Page 232 - A Study on the Role of UGC Platforms in Copyright Law:An Intermediary-oriented Approach
P. 232
A Study on the Role of UGC Platforms in Copyright Law: Chapter 7 Platform Users’ Entitlement to UGCs: Human Use and Web Scraping
An Intermediary-oriented Approach
freedom to restrict access or revoke access authorisation provided that such restriction is
within the scope of antitrust law. The revocation should take the form of imposing a code-
based authorisation system. Other methods such as sending cease and desist letters, imposing
IP address blocks and setting CAPTCHA do not constitute an effective revocation of
149
authorisation.
Recent controversies over the revocation of access authorisation have arisen in situations
where the defendant has obtained the password to the code-based authorisation system
from the plaintiff’s employees or the plaintiff website’s users, and the plaintiff claims to
have revoked this permission. The courts have appeared to be more solicitous of plaintiff’s
websites when the defendant’s access authorisation has come from the password provided
by a third party, even in a lawful way. For example, in Facebook v. Power Ventures, Power
Ventures was a social media aggregator that provided a service allowing users to view their
information from all social networking sites in one place. This relieved users of the burden of
constantly switching between services like Facebook, LinkedIn and Twitter. As a prerequisite
to providing the service, Power Ventures required Facebook users to share their Facebook
usernames and passwords. Facebook claimed to revoke Power Ventures’ authorisation by
sending cease and desist letters to Power Ventures and imposing IP address blocks. The court
confirmed that the cease and desist letters and IP address blocks were sufficient to establish
Facebook’s ‘express revocation of permission’. 150
In another case handed down by the same court, United States v. Nosal (II), the
defendant gained authorisation from a current employee of the plaintiff to access an internal
company database. The majority opinion held that ‘authorisation’ under the CFAA strictly
referred to authorisation from the ‘system owner’. Any other interpretation would
151
152
‘render meaningless the concept of authorisation’ Acknowledging that ‘Nosal received
particularised notice of his revoked access following a prolonged negotiation’, the court
upheld the plaintiff website’s revocation, finding that its cease and desist letters had properly
153
revoked the defendant’s access.
However, the opinion that authorisation can only originate with the plaintiff website is,
in practice, impossible to enforce. Nor does it resonate with the password sharing routine on
154
the Web. It would be difficult to prohibit a user from sharing his/her password with family
149 hiQ Labs, Inc. v. LinkedIn Corp., 273 F. Supp. 3d 1099, 1118 (N.D. Cal. 2017); CouponCabin LLC v. Savings, No. 2:14-CV-
39-TLS, 2017 WL 83337, at *9 (N.D. Ind. 11 Jan. 10, 2017) (the court acknowledged that the plaintiff has taken ‘affirmative
steps to restrict and/or revoke the Defendants' access to its website by "block[ing] the access of all traffic, including legitimate
users, emanating from certain cloud computing providers and internet service providers identified as being used particularly
heavily by the De-fendants to conduct scraping activities," though the court did not indicate what the kind of “blocking the
access of all traffic’ is).
150 Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1068 (9th Cir. 2016).
151 United States v. Nosal, 844 F.3d 1024, 1051 (9th Cir. 2016).
152 Ibid 1036.
153 Ibid 1030.
154 Williams, ‘Automation Is Not “Hacking”’ (n 118) 433.
• 218 •
