Summary
In Ticketmaster, the ticket seller made tickets available to the public on its website subject to terms of use that barred the use of robots, programs, and other automated devices ("bots") to make purchases.
Summary of this case from Domain Name Comm'n Ltd. v. DomainTools, LLCOpinion
Case No. 2:17–cv–07232–ODW–JC
2018-05-29
Alexandra Hill, Donald R. Brown, Mark Steven Lee, Robert H. Platt, Manatt Phelps and Phillips LLP, Los Angeles, CA, for Plaintiff. Benjamin K. Semel, Pryor Cashman LLP, New York, NY, Thomas H. Vidal, Benjamin S. Akley, Pryor Cashman LLP, Los Angeles, CA, for Defendant.
Alexandra Hill, Donald R. Brown, Mark Steven Lee, Robert H. Platt, Manatt Phelps and Phillips LLP, Los Angeles, CA, for Plaintiff.
Benjamin K. Semel, Pryor Cashman LLP, New York, NY, Thomas H. Vidal, Benjamin S. Akley, Pryor Cashman LLP, Los Angeles, CA, for Defendant.
ORDER DENYING DEFENDANTS' MOTION TO DISMISS PLAINTIFF'S FIRST AMENDED COMPLAINT [37]
OTIS D. WRIGHT, II, UNITED STATES DISTRICT JUDGE
I. INTRODUCTION
Ticketmaster L.L.C. ("Ticketmaster") brings this suit against Prestige Entertainment West, Inc., Renaissance Ventures LLC, Nicholas Lombardi, and Steven K. Lichtman (collectively, "Defendants"), alleging thirteen causes of action based on Defendants' use of automated programs generally known as bots, which navigate Ticketmaster's website and mobile app in order to purchase large quantities of tickets for resale at a profit. (See generally Compl., ECF No. 1.) Defendants moved to dismiss the Complaint, and the Court granted the motion in part with leave to amend. (ECF Nos. 24, 32.) Ticketmaster filed its First Amended Complaint on February 21, 2018. (First Am. Compl. ("FAC"), ECF No. 36.) Defendants now move to dismiss the First Amended Complaint in its entirety. (Mot. 1, ECF No. 37.) The parties submitted briefs in support of their positions, and the Court heard the parties' arguments on April 9, 2018 at 1:30 p.m. (Mot.; Opp'n, ECF No. 39; Reply, ECF No. 41; ECF No. 42.) For the foregoing reasons, the Court DENIES Defendants' Motion to Dismiss.
Ticketmaster's original Complaint also listed Prestige Entertainment, Inc. as a defendant, but Ticketmaster voluntarily dismissed this Defendant before filing its First Amended Complaint. (Compl. 1; Not. Dismissal, ECF No. 35.)
II. BACKGROUND
A. Factual Background
Ticketmaster sells tickets for live entertainment events to the general public on behalf of its clients through its website, mobile app, and telephone call centers. (FAC ¶ 17.) Consumer demand for tickets to a given event often exceeds the supply available through Ticketmaster. (FAC ¶ 18.) This results in intense competition among consumers, who try to purchase tickets the moment that the tickets become available for sale on Ticketmaster's website and mobile app. (FAC ¶ 18.)
Ticketmaster has employed various measures in an effort to ensure a fair and equitable ticket purchasing process for its consumers. (FAC ¶ 19.) For instance, Ticketmaster requires each user to create a password-protected account before the user can purchase a ticket. (FAC ¶ 42.) This allows Ticketmaster to better regulate ticket sales, and it also functions as a form of password protection against unauthorized access to the Ticketmaster platform. (FAC ¶ 42.) Ticketmaster also limits the number of tickets that may be purchased in a single transaction and regulates the speed with which users may refresh their requests to search for, reserve, and purchase tickets. (FAC ¶ 19.)
Defendants are an enterprise that seeks to profit off the intense competition for tickets that Ticketmaster's platforms engender. They do this by purchasing large quantities of tickets from Ticketmaster and selling them at a markup on StubHub.com and other ticket resale sites. (FAC ¶ 47.) In order to gain an unfair advantage in searching for and buying these tickets, Defendants have employed robots, programs, and other automated devices, generally known and referred to herein as "bots." (FAC ¶¶ 3, 5.) These bots inundate Ticketmaster's website and mobile app with page requests and ticket reserve requests at a far higher rate than would be possible for a human alone. (FAC ¶¶ 3, 5.)
