A recent unpublished decision by the Eleventh Circuit Court of Appeals serves as a strong reminder of the importance of clear and complete terms of use for digital services, and presenting those terms to users early and often.
In EarthCam, Inc. v. OxBlue Corp., et al., 2017 WL 3188453 (11th Cir. 2017), a marketer of web-based camera systems, EarthCam, brought a lawsuit against a competitor, OxBlue, and certain OxBlue executives and employees, alleging various forms of corporate espionage and misappropriation of trade secrets. Among EarthCam’s claims was a claim for violation of the federal Computer Fraud and Abuse Act (the “CFAA”).
The CFAA generally prohibits accessing a computer (or computer system) and obtaining information from that computer without authorization or by exceeding authorized access. And while the CFAA does not define “without authorization,” it defines “exceeds authorized access” to mean: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 28 U.S.C. § 1030(e)(6).
EarthCam argued that OxBlue violated the CFAA by using an OxBlue customer’s EarthCam username and password to access the customer’s EarthCam account and take screenshots of EarthCam’s webpage and user interface. EarthCam’s customers are required to enter into an End User License Agreement (commonly known as a “EULA”) that prohibits the unauthorized access, display, and copying of EarthCam’s information. However, EarthCam’s EULA does not prohibit its customers from sharing their login credentials with a third party. And there was no evidence that OxBlue was aware of the terms of EarthCam’s EULA when it accessed the customer account.
The trial court granted summary judgment to OxBlue against EarthCam’s CFAA claim, and the Eleventh Circuit affirmed. Two key facts were dispositive: (1) EarthCam’s EULA did not prohibit its customers from sharing their login credentials with third parties; and (2) because the EULA was not presented to the user on each log in, it could not be shown that OxBlue was aware of the terms of the EULA when it accessed its customer’s EarthCam account. Accordingly, OxBlue could not be held civilly liable under the CFAA because it could not be proven that its access of EarthCam’s website was either unauthorized, or that OxBlue exceeded authorized access. In other words, because OxBlue itself never agreed to the terms of the EULA and was not presented with them upon logging in with its customer’s EarthCam account, it was not bound by the EULA’s terms that limited the user’s authorized access.
In today’s digital world, we frequently accept the terms of service of the dozens of websites that we use on a daily basis – either implicitly or explicitly. It is easy to think that these terms of use contain mere boilerplate language, without consider the legal rights and obligations that come with them. But this case should serve as a reminder that those terms of use exist for a reason: to protect the respective interests of the service provider and its users.
As this case demonstrates, if you offer web-based services to your customers, you should review the terms of use that your customers agree to, and ensure that those terms clearly identify what your users are and are not authorized to do with their login credentials and use of your site and computer system. Of course, if you would like assistance in reviewing your business’s terms of service, we are happy to help.
