading Program data. The affidavit of Lynn Burchette, an SCC manager, states that "[the SMARTEK] chip has a microprocessor, with software routines we developed that control its operation and function. Our chip supports additional functionality performed by our software beyond that of [the chip on Lexmark's toner cartridges]." JA 103. And Dr. Goldberg testified that "Static Control has written a substantial amount of software for managing this chip; for not only providing the int[er]operability features, but also for managing the additional functionality that the [chip manufacturer] provides and which the remanufacturers may want." JA 1023.

    Instead of showing why these statements are wrong, Lexmark contends that this is not "credible evidence" that "independently created computer programs" exist on the SMARTEK chip. Yet Lexmark bears the burden of establishing its likelihood of success on the merits of the DMCA claims. See Leary v. Daeschner, 228 F.3d 729, 739 (6th Cir.2000). Because Lexmark has offered no reason why the testimony of SCC's experts is not "credible evidence" on this point and has offered no evidence of its own to dispute or even overcome the statements of Burchette and Goldberg, SCC also has satisfied the "independently created computer programs" requirement and may benefit from the interoperability defense, at least in the preliminary injunction context.

    Lexmark argues alternatively that if independently created programs do exist, (1) they must have existed prior to the "reverse engineering" of Lexmark's Toner Loading Program, and (2) the technological [551] means must be "necessary or absolutely needed" to enable interoperability of SCC's SMARTEK chip with Lexmark's Printer Engine Program. As to the first argument, nothing in the statute precludes simultaneous creation of an interoperability device and another computer program; it just must be "independently" created. As to the second argument, the statute is silent about the degree to which the "technological means" must be necessary, if indeed they must be necessary at all, for interoperability. The Toner Loading Program copy satisfies any such requirement, however, because without that program the checksum operation precludes operation of the printer (and, accordingly, operation of the Printer Engine Program), unless the checksum value located elsewhere on the chip is modified — which appears to be a computational impossibility without the contextual information that Lexmark does not disclose. See supra.

    Also unavailing is Lexmark's final argument that the interoperability defense in § 1201(f)(3) does not apply because distributing the SMARTEK chip constitutes infringement and violates other "applicable law" (including tortious interference with prospective economic relations or contractual relations). Because the chip contains only a copy of the thus-far unprotected Toner Loading Program and does not contain a copy of the Printer Engine Program, infringement is not an issue. And Lexmark has offered no independent, let alone persuasive, reason why SCC's SMARTEK chip violates any state tort or other state law.

    V.

    Because Lexmark failed to establish a likelihood of success on any of its claims, whether under the general copyright statute or under the DMCA, we vacate the district court's preliminary injunction and remand the case for further proceedings consistent with this opinion.

    MERRITT, Circuit Judge, concurring.

    I agree with the Court's opinion as far as it goes; but, on the record now before us, I would go further in limiting the scope of the remand. As the Court explains, the Toner Loading Program is not copyrightable because of the merger and scenes a faire doctrines, and even if it were copyrightable SCC's use of the program in this case appears to fall under the fair use exception. Its purpose, though commercial in nature, was only to sell cartridges that could be used by Lexmark printers rather than to profit by infringing any Lexmark copyright. The fact that the Toner Loading Program is not copyrightable defeats both Lexmark's direct claim to copyright infringement and its DMCA claim based on the Toner Loading Program (because the DMCA only prevents the circumvention of measures that protect copyright-protected works). And I agree that Lexmark's DMCA claim based on the clearly copyright-protected Printer Engine Program fails because the authentication sequence does not, and is not intended to, "effectively control[] access" to the Printer Engine Program.

    I write separately to emphasize that our holding should not be limited to the narrow facts surrounding either the Toner Loading Program or the Printer Engine Program. We should make clear that in the future companies like Lexmark cannot use the DMCA in conjunction with copyright law to create monopolies of manufactured goods for themselves just by tweaking the facts of this case: by, for example, creating a Toner Loading Program that is more complex and "creative" than the one here, or by cutting off other access to the Printer Engine Program. The crucial point is that the DMCA forbids anyone [552] from trafficking in any technology that "is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a [protected] work." 17 U.S.C. § 1201(2)(A) (emphasis added). The key question is the "purpose" of the circumvention technology. The microchip in SCC's toner cartridges is intended not to reap any benefit from the Toner Loading Program — SCC's microchip is not designed to measure toner levels — but only for the purpose of making SCC's competing toner cartridges work with printers manufactured by Lexmark.

    By contrast, Lexmark would have us read this statute in such a way that any time a manufacturer intentionally circumvents any technological measure and accesses a protected work it necessarily violates the statute regardless of its "purpose." Such a reading would ignore the precise language — "for the purpose of" — as well as the main point of the DMCA — to prohibit the pirating of copyright-protected works such as movies, music, and computer programs. If we were to adopt Lexmark's reading of the statute, manufacturers could potentially create monopolies for replacement parts simply by using similar, but more creative, lock-out codes. Automobile manufacturers, for example, could control the entire market of replacement parts for their vehicles by including lock-out chips. Congress did not intend to allow the DMCA to be used offensively in this manner, but rather only sought to reach those who circumvented protective measures "for the purpose" of pirating works protected by the copyright statute. Unless a plaintiff can show that a defendant circumvented protective measures for such a purpose, its claim should not be allowed to go forward. If Lexmark wishes to utilize DMCA protections for (allegedly) copyrightable works, it should not use such works to prevent competing cartridges from working with its printer.

    Reading the DMCA in pari materia with the rest of the copyright code supports this interpretation. The DMCA should be used as part of the copyright code as it applies to computer software codes and other digital media. To this extent, the specific "purpose" language of the DMCA modifies the more abstract language of the previous copyright law. As the Court explains, the fair use exception in copyright law explicitly looks to the purpose of the one making the copy in determining whether or not such copying violates the statute, and the DMCA itself contains a reverse engineering exception that also demonstrates Congress's aim merely to prevent piracy. I agree with the Court that both exceptions apply to SCC's actions in this case. But we should be wary of shifting the burden to a rival manufacturer to demonstrate that its conduct falls under such an exception in cases where there is no indication that it has any intention of pirating a protected work. See, e.g., Lawrence Lessig, Free Culture 187 (2004) (noting the danger that "in America fair use simply means the right to hire a lawyer to defend your right to create"). A monopolist could enforce its will against a smaller rival simply because the potential cost of extended litigation and discovery where the burden of proof shifts to the defendant is itself a deterrent to innovation and competition. Misreading the statute to shift the burden in this way could allow powerful manufacturers in practice to create monopolies where they are not in principle supported by law. Instead, a better reading of the statute is that it requires plaintiffs as part of their burden of pleading and persuasion to show a purpose to pirate on the part of defendants. Only then need the defendants invoke the [553] statutory exceptions, such as the reverse engineering exception. In this case, even if the Toner Loading Program were protected by copyright, and even if the access to the Printer Engine Program were "effectively" controlled, there has been no showing that SCC circumvented the authentication sequence for the purpose of accessing these programs. Indeed, the proof so far shows that SCC had no interest in those programs other than ensuring that their own cartridges would work with Lexmark's printers.

    Finally, this reading of the DMCA is also supported by the provision in the Constitution that grants Congress the power to regulate copyright. Article I, section 8, of the Constitution gives Congress the power to regulate copyright in order to "promote the Progress of Science and useful Arts." U.S. Const. art. I, § 8, cl. 8. Congress gives authors and programmers exclusive rights to their expressive works (for a limited time) so that they will have an incentive to create works that promote progress. Lexmark's reading of the extent of these rights, however, would clearly stifle rather than promote progress. It would allow authors exclusive control over not only their own expression, but also over whatever functional use they can make of that expression in manufactured goods. Giving authors monopolies over manufactured goods as well as over their creative expressions will clearly not "promote the Progress of Science and the useful Arts," but rather would stifle progress by stamping out competition from manufacturers who may be able to design better or less expensive replacement parts like toner cartridges.

    For these additional reasons, I concur in the Court's opinion reversing the judgment of the district court. On remand the first question should be whether Lexmark can show the requisite "primary purpose" to pirate a copyrighted work rather than to ensure that their own cartridges work with Lexmark's printer. If not, its case against SCC should be dismissed.

    FEIKENS, District Judge, Concurring in part and Dissenting in part.

    I begin this opinion by noting that my colleagues and I agree on a number of points regarding this case. We agree that this opinion does not foreclose any outcome on the case in chief; instead, its decisions are limited to the grant of the preliminary injunction below. We also agree that Plaintiff Lexmark failed to demonstrate a likelihood of success on the merits of success on the third count, which deals with the Printer Engine Program (PEP) (although I write to explain my own reasoning as to why that is, I also agree with the reasoning of my colleagues). We agree that the Digital Millennium Copyright Act (DMCA) was not intended by Congress to be used to create a monopoly in the secondary markets for parts or components of products that consumers have already purchased. Finally, we agree on the outcome of the second count, although we come to that conclusion for different reasons.

    For the reasons explained below, however, I dissent as to the majority's decision on the first count, regarding the copyrightability and infringement of the Toner Loading Program (TLP).

    I. Count One

    The first count before us deals with the question of whether the Toner Loading Program (TLP) at issue here is copyrightable. My colleagues give three reasons for their findings: first, that the TLP is not sufficiently original to qualify for copyright protection; second, that the district court erroneously failed to apply the doctrines of merger and scènes à faire to the copyrightability [554] question; and third, the district court erred in assessing whether the TLP functions as a lock-out code.

    I feel that the record could support a finding that there was enough original expression in the TLP to qualify it for copyright protection. Second, although I agree that the district court erred in its factual findings supporting the conclusion that the TLP was not functioning as a lock-out code, I feel the record offers support for the proposition that it is possible and practical for competitors to make toner cartridges that function with the printer without copying the Toner Loading Program, and therefore, I would remand that issue to the district court to make a determination in the first instance. Third, although I agree with my colleagues that the district court erred in applying the law of the doctrine of merger and scènes à faire, I would apply the doctrines in this case differently.

    A. Whether the TLP Contains Original Expression

    I agree with my colleagues that in discerning whether a work is "original" as required by 17 U.S.C. § 102(a), and not unprotectable under 17 U.S.C. § 102(b), the court should ask whether the ideas, methods of operation, and facts of the program could have been expressed in any form other than that chosen by the programmer, taking into consideration the functionality, compatibility, and efficiency demanded of the program. However, I part ways on the question of whether the record could support the district court's initial finding that the TLP was sufficiently original to be copyrightable.

    My colleagues rely on testimony from Defendant's expert Goldberg, who concluded that external factors dictated the way the TLP was written and that the proposals for alternative ways of writing the TLP offered by Plaintiff's expert Maggs were inefficient and repetitive. My colleagues find both that a lookup table does not "differ meaningfully" from the use of equations and that as a matter of law, the equations that were used in the TLP, alternative equations, and a lookup table are "different ideas or methods of operation altogether". I am at a loss to understand how two things that do not differ meaningfully are altogether different. I would hold that each of these alternatives are different expressions of the same idea (monitoring and reporting on toner levels). I would also find that there is factual support in the record for the proposition that there are a variety of expressions that are practical options given the external factors that constrain the program. Nothing in the record suggests that a look up table could not be expressed in the limited number of bytes or the requisite computer language. In fact, given that sample code was provided for alternatives, in my mind, I think it is entirely possible that the district court could conclude, based on this record, that a TLP using (for instance) a lookup table could be written efficiently and practically. Therefore, I would uphold the district court's decision on originality, or at most, remand the case for the district court to reconsider its decision on originality and make more specific factual findings to support its preliminary injunction.

    B. Whether the TLP Is a Lock-Out Code

    My colleagues and I agree that the district court's finding of fact # 79 is inadequate to support the conclusion the district court drew about the practical possibility or impossibility of using the printer without copying the TLP verbatim.[2] (If verbatim [555] copying was necessary, then the TLP essentially acted as a "password" or a lock-out code.) However, while my colleagues see the record as supporting only the finding of impossibility, I find the record decidedly mixed on the issue.

    There are three ways to make a chip that achieves compatibility between a refilled Prebate cartridge and the printers at issue: (1) copy Lexmark's chip (and therefore the TLP) verbatim; (2) replace the TLP with a different program and change the checksum value accordingly; or (3) turn the entire TLP sequence "off" with the flip of a single bit. Here, Defendant chose the first option. My colleagues rely on Dr. Goldberg's testimony that the second method is "computationally impossible", and though I do not agree that the record is unchallenged on this point,[3] I agree that the record leans strongly toward impossibility as a practical matter. However, I depart from the opinion of my colleagues sharply when I consider the third option.

    As I explain below, I believe the record offers strong evidence that the third option is possible, even without contextual information as to the location of the "off" switch. Therefore, although my colleagues appear to believe that the checksum operation must conclude successfully for the printer to operate, I do not believe the record supports this finding. I believe there is uncontroverted evidence in the record that it is possible to manufacture a chip that never triggers the checksum sequence, and the printer can still operate — in fact, this is exactly what occurs with the non-Prebate cartridges. Further, I believe that the record offers evidence that it was unnecessary for Defendant to copy the TLP to make the cartridge compatible with the printer, even with no contextual information about the location or existence of the "off switch", and would remand to the district court to make new factual findings and determine that question for itself.

    Lexmark offered evidence that the third option was possible. In the testimony of Maggs, when the questioning turned to the third option of turning the entire TLP process off with the flip of a single bit, he said it would take "a few days or a few weeks maybe" of trial and error to find the bit that turned off the TLP process. JA 0953 — 4. When asked about the one-bit off switch, Goldberg only stated that he did not know it existed, because Defendants could not determine what the bit did. JA 1030. However, Goldberg stated previously that Defendant ran a very similar test as part of its attempt at reverse engineering, [556] in which it flipped one of every eight bits in the TLP. JA 0575.

    My colleagues argue that Lexmark has introduced no evidence that option three, finding the off switch, was "less arduous" than option two, finding a working checksum. This is simply false. Lexmark's expert testified that it would take a "few days or a few weeks" to reverse engineer the one-bit "off switch" by "brute force," assuming you did not know where the "off switch" was. JA 0954. Given this testimony, I think it is improper for my colleagues to decide that reverse engineering a working chip was impossible, instead of remanding this question to the district court.

    However, even without Maggs' testimony, I think it is evident from this record that option three is considerably less arduous than option two. The undisputed evidence in the record about the chip's design offers more than enough evidence for a court to find that option three is vastly easier than option two.