In an effort to put a stop to bots Ticketmaster has employed several countermeasures, including:
• CAPTCHA, a security program whose purpose is to distinguish between human users and bots by requiring the purchaser to retype a series of random, partially obscured characters, a task designed to be impossible for a bot to accomplish (FAC ¶ 20);
• Splunk and other commercial data compilation and analysis services, which help Ticketmaster analyze its sales data and detect patterns that indicate that tickets have been purchased by bots (FAC ¶ 21);
• Over Ticket Limit, a proprietary feature created to automatically block, in real time, the purchase of tickets that appear to be coming from bots (FAC ¶ 22).
Despite Ticketmaster's efforts, Defendants have found ways to circumvent these countermeasures by using, among other things, colocation facilities with high speed bandwidth, random number and letter generators, cookie trading, and CAPTCHA farms. (FAC ¶¶ 43–44, 47, 51, 52.)
Defendants' enterprise seems to have achieved its goals. Defendants used their bots to acquire tens of thousands of tickets for the New York stage play Hamilton , often purchasing thirty to forty percent of the entire amount of tickets available for a given performance. (FAC ¶ 5.) Defendants' bots also procured a majority of tickets available through Ticketmaster to the high-profile Mayweather v. Pacquiao boxing match in Las Vegas in 2015. (FAC ¶ 5.) In total, Ticketmaster estimates that between January 2015 and September 2016, Defendants generated 9,047 dummy user accounts and 313,528 ticket orders, sending a total of six million requests to the Ticketmaster website and mobile app. (FAC ¶¶ 42, 51, 58.)
Use of Ticketmaster's website is governed by its Terms of Use. (FAC ¶ 24.) Users must agree to the Terms of Use before they can view and use Ticketmaster's platforms, and both the website and mobile app repeatedly remind users that the Terms of Use govern the use of Ticketmaster's services. (FAC ¶¶ 25, 27.) The Terms of Use grant users a "limited, conditional no-cost, non-exclusive, non-transferable, non-sublicensable license to view Ticketmaster's site to purchase tickets as permitted by these Terms for non-commercial purposes only if" the user agrees not to conduct certain activities. (FAC ¶ 30.) These activities include:
• using "any robot ... or any other ... device, tool, or process to retrieve, index, data mine, or in any way reproduce or circumvent the navigational structure or presentation of the Content or the Site, including with respect to any CAPTCHA displayed on the site,"
• using any "automated software or computer system to search for, reserve, buy, or otherwise obtain tickets,"
• accessing, reloading, or refreshing transactional event or ticketing pages, or making any other request to transactional servers, more than once during any three-second interval,
• requesting "more than 1,000 pages of the Site in any 24–hour period, whether alone or with a group of individuals;" and
• reproducing, modifying, displaying, publicly performing, distributing, or creating derivative works of the Site or its Content.
(FAC ¶ 30.)
Ticketmaster owns registered copyrights in its website and mobile app. (FAC ¶ 28.) According to the express language in the Terms of Use, any of the above activities constitutes copyright, patent, and trademark infringement, because engaging in any prohibited activity revokes the user's permission to use the Ticketmaster website and mobile app. (FAC, Ex. A at 56.) Continued use of the Ticketmaster website without permission to do so, says the Terms of Use, constitutes infringement. (FAC ¶ 32.)
Ticketmaster diligently attempts to identify and stop the users of bots, but Defendants' sophisticated techniques have hindered Ticketmaster's ability to do so. (FAC ¶ 58.) After tracing the bot-related ticket purchases for the Mayweather–Pacquiao boxing match to Renaissance, Ticketmaster sent a cease-and-desist letter (the "Letter") in May 2015 addressed to Nicholas Lombardi describing some of the evidence Ticketmaster had uncovered that linked him, his colleagues, and their companies to the improper ticket purchases. (FAC ¶ 59, Ex. E.) The Letter demanded that Defendants "cease and desist from any further violations of Ticketmaster's rights." (FAC ¶ 59, Ex. E at 72.)
