In EarthCam, Inc. v. OxBlue Corp., et al., 2017 WL 3188453 (11th Cir. 2017), a marketer of web-based camera systems, EarthCam, brought a lawsuit against a competitor, OxBlue, and certain OxBlue executives and employees, alleging various forms of corporate espionage and misappropriation of trade secrets. Among EarthCam’s claims was a claim for violation of the federal Computer Fraud and Abuse Act (the “CFAA”).
The CFAA generally prohibits accessing a computer (or computer system) and obtaining information from that computer without authorization or by exceeding authorized access. And while the CFAA does not define “without authorization,” it defines “exceeds authorized access” to mean: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 28 U.S.C. § 1030(e)(6).
EarthCam argued that OxBlue violated the CFAA by using an OxBlue customer’s EarthCam username and password to access the customer’s EarthCam account and take screenshots of EarthCam’s webpage and user interface. EarthCam’s customers are required to enter into an End User License Agreement (commonly known as a “EULA”) that prohibits the unauthorized access, display, and copying of EarthCam’s information. However, EarthCam’s EULA does not prohibit its customers from sharing their login credentials with a third party. And there was no evidence that OxBlue was aware of the terms of EarthCam’s EULA when it accessed the customer account.
The trial court granted summary judgment to OxBlue against EarthCam’s CFAA claim, and the Eleventh Circuit affirmed. Two key facts were dispositive: (1) EarthCam’s EULA did not prohibit its customers from sharing their login credentials with third parties; and (2) because the EULA was not presented to the user on each log in, it could not be shown that OxBlue was aware of the terms of the EULA when it accessed its customer’s EarthCam account. Accordingly, OxBlue could not be held civilly liable under the CFAA because it could not be proven that its access of EarthCam’s website was either unauthorized, or that OxBlue exceeded authorized access. In other words, because OxBlue itself never agreed to the terms of the EULA and was not presented with them upon logging in with its customer’s EarthCam account, it was not bound by the EULA’s terms that limited the user’s authorized access.