    The record states that the off switch works regardless of what the values of all other bits on the chip are. JA 0708. Therefore, the maximum number of tests that must be run to find the off switch can be represented as two times the number of bits that might be the off switch (since there are only two values of each bit, 0 and 1). In contrast, the checksum's operation is relative to the values of other bits on the chip. In other words, in contrast to the off switch, a working checksum value depends on the position of 55 other bytes,[4] or 440 other bits. JA 0706. This means that no bit can be tested independently, and instead, the tester must search for a "match" between a particular setting of the TLP bytes and the checksum value. Thus, even though there is clearly more than one way to set all the bits to have the chip function, basic principles of mathematics tell us that the number of tests that must be done to find a working checksum and arrangement of bits rises exponentially[5] in comparison to the test for single, independently-functioning off switch. Therefore, I think this record amply supports the proposition that it is much simpler to find the off switch than it is to find a working checksum.

    The record with regard to what I describe as the third option, reverse-engineering the off switch for the TLP process, could reasonably support the finding that it is possible to find that switch without contextual information, and hence to reverse-engineer a working chip even without a memory map or other contextual information. The factual determination of whether such reverse engineering is possible in turn decides the factual question of whether or not the TLP is a lock-out code. This factual finding significantly impacts any decision about the use of the merger doctrine as a defense to infringement by Defendant, and therefore the likelihood of success on the merits by Plaintiff. Because of the importance of the question, and the insufficiency of the factual findings made by the district court on this question, I would remand to the district court for it to make that finding in the first instance.

    C. Doctrines of Merger and Scènes à Faire

    1. Merger

    I believe my colleagues offer a good description of the law of merger, and I will not restate that law here. However, there is one aspect of merger my colleagues do not decide that I believe is important to [557] this case: a Circuit split regarding the law of merger.

    Simply put, there is some disagreement about whether the merger doctrine acts as a bar to copyrightability, or simply as a defense to particular types of infringement. See Nimmer 13.03[B][3]; Mason v. Montgomery Data, Inc., 967 F.2d 135, 138, fn. 5 (5th Cir.1992); Kregos v. Associated Press, 937 F.2d 700, 705 (2nd Cir.1991). The Sixth Circuit has not previously taken a position on this question. The Second and Ninth Circuits have taken the position that merger operates only as a defense to infringement. Kregos v. Associated Press, 937 F.2d 700, 705 (2d Cir.1991); Ets-Hokin v. Skyy Spirits, Inc., 225 F.3d 1068, 1082 (9th Cir.2000). The Fifth Circuit holds that merger determines copyrightability. Mason, 967 F.2d 135, 138, fn. 5.

    As I read the majority's opinion, my colleagues have declined to take a position on this split, but I would do so, because of the importance of this decision to the DMCA count. As I discuss later in my analysis of Count II, the DMCA only protects works that are protected by Title 17 of the U.S.Code or in which the copyright owner has a right under Title 17. 17 U.S.C. 1201(a)(1)(A); 17 U.S.C. 1201(b)(A). Therefore, if the doctrine of merger is applied at the copyrightability stage, and merger is found to have occurred, Plaintiff will have failed to state a claim on which relief can be granted under the DMCA. However, if the doctrine of merger is applied at the infringement stage, then even if merger is found to have occurred, some analysis of the DMCA's scope of protection of the TLP is in order. Therefore, in my view, it is essential to decide whether merger of a work with a method of operation determines the initial question of copyrightability of the work, or operates only as a defense to infringement.

    Although I would exercise judicial economy and limit the holding to the case of merger with a method of operation (which is the question I believe this case presents[6]), for the reasons below, I would find the merger doctrine can operate only as a defense to infringement in that context, and as such has no bearing on the question of copyrightability.[7]

    The Copyright Act denies copyright protection to, among other things, methods of operation. 17 U.S.C. § 102(b). However, an otherwise copyrightable text can be used as a method of operation of a computer — for instance, an original, copyrightable poem could be used as a password, or a computer program as a lock-out code. In my view, therefore, it is necessary to know what the potential infringer is doing with the material in order to know if merger has occurred. In other words, if I use my own copyrighted poem as a password or lock-out code, an individual who published the poem as part of a book could not escape a finding of liability for infringement. The rationale for the merger doctrine is that without it, certain ideas or methods of operation would be removed from the public realm because all ways of expressing them would be copyrighted. When a poem or program is used as a lock-out code, it is being used as a step in a method of operation of the thing it is locking. Therefore, to protect a work from copying when it is used as a password [558] would be to prevent the public from using a method of operation.

    Under this reasoning, an individual who copied a poem solely to use as a password would not have infringed the copyright, because in that scenario, the alleged infringer would have the defense that the poem has "merged" with a method of operation (the password). By contrast, someone who copied the poem for expressive purposes (for instance, as part of a book of poetry) would not have this defense. For these reasons, I would hold that in cases where the merger is with a method of operation, the merger doctrine should be applied as a defense to infringement only, and not as informing the question of copyrightability of the work itself.

    Applying that reasoning to this case, the TLP can remain copyrightable as a computer program, and therefore retain some of the protections of copyright law, even if it is a lock-out code. Defendant can still avoid infringement, however, if it uses the TLP only as a method of operation. For instance, Defendant can only claim this defense to infringement if it uses the TLP to interface with the Lexmark printers at issue, and if it is a necessary method of operation of the machine. It would not be able to assert the same merger defense to infringement if it manufactured its own printers and inserted the copied TLP as part of its own Printer Loading Program, even if it originally copied the TLP for the purpose of interfacing with Lexmark printers. Importantly, as this case is concerned, Defendant could not successfully assert this defense if (as a practical matter and not as a theoretical question) the printer could be operated without copying the TLP. In my view, any finding of merger with a method of operation in this case would act as a defense to infringement, but leave the TLP potentially copyrightable (and therefore allow it to qualify for the additional protections of the DMCA).

    I support a remand on the question of whether or not the TLP is operating as a lock-out code on the chips in question. Therefore, I would also remand the question of whether the TLP has merged with a method of operation in Defendant's SMARTEK chip, because the two questions are essentially equivalent.

    2. Scènes à Faire

    In computer programs, the scènes à faire doctrine has been restated as a determination of whether external constraints on the size and content of a program, and standard programming practices, are so deterministic of the content of program that the contents of the program are analogous to the "stock scenes" of literature. Gates Rubber Co. v. Bando Chem. Indus., Ltd., 9 F.3d 823, 838 (10th Cir.1993). Courts have recognized that a rare work may be entirely made up of scènes à faire, but many works will be a combination of scènes à faire and more original elements. See, e.g., Reed-Union Corp. v. Turtle Wax, Inc., 77 F.3d 909, 914 (7th Cir.1996).

    As I read it, Defendant's argument is essentially that because the equations involved in the TLP are standard and their arrangement involved no creativity, the program was one of those rare works that is entirely made up of scènes à faire and the arrangement of those non-copyrightable elements is not creative enough to allow the work any protections of copyright. The record is undisputed on the point that there are elements of the program (some code that translates to LMX) that do not play a functional role and appear to be installed for the purpose of proving verbatim copying in an action like this one. I think it is unquestionable that these elements are not scènes à faire, and they were copied. Thus, I believe that [559] regardless of any other finding, there is a likelihood that some portion of the work would not be classified scènes à faire. However, because it is not clear whether that portion alone would be creative enough to merit copyright, I will discuss the scènes à faire doctrine's application to this case, as I see it.

    I believe Feist stands for the proposition that a creative enough arrangement of otherwise uncopyrightable elements would in fact be copyrightable. Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, 111 S.Ct. 1282, 113 L.Ed.2d 358 (1991). In that situation, a wholesale copying of the program (such as we have in this case) might still constitute infringement, even though the program is entirely made up of scènes à faire, because the copyrightable arrangement would be copied. In addition, a program (like the one before us) may be a blend of scènes à faire and material that is not dictated by norms or constraints, and in my mind, copying either a substantial part of an original arrangement or copying enough of the non-scènes à faire elements would still constitute infringement.

    Finally, there is a Circuit split regarding the stage at which to apply the scènes à faire doctrine that parallels the split as to the merger doctrine. 4 Nimmer § 13.03[B][4], at 13-76 — 7 n. 180.1; Reed-Union Corp. v. Turtle Wax, Inc., 77 F.3d 909, 914 (7th Cir.1996) (holding the doctrine of scènes à faire is separate from the doctrine regarding the validity of a copyright); Ets-Hokin v. Skyy Spirits, Inc., 225 F.3d 1068, 1082 (9th Cir.2000) (recognizing the split and citing Reed-Union favorably on this question); Taylor Corp. v. Four Seasons Greetings LLC, 315 F.3d 1039, 1042-3 (8th Cir.2003) (finding that the scènes à faire doctrine determined whether substantial similarity existed); Hoehling v. Universal City Studios, Inc., 618 F.2d 972 (2nd Cir.1980), cert. denied, 449 U.S. 841, 101 S.Ct. 121, 66 L.Ed.2d 49 (1980) (holding that scènes à faire are not copyrightable). The Sixth Circuit has not explicitly taken a position on this split, although in a case regarding "stock scenes" in a movie decided after this case was argued, the Sixth Circuit held that scènes à faire are "too general to qualify for copyright protection" and applied the doctrine before considering substantial similarity. Stromback v. New Line Cinema, 384 F.3d 283, 296 (6th Cir.2004). The district court took the position that the scènes à faire doctrine should be applied as a defense to infringement, and therefore, on that position alone, this case would require remand for consideration in light of Stromback, 384 F.3d at 304-05. My colleagues take the position that Stromback did, namely that the scènes à faire doctrine determines copyrightability.

    Clearly, this panel is bound to follow the decision in Stromback. However, I believe that Stromback can and should be distinguished in the area of computer programming. The doctrine of scènes à faire has been expanded in the area of computing beyond the traditional literary "stock scenes" to include those elements that are dictated by external constraints. Gates Rubber Co. v. Bando Chem. Indus., Ltd., 9 F.3d 823, 838 (10th Cir.1993). Therefore, in this area, application of the scènes à faire doctrine does require some understanding of how the element is being used: as I read the case law, if an otherwise copyrightable arrangement was dictated by external constraints, it would classified as scènes à faire. However, if external constraints, norms, etc. did not dictate a particular arrangement in a defendant's work, but a defendant copied a particular arrangement anyway, it is not clear to me that the case law would still classify that same arrangement as scènes à faire — instead, the work might qualify for some [560] protection from infringement. Thus, I think when applying the extension of the scènes à faire doctrine for computer programs, the district court's rule is superior because it is necessary to understand the circumstances of the copying in order to know whether or not the scènes à faire doctrine applies. Therefore, I would distinguish Stromback and take the other side of the Circuit split for cases regarding the application of the scènes à faire doctrine, when its extension regarding external constraints for computer programs is at issue.

    D. Fair Use

    I agree with my colleagues that the question in the first element of the fair use defense is "whether the user stands to profit from exploitation of the copyrighted material without paying the customary price." Harper & Row, Publishers, Inc. v. Nation Enters., 471 U.S. 539, 562, 105 S.Ct. 2218, 85 L.Ed.2d 588 (1985) (emphasis added). I part ways with my colleagues, however, in their application of that doctrine here.

    Here, we have the curious situation that Defendant says it did not know the TLP existed, while arguing that the use is fair. Thus, while Defendant undoubtedly had the purpose of selling exact copies of the Lexmark chip (which contained the TLP) "for private commercial gain" (which weighs against a fair use defense), it apparently did not have the purpose of selling the TLP itself (although it did so).

    Harper & Row does say that the defendant's use in that case "had not merely the incidental effect but the intended purpose of supplanting the copyright holder's commercially valuable right." Id. at 562, 105 S.Ct. 2218 (emphasis in original). Thus, I believe, my colleagues read the case to say that Plaintiff, in order to prove a likelihood of success, must show that the user intended to benefit from the copying of the TLP, and not simply intended to benefit from the sale of an exact copy of the Lexmark chip that happened to contain the TLP.

    Here, I part ways. I think that Defendant had the intended purpose of making money from an exact copy of Plaintiff's chip. I do not think that this prong can or should be transformed into a prong weighing in favor of "fair use" because Plaintiff's alleged violation of copyright protections was done unknowingly.[8] The Court in Harper & Row said it could not "ignore [the defendant's] stated purpose of first publication." Id. Likewise, I think we should not ignore that this Defendant knew it was making an exact copy of a computer chip, and it did so in order to benefit commercially from whatever content was on the chip. In other words, Defendant copied that chip for the purpose of gaining whatever commercial value such a chip had. Therefore, this factor is at best neutralized by the fact that Defendant did not know that the commercial value was potentially partly derived from copyright rights, and this factor therefore should not weigh against Lexmark.[9]

    [561] With respect to the fourth factor, which involves the effect Defendant's use had on the value of the copyrighted material, I disagree with my colleagues on the question of whether Plaintiff was required to introduce evidence of the independent market for TLPs, or if evidence that the market for the cartridges was impacted was enough. I agree that the Supreme Court instructs us that "[a] use that has no demonstrable effect upon the potential market for, or the value of, the copyrighted work need not be prohibited[...]." Sony Corp. of Am. v. Universal City Studios, Inc., 464 U.S. 417, 450, 104 S.Ct. 774, 78 L.Ed.2d 574 (1984). My difference with my colleagues emerges from my belief that the words "or value of" suggest that in situations in which the market for the work itself does not necessarily represent the value of the work, the value of the work is what a court should consider. I believe the value of the TLP is represented by the market for toner cartridges, and therefore, it is not necessary for Plaintiff to introduce evidence about the TLP market in order to demonstrate a likelihood of success on this factor. In other words, the potential commercial benefit from copying the TLP accrues because the TLP on the chip at issue adds functionality to the toner cartridge, which in turn may enhance the market for the cartridge itself.

    I think the district court could easily find that a toner cartridge that accurately tells a user when the toner is running low is more valuable than one that does not. More specifically, unlike my colleagues, I think the market for SCC's cartridges containing the SMARTEK chip might have been impacted negatively if the printer inaccurately reported toner levels when using an SCC cartridge. Therefore, as I see it, the TLP on the chip increased the value of Defendant's toner cartridge if the TLP Defendant copied is better able to report on toner consumption than a chip without the TLP would be. If no TLP was on the chip, the printer would use the default TLP code in the Printer Engine Program to warn users of low toner levels. However, there is no evidence in the record that speaks to whether the default TLP that comes with the printer would be able to accurately report the amount of toner in a Prebate cartridge, or whether it would misreport the level of toner to the user. Thus, there is no evidence in the record one way or another regarding whether Defendant's cartridge is more valuable because the cartridge contains the TLP than it would be if the cartridge did not.