Lombardi acknowledged receiving the Letter, but Defendants continued their enterprise. (FAC ¶ 60.) On October 2, 2017, Ticketmaster initiated this lawsuit against Defendants and several Doe Defendants. Does 7 and 8 are the computer programmers and developers that created, marketed, and provided the named Defendants with the bots, and they are referred to herein as the Bot Developers. (FAC ¶ 6.) Does 9 and 10 are those entities who assisted and conspired with Prestige West by purchasing the improperly procured tickets from Defendants for later resale. (FAC ¶ 7.) These Doe defendants are referred to herein as the Additional Purchasers.
B. Procedural History
In its initial Complaint, Ticketmaster brought claims for: (1) breach of contract; (2) copyright infringement in violation of 17 U.S.C. § 101 et seq. ; (3) violation of the Digital Millennium Copyright Act ("DMCA"), 17 U.S.C. § 1201 et seq. ; (4) fraud; (5) aiding and abetting fraud; (6) inducing breach of contract; (7) intentional interference with contractual relations; (8) violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030 et seq. ; (9) violation of the California Computer Data Access and Fraud Act ("CDAFA"), California Penal Code section 502 et seq. ; and (10) violation of the New York Anti–Scalping Law, New York Arts and Cultural Affairs Law section 25.01 et seq.
After Ticketmaster filed its Complaint, Defendants moved to dismiss seven of Ticketmaster's ten claims. (ECF No. 24.) The Court granted Defendants' motion in part, dismissing the copyright infringement claim, the CFAA claim, and the California CDAFA claim. (Order Mot. Dismiss ("Order") 9, 14, ECF No. 32.) Dismissal was granted with leave to amend, except to the extent that the copyright infringement claim was based on Defendants' excess of the limitations on page refreshes and ticket requests imposed by the Terms of Use. (Order 9.) The Court also denied Defendants' motion in part, finding that Ticketmaster's initial Complaint stated a claim with respect to the Digital Millennium Copyright Act, breach of contract, and fraud. (Order 11, 16, 18.)
Ticketmaster's First Amended Complaint asserts a new theory of copyright infringement, and adds new allegations regarding the CFAA and CDAFA claims. (See FAC ¶¶ 94–104; 160–165; 166–178.) On March 7, 2018, Defendants moved to dismiss the First Amended Complaint pursuant to Federal Rule of Civil Procedure 12(b)(6). (Mot. 1.)
III. LEGAL STANDARD
A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6)"tests the sufficiency of a claim." Navarro v. Block , 250 F.3d 729, 732 (9th Cir. 2001). Dismissal is appropriate when a complaint "lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory." Mendiondo v. Centinela Hosp. Med. Ctr. , 521 F.3d 1097, 1104 (9th Cir. 2008).
In ruling on a motion to dismiss under Rule 12(b)(6), the Court assumes all factual allegations in the complaint to be true, viewing those allegations in the light most favorable to the nonmoving party. Thompson v. Davis , 295 F.3d 890, 895 (9th Cir. 2002) ; Cahill v. Liberty Mut. Ins. Co. , 80 F.3d 336, 337–38 (9th Cir. 1996). While a plaintiff need not give "detailed factual allegations," the plaintiff must plead sufficient facts that, if true, "raise a right to relief above the speculative level." Bell Atlantic Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). Moreover, a court need not "accept as true allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences." Sprewell v. Golden State Warriors , 266 F.3d 979, 988 (9th Cir. 2001). Ultimately, "[t]he claim must be sufficiently plausible that ‘it is not unfair to require the opposing party to be subjected to the expense of discovery and continued litigation.’ " Mora v. U.S. Bank , No. CV 15–02436 DDP (AJWx), 2015 WL 4537218, at *2 (C.D. Cal July 27, 2015) (quoting Starr v. Baca , 652 F.3d 1202, 1216 (9th Cir. 2011) ).
IV. DISCUSSION
Defendants argue that Ticketmaster has failed to state a claim with respect to copyright infringement, the DMCA, the CFAA, and the California CDAFA. (Mot. 1.) Defendants argue that the Court lacks subject matter jurisdiction over the remaining claims. (Mot. 1.) They also argue that the Court should dismiss the Doe defendants because Ticketmaster has failed to timely serve them. (Mot. 4.) The Court first addresses Defendants' Motion to Dismiss the Doe defendants, because some of Ticketmaster's claims against Defendants rest on the viability of its claims against the Doe defendants.
