A Blog About Intellectual Property Litigation and the District of Delaware


We're stretching the limits of "IP" in today's IP/DE post, but I thought it was a fun case, and there's nothing anyone can do to stop me.

(Eds. Note - Andrew actually knows how the website works, so he could probably stop me)


Today's case is RyanAir DAC v. Booking Holdings Inc., C.A. No. 20-1191-WCB, D.I. 399 (D. Del. Aug. 7, 2024). For those unfamiliar, RyanAir is sort of the Irish version of Spirit Airlines, although I believe they represent a significantly less wintry ring of hell (I understand they do not charge extra for a seat that did not previously contain an incontinent cat). Booking is a third-party website for booking airfare and accommodations -- similar to Expedia for our American readers.

Apparently, it was undisputed that Booking paid contractors to scrape RyanAir's website via screengrabs to get prices to post on their site. RyanAir sued, alleging that this amounted to a violation of the Computer Fraud and Abuse Act ("CFAA") because, in collecting the screencaps, Booking and its contractors "intentionally accessed a computer without authorization or exceeded authorized access, and thereby obtained information from any protected computer."

So I mean, it's pretty close to IP.

The issue was that RyanAir's website was, unsurprisingly, open to the flying public. They ran various anti-spyware measures to prevent bots from scraping their website for prices and blacklisted known bots, but any normal person was free to peruse at their leisure. The dispute thus centered on whether running bots to grab the prices, in contravention of terms of service and in an active attempt to circumvent the security measures, constituted access to the website "without authorization." Judge Bryson found that it did not:

A decision revoking access to the website for noncompliance with the website’s terms of use does not transform the website into a private page under the hiQ Labs framework. The defendants are therefore correct that any user can access any page on Ryanair’s website without any prior authorization (except for the final payment page of the my Ryanair portion of the website). In sum, the defendants’ access to the Ryanair website is not “without authorization” as that term is used in the CFAA.

Id. at 13.

Defendants thus prevailed on summary judgment that access to the initial pages did not violate this section of the CFAA. There was a wrinkle, however. As you may have gathered from the above, the final step of the purchasing process at RyanAir involved creating an account at Myryanair.com. This required making an account with a verified email address. The question was then whether this greater security was enough to grant the website protection under the CFAA. Judge Bryson found that it was:

When a party is required to create an account and select a password, the website owner potentially has more control over whether to admit the party, particularly if the website owner conditions creation of the account on some kind of verification process, such as Ryanair’s requirement of email confirmation. It may be that the verification process is not infallible, but that is merely to say that the party seeking access may be able to obtain unauthorized access by some form of dissembling regarding its identity
. . .
Accessing the payment page of the myRyanair portion of the Ryanair website requires authorization. That is, the myRyanair portion of the website uses an authorization scheme that permits some users to create accounts but blocks others. Accessing that portion of the myRyanair website depends on the user being permitted to create an account and then passing a password gate based on having an account. As I noted in my order denying the defendants’ motion to dismiss, cease-and-desist letters can withdraw authorization to access a protected portion of a website when an authentication mechanism protects access to that portion of the website. Accordingly, if the defendants accessed the password-protected portion of the myRyanair website after Ryanair issued cease-and-desist letters to them, they could be found liable for accessing myRyanair “without authorization” within the meaning of 18 U.S.C. § 1030(a).

Id. at 16, 19.

The real crux of the issue on this latter point was whether a website that did the usual "make an account and confirm your email" rigamarole was really gating access to the content to the extent that it deserved the same CFAA protections as something like a private intranet that strictly limited access to known entities. Judge Bryson found that it might be, but declined to grant summary judgment to either party on the issue.