    In conclusion, I think the market for these cartridges may very well be impacted by the ability of the toner cartridges to make an accurate report of toner levels. I do not believe Lexmark needs to introduce evidence showing that an independent market exists for the TLP — I think the court can assume an impact to the primary market for the re-filled cartridges, provided that the copied TLP lent additional functionality to the cartridge. Therefore, because the benefit (or lack thereof) gained from copying the TLP on the chip instead of using the printer's default TLP is necessary to deciding the fair use question, and because the record is silent on this point, I would remand to the district court to gather the evidence necessary to make this determination and reconsider its findings on fair use in light of that additional evidence.

    [562] II. Count Two

    As discussed under Count I, the DMCA only offers its additional protections to those works that are already protected by Title 17 of the U.S.Code or those works in which the copyright owner has a protected right under Title 17. 17 U.S.C. 1201(a)(2)(A); 17 U.S.C. 1201(b)(A). Because I believe that this record does not allow the elimination of copyrightability on the grounds of originality, merger, or scènes à faire, I believe some analysis of the DMCA claim regarding the TLP is necessary. However, I note that the DMCA explicitly leaves the defenses to copyright infringement, including the fair use doctrine, unaltered. 17 U.S.C. § 1201(c). Therefore, if the district court on remand were to find that the merger, scènes à faire, or fair use doctrine supplied an adequate defense to infringement, given the copying that went on in this case, I do not believe Plaintiff could meet its burden to show likelihood of success under 17 U.S.C. § 1201(b), because there would be no "right of a copyright owner" to prevent the TLP's use in this fashion.

    I believe Plaintiff also failed to meet its burden under both 1201(a) and 1201(b), however, because it failed to present evidence that the chip was primarily designed or produced for the purpose of accessing the TLP.

    Interestingly, unlike traditional copyright law, there is an element of scienter present in the DMCA: in order to be a violation of the Act, any technology that is marketed must have been "primarily designed or produced for the purpose of circumventing" a technological measure or other protection of a work (or a portion of the work) protected under Title 17. 17 U.S.C. 1201(a)(2)(A); 17 U.S.C. 1201(b)(A). Here, I think the evidence before the trial court was overwhelming on the point that while Defendant "primarily designed" the chip to circumvent any protections of the Printer Engine Program, the chip was not "primarily designed or produced for the purpose of" circumventing protections for the TLP. Therefore, even if the checksum sequence can be categorized as a lock-out code that must be circumvented in order for the TLP on the chip to be used, or the primary authentication sequence is seen as a protection for both the TLP and the Printer Engine Program, because the chip was primarily designed to allow access to the Printer Engine Program[10] and not the TLP, I believe Plaintiff has not demonstrated a likelihood of success on this count.

    However, I emphasize the narrow bounds of my position. The record before the trial court at the preliminary injunction stage points overwhelmingly to the conclusion that Defendant did not realize the TLP was on the chip. If evidence showed Defendant knew or should have known that there was a program on the chip, and that it was practical for the Defendant to manufacture a chip that did not access (and therefore use) the TLP, in my mind, that would be a different case. Under that scenario, the defendant would know of the protection, be able to achieve the purpose of operating the printer without circumventing that protection, and yet still choose to circumvent those protections. On such a record, I think a court would have to carefully weigh whether such a situation means that Defendant's product was "produced for the purpose of circumventing" protections of the TLP.

    [563] My reasoning on this count is based on my belief that consumers did not have an implied license to use the copyrightable TLP beyond the first re-fill of the Prebate cartridge. With the assumption that the shrinkwrap agreement was valid and enforceable (I believe Lexmark can demonstrate a likelihood of success on that question[11]), I would conclude consumers' implied license to use the copyrighted TLP did not extend beyond the first re-fill of the Prebate cartridge. The TLP at issue is not present in the printer at purchase. Instead, the consumer gains access to using it by purchasing the Prebate toner cartridge (which stores the programs in its microchip). The Prebate toner cartridge is only sold under a special shrinkwrap agreement that requires that the cartridge be returned to Lexmark when it is empty and may not be re-filled by others for reuse. Since the consumer is only authorized to use the Prebate cartridge until the toner runs out, it follows that the license also blocks the consumer from using the TLP after that time.

    The TLP was part of the cartridge, and therefore, when the consumer was able to use the TLP after the cartridge had been emptied of toner and re-filled by Defendant (in violation of the shrinkwrap agreement), in my mind, he or she gained unauthorized access to the TLP. However, the record currently supports the finding that Defendant did not have the requisite knowledge of the TLP to form an intent to primarily design or produce a chip for the purpose of gaining access to it. Therefore, I concur on the outcome of the second count, although my reasoning would be different from that of my colleagues.

    III. Count Three

    In contrast to the TLP, I believe the consumer has a right to use the Printer Engine Program for the life of the printer. Because the consumer has this right, there is no right of the copyright owner to prevent the consumer from using the Printer Engine Program, and therefore, Defendants cannot be found to be in violation of the DMCA. Though the words are never used, I think the concept of this license is present in my colleagues opinion. I agree with their reasoning regarding this count, and write on this issue only because I believe it sheds additional light on my reasoning regarding Count Two.

    All the Lexmark printers at issue here come with the Printer Engine Program installed. In fact, it would be impossible [564] for the printer to work at all without such a program, just at it would be impossible for the printer to work without an engine. Therefore, when the consumer buys the printer, the consumer must be buying the right to use not just the physical printer components, but also the Printer Engine Program that allows those physical components to produce printed pages. By buying a Lexmark printer, the consumer acquires an implied license to use the Printer Engine Program for the life of that printer.

    The DMCA defines "circumventing a technological measure" to mean avoid, bypass, etc., "a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A) (emphasis mine). Therefore, under the plain meaning of the law, circumventing a technological measure it is only a violation of § 1201(a) if the device allows consumers access to a work that they are not otherwise permitted to have. Therefore, even if Defendant has circumvented the authentication sequence to gain access to the Printer Engine Program, or designed a chip with that as its main purpose, it has not violated the statute, because it has not given anyone access to the program who did not already have authority from Lexmark to use it. In fact, it would be impossible to use the toner cartridge's chip to gain illegal access to the Lexmark Printer Engine Program, because only consumers with Lexmark printers would use the toner cartridge, and they already own the right to use the Printer Engine Program.

    If this language of the statute were not enough, it is clear from the legislative history that Congress did not intend this provision to apply to devices that merely facilitated legitimate access. In the House of Representative's Commerce Committee's report on the DMCA, it stated explicitly that the aim of § 1201(b) was to restrict devices used primarily for piracy, and not those that facilitate legal use of products. In discussion of § 1201(b), the Committee stated, "This provision is not aimed at products that are capable of commercially significant non-infringing uses, such as consumer electronics, telecommunications, or computer products [...] used by businesses and consumers for perfectly legitimate purposes." HR Rep. 105-796 (October 8, 1998). The Committee also stated that § 1201(b)(1) seeks to prohibit "making or selling the technological means to overcome these protections and thereby facilitate copyright infringement" [emphasis mine]. Id. In its January 1999 report discussing § 1201(b), the Commerce Committee again clarified that the measure was intended to outlaw trade in "devices with no substantial non-infringing uses that are expressly intended to facilitate circumvention of technological measures for purposes of gaining access to or making a copy of a work" [emphasis mine]. HR Rep. 105-846 (Jan. 2, 1999). This understanding of § 1201(b) was also clear in the Senate discussions of the DMCA. It stated that the prohibitions in § 1201(a) were made "meaningful" through the provisions of § 1201(b), which were intended to enforce "the longstanding prohibitions on infringements." S. Rep. 105-190 (May 11, 1998). It reiterated that § 1201(b) is intended to attack those devices that "facilitate copyright infringement." Id. Because Defendant's chip can only make non-infringing uses of the Lexmark Printer Engine Program, it is clear Congress did not intend the DMCA to apply in this situation.

    IV. Conclusion

    For the reasons stated above, I dissent from the majority's opinion with regard to Count One. Although I concur with the result in Count Two, I do not agree with the reasoning of my colleagues and offer [565] my own approach. Finally, I concur with both the reasoning and result for Count Three, but give my own additional reasons for why that is so.

    [1] The Honorable John Feikens, United States District Judge for the Eastern District of Michigan, sitting by designation.

    [2] I also believe the district court made another clear error in the factual findings relating to the TLP, although it was harmless. In finding of fact # 40, the district count found that for one of the printers in question, "7 bytes of Toner Loading Program ... are used as an input to the SHA-1 [in the T620/622 printer model]." JA 0273. Yet in finding of fact # 67, the district court found that "the contents of the Toner Loading Program are irrelevant to the SHA-1 for calculating the MAC." JA 0278. I believe this second finding of fact is inaccurate; the TLP is not irrelevant to the SHA-1 if it is used as an input. However, because the chip's content dictates the input into the SHA-1, the authentication sequence will complete successfully regardless of the TLP content. Therefore, the district court's error is harmless.

    [3] On cross-examination, Lexmark's expert, Maggs, said "it wouldn't be easy" to figure out where and what the checksum value should be without contextual information. JA 0953. I read this as contradicting Goldberg's statement that it would be "impossible." In addition, Lexmark offered the statement of another manufacturer of toner cartridges, who said it was not impossible to achieve "a 100 percent working solution" for compatibility with the printer (presumably the 100 percent figure includes access to a program that would accurately report when toner was running low), although "it has become a much more difficult endeavor[...]". JA 0214.

    [4] For the larger of the two TLPs at issue here.

    [5] Or, depending on the method used to calculate the checksum, factorially.

    [6] In an analogous situation, the Ninth Circuit chose to address the copying of an access code using the fair use doctrine. Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (1993). I think this situation is better understood as a merger with a method of operation, and not as a fair use. However, I will discuss Sega further when I discuss the fair use doctrine.

    [7] Nimmer finds this is generally the better view of the merger doctrine. § 1303[B][3].

    [8] In my mind, this is consistent with the understanding that copyright infringement does not have an element of scienter.

    [9] Moreover, my colleagues argue that SCC used the TLP for "a different purpose, one unrelated to copyright protection. Rather than using the Toner Loading Program to calculate toner levels...". The record is uncontested on the point that it is the copied TLP that calculates the toner levels for the refilled Prebate cartridges, and governs when the "toner low" message will be displayed. Therefore, Defendant's product did use the program for the same purpose as the Plaintiff's did — to monitor and report on toner levels — even if Defendant did not realize that it was doing so. Therefore, Defendant potentially benefited from the creative energy that Lexmark devoted to writing the program code. Although a commercial use does not necessarily block a finding of a fair use, Campbell v. Acuff-Rose Music Inc., 510 U.S. 569, 114 S.Ct. 1164, 127 L.Ed.2d 500 (1994), I think this type of commercial use is what Congress intended to weigh against a finding of fair use.

    [10] I discuss why I believe the DMCA does not reach the Printer Engine Program in my discussion of Count III.

    [11] SCC contends that such shrinkwrap agreements are not enforceable. In support of this, at least one amicus brief cites a 2001 Federal Circuit court decision that held there must be a "meeting of the minds" in order for restrictions in the agreement to be enforceable. Jazz Photo Corp. v. Int'l Trade Comm., 264 F.3d 1094, 1108 (Fed.Cir.2001), cert. denied, 536 U.S. 950, 122 S.Ct. 2644, 153 L.Ed.2d 823 (2002). Other circuits have upheld the validity of shrinkwrap agreements. See, e.g., ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir.1996) (holding that terms inside a box of software bind consumers who use the software after an opportunity to read the terms and to reject them by returning the product). Here, the shrinkwrap agreement was clear and the district court could find that it supports the conclusion that there was a meeting of the minds and the agreement is enforceable. To wit: "This all-new cartridge is sold at a special price subject to a restriction that it may be used only once. Following this initial use, you agree to return the empty cartridge only to Lexmark for remanufacturing and recycling. If you don't accept these terms, return the unopened package to your point of purchase. A regular price cartridge without these terms is available." Finally, I note this case is factually different from Hewlett-Packard Co. v. Repeat-O-Type Stencil Mfg. Corp. Inc., 123 F.3d 1445 (Fed.Cir.1997), in which the shrinkwrap agreement contained only a warning against refilling, and did not condition the sale on a promise not to refill.

    8.5.3 MDY Industries, LLC v. Blizzard Entertainment, Inc. 8.5.3 MDY Industries, LLC v. Blizzard Entertainment, Inc.

    United States Court of Appeals for the Ninth Circuit
    629 F.3d 928
    Nos. 09-15932, 09-16044
    2010-12-14

    629 F.3d 928 (2010)

    MDY INDUSTRIES, LLC, Plaintiff-counter-defendant-Appellant,
    v.
    BLIZZARD ENTERTAINMENT, INC. and Vivendi Games, Inc., Defendants-third-party-plaintiffs-Appellees,
    v.
    Michael Donnelly, Third-party-defendant-Appellant. [929]
    MDY Industries, LLC, Plaintiff-counter-defendant-Appellee,
    v.
    Blizzard Entertainment, Inc. and Vivendi Games, Inc., Defendants-third-party-plaintiffs-Appellants,
    v.
    Michael Donnelly, Third-party-defendant-Appellee.

    Nos. 09-15932, 09-16044.

    United States Court of Appeals, Ninth Circuit.

    Argued and Submitted June 7, 2010.

    Filed December 14, 2010.

    [934] Lance C. Venable (argued) and Joseph R. Meaney of Venable, Campillo, Logan & Meaney, P.C., for plaintiff-appellant/cross-appellee MDY Industries LLC and plaintiff-appellant/third-party-defendant-appellee Michael Donnelly.

    Christian S. Genetski (argued), Shane M. McGee, and Jacob A. Sommer of Sonnenschein Nath & Rosenthal LLP, for defendants-appellees/cross-appellants Blizzard Entertainment, Inc. and Vivendi Games, Inc.

    George A. Riley, David R. Eberhart, and David S. Almeling of O'Melveny & Myers LLP, for amicus curiae Business Software Alliance.

    Scott E. Bain, Keith Kupferschmid, and Mark Bohannon, for amicus curiae Software & Information Industry Association.

    Brian W. Carver of the University of California, Berkeley, School of Information, and Sherwin Siy and Jef Pearlman, for amicus curiae Public Knowledge.