A. Doe Defendants
As discussed in further detail below, Ticketmaster's claim for secondary copyright infringement against the moving Defendants rests on their direct infringement claim against Doe defendants 7 and 8. Defendants argue that such Doe pleading is improper, and that the Court should dismiss these Doe defendants because Ticketmaster has failed to identify or serve them. (Mot. 4.) Defendants seek dismissal of the Doe defendants pursuant to Rule 4(m), governing dismissal of unserved defendants, and not under 12(b)(6) for failure to state a claim. (Mot. 4;) see also Fed. R. Civ. P. 4(m).
Defendants cite Buckheit v. Dennis , 713 F.Supp.2d 910, 918 n.4 (N.D. Cal. 2010), for the observation that "[g]enerally, ‘Doe’ pleading is improper in federal court." Although there is no provision in the Federal Rules permitting the use of fictitious defendants, Fifty Associates v. Prudential Ins. Co. , 446 F.2d 1187, 1191 (9th Cir. 1970), there is a provision in the Local Rules of the Central District of California allowing the practice of pleading up to 10 Doe defendants without the need for the leave of the Court. C.D. Cal. L.R. 19–1. This alone shows that, at least in some circumstances in the Central District of California, Doe pleading is proper.
Here, although Doe defendants 7 and 8 are fictitiously named, they are anything but fictitious. Does 7 and 8 are the individuals or entities who assisted Defendants in creating and developing the bots, and the very fact that the bots exist is proof that Does 7 and 8 exist as well. Ticketmaster has identified with specificity the roles that Does 7–8 and Does 9–10 played in the alleged enterprise. (FAC ¶¶ 6–7.)
When the identity of alleged defendants will not be known prior to the filing of a complaint, "the plaintiff should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds." Gillespie v. Civiletti , 629 F.2d 637, 642 (9th Cir. 1980). Doe pleading is therefore particularly appropriate when, as here, the viability of a claim against a known party depends on the actions of a party whose identity is unknown at the time of the pleading. As discussed below, Ticketmaster's copyright claim against the moving Defendants depends on direct infringement by Does 7 and 8, whose identities Ticketmaster does not yet know. Ticketmaster's lack of information prevents it from identifying the Bot Developers and the Additional Purchasers, but, as discussed below in greater detail, it knows circumstantially that these individuals or entities must exist, so it impleads them as Doe defendants. This is perfectly acceptable. There is a reasonable probability that Ticketmaster, by propounding discovery with tools such as interrogatories and requests for inspection of electronically stored information, will succeed at uncovering the identities of the Bot Developers and the Additional Purchasers. The Court will give Ticketmaster the opportunity to do so.
Defendants maintain that Federal Rule of Civil Procedure 4(m) requires a court to dismiss a defendant who has not been served within 90 days after the Complaint was filed. Fed. R. Civ. P. 4(m). However, according to that same rule, "if the plaintiff shows good cause for the failure, the court must extend the time for service for an appropriate period." Id.
Good cause exists in this case to allow Ticketmaster additional time to serve the unidentified Defendants. The Court has yet to enter a scheduling order in this case or set a deadline for moving for leave to amend the pleadings. Moreover, as the Ninth Circuit in Gillespie implicitly recognized, an information deficit, where discovery would correct that deficit, is good cause to allow a plaintiff an extended period of time to identify and serve unknown defendants. 629 F.2d at 642. Such a deficit exists here, and the fact that Ticketmaster has indicated that it is ready to name one of the Doe defendant Bot Developers supports the conclusion that further discovery will allow Ticketmaster to identify the remaining Doe defendants. (Opp'n 23.) Ticketmaster has shown good cause, and the Court DENIES Defendants' motion to dismiss the Doe defendants from this case pursuant to Federal Rule of Civil Procedure 4(m).
B. Copyright Infringement
Defendants move to dismiss Ticketmaster's secondary copyright infringement claim against Prestige West, Renaissance, and the Additional Purchasers. (FAC ¶¶ 94–99.) To establish secondary infringement, Ticketmaster must first allege direct infringement of its copyright. MDY Indus., LLC v. Blizzard Entm't, Inc. , 629 F.3d 928, 937 (9th Cir. 2010). Ticketmaster alleges that Doe defendants 7 and 8, the entities that assisted the named Defendants by creating, marketing, and providing bots, are the direct infringers in this case. (FAC ¶¶ 100–04.) Although Defendants do not move to dismiss the claim against the Bot Developers, the Court analyzes Ticketmaster's claim against the Bot Developers under the same standard as that used in a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6), because the sufficiency of Ticketmaster's claim for secondary infringement depends on the sufficiency of Ticketmaster's claim for direct infringement.
" ‘Anyone who violates any of the exclusive rights of the copyright owner,’ that is, anyone who trespasses into his exclusive domain by using or authorizing the use of the copyrighted work in one of the five ways set forth in the statute, ‘is an infringer of the copyright.’ " Sony Corp. of Am. v. Universal City Studios, Inc. , 464 U.S. 417, 433, 104 S.Ct. 774, 78 L.Ed.2d 574 (1984) (quoting 17 U.S.C. § 501(a) ). Thus, to state a claim for direct infringement, Ticketmaster must show (1) that it owns a valid copyright in the allegedly infringed material and (2) that Doe defendants 7 and 8, the Bot Developers, violated at least one exclusive right granted to copyright holders under 17 U.S.C. § 106. See A & M Records, Inc. v. Napster, Inc. , 239 F.3d 1004, 1013 (9th Cir. 2001). These rights include the exclusive right to reproduce the copyrighted work. 17 U.S.C. § 106(1).
However, one who reproduces the work of another is not an infringer of the copyright if the copyright holder has granted authorization to reproduce. See Sony Corp. , 464 U.S. at 433, 104 S.Ct. 774. Specifically, a valid license is an affirmative defense to a claim of copyright infringement, so long as the licensee has not exceeded the scope of the license granted by the copyright holder. See LGS Architects, Inc. v. Concordia Homes of Nev. , 434 F.3d 1150, 1156 (9th Cir. 2006).
1. Protectability of Website
Ticketmaster alleges that the Bot Developers, in the course of developing the bots later used by Defendants to purchase tickets, downloaded, recorded, and stored on their computer systems for extended periods of time the pages and code associated with Ticketmaster's website and mobile app. (FAC ¶ 66.) A threshold issue is whether United States copyright law provides copyright protection to the pages and code that the Bot Developers allegedly copied. See SOFA Entm't, Inc. v. Dodger Prods., Inc. , 709 F.3d 1273, 1279 (9th Cir. 2013) ("Copyright only attaches to an original work fixed in a tangible medium of expression, never in the underlying ideas or facts."). Defendants argue that websites are not subject to copyright protection, but this argument is without merit. (Mot. 8.) Copyright law protects "original works of authorship," 17 U.S.C. §§ 101 – 103, and the typical commercial website readily qualifies for copyright protection under this standard. See Ticketmaster L.L.C. v. RMG Technologies, Inc. , 507 F.Supp.2d 1096, 1104 ("A website may constitute a work of authorship fixed in a tangible medium of expression ....") (quoting Integrative Nutrition, Inc. v. Academy of Healing Nutrition , 476 F.Supp.2d 291, 296 (S.D.N.Y. 2007) ). In Integrative Nutrition , the Southern District of New York recognized that "[c]opyright protection for a website may extend to both the screen displays and the computer code for the website." 476 F.Supp.2d at 296. The Ninth Circuit has recognized in an analogous context that computer software contains three distinct layers of content: literal elements, individual non-literal elements, and dynamic non-literal elements. See MDY Indus. , 629 F.3d at 952–54. All three are works of authorship that can merit copyright protection. Id. This three-tiered approach works equally well with respect to websites, because the only functional difference between software and websites is that the underlying code for the former is stored on the user's local system whereas the underlying code for the latter is stored on a remote server.
First, both websites and software are comprised of literal elements. The MDY court defined literal elements as the "source code stored on players' hard drives," 629 F.3d at 952, which, in the context of websites, is the "computer code for the website," Integrative Nutrition , 476 F.Supp.2d at 296.
Websites also contain individual non-literal elements and dynamic non-literal elements, which the Integrative Nutrition court described as the "screen displays" of the site. Id. A website's individual non-literal elements are the individual audiovisual components of the website, including the website's logos, images, fonts, videos and sound effects. Accord MDY , 629 F.3d at 952 (describing a video game's individual non-literal elements as the "discrete visual and audible components of the game, such as a visual image of a monster or its audible roar"). A website's dynamic non-literal elements include the experience of the website as presented to the individual user. Accord id. (describing a video game's dynamic non-literal elements as the "real-time experience of traveling through different worlds, hearing their sounds, viewing their structures, encountering their inhabitants and monsters, and encountering other players"). Nearly all modern websites contain dynamic non-literal elements because nearly all websites are interactive. The user's experience of the website is "dynamic" in that the site responds to the user's input by generating a unique presentation of content and information for each user. For example, on social media websites, the user's content feed is a dynamic non-literal element because it is a collection of content and information generated uniquely and specifically for that user based on the user's past interactions with the social media platform.
The terms "pages" and "code" in Ticketmaster's First Amended Complaint refer, at the very least, to the literal, code-level elements of the Ticketmaster website and mobile app. (FAC ¶ 66.) "Pages" and "code" may also refer to additional non-literal elements, depending on exactly what the Bot Developers downloaded and stored. Each of these elements is a work of authorship, which gets copyright protection, as long as it contains the required modicum of originality. See Feist Publn's v. Rural Tel. Servs. , 499 U.S. 340, 345, 111 S.Ct. 1282, 113 L.Ed.2d 358 (1991) ("The vast majority of works make the grade quite easily, as they possess some creative spark, no matter how crude, humble, or obvious it might be.") (internal quotation marks omitted). The numerous proprietary functions and features that Ticketmaster has built into its website and mobile app allow the Court to plausibly infer that all three layers of Ticketmaster's website contain content that the copyright laws recognize as original. (See, e.g. , FAC ¶¶ 4, 22, 49.) Ticketmaster has demonstrated that the pages and code of its website and mobile app, contain protectable content.
2. Ownership of Copyright
Having shown that the material the Bot Developers allegedly copied is subject to copyright protection, Ticketmaster must also show that it owns a copyright in the copied material. See A & M Records, 239 F.3d at 1013. A copyright registration certificate constitutes prima facie evidence of the validity of the copyright and the facts stated on the certificate, including the fact that the plaintiff owns a copyright. Lamps Plus, Inc. v. Seattle Lighting Fixture Co. , 345 F.3d 1140, 1144 (9th Cir. 2003) ; see 9th Circuit Model Jury Instruction 17.5. Ticketmaster lists the registration numbers and registration dates for 22 components of its website and mobile app, including Ticketmaster.com's Homepage, Event Ticket Order Pages, Order Information page, Android Platform, and iOS Platform. (FAC ¶ 28.) These allegations establish a presumption that Ticketmaster's copyrights in its website and mobile app are valid, and that it is the owner of said copyrights. Since nothing in the First Amended Complaint rebuts this presumption, the Court concludes that Ticketmaster has sufficiently pled ownership of copyright in the allegedly copied pages and code.
3. Direct Infringement by Bot Developers
Ticketmaster claims that the Bot Developers have directly infringed Ticketmaster's reproduction right. (FAC ¶ 102.) United States Copyright law gives the owner of a valid copyright "the exclusive right to ... reproduce the copyrighted work in copies ...." 17 U.S.C. § 106. Copies, in turn, are "material objects ... in which a work is fixed by any method now known or later developed, and from which the work can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device." 17 U.S.C. § 101 ; CoStar Realty Info., Inc. v. Field , 737 F.Supp.2d 496, 507 (D. Md. 2010). The act of downloading and storing the pages and code of a website qualifies as making a "copy" under the Copyright Act because the pages and code becomes fixed on a hard drive, from which they can later be perceived and reproduced with the aid of a computer. See 17 U.S.C. § 101. Ninth Circuit courts agree that downloading and storing constitutes reproduction. See Columbia Pictures Indus., Inc. v. Fung , 710 F.3d 1020, 1034 (9th Cir. 2013) (recognizing that downloading copyrighted material violates a copyright holder's right to reproduction); see also Oracle USA, Inc. v. Rimini Street, Inc. , 879 F.3d 948, 955–56 (9th Cir. 2018) (finding infringement of reproduction right when a software servicer downloaded and maintained copies of a software developer's program on the servicer's own computers, in excess of the servicer's license to do so). Thus, if the Bot Developers have indeed downloaded and stored Ticketmaster's pages and code on their local systems as Ticketmaster alleges, then Ticketmaster has a claim for copyright infringement. Ticketmaster possesses no direct evidence of this copying, so it must present circumstantial evidence. The only issue at this stage, however, is whether Ticketmaster's pleadings are sufficient to permit the Court to plausibly infer that the Bot Developers have copied Ticketmaster's pages and code.
i. Sufficiency of Showing of Copying
Defendants contend that Ticketmaster's copyright claim must fail because Ticketmaster has failed to allege with particularity which components of its website are original, which components were copied, and exactly when. (Reply 4, ECF No. 41.) Defendants' argument overstates the pleading requirements for direct copyright infringement. It is enough if Ticketmaster alleges facts which plausibly lead to the conclusion that at least one Defendant downloaded and stored portions of the Ticketmaster website or mobile app, with sufficient specificity to put Defendants on "fair notice of the allegations against it." See Perfect 10, Inc. v. Cybernet Ventures, Inc. , 167 F.Supp.2d 1114, 1120–21 (C.D. Cal. 2001) (recognizing that a complaint that alleges present ownership of copyright, proper registration, and infringement by a defendant is typically sufficient under pleading rules).
Ticketmaster, like many copyright plaintiffs, does not possess direct evidence that any Defendant copied the literal elements of its website or mobile app. See Three Boys Music Corp v. Bolton , 212 F.3d 477, 481 (9th Cir. 2000) ("Proof of copyright infringement is often highly circumstantial ....") Absent direct evidence of copying, a plaintiff may show infringement circumstantially, by alleging that (1) the defendant had access to the plaintiff's work prior to the alleged copying and (2) the defendant's work and the plaintiff's work are substantially similar. See Unicolors, Inc. v. Urban Outfitters , 853 F.3d 980, 984–85 (9th Cir. 2017). This method of proving copying circumstantially is grounded in the notion that an accused work can be so similar to the copyrighted work that at a certain point the factfinder's only reasonable conclusion must be that the defendant copied the work. See Airframe Sys., Inc. v. L–3 Commcn's Corp. , 658 F.3d 100, 106 (1st Cir. 2011) (describing the substantial similarity test as turning on whether a reasonable, ordinary observer, upon examination of the two works, would conclude that the defendant unlawfully appropriated the plaintiff's protectable expression).
Ticketmaster alleges circumstantial proof of copying, albeit by a slightly different route than the familiar two-pronged test of access and substantial similarity. Specifically, Ticketmaster alleges that (1) the Bot Developers developed bots that proved highly capable of purchasing large quantities of tickets, and (2) Ticketmaster's website and mobile app are complex platforms that each contain several layers of protection and security measures. (FAC ¶¶ 54–55.) Ticketmaster asserts that developing such capable bots would necessarily require deep study and analysis of the pages and code of Ticketmaster's website and mobile app, which means that the Bot Developers must have downloaded and stored literal or non-literal elements of Ticketmaster's website and mobile app on their local systems in the course of developing these bots. (FAC ¶¶ 66, 102.)
Ticketmaster's argument about the striking compatibility of Defendants' bots with Ticketmaster's platforms is a compelling variation on the well-known "substantial similarity" test for circumstantial proof of copyright infringement. Ticketmaster's theory is based on the legally sound (and rather unremarkable) proposition that circumstantial evidence can create a plausible inference that copying has occurred.
Ticketmaster pleads several facts that together make a strong case for its "striking compatibility" argument. The bots enable Defendants to launch thousands of concurrent and recurring reserve requests for tickets for specific events. (FAC ¶ 45.) The bots are calibrated such that when the reserve request expires, the bot is able to regenerate a new ticket reserve request at a far greater speed than any legitimate human could manage, thus preventing any human from reserving or purchasing the ticket. (FAC ¶ 45.) Moreover, the bots can trade information so that purchases coming from multiple computers would appear to be coming from the same computer, allowing the bots to hide themselves by more closely mirroring what Ticketmaster's algorithms considered normal human use. (FAC ¶ 47.) Finally, the bots are able to escape detection when ordering tickets through the mobile app interface, which Ticketmaster alleges is not possible without first obtaining certain lines of code called security tokens embedded deep within the code of the Ticketmaster mobile app. (FAC ¶ 56.)
These allegations show that Defendants' bots were remarkably effective at circumventing a leading online ticketing platform's best defenses. It strains credulity to think that the Bot Developers could have developed such successful bots without downloading and storing Ticketmaster's pages and code. The bots' effectiveness is circumstantial evidence that plausibly supports the conclusion that at some point the Bot Developers copied protected portions of the Ticketmaster website and mobile app onto its own servers, in order to develop bots that could successfully circumvent Ticketