Web Scraping can be Misappropriation of Trade Secrets

By John DiGiacomo

A recent decision from the US Court of Appeals for the 11th Circuit has held that web scraping data from a public website can, under some circumstances, be deemed a misappropriation of trade secrets. See Compulife Software, Inc. v. Newman, Case Nos. 18-12004, 18-12007 (11th Cir. May 20, 2020). The case was decided under the Florida version of the Uniform Trade Secrets Act (“UTSA”). 47 states have enacted the UTSA, so the case has potential applicability in most jurisdictions in the country and is also relevant to cases filed pursuant to the federal Defend Trade Secrets Act (“DTSA”).

Web scraping is a technique for extracting data from publicly accessible websites. It is not a traditional form of “hacking,” which involves breach of some security protocol. In theory, web scraping is done “with permission” in the sense that access to the website and the data is allowed. The person engaged in web scraping uses a software application, or a “bot,” to request information from a server using ordinary commands. An individual can use these same commands to obtain data and information from the website’s server. The bot, however, can use the commands to obtain data from the website at the rate of several queries per second. Each query is technically made one at a time, but the automated nature of the bot allows the web scraper to extract tremendous amounts of data in a very short amount of time. As the court explained in Compulife, by formulating queries in an orderly fashion and recording the resulting information, the bot can create a copy of a database underlying a website.

That is what was alleged in the Compulife case. Compulife operates a web-based life insurance quote service that allows registered users to compare life insurance quotes offered by various insurance companies. The plaintiff alleged that the web scraper, an individual hired by a competitor, used a bot to run millions of queries that effectively duplicated the relevant Compulife databases in about four days.

In the lawsuit, among many legal causes of action, Compulife alleged that the defendants misappropriated Compulife’s trade secrets through this web scraping technique. To state a cause of action for trade secret misappropriation, the trade secret owner must allege and prove:

  • Possession of a trade secret and
  • That the secret was misappropriated by improper means

In response to the trade secret claim, the defendants argued that the data was not “secret” since it was available to the public, and that web scraping was not “improper” because it was just an automated version of what users were allowed to do.

At the trial level, the assigned Magistrate Judge agreed with the defendants. The Magistrate held that the data was not protectible under the trade secret laws because each quote obtained by the web scraping queries was publicly available and, therefore, not “secret.” Likewise, even if the quotes were subject to the trade secret laws, there was no misappropriation because there was no “improper means.” If an individual could make the query, then using a bot to make the same queries was not misappropriation of trade secrets.

On appeal, the 11th Circuit disagreed. It was conceded by Compulife that the result of a single query was not a trade secret. However, the court held that the status of an individual query as a “secret” might be different from the status of the entire database. Reasonable security measures are needed for data to be deemed a “trade secret.” Although public availability was one factor suggesting that the data was not securely protected, public availability did not automatically strip the database of its trade secret status. More evidence was needed on other security measures put in place by Compulife.

Likewise, on the question of misappropriation, the court held that more evidence was needed. The legal issue is whether the web scraping can be deemed an “improper means.” Trade secret law has long held that activities which might otherwise be independently lawful, such as aerial reconnaissance, might still constitute improper means for purposes of trade secret misappropriation. Further, while executing one query might not be misappropriation, at some point, executing a sufficient quantity of queries might be. The court also reasoned that intent and permission were relevant in that Compulife might have consented to multiple queries by an individual or company — even thousands of queries — but that consent did not automatically mean that Compulife consented to millions of queries. All of these factors were relevant to whether web scraping was an “improper means.” The case was returned to the Magistrate Judge for further proceedings.

This is an important case since web scraping has become more and more common. The case provides some practical lessons for companies allowing public access to their data. For example, at a minimum, the relevant Terms of Service Agreement should explicitly limit the allowable access to the data and forbid duplication and storage. Such contractual limitations will constitute a form of “reasonable security measure” that will help protect the database as a “trade secret.” If you have questions about protecting your trade secrets or if you need to initiate trade secret litigation, contact the trade secret lawyers at Revision Legal at 231-714-0100.