    Robert H. Rotstein, Steven J. Metalitz, and J. Matthew Williams of Mitchell Silberberg & Knupp LLP, for amicus curiae Motion Picture Association of America, Inc.

    Before: WILLIAM C. CANBY, JR., CONSUELO M. CALLAHAN and SANDRA S. IKUTA, Circuit Judges.

    OPINION

    CALLAHAN, Circuit Judge:

    Blizzard Entertainment, Inc. ("Blizzard") is the creator of World of Warcraft ("WoW"), a popular multiplayer online role-playing game in which players interact in a virtual world while advancing through the game's 70 levels. MDY Industries, LLC and its sole member Michael Donnelly ("Donnelly") (sometimes referred to collectively as "MDY") developed and sold Glider, a software program that automatically plays the early levels of WoW for players.

    [935] MDY brought this action for a declaratory judgment to establish that its Glider sales do not infringe Blizzard's copyright or other rights, and Blizzard asserted counterclaims under the Digital Millennium Copyright Act ("DMCA"), 17 U.S.C. § 1201 et seq., and for tortious interference with contract under Arizona law. The district court found MDY and Donnelly liable for secondary copyright infringement, violations of DMCA § 1201(a)(2) and (b)(1), and tortious interference with contract. We reverse the district court except as to MDY's liability for violation of DMCA § 1201(a)(2) and remand for trial on Blizzard's claim for tortious interference with contract.

    I.

    A. World of Warcraft

    In November 2004, Blizzard created WoW, a "massively multiplayer online role-playing game" in which players interact in a virtual world. WoW has ten million subscribers, of which two and a half million are in North America. The WoW software has two components: (1) the game client software that a player installs on the computer; and (2) the game server software, which the player accesses on a subscription basis by connecting to WoW's online servers. WoW does not have single-player or offline modes.

    WoW players roleplay different characters, such as humans, elves, and dwarves. A player's central objective is to advance the character through the game's 70 levels by participating in quests and engaging in battles with monsters. As a player advances, the character collects rewards such as in-game currency, weapons, and armor. WoW's virtual world has its own economy, in which characters use their virtual currency to buy and sell items directly from each other, through vendors, or using auction houses. Some players also utilize WoW's chat capabilities to interact with others.

    B. Blizzard's use agreements

    Each WoW player must read and accept Blizzard's End User License Agreement ("EULA") and Terms of Use ("ToU") on multiple occasions. The EULA pertains to the game client, so a player agrees to it both before installing the game client and upon first running it. The ToU pertains to the online service, so a player agrees to it both when creating an account and upon first connecting to the online service. Players who do not accept both the EULA and the ToU may return the game client for a refund.

    C. Development of Glider and Warden

    Donnelly is a WoW player and software programmer. In March 2005, he developed Glider, a software "bot" (short for robot) that automates play of WoW's early levels, for his personal use. A user need not be at the computer while Glider is running. As explained in the Frequently Asked Questions ("FAQ") on MDY's website for Glider:

    Glider . . . moves the mouse around and pushes keys on the keyboard. You tell it about your character, where you want to kill things, and when you want to kill. Then it kills for you, automatically. You can do something else, like eat dinner or go to a movie, and when you return, you'll have a lot more experience and loot.

    Glider does not alter or copy WoW's game client software, does not allow a player to avoid paying monthly subscription dues to Blizzard, and has no commercial use independent of WoW. Glider was not initially designed to avoid detection by Blizzard.

    The parties dispute Glider's impact on the WoW experience. Blizzard contends that Glider disrupts WoW's environment [936] for non-Glider players by enabling Glider users to advance quickly and unfairly through the game and to amass additional game assets. MDY contends that Glider has a minimal effect on non-Glider players, enhances the WoW experience for Glider users, and facilitates disabled players' access to WoW by auto-playing the game for them.

    In summer 2005, Donnelly began selling Glider through MDY's website for fifteen to twenty-five dollars per license. Prior to marketing Glider, Donnelly reviewed Blizzard's EULA and client-server manipulation policy. He reached the conclusion that Blizzard had not prohibited bots in those documents.

    In September 2005, Blizzard launched Warden, a technology that it developed to prevent its players who use unauthorized third-party software, including bots, from connecting to WoW's servers. Warden was able to detect Glider, and Blizzard immediately used Warden to ban most Glider users. MDY responded by modifying Glider to avoid detection and promoting its new anti-detection features on its website's FAQ. It added a subscription service, Glider Elite, which offered "additional protection from game detection software" for five dollars a month.

    Thus, by late 2005, MDY was aware that Blizzard was prohibiting bots. MDY modified its website to indicate that using Glider violated Blizzard's ToU. In November 2005, Donnelly wrote in an email interview, "Avoiding detection is rather exciting, to be sure. Since Blizzard does not want bots running at all, it's a violation to use them." Following MDY's anti-detection modifications, Warden only occasionally detected Glider. As of September 2008, MDY had gross revenues of $3.5 million based on 120,000 Glider license sales.

    D. Financial and practical impact of Glider

    Blizzard claims that from December 2004 to March 2008, it received 465,000 complaints about WoW bots, several thousand of which named Glider. Blizzard spends $940,000 annually to respond to these complaints, and the parties have stipulated that Glider is the principal bot used by WoW players. Blizzard introduced evidence that it may have lost monthly subscription fees from Glider users, who were able to reach WoW's highest levels in fewer weeks than players playing manually. Donnelly acknowledged in a November 2005 email that MDY's business strategy was to make Blizzard's anti-bot detection attempts financially prohibitive:

    The trick here is that Blizzard has a finite amount of development and test resources, so we want to make it bad business to spend that much time altering their detection code to find Glider, since Glider's negative effect on the game is debatable. . . . [W]e attack th[is] weakness and try to make it a bad idea or make their changes very risky, since they don't want to risk banning or crashing innocent customers.

    E. Pre-litigation contact between MDY and Blizzard

    In August 2006, Blizzard sent MDY a cease-and-desist letter alleging that MDY's website hosted WoW screenshots and a Glider install file, all of which infringed Blizzard's copyrights. Donnelly removed the screenshots and requested Blizzard to clarify why the install file was infringing, but Blizzard did not respond. In October 2006, Blizzard's counsel visited Donnelly's home, threatening suit unless MDY immediately ceased selling Glider and remitted all profits to Blizzard. MDY immediately commenced this action.

    [937] II.

    On December 1, 2006, MDY filed an amended complaint seeking a declaration that Glider does not infringe Blizzard's copyright or other rights. In February 2007, Blizzard filed counterclaims and third-party claims against MDY and Donnelly for, inter alia, contributory and vicarious copyright infringement, violation of DMCA § 1201(a)(2) and (b)(1), and tortious interference with contract.

    In July 2008, the district court granted Blizzard partial summary judgment, finding that MDY's Glider sales contributorily and vicariously infringed Blizzard's copyrights and tortiously interfered with Blizzard's contracts. The district court also granted MDY partial summary judgment, finding that MDY did not violate DMCA § 1201(a)(2) with respect to accessing the game software's source code.

    In September 2008, the parties stipulated to entry of a $6 million judgment against MDY for the copyright infringement and tortious interference with contract claims. They further stipulated that Donnelly would be personally liable for the same amount if found personally liable at trial. After a January 2009 bench trial, the district court held MDY liable under DMCA § 1201(a)(2) and (b)(1). It also held Donnelly personally liable for MDY's copyright infringement, DMCA violations, and tortious interference with contract.

    On April 1, 2009, the district court entered judgment against MDY and Donnelly for $6.5 million, an adjusted figure to which the parties stipulated based on MDY's DMCA liability and post-summary judgment Glider sales. The district court permanently enjoined MDY from distributing Glider. MDY's efforts to stay injunctive relief pending appeal were unsuccessful. On April 29, 2009, MDY timely filed this appeal. On May 12, 2009, Blizzard timely cross-appealed the district court's holding that MDY did not violate DMCA § 1201(a)(2) and (b)(1) as to the game software's source code.

    III.

    We review de novo the district court's (1) orders granting or denying summary judgment; (2) conclusions of law after a bench trial; and (3) interpretations of state law. Padfield v. AIG Life Ins., 290 F.3d 1121, 1124 (9th Cir.2002); Twentieth Century Fox Film Corp. v. Entm't Distrib., 429 F.3d 869, 879 (9th Cir.2005); Laws v. Sony Music Entm't, Inc., 448 F.3d 1134, 1137 (9th Cir.2006). We review the district court's findings of fact for clear error. Twentieth Century Fox, 429 F.3d at 879.

    IV.

    We first consider whether MDY committed contributory or vicarious infringement (collectively, "secondary infringement") of Blizzard's copyright by selling Glider to WoW players.[1]See ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1454 (7th Cir.1996) ("A copyright is a right against the world. Contracts, by contrast, generally affect only their parties."). To establish secondary infringement, Blizzard must first demonstrate direct infringement. See A & M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1019, 1022 (9th Cir.2001). To establish direct infringement, Blizzard must demonstrate copyright ownership and violation of one of its exclusive rights by Glider users. Id. at 1013. MDY is liable for contributory infringement if it has "intentionally induc[ed] or encourag[ed] direct infringement" by [938] Glider users. MGM Studios Inc. v. Grokster, Ltd., 545 U.S. 913, 930, 125 S.Ct. 2764, 162 L.Ed.2d 781 (2005). MDY is liable for vicarious infringement if it (1) has the right and ability to control Glider users' putatively infringing activity and (2) derives a direct financial benefit from their activity. Id. If Glider users directly infringe, MDY does not dispute that it satisfies the other elements of contributory and vicarious infringement.

    As a copyright owner, Blizzard possesses the exclusive right to reproduce its work. 17 U.S.C. § 106(1). The parties agree that when playing WoW, a player's computer creates a copy of the game's software in the computer's random access memory ("RAM"), a form of temporary memory used by computers to run software programs. This copy potentially infringes unless the player (1) is a licensee whose use of the software is within the scope of the license or (2) owns the copy of the software. See Sun Microsystems, Inc. v. Microsoft Corp., 188 F.3d 1115, 1121 (9th Cir.1999) ("Sun I"); 17 U.S.C. § 117(a). As to the scope of the license, ToU § 4(B), "Limitations on Your Use of the Service," provides:

    You agree that you will not . . . (ii) create or use cheats, bots, "mods," and/or hacks, or any other third-party software designed to modify the World of Warcraft experience; or (iii) use any third-party software that intercepts, "mines," or otherwise collects information from or through the Program or Service.

    By contrast, if the player owns the copy of the software, the "essential step" defense provides that the player does not infringe by making a copy of the computer program where the copy is created and used solely "as an essential step in the utilization of the computer program in conjunction with a machine." 17 U.S.C. § 117(a)(1).

    A. Essential step defense

    We consider whether WoW players, including Glider users, are owners or licensees of their copies of WoW software. If WoW players own their copies, as MDY contends, then Glider users do not infringe by reproducing WoW software in RAM while playing, and MDY is not secondarily liable for copyright infringement.

    In Vernor v. Autodesk, Inc., we recently distinguished between "owners" and "licensees" of copies for purposes of the essential step defense. Vernor v. Autodesk, Inc., 621 F.3d 1102, 1108-09 (9th Cir.2010); see also MAI Sys. Corp. v. Peak Computer, Inc., 991 F.2d 511, 519 n. 5 (9th Cir. 1993); Triad Sys. Corp. v. Se. Express Co., 64 F.3d 1330, 1333, 1335-36 (9th Cir.1995); Wall Data, Inc. v. Los Angeles County Sheriff's Dep't, 447 F.3d 769, 784-85 (9th Cir.2006). In Vernor, we held "that a software user is a licensee rather than an owner of a copy where the copyright owner (1) specifies that the user is granted a license; (2) significantly restricts the user's ability to transfer the software; and (3) imposes notable use" restrictions. 621 F.3d at 1111 (internal footnote omitted).

    Applying Vernor, we hold that WoW players are licensees of WoW's game client software. Blizzard reserves title in the software and grants players a non-exclusive, limited license. Blizzard also imposes transfer restrictions if a player seeks to transfer the license: the player must (1) transfer all original packaging and documentation; (2) permanently delete all of the copies and installation of the game client; and (3) transfer only to a recipient who accepts the EULA. A player may not sell or give away the account.

    Blizzard also imposes a variety of use restrictions. The game must be used only for non-commercial entertainment purposes and may not be used in cyber cafes and computer gaming centers without Blizzard's [939] permission. Players may not concurrently use unauthorized third-party programs. Also, Blizzard may alter the game client itself remotely without a player's knowledge or permission, and may terminate the EULA and ToU if players violate their terms. Termination ends a player's license to access and play WoW. Following termination, players must immediately destroy their copies of the game and uninstall the game client from their computers, but need not return the software to Blizzard.

    Since WoW players, including Glider users, do not own their copies of the software, Glider users may not claim the essential step defense. 17 U.S.C. § 117(a)(1). Thus, when their computers copy WoW software into RAM, the players may infringe unless their usage is within the scope of Blizzard's limited license.

    B. Contractual covenants vs. license conditions

    "A copyright owner who grants a nonexclusive, limited license ordinarily waives the right to sue licensees for copyright infringement, and it may sue only for breach of contract." Sun I, 188 F.3d at 1121 (internal quotations omitted). However, if the licensee acts outside the scope of the license, the licensor may sue for copyright infringement. Id. (citing S.O.S., Inc. v. Payday, Inc., 886 F.2d 1081, 1087 (9th Cir.1989)). Enforcing a copyright license "raises issues that lie at the intersection of copyright and contract law." Id. at 1122.

    We refer to contractual terms that limit a license's scope as "conditions," the breach of which constitute copyright infringement. Id. at 1120. We refer to all other license terms as "covenants," the breach of which is actionable only under contract law. Id. We distinguish between conditions and covenants according to state contract law, to the extent consistent with federal copyright law and policy. Foad Consulting Group v. Musil Govan Azzalino, 270 F.3d 821, 827 (9th Cir.2001).

    A Glider user commits copyright infringement by playing WoW while violating a ToU term that is a license condition. To establish copyright infringement, then, Blizzard must demonstrate that the violated term — ToU § 4(B) — is a condition rather than a covenant. Sun I, 188 F.3d at 1122. Blizzard's EULAs and ToUs provide that they are to be interpreted according to Delaware law. Accordingly, we first construe them under Delaware law, and then evaluate whether that construction is consistent with federal copyright law and policy.

    A covenant is a contractual promise, i.e., a manifestation of intention to act or refrain from acting in a particular way, such that the promisee is justified in understanding that the promisor has made a commitment. See Travel Centers of Am. LLC v. Brog, No. 3751-CC, 2008 Del. Ch. LEXIS 183, *9 (Del. Ch. Dec. 5, 2008); see also Restatement (Second) of Contracts § 2 (1981). A condition precedent is an act or event that must occur before a duty to perform a promise arises. AES P.R., L.P. v. Alstom Power, Inc., 429 F.Supp.2d 713, 717 (D.Del.2006) (citing Delaware state law); see also Restatement (Second) of Contracts § 224. Conditions precedent are disfavored because they tend to work forfeitures. AES, 429 F.Supp.2d at 717 (internal citations omitted). Wherever possible, equity construes ambiguous contract provisions as covenants rather than conditions. See Wilmington Tr. Co. v. Clark, 325 A.2d 383, 386 (Del.Ch.1974). However, if the contract is unambiguous, the court construes it according to its terms. AES, 429 F.Supp.2d at 717 (citing 17 Am.Jur.2d Contracts § 460 (2006)).

    Applying these principles, ToU § 4(B)(ii) and (iii)'s prohibitions against [940] bots and unauthorized third-party software are covenants rather than copyright-enforceable conditions. See Greenwood v. CompuCredit Corp., 615 F.3d 1204, 1212, (9th Cir.2010) ("[H]eadings and titles are not meant to take the place of the detailed provisions of the text," and . . . "the heading of a section cannot limit the plain meaning of the text." (quoting Bhd. of R.R. Trainmen v. Balt. & Ohio R.R., 331 U.S. 519, 528-29, 67 S.Ct. 1387, 91 L.Ed. 1646 (1947))). Although ToU § 4 is titled, "Limitations on Your Use of the Service," nothing in that section conditions Blizzard's grant of a limited license on players' compliance with ToU § 4's restrictions. To the extent that the title introduces any ambiguity, under Delaware law, ToU § 4(B) is not a condition, but is a contractual covenant. Cf. Sun Microsystems, Inc. v. Microsoft Corp., 81 F.Supp.2d 1026, 1031-32 (N.D.Cal.2000) ("Sun II") (where Sun licensed Microsoft to create only derivative works compatible with other Sun software, Microsoft's "compatibility obligations" were covenants because the license was not specifically conditioned on their fulfillment).

    To recover for copyright infringement based on breach of a license agreement, (1) the copying must exceed the scope of the defendant's license and (2) the copyright owner's complaint must be grounded in an exclusive right of copyright (e.g., unlawful reproduction or distribution). See Storage Tech. Corp. v. Custom Hardware Eng'g & Consulting, Inc., 421 F.3d 1307, 1315-16 (Fed.Cir.2005). Contractual rights, however, can be much broader:

    [C]onsider a license in which the copyright owner grants a person the right to make one and only one copy of a book with the caveat that the licensee may not read the last ten pages. Obviously, a licensee who made a hundred copies of the book would be liable for copyright infringement because the copying would violate the Copyright Act's prohibition on reproduction and would exceed the scope of the license. Alternatively, if the licensee made a single copy of the book, but read the last ten pages, the only cause of action would be for breach of contract, because reading a book does not violate any right protected by copyright law.

    Id. at 1316. Consistent with this approach, we have held that the potential for infringement exists only where the licensee's action (1) exceeds the license's scope (2) in a manner that implicates one of the licensor's exclusive statutory rights. See, e.g., Sun I, 188 F.3d at 1121-22 (remanding for infringement determination where defendant allegedly violated a license term regulating the creation of derivative works).[2]

    Here, ToU § 4 contains certain restrictions that are grounded in Blizzard's exclusive rights of copyright and other restrictions that are not. For instance, ToU § 4(D) forbids creation of derivative works based on WoW without Blizzard's consent. A player who violates this prohibition [941] would exceed the scope of her license and violate one of Blizzard's exclusive rights under the Copyright Act. In contrast, ToU § 4(C)(ii) prohibits a player's disruption of another player's game experience. Id. A player might violate this prohibition while playing the game by harassing another player with unsolicited instant messages. Although this conduct may violate the contractual covenants with Blizzard, it would not violate any of Blizzard's exclusive rights of copyright. The antibot provisions at issue in this case, ToU § 4(B)(ii) and (iii), are similarly covenants rather than conditions. A Glider user violates the covenants with Blizzard, but does not thereby commit copyright infringement because Glider does not infringe any of Blizzard's exclusive rights. For instance, the use does not alter or copy WoW software.

    Were we to hold otherwise, Blizzard — or any software copyright holder — could designate any disfavored conduct during software use as copyright infringement, by purporting to condition the license on the player's abstention from the disfavored conduct. The rationale would be that because the conduct occurs while the player's computer is copying the software code into RAM in order for it to run, the violation is copyright infringement. This would allow software copyright owners far greater rights than Congress has generally conferred on copyright owners.[3]

    We conclude that for a licensee's violation of a contract to constitute copyright infringement, there must be a nexus between the condition and the licensor's exclusive rights of copyright.[4] Here, WoW players do not commit copyright infringement by using Glider in violation of the ToU. MDY is thus not liable for secondary copyright infringement, which requires the existence of direct copyright infringement. Grokster, 545 U.S. at 930, 125 S.Ct. 2764.

    It follows that because MDY does not infringe Blizzard's copyrights, we need not resolve MDY's contention that Blizzard commits copyright misuse. Copyright misuse is an equitable defense to copyright infringement, the contours of which are still being defined. See Practice Mgmt. Info. Corp. v. Am. Med. Ass'n, 121 F.3d 516, 520 (9th Cir.1997). The remedy for copyright misuse is to deny the copyright holder the right to enforce its copyright during the period of misuse. Since MDY does not infringe, we do not consider whether Blizzard committed copyright misuse.

    We thus reverse the district court's grant of summary judgment to Blizzard on its secondary copyright infringement [942] claims. Accordingly, we must also vacate the portion of the district court's permanent injunction that barred MDY and Donnelly from "infringing, or contributing to the infringement of, Blizzard's copyrights in WoW software."

    V.

    After MDY began selling Glider, Blizzard launched Warden, its technology designed to prevent players who used bots from connecting to the WoW servers. Blizzard used Warden to ban most Glider users in September 2005. Blizzard claims that MDY is liable under DMCA § 1201(a)(2) and (b)(1) because it thereafter programmed Glider to avoid detection by Warden.

    A. The Warden technology

    Warden has two components. The first is a software module called "scan.dll," which scans a computer's RAM prior to allowing the player to connect to WoW's servers. If scan.dll detects that a bot is running, such as Glider, it will not allow the player to connect and play. After Blizzard launched Warden, MDY reconfigured Glider to circumvent scan.dll by not loading itself until after scan.dll completed its check. Warden's second component is a "resident" component that runs periodically in the background on a player's computer when it is connected to WoW's servers. It asks the computer to report portions of the WoW code running in RAM, and it looks for patterns of code associated with known bots or cheats. If it detects a bot or cheat, it boots the player from the game, which halts the computer's copying of copyrighted code into RAM.

    B. The Digital Millennium Copyright Act

    Congress enacted the DMCA in 1998 to conform United States copyright law to its obligations under two World Intellectual Property Organization ("WIPO") treaties, which require contracting parties to provide effective legal remedies against the circumvention of protective technological measures used by copyright owners. See Universal City Studios, Inc. v. Corley, 273 F.3d 429, 440 (2d Cir.2001). In enacting the DMCA, Congress sought to mitigate the problems presented by copyright enforcement in the digital age. Id. The DMCA contains three provisions directed at the circumvention of copyright owners' technological measures. The Supreme Court has yet to construe these provisions, and they raise questions of first impression in this circuit.

    The first provision, 17 U.S.C. § 1201(a)(1)(A), is a general prohibition against "circumventing a technological measure that effectively controls access to a work protected under [the Copyright Act]." The second prohibits trafficking in technology that circumvents a technological measure that "effectively controls access" to a copyrighted work. 17 U.S.C. § 1201(a)(2). The third prohibits trafficking in technology that circumvents a technological measure that "effectively protects" a copyright owner's right. 17 U.S.C. § 1201(b)(1).

    C. The district court's decision

    The district court assessed whether MDY violated DMCA § 1201(a)(2) and (b)(1) with respect to three WoW components. First, the district court considered the game client software's literal elements: the source code stored on players' hard drives. Second, the district court considered the game client software's individual non-literal elements: the 400,000+ discrete visual and audible components of the game, such as a visual image of a monster or its audible roar. Finally, it considered the game's dynamic non-literal [943] elements: that is, the "real-time experience of traveling through different worlds, hearing their sounds, viewing their structures, encountering their inhabitants and monsters, and encountering other players."

    The district court granted MDY partial summary judgment as to Blizzard's § 1201(a)(2) claim with respect to WoW's literal elements. The district court reasoned that Warden does not effectively control access to the literal elements because WoW players can access the literal elements without connecting to a game server and encountering Warden; they need only install the game client software on their computers. The district court also ruled for MDY following trial as to Blizzard's § 1201(a)(2) claim with respect to WoW's individual non-literal elements, reasoning that these elements could also be accessed on a player's hard drive without encountering Warden.

    The district court, however, ruled for Blizzard following trial as to its § 1201(a)(2) and (b)(1) claims with respect to WoW's dynamic non-literal elements, or the "real-time experience" of playing WoW. It reasoned that Warden effectively controlled access to these elements, which could not be accessed without connecting to Blizzard's servers. It also found that Glider allowed its users to circumvent Warden by avoiding or bypassing its detection features, and that MDY marketed Glider for use in circumventing Warden.

    We turn to consider whether Glider violates DMCA § 1201(a)(2) and (b)(1) by allowing users to circumvent Warden to access WoW's various elements. MDY contends that Warden's scan.dll and resident components are separate, and only scan.dll should be considered as a potential access control measure under § 1201(a)(2). However, in our view, an access control measure can both (1) attempt to block initial access and (2) revoke access if a secondary check determines that access was unauthorized. Our analysis considers Warden's scan.dll and resident components together because the two components have the same purpose: to prevent players using detectable bots from continuing to access WoW software.

    D. Construction of § 1201

    One of the issues raised by this appeal is whether certain provisions of § 1201 prohibit circumvention of access controls when access does not constitute copyright infringement. To answer this question and others presented by this appeal, we address the nature and interrelationship of the various provisions of § 1201 in the overall context of the Copyright Act.

    We begin by considering the scope of DMCA § 1201's three operative provisions, §§ 1201(a)(1), 1201(a)(2), and 1201(b)(1). We consider them side-by-side, because "[w]e do not . . . construe statutory phrases in isolation; we read statutes as a whole. Thus, the [term to be construed] must be read in light of the immediately following phrase. . . ." United States v. Morton, 467 U.S. 822, 828, 104 S.Ct. 2769, 81 L.Ed.2d 680 (1984); see also Padash v. I.N.S., 358 F.3d 1161, 1170 (9th Cir.2004) (we analyze the statutory provision to be construed "in the context of the governing statute as a whole, presuming congressional intent to create a coherent regulatory scheme").

    1. Text of the operative provisions

    "We begin, as always, with the text of the statute." Hawaii v. Office of Hawaiian Affairs, ___ U.S. ___, 129 S.Ct. 1436, 1443, 173 L.Ed.2d 333 (2009) (quoting Permanent Mission of India to United Nations v. City of New York, 551 U.S. 193, 197, 127 S.Ct. 2352, 168 L.Ed.2d 85 (2007)). Section 1201(a)(1)(A) prohibits "circumvent[ing] [944] a technological measure that effectively controls access to a work protected under this title." Sections 1201(a)(2) and (b)(1) provide that "[n]o person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that —

    § 1201(a)(2)                                  § 1201(b)(1)

(A)                                           (A)
is primarily designed or produced             is primarily designed or produced
for the purpose of                            for the purpose of
circumventing a technological measure         circumventing protection afforded
                                              by a technological measure
that effectively controls access              that effectively protects
to a work protected under this title;                 a right of a copyright owner;
(B)                                           (B)
has only limited commercially significant     has only limited commercially significant
purpose or use other than                     purpose of use other than
to circumvent a technological measure         to circumvent protection afforded by a
                                              technological measure
that effectively controls access              that effectively protects a
to a work protected under this title;         right of a copyright owner under this title
                                              in a work or portion thereof;
(C)                                           (C)
is marketed by a person or another acting     is marketed by that person or another acting
in concert with that person                   in concert with that person
with that person's knowledge for use          with that person's knowledge for use
in circumventing                              in circumventing protection afforded by
a technological measure that                  a technological measure that
effectively controls access to                effectively protects a
a work protected under this title.            right of a copyright owner under this title in
a                                             portion or work thereof."

    (emphasis added).

    2. Our harmonization of the DMCA's operative provisions

    For the reasons set forth below, we believe that § 1201 is best understood to create two distinct types of claims. First, § 1201(a) prohibits the circumvention of any technological measure that effectively controls access to a protected work and grants copyright owners the right to enforce that prohibition. Cf. Corley, 273 F.3d at 441 ("[T]he focus of subsection 1201(a)(2) is circumvention of technologies designed to prevent access to a work"). Second, and in contrast to § 1201(a), § 1201(b)(1) prohibits trafficking in technologies that circumvent technological measures that effectively protect "a right of a copyright owner." Section 1201(b)(1)'s prohibition is thus aimed at circumventions of measures that protect the copyright itself: it entitles copyright owners to protect their existing exclusive rights under the Copyright Act. Those exclusive rights are reproduction, distribution, public performance, public display, and creation of derivative works. 17 U.S.C. § 106. Historically speaking, preventing "access" to a protected work in itself has not been a right of a copyright owner arising from the Copyright Act.[5]

    Our construction of § 1201 is compelled by the four significant textual differences between § 1201(a) and (b). First, § 1201(a)(2) prohibits the circumvention of [945] a measure that "effectively controls access to a work protected under this title," whereas § 1201(b)(1) concerns a measure that "effectively protects a right of a copyright owner under this title in a work or portion thereof." (emphasis added). We read § 1201(b)(1)'s language — "right of a copyright owner under this title" — to reinforce copyright owners' traditional exclusive rights under § 106 by granting them an additional cause of action against those who traffic in circumventing devices that facilitate infringement. Sections 1201(a)(1) and (a)(2), however, use the term "work protected under this title." Neither of these two subsections explicitly refers to traditional copyright infringement under § 106. Accordingly, we read this term as extending a new form of protection, i.e., the right to prevent circumvention of access controls, broadly to works protected under Title 17, i.e., copyrighted works.

    Second, as used in § 1201(a), to "circumvent a technological measure" means "to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A). These two specific examples of unlawful circumvention under § 1201(a) — descrambling a scrambled work and decrypting an encrypted work — are acts that do not necessarily infringe or facilitate infringement of a copyright.[6] Descrambling or decrypting only enables someone to watch or listen to a work without authorization, which is not necessarily an infringement of a copyright owner's traditional exclusive rights under § 106. Put differently, descrambling and decrypting do not necessarily result in someone's reproducing, distributing, publicly performing, or publicly displaying the copyrighted work, or creating derivative works based on the copyrighted work.

    The third significant difference between the subsections is that § 1201(a)(1)(A) prohibits circumventing an effective access control measure, whereas § 1201(b) prohibits trafficking in circumventing devices, but does not prohibit circumvention itself because such conduct was already outlawed as copyright infringement. The Senate Judiciary Committee explained:

    This . . . is the reason there is no prohibition on conduct in 1201(b) akin to the prohibition on circumvention conduct in 1201(a)(1). The prohibition in 1201(a)(1) is necessary because prior to this Act, the conduct of circumvention was never before made unlawful. The device limitation on 1201(a)(2) enforces this new prohibition on conduct. The copyright law has long forbidden copyright infringements, so no new prohibition was necessary.

    S.Rep. No. 105-90, at 11 (1998). This difference reinforces our reading of § 1201(b) as strengthening copyright owners' traditional rights against copyright infringement and of § 1201(a) as granting copyright owners a new anti-circumvention right.

    Fourth, in § 1201(a)(1)(B)-(D), Congress directs the Library of Congress ("Library") to identify classes of copyrighted works for which "noninfringing uses by persons who are users of a copyrighted work are, or are likely to be, adversely affected, and the [anti-circumvention] prohibition contained in [§ 1201(a)(1)(A)] shall not apply to such users with respect to such classes of works for the ensuing 3-year period." There is no analogous provision in § 1201(b). We impute this lack of symmetry to Congress' need to balance [946] copyright owners' new anti-circumvention right with the public's right to access the work. Cf. H.R.Rep. No. 105-551, pt. 2, at 26 (1998) (specifying that the House Commerce Committee "endeavored to specify, with as much clarity as possible, how the right against anti-circumvention (sic) would be qualified to maintain balance between the interests of content creators and information users."). Sections 1201(a)(1)(B)-(D) thus promote the public's right to access by allowing the Library to exempt circumvention of effective access control measures in particular situations where it concludes that the public's right to access outweighs the owner's interest in restricting access.[7] In limiting the owner's right to control access, the Library does not, and is not permitted to, authorize infringement of a copyright owner's traditional exclusive rights under the copyright. Rather, the Library is only entitled to moderate the new anti-circumvention right created by, and hence subject to the limitations in, DMCA § 1201(a)(1).[8]

    Our reading of § 1201(a) and (b) ensures that neither section is rendered superfluous. A violation of § 1201(a)(1)(A), which prohibits circumvention itself, will not be a violation of § 1201(b), which does not contain an analogous prohibition on circumvention. A violation of § 1201(a)(2), which prohibits trafficking in devices that facilitate circumvention of access control measures, will not always be a violation of § 1201(b)(1), which prohibits trafficking in devices that facilitate circumvention of measures that protect against copyright infringement. Of course, if a copyright owner puts in place an effective measure that both (1) controls access and (2) protects against copyright infringement, a defendant who traffics in a device that circumvents that measure could be liable under both § 1201(a) and (b). Nonetheless, we read the differences in structure between § 1201(a) and (b) as reflecting Congress's intent to address distinct concerns by creating different rights with different elements.

    3. Our construction of the DMCA is consistent with the legislative history

    Although the text suffices to resolve the issues before us, we also consider the legislative history in order to address the parties' arguments concerning it. Our review of that history supports the view that Congress created a new anticircumvention right in § 1201(a)(2) independent of traditional copyright infringement and granted copyright owners a new weapon against copyright infringement in § 1201(b)(1). For instance, the Senate Judiciary Committee report explains that § 1201(a)(2) and (b)(1) are "not interchangeable": they were "designed to protect two distinct rights and to target two distinct classes of devices," and "many devices will be subject to challenge only under one of the subsections." [947] S.Rep. No. 105-190, at 12 (1998). That is, § 1201(a)(2) "is designed to protect access to a copyrighted work," while § 1201(b)(1) "is designed to protect the traditional copyright rights of the copyright owner." Id. Thus, the Senate Judiciary Committee understood § 1201 to create the following regime:

    [I]f an effective technological protection measure does nothing to prevent access to the plain text of the work, but is designed to prevent that work from being copied, then a potential cause of action against the manufacturer of a device designed to circumvent the measure lies under § 1201(b)(1), but not under § 1201(a)(2). Conversely, if an effective technological protection measure limits access to the plain text of a work only to those with authorized access, but provides no additional protection against copying, displaying, performing or distributing the work, then a potential cause of action against the manufacturer of a device designed to circumvent the measure lies under § 1201(a)(2), but not under § 1201(b).

    Id. The Senate Judiciary Committee proffered an example of § 1201(a) liability with no nexus to infringement, stating that if an owner effectively protected access to a copyrighted work by use of a password, it would violate § 1201(a)(2)(A)

    [T]o defeat or bypass the password and to make the means to do so, as long as the primary purpose of the means was to perform this kind of act. This is roughly analogous to making it illegal to break into a house using a tool, the primary purpose of which is to break into houses.

    Id. at 12. The House Judiciary Committee similarly states of § 1201(a)(2), "The act of circumventing a technological protection measure put in place by a copyright owner to control access to a copyrighted work is the electronic equivalent of breaking into a locked room in order to obtain a copy of a book." See H.R.Rep. No. 105-551, pt. 1, at 17 (1998). We note that bypassing a password and breaking into a locked room in order to read or view a copyrighted work would not infringe on any of the copyright owner's exclusive rights under § 106.

    We read this legislative history as confirming Congress's intent, in light of the current digital age, to grant copyright owners an independent right to enforce the prohibition against circumvention of effective technological access controls.[9] In § 1201(a), Congress was particularly concerned with encouraging copyright owners to make their works available in digital formats such as "on-demand" or "pay-per-view," which allow consumers effectively to "borrow" a copy of the work for a limited time or a limited number of uses. As the House Commerce Committee explained:

    [A]n increasing number of intellectual property works are being distributed using a "client-server" model, where the work is effectively "borrowed" by the user (e.g., infrequent users of expensive software purchase a certain number of uses, or viewers watch a movie on a pay-per-view basis). To operate in this environment, content providers will need both the technology to make new uses possible and the legal framework to ensure they can protect their work from piracy.

    [948] See H.R.Rep. No. 105-551 pt. 2, at 23 (1998).

    Our review of the legislative history supports our reading of § 1201: that section (a) creates a new anticircumvention right distinct from copyright infringement, while section (b) strengthens the traditional prohibition against copyright infringement.[10] We now review the decisions of the Federal Circuit that have interpreted § 1201 differently.

    4. The Federal Circuit's decisions

    The Federal Circuit has adopted a different approach to the DMCA. In essence, it requires § 1201(a) plaintiffs to demonstrate that the circumventing technology infringes or facilitates infringement of the plaintiff's copyright (an "infringement nexus requirement"). See Chamberlain Group, Inc. v. Skylink Techs., Inc., 381 F.3d 1178, 1203 (Fed.Cir.2004); Storage Tech. Corp. v. Custom Hardware Eng'g & Consulting, Inc., 421 F.3d 1307 (Fed.Cir.2005).[11]

    The seminal decision is Chamberlain, 381 F.3d 1178 (Fed.Cir.2004). In Chamberlain, the plaintiff sold garage door openers ("GDOs") with a "rolling code" security system that purportedly reduced the risk of crime by constantly changing the transmitter signal necessary to open the door. Id. at 1183. Customers used the GDOs' transmitters to send the changing signal, which in turn opened or closed their garage doors. Id.

    Plaintiff sued the defendant, who sold "universal" GDO transmitters for use with plaintiff's GDOs, under § 1201(a)(2). Id. at 1185. The plaintiff alleged that its GDOs and transmitters both contained copyrighted computer programs and that its rolling code security system was a technological measure that controlled access to those programs. Id. at 1183. Accordingly, plaintiff alleged that the defendant — by selling GDO transmitters that were compatible with plaintiff's GDOs — had trafficked in a technology that was primarily used for the circumvention of a technological measure (the rolling code security system) that effectively controlled access to plaintiff's copyrighted works. Id.

    The Federal Circuit rejected the plaintiff's claim, holding that the defendant did not violate § 1201(a)(2) because, inter alia, the defendant's universal GDO transmitters did not infringe or facilitate infringement of the plaintiff's copyrighted computer programs. Id. at 1202-03. The linchpin of the Chamberlain court's analysis is its conclusion that DMCA coverage is limited to a copyright owner's rights under the Copyright Act as set forth in § 106 of the Copyright Act. Id. at 1192-93. Thus, it held that § 1201(a) did not grant copyright owners a new anti-circumvention right, but instead, established new [949] causes of action for a defendant's unauthorized access of copyrighted material when it infringes upon a copyright owner's rights under § 106. Id. at 1192, 1194. Accordingly, a § 1201(a)(2) plaintiff was required to demonstrate a nexus to infringement — i.e., that the defendant's trafficking in circumventing technology had a "reasonable relationship" to the protections that the Copyright Act affords copyright owners. Id. at 1202-03. The Federal Circuit explained:

    Defendants who traffic in devices that circumvent access controls in ways that facilitate infringement may be subject to liability under § 1201(a)(2). Defendants who use such devices may be subject to liability under § 1201(a)(1) whether they infringe or not. Because all defendants who traffic in devices that circumvent rights controls necessarily facilitate infringement, they may be subject to liability under § 1201(b). Defendants who use such devices may be subject to liability for copyright infringement. And finally, defendants whose circumvention devices do not facilitate infringement are not subject to § 1201 liability.

    Id. at 1195 (emphasis added). Chamberlain concluded that § 1201(a) created a new cause of action linked to copyright infringement, rather than a new anti-circumvention right separate from copyright infringement, for six reasons.

    First, Chamberlain reasoned that Congress enacted the DMCA to balance the interests of copyright owners and information users, and an infringement nexus requirement was necessary to create an anti-circumvention right that truly achieved that balance. Id. at 1196 (citing H.R.Rep. No. 105-551, at 26 (1998)). Second, Chamberlain feared that copyright owners could use an access control right to prohibit exclusively fair uses of their material even absent feared foul use. Id. at 1201. Third, Chamberlain feared that § 1201(a) would allow companies to leverage their sales into aftermarket monopolies, in potential violation of antitrust law and the doctrine of copyright misuse. Id. (citing Eastman Kodak Co. v. Image Tech. Servs., 504 U.S. 451, 455, 112 S.Ct. 2072, 119 L.Ed.2d 265 (1992) (antitrust); Assessment Techs. of WI, LLC v. WIREdata, Inc., 350 F.3d 640, 647 (7th Cir.2003) (copyright misuse)). Fourth, Chamberlain viewed an infringement nexus requirement as necessary to prevent "absurd and disastrous results," such as the existence of DMCA liability for disabling a burglary alarm to gain access to a home containing copyrighted materials. Id.

    Fifth, Chamberlain stated that an infringement nexus requirement might be necessary to render Congress's exercise of its Copyright Clause authority rational. Id. at 1200. The Copyright Clause gives Congress "the task of defining the scope of the limited monopoly that should be granted to authors . . . in order to give the public appropriate access to their work product." Id. (citing Eldred v. Ashcroft, 537 U.S. 186, 204-05, 123 S.Ct. 769, 154 L.Ed.2d 683 (2003) (internal citation omitted)). Without an infringement nexus requirement, Congress arguably would have allowed copyright owners in § 1201(a) to deny all access to the public by putting an effective access control measure in place that the public was not allowed to circumvent.

    Finally, the Chamberlain court viewed an infringement nexus requirement as necessary for the Copyright Act to be internally consistent. It reasoned that § 1201(c)(1), enacted simultaneously, provides that "nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title." The Chamberlain court opined that if § 1201(a) creates liability for access without regard to the remainder of the Copyright Act, it "would [950] clearly affect rights and limitations, if not remedies and defenses." Id.

    Accordingly, the Federal Circuit held that a DMCA § 1201(a)(2) action was foreclosed to the extent that the defendant trafficked in a device that did not facilitate copyright infringement. Id.; see also Storage Tech., 421 F.3d 1307 (same).

    5. We decline to adopt an infringement nexus requirement

    While we appreciate the policy considerations expressed by the Federal Circuit in Chamberlain, we are unable to follow its approach because it is contrary to the plain language of the statute. In addition, the Federal Circuit failed to recognize the rationale for the statutory construction that we have proffered. Also, its approach is based on policy concerns that are best directed to Congress in the first instance, or for which there appear to be other reasons that do not require such a convoluted construction of the statute's language.

    i. Statutory inconsistencies

    Were we to follow Chamberlain in imposing an infringement nexus requirement, we would have to disregard the plain language of the statute. Moreover, there is significant textual evidence showing Congress's intent to create a new anticircumvention right in § 1201(a) distinct from infringement. As set forth supra, this evidence includes: (1) Congress's choice to link only § 1201(b)(1) explicitly to infringement; (2) Congress's provision in § 1201(a)(3)(A) that descrambling and decrypting devices can lead to § 1201(a) liability, even though descrambling and decrypting devices may only enable non-infringing access to a copyrighted work; and (3) Congress's creation of a mechanism in § 1201(a)(1)(B)-(D) to exempt certain non-infringing behavior from § 1201(a)(1) liability, a mechanism that would be unnecessary if an infringement nexus requirement existed.

    Though unnecessary to our conclusion because of the clarity of the statute's text, see United States v. Gallegos, 613 F.3d 1211, 1214 (9th Cir.2010), we also note that the legislative history supports the conclusion that Congress intended to prohibit even non-infringing circumvention and trafficking in circumventing devices. Moreover, in mandating a § 1201(a) nexus to infringement, we would deprive copyright owners of the important enforcement tool that Congress granted them to make sure that they are compensated for valuable non-infringing access — for instance, copyright owners who make movies or music available online, protected by an access control measure, in exchange for direct or indirect payment.

    The Chamberlain court reasoned that if § 1201(a) creates liability for access without regard to the remainder of the Copyright Act, it "would clearly affect rights and limitations, if not remedies and defenses." 381 F.3d at 1200. This perceived tension is relieved by our recognition that § 1201(a) creates a new anti-circumvention right distinct from the traditional exclusive rights of a copyright owner. It follows that § 1201(a) does not limit the traditional framework of exclusive rights created by § 106, or defenses to those rights such as fair use.[12] We are thus unpersuaded by Chamberlain's reading of the DMCA's text and structure.

    [951] ii. Additional interpretive considerations

    Though we need no further evidence of Congress's intent, the parties, citing Chamberlain, proffer several other arguments, which we review briefly in order to address the parties' contentions. Chamberlain relied heavily on policy considerations to support its reading of § 1201(a). As a threshold matter, we stress that such considerations cannot trump the statute's plain text and structure. Gallegos, 613 F.3d at 1214. Even were they permissible considerations in this case, however, they would not persuade us to adopt an infringement nexus requirement. Chamberlain feared that § 1201(a) would allow companies to leverage their sales into aftermarket monopolies, in tension with antitrust law and the doctrine of copyright misuse.[13]Id. (citing Eastman, 504 U.S. at 455, 112 S.Ct. 2072 (antitrust); Assessment Techs., 350 F.3d at 647 (copyright misuse)). Concerning antitrust law, we note that there is no clear issue of anti-competitive behavior in this case because Blizzard does not seek to put a direct competitor who offers a competing role-playing game out of business and the parties have not argued this issue. If a § 1201(a)(2) defendant in a future case claims that a plaintiff is attempting to enforce its DMCA anti-circumvention right in a manner that violates antitrust law, we will then consider the interplay between this new anti-circumvention right and antitrust law.

    Chamberlain also viewed an infringement nexus requirement as necessary to prevent "absurd and disastrous results," such as the existence of DMCA liability for disabling a burglary alarm to gain access to a home containing copyrighted materials. 381 F.3d at 1201. In addition, the Federal Circuit was concerned that, without an infringement nexus requirement, § 1201(a) would allow copyright owners to deny all access to the public by putting an effective access control measure in place that the public is not allowed to circumvent. 381 F.3d at 1200. Both concerns appear to be overstated,[14] but even accepting them, arguendo, as legitimate concerns, they do not permit reading the statute as requiring the imposition of an infringement nexus. As § 1201(a) creates a distinct right, it does not disturb the balance between public rights and the traditional rights of owners of copyright under the Copyright Act. Moreover, § 1201(a)(1)(B)-(D) allows the Library of Congress to create exceptions to the § 1201(a) anticircumvention right in the public's interest. If greater protection of the public's ability to access copyrighted works is required, Congress can provide such protection by amending the statute.

    [952] In sum, we conclude that a fair reading of the statute (supported by legislative history) indicates that Congress created a distinct anti-circumvention right under § 1201(a) without an infringement nexus requirement. Thus, even accepting the validity of the concerns expressed in Chamberlain, those concerns do not authorize us to override congressional intent and add a non-textual element to the statute. See In Re Dumont, 581 F.3d 1104, 1111 (9th Cir. 2009) ("[W]here the language of an enactment is clear or, in modern parlance, plain, and construction according to its terms does not lead to absurd or impracticable consequences, the words employed are to be taken as the final expression of the meaning intended."). Accordingly, we reject the imposition of an infringement nexus requirement. We now consider whether MDY has violated § 1201(a)(2) and (b)(1).

    E. Blizzard's § 1201(a)(2) claim

    1. WoW's literal elements and individual non-literal elements

    We agree with the district court that MDY's Glider does not violate DMCA § 1201(a)(2) with respect to WoW's literal elements[15] and individual non-literal elements, because Warden does not effectively control access to these WoW elements. First, Warden does not control access to WoW's literal elements because these elements — the game client's software code — are available on a player's hard drive once the game client software is installed. Second, as the district court found:

    [WoW's] individual nonliteral components may be accessed by a user without signing on to the server. As was demonstrated during trial, an owner of the game client software may use independently purchased computer programs to call up the visual images or the recorded sounds within the game client software. For instance, a user may call up and listen to the roar a particular monster makes within the game. Or the user may call up a virtual image of that monster.

    Since a player need not encounter Warden to access WoW's individual non-literal elements, Warden does not effectively control access to those elements.

    Our conclusion is in accord with the Sixth Circuit's decision in Lexmark International v. Static Control Components, 387 F.3d 522 (6th Cir.2004). In Lexmark, the plaintiff sold laser printers equipped with an authentication sequence, verified by the printer's copyrighted software, that ensured that only plaintiff's own toner cartridges could be inserted into the printers. Id. at 530. The defendant sold microchips capable of generating an authentication sequence that rendered other manufacturers' cartridges compatible with plaintiff's printers. Id.

    The Sixth Circuit held that plaintiff's § 1201(a)(2) claim failed because its authentication sequence did not effectively control access to its copyrighted computer program. Id. at 546. Rather, the mere purchase of one of plaintiff's printers allowed "access" to the copyrighted program. Any purchaser could read the program code directly from the printer memory without encountering the authentication sequence. Id. The authentication sequence thus blocked only one form of access: the ability to make use of the printer. However, it left intact another form of access: the review and use of the computer program's literal code. Id. The Sixth Circuit explained:

    Just as one would not say that a lock on the back door of a house "controls access" to a house whose front door does not contain a lock and just as one would [953] not say that a lock on any door of a house "controls access" to the house after its purchaser receives the key to the lock, it does not make sense to say that this provision of the DMCA applies to otherwise-readily-accessible copyrighted works. Add to this the fact that the DMCA not only requires the technological measure to "control access" but requires the measure to control that access "effectively," 17 U.S.C. § 1201(a)(2), and it seems clear that this provision does not naturally extend to a technological measure that restricts one form of access but leaves another route wide open.

    Id. at 547.

    Here, a player's purchase of the WoW game client allows access to the game's literal elements and individual non-literal elements. Warden blocks one form of access to these elements: the ability to access them while connected to a WoW server. However, analogously to the situation in Lexmark, Warden leaves open the ability to access these elements directly via the user's computer. We conclude that Warden is not an effective access control measure with respect to WoW's literal elements and individual non-literal elements, and therefore, that MDY does not violate § 1201(a)(2) with respect to these elements.

    2. WoW's dynamic non-literal elements

    We conclude that MDY meets each of the six textual elements for violating § 1201(a)(2) with respect to WoW's dynamic non-literal elements. That is, MDY (1) traffics in (2) a technology or part thereof (3) that is primarily designed, produced, or marketed for, or has limited commercially significant use other than (4) circumventing a technological measure (5) that effectively controls access (6) to a copyrighted work. See 17 U.S.C. § 1201(a)(2).

    The first two elements are met because MDY "traffics in a technology or part thereof" — that is, it sells Glider. The third and fourth elements are met because Blizzard has established that MDY markets Glider for use in circumventing Warden, thus satisfying the requirement of § 1201(a)(2)(C).[16] Indeed, Glider has no function other than to facilitate the playing of WoW. The sixth element is met because, as the district court held, WoW's dynamic non-literal elements constitute a copyrighted work. See, e.g., Atari Games [954] Corp. v. Oman, 888 F.2d 878, 884-85 (D.C.Cir.1989) (the audiovisual display of a computer game is copyrightable independently from the software program code, even though the audiovisual display generated is partially dependent on user input).

    The fifth element is met because Warden is an effective access control measure. To "effectively control access to a work," a technological measure must "in the ordinary course of its operation, require[ ] the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work." 17 U.S.C. § 1201(a)(3)(B). Both of Warden's two components "require[ ] the application of information, or a process or a treatment . . . to gain access to the work." For a player to connect to Blizzard's servers which provide access to WoW's dynamic non-literal elements, scan. dll must scan the player's computer RAM and confirm the absence of any bots or cheats. The resident component also requires a "process" in order for the user to continue accessing the work: the user's computer must report portions of WoW code running in RAM to the server. Moreover, Warden's provisions were put into place by Blizzard, and thus, function "with the authority of the copyright owner." Accordingly, Warden effectively controls access to WoW's dynamic non-literal elements.[17] We hold that MDY is liable under § 1201(a)(2) with respect to WoW's dynamic non-literal elements.[18] Accordingly, we affirm the district court's entry of a permanent injunction against MDY to prevent future § 1201(a)(2) violations.

    F. Blizzard's § 1201(b)(1) claim

    Blizzard may prevail under § 1201(b)(1) only if Warden "effectively protect[s] a right" of Blizzard under the Copyright Act. Blizzard contends that Warden protects its reproduction right against unauthorized copying. We disagree.

    First, although WoW players copy the software code into RAM while playing the game, Blizzard's EULA and ToU authorize all licensed WoW players to do so. We have explained that ToU § 4(B)'s bot prohibition is a license covenant rather than a condition. Thus, a Glider user who violates this covenant does not infringe by continuing to copy code into RAM. Accordingly, MDY does not violate § 1201(b)(1) by enabling Glider users to avoid Warden's interruption of their authorized copying into RAM.

    Second, although WoW players can theoretically record game play by taking screen shots, there is no evidence that Warden detects or prevents such allegedly infringing copying.[19] This is logical, because [955] Warden was designed to reduce the presence of cheats and bots, not to protect WoW's dynamic non-literal elements against copying. We conclude that Warden does not effectively protect any of Blizzard's rights under the Copyright Act, and MDY is not liable under § 1201(b)(1) for Glider's circumvention of Warden.[20]

    VI.

    The district court granted Blizzard summary judgment on its claim against MDY for tortious interference with contract ("tortious interference") under Arizona law and held that Donnelly was personally liable for MDY's tortious interference. We review the district court's grant of summary judgment de novo. See Canyon Ferry Rd. Baptist Church of East Helena, Inc. v. Unsworth, 556 F.3d 1021, 1027 (9th Cir.2009). We view the evidence in the light most favorable to non-movant MDY in determining whether there are any genuine issues of material fact. Id. Because we conclude that there are triable issues of material fact, we vacate and remand for trial.

    A. Elements of Blizzard's tortious interference claim

    To recover for tortious interference under Arizona law, Blizzard must prove: (1) the existence of a valid contractual relationship; (2) MDY's knowledge of the relationship; (3) MDY's intentional interference in inducing or causing the breach; (4) the impropriety of MDY's interference; and (5) resulting damages. See Safeway Ins. Co. v. Guerrero, 106 P.3d 1020, 1025 (Ariz.2005); see also Antwerp Diamond Exch. of Am., Inc. v. Better Bus. Bur. of Maricopa County, Inc., 130 Ariz. 523, 637 P.2d 733, 740 (1981).

    Blizzard satisfies four of these five elements based on undisputed facts. First, a valid contractual relationship exists between Blizzard and its customers based on the operative EULA and ToU. Second, MDY was aware of this relationship: it does not contend that it was unaware of the operative EULA and ToU, or unaware that using Glider breached their terms. In fact, after Blizzard first attempted to ban Glider users, MDY modified its website to notify customers that using Glider violated the ToU. Third, MDY intentionally interfered with Blizzard's contracts. After Blizzard used Warden to ban a majority of Glider users in September 2005, MDY programmed Glider to be undetectable by Warden. Finally, Blizzard has proffered evidence that it was damaged by MDY's conduct.

    Thus, Blizzard is entitled to summary judgment if there are no triable issues of material fact as to the fourth element of its tortious interference claim: whether MDY's actions were improper. To determine whether a defendant's conduct was improper, Arizona employs the seven-factor test of Restatement (Second) of Torts § 767. See Safeway, 106 P.3d at 1027; see also Wagenseller v. Scottsdale Mem'l Hosp., 147 Ariz. 370, 710 P.2d 1025, 1042-43 (1985), superseded in other respects by A.R.S. § 23-1501. The seven factors are (1) the nature of MDY's conduct, (2) MDY's motive, (3) Blizzard's interests with which MDY interfered, (4) the interests MDY sought to advance, (5) the social interests in protecting MDY's freedom of action and Blizzard's contractual [956] interests, (6) the proximity or remoteness of MDY's conduct to the interference, and (7) the relations between MDY and Blizzard. Id. A court should give greatest weight to the first two factors. Id. We conclude that summary judgment was inappropriate here, because on the current record, taking the facts in the light most favorable to MDY, the first five factors do not clearly weigh in either side's favor, thus creating a genuine issue of material fact.

    1. Nature of MDY's conduct and MDY's motive

    The parties have presented conflicting evidence with respect to these two most important factors. Blizzard's evidence tends to demonstrate that MDY helped Glider users gain an advantage over other WoW players by advancing automatically to a higher level of the game. Thus, MDY knowingly assisted Glider users to breach their contracts, and then helped to conceal those breaches from Blizzard. Blizzard's evidence also supports the conclusion that Blizzard was negatively affected by MDY's Glider sales, because Glider use: (1) distorts WoW's virtual economy by flooding it with excess resources; (2) interferes with WoW players' ability to interact with other human players in the virtual world; and (3) strains Blizzard's servers because bots spend more continuous time in-game than do human players. Finally, Blizzard introduced evidence that MDY's motive was its three and a half to four million dollar profit.

    On the other hand, MDY proffered evidence that it created Glider in 2005, when Blizzard's ToU did not explicitly prohibit bots.[21] Glider initially had no anti-detection features. MDY added these features only after Blizzard added Warden to WoW. Blizzard did not change the EULA or ToU to proscribe bots such as Glider explicitly until after MDY began selling Glider. Finally, MDY has introduced evidence that Glider enhances some players' experience of the game, including players who might otherwise not play WoW at all. Taking this evidence in the light most favorable to MDY, there is a genuine issue of material fact as to these factors.

    2. Blizzard's interests with which MDY interferes; the interest that MDY seeks to advance; the social interest in protecting MDY's and Blizzard's respective interests

    Blizzard argues that it seeks to provide its millions of WoW players with a particular role-playing game experience that excludes bots. It contends, as the district court determined, that MDY's interest depends on inducing Blizzard's customers to breach their contracts. In contrast, MDY argues that Glider is an innovative, profitable software program that has positively affected its users' lives by advancing them to WoW's more interesting levels. MDY has introduced evidence that Glider allows players with limited motor skills to continue to play WoW, improves some users' romantic relationships by reducing the time that they spend playing WoW, and allows users who work long hours to play WoW. We further note that, if the fact-finder decides that Blizzard did not ban bots at the time that MDY created Glider, the fact-finder might conclude that MDY had a legitimate interest in continuing to sell Glider. Again, the parties' differing [957] evidence creates a genuine issue of material fact that precludes an award of summary judgment.

    3. Proximity of MDY's conduct to the interference; relationship between MDY and Blizzard

    MDY's Glider sales are the but-for cause of Glider users' breach of the operative ToU. Moreover, Blizzard and MDY are not competitors in the online role-playing game market; rather, MDY's profits appear to depend on the continued popularity of WoW. Blizzard, however, chose not to authorize MDY to sell Glider to its users. Even accepting that these factors favor Blizzard, we do not think that they independently warrant a grant of summary judgment to Blizzard. As noted, we cannot hold that five of the seven "impropriety" factors compel a finding in Blizzard's favor at this stage, including the two (nature of MDY's conduct and MDY's motive) that the Arizona courts deem most important. Accordingly, we vacate the district court's grant of summary judgment to Blizzard.[22]

    B. Copyright Act preemption

    MDY contends that Blizzard's tortious interference claim is preempted by the Copyright Act. The Copyright Act preempts state laws that confer rights equivalent to the exclusive rights of copyright under 17 U.S.C. § 106 (i.e., reproduction, distribution, public display, public performance, and creation of derivative works). 17 U.S.C. § 301(a). However, the Copyright Act does not preempt state law remedies with respect to "activities violating legal or equitable rights that are not equivalent to any of the exclusive rights [of copyright]." 17 U.S.C. § 301(b)(3).

    Whether, in these circumstances, tortious interference with contract is preempted by the Copyright Act is a question of first impression in this circuit. However, we have previously addressed a similar tortious interference cause of action under California law and found it not preempted. See Altera Corp. v. Clear Logic, Inc., 424 F.3d 1079, 1089-90 (9th Cir.2005). In so holding, we relied on the Seventh Circuit's analysis in ProCD, 86 F.3d 1447, which explained that because contractual rights are not equivalent to the exclusive rights of copyright, the Copyright Act's preemption clause usually does not affect private contracts. Altera, 424 F.3d at 1089; see ProCD, 86 F.3d at 1454 ("A copyright is a right against the world. Contracts, by contrast, generally affect only their parties; strangers may do as they please, so contracts do not create `exclusive rights.'"). The Fourth, Fifth, and Eighth Circuits have also held that the Copyright Act does not preempt a party's enforcement of its contractual rights. See Nat'l Car Rental Sys., Inc. v. Comp. Assoc. Int'l, Inc., 991 F.2d 426, 433 (8th Cir.1993); Taquino v. Teledyne Monarch Rubber, 893 F.2d 1488, 1501 (5th Cir.1990); Acorn Structures, Inc. v. Swantz, 846 F.2d 923, 926 (4th Cir.1988).

    This action concerns the anti-bot provisions of ToU § 4(b)(ii) and (iii), which we have held are contract-enforceable covenants rather than copyright-enforceable conditions. We conclude that since Blizzard seeks to enforce contractual rights that are not equivalent to any of its exclusive rights of copyright, the Copyright Act does not preempt its tortious interference claim. Cf. Altera, 424 F.3d at 1089-90. Accordingly, we hold that Blizzard's tortious interference claim under Arizona law is not preempted by the Copyright Act, [958] but we vacate the grant of summary judgment because there are outstanding issues of material fact.[23]

    VII.

    The district court found that Donnelly was personally liable for MDY's tortious interference with contract, secondary copyright infringement, and DMCA violations. We vacate the district court's decision because we determine that MDY is not liable for secondary copyright infringement and is liable under the DMCA only for violation of § 1201(a)(2) with respect to WoW's dynamic non-literal elements. In addition, we conclude that summary judgment is inappropriate as to Blizzard's claim for tortious interference with contract under Arizona law. Accordingly, on remand, the district court shall reconsider the issue of Donnelly's personal liability.[24] The district court's decision is VACATED and the case is REMANDED to the district court for further proceedings consistent with this opinion.

    Each side shall bear its own costs.

    [1] Alternatively, MDY asks that we determine whether there are any genuine issues of material fact that warrant a remand for trial on Blizzard's secondary copyright infringement claims. We find none.

    [2] See also S.O.S., 886 F.2d at 1089 (remanding for infringement determination where licensee exceeded the license's scope by preparing a modified version of software programs without licensor's authorization); LGS Architects, Inc. v. Concordia Homes, Inc., 434 F.3d 1150, 1154-57 (9th Cir.2006) (licensor likely to prove infringement where licensee used architectural plans for project outside the license's scope, where licensee's use may have included unauthorized reproduction, distribution, and public display of the plans); Frank Music Corp. v. Metro-Goldwyn-Mayer, Inc., 772 F.2d 505, 511 (9th Cir. 1985) (hotel infringed copyright by publicly performing copyrighted music with representations of movie scenes, where its public performance license expressly prohibited the use of accompanying visual representations).

    [3] A copyright holder may wish to enforce violations of license agreements as copyright infringements for several reasons. First, breach of contract damages are generally limited to the value of the actual loss caused by the breach. See 24 Richard A. Lord, Williston on Contracts § 65:1 (4th ed.2007). In contrast, copyright damages include the copyright owner's actual damages and the infringer's actual profits, or statutory damages of up to $150,000 per work. 17 U.S.C. § 504; see Frank Music Corp. v. MGM, Inc., 772 F.2d 505, 512 n. 5 (9th Cir.1985). Second, copyright law offers injunctive relief, seizure of infringing articles, and awards of costs and attorneys' fees. 17 U.S.C. §§ 502-03, 505. Third, as amicus Software & Information Industry Association highlights, copyright law allows copyright owners a remedy against "downstream" infringers with whom they are not in privity of contract. See ProCD, Inc., 86 F.3d at 1454.

    [4] A licensee arguably may commit copyright infringement by continuing to use the licensed work while failing to make required payments, even though a failure to make payments otherwise lacks a nexus to the licensor's exclusive statutory rights. We view payment as sui generis, however, because of the distinct nexus between payment and all commercial copyright licenses, not just those concerning software.

    [5] 17 U.S.C. § 106; see also Jay Dratler, Cyberlaw: Intellectual Prop. in the Digital Millennium, § 1.02 (2009) (stating that the DMCA's "protection is also quite different from the traditional exclusive rights of the copyright holder . . . [where the] exclusive rights never implicated access to the work, as such").

    [6] Perhaps for this reason, Congress did not list descrambling and decrypting as circumventing acts that would violate § 1201(b)(1). See 17 U.S.C. § 1201(b)(2)(A).

    [7] For instance, pursuant to § 1201(a), the Library of Congress recently approved circumvention of the technological measures contained on the iPhone and similar wireless phone handsets known as "smartphones," in order to allow users to install and run third-party software applications on these phones. See http://www.copyright.gov/fedreg/2010/75fr 43825.pdf.

    [8] In addition to these four textual differences, we note that § 1201(a)(2) prohibits the circumvention of "a technological measure," and § 1201(b)(1) prohibits the circumvention "of protection afforded by a technological measure." In our view, these terms have the same meaning, given the presumption that a "legislative body generally uses a particular word with a consistent meaning in a given context." Graham County Soil & Water Conservation Dist. v. United States ex rel. Wilson, ___ U.S. ___, 130 S.Ct. 1396, 176 L.Ed.2d 225, (2010) (quoting Erlenbaugh v. United States, 409 U.S. 239, 243, 93 S.Ct. 477, 34 L.Ed.2d 446 (1972)) (internal quotation marks omitted).

    [9] Indeed, the House Commerce Committee proposed, albeit unsuccessfully, to move § 1201 out of Title 17 altogether "because these regulatory provisions have little, if anything, to do with copyright law. The anticircumvention provisions (and the accompanying penalty provisions for violations of them) would be separate from, and cumulative to, the existing claims available to copyright owners." H.R.Rep. No. 105-551 (1998), pt. 2, at 23-24.

    [10] The Copyright Office has also suggested that § 1201(a) creates a new access control right independent from copyright infringement, by expressing its view that the fair use defense to traditional copyright infringement does not apply to violations of § 1201(a)(1). U.S. Copyright Office, The Digital Millennium Copyright Act of 1998: U.S. Copyright Office Summary 4 (1998), available at http://www. copyright.gov/legislation/dmca.pdf ("Since the fair use doctrine is not a defense to the act of gaining unauthorized access to a work, the act of circumventing a technological measure in order to gain access is prohibited.").

    [11] The Fifth Circuit in its subsequently withdrawn opinion in MGE UPS Systems, Inc. v. GE Consumer and Industrial, Inc., 95 U.S.P.Q.2d 1632, 1635 (5th Cir.2010), embraced the Federal Circuit's approach in Chamberlain. However, its revised opinion, 622 F.3d 361 (5th Cir.2010), avoids the issue by determining that MGE had not shown circumvention of its software protections. Notably, the revised opinion does not cite Chamberlain.

    [12] Like the Chamberlain court, we need not and do not reach the relationship between fair use under § 107 of the Copyright Act and violations of § 1201. Chamberlain, 381 F.3d at 1199 n. 14. MDY has not claimed that Glider use is a "fair use" of WoW's dynamic non-literal elements. Accordingly, we too leave open the question whether fair use might serve as an affirmative defense to a prima facie violation of § 1201. Id.

    [13] Copyright misuse is an equitable defense to copyright infringement that denies the copyright holder the right to enforce its copyright during the period of misuse. Practice Mgmt. Info. Corp. v. Am. Med. Ass'n, 121 F.3d 516, 520 (9th Cir.1997). Since we have held that § 1201(a) creates a right distinct from copyright infringement, we conclude that we need not address copyright misuse in this case.

    [14] The Chamberlain court's assertion that the public has a constitutional right to appropriately access copyright works during the copyright term, 381 F.3d at 1200, cited Eldred v. Ashcroft, 537 U.S. 186, 204-05, 123 S.Ct. 769, 154 L.Ed.2d 683 (2003). The Eldred decision, however, was quoting the Supreme Court's previous decision in Sony Corp. of America v. Universal City Studios, Inc., which discussed the public's right of access after the copyright term. 464 U.S. 417, 429, 104 S.Ct. 774, 78 L.Ed.2d 574 (1984) ("[T]he limited grant [of copyright] . . . is intended to motivate the creative activity of authors and inventors by the provision of a special reward, and to allow the public access to the products of their genius after the limited period of exclusive control has expired.").

    [15] We also agree with the district court that there are no genuine issues of material fact on Blizzard's § 1201(a)(2) claim regarding WoW's literal elements.

    [16] To "circumvent a technological measure" under § 1201(a) means to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A) (emphasis added). A circuit split exists with respect to the meaning of the phrase "without the authority of the copyright owner." The Federal Circuit has concluded that this definition imposes an additional requirement on a § 1201(a)(2) plaintiff: to show that the defendant's circumventing device enables third parties to access the copyrighted work without the copyright owner's authorization. See Chamberlain, 381 F.3d at 1193. The Second Circuit has adopted a different view, explaining that § 1201(a)(3)(A) plainly exempts from § 1201(a) liability those whom a copyright owner authorizes to circumvent an access control measure, not those whom a copyright owner authorizes to access the work. Corley, 273 F.3d at 444 & n. 15; see also 321 Studios v. MGM Studios, Inc., 307 F.Supp.2d 1085, 1096 (N.D.Cal.2004) (same).

    We find the Second Circuit's view to be the sounder construction of the statute's language, and conclude that § 1201(a)(2) does not require a plaintiff to show that the accused device enables third parties to access the work without the copyright owner's authorization. Thus, Blizzard has satisfied the "circumvention" element of a § 1201(a)(2) claim, because Blizzard has demonstrated that it did not authorize MDY to circumvent Warden.

    [17] The statutory definition of the phrase "effectively control access to a work" does not require that an access control measure be strong or circumvention-proof. Rather, it requires an access control measure to provide some degree of control over access to a copyrighted work. As one district court has observed, if the word "effectively" were read to mean that the statute protects "only successful or efficacious technological means of controlling access," it would "gut" DMCA § 1201(a)(2), because it would "limit the application of the statute to access control measures that thwart circumvention, but withhold protection for those measures that can be circumvented." See Universal City Studios v. Reimerdes, 111 F.Supp.2d 294, 318 (S.D.N.Y. 2000) ("Defendants would have the Court construe the statute to offer protection where none is needed but to withhold protection precisely where protection is essential.").

    [18] We note that the DMCA allows innocent violators to seek reduction or remittance of damages. See 17 U.S.C. § 1203(c)(5).

    [19] No evidence establishes that Glider users engage in this practice, and Glider itself does not provide a software mechanism for taking screenshots or otherwise reproducing copyrighted WoW material.

    [20] The district court permanently enjoined "MDY and Michael Donnelly from engaging in contributory or vicarious copyright infringement and from violating the DMCA with respect to Blizzard's copyrights in and rights to" WoW. Because we conclude that MDY is not liable under § 1201(b)(1), we vacate the aspect of the permanent injunction dealing with MDY's and Donnelly's § 1201(b)(1) liability.

    [21] When MDY created Glider in 2005, Blizzard's ToU prohibited the use of "cheats" and "unauthorized third-party software" in connection with WoW. The meaning of these contractual terms, including whether they prohibit bots such as Glider, is ambiguous. In Arizona, the construction of ambiguous contract provisions is a jury question. See Clark v. Compania, Ganadera de Cananea, S.A., 94 Ariz. 391, 385 P.2d 691, 697-98 (1963).

    [22] Because the district court entered a permanent injunction based on MDY's liability for tortious interference, we also vacate that permanent injunction.

    [23] Because we determine that there are triable issues of fact, we need not, and do not, address MDY's further contentions: that (1) Blizzard has unclean hands because it changed the ToU to ban bots after this litigation began; and (2) MDY is not liable for tortious interference because it only "honestly persuaded" people to buy Glider.

    [24] If MDY is found liable at trial for tortious interference with contract, the district court may consider Donnelly's personal liability for that tortious interference. Moreover, the district court may determine whether Donnelly is personally liable for MDY's violation of DMCA § 1201(a)(2). In light of the foregoing disposition regarding Donnelly's personal liability, we also vacate in toto the district court's permanent injunction against Donnelly, though the district court may consider the propriety of an injunction against Donnelly if it finds him liable for MDY's § 1201(a)(2) violations or for tortious interference with contract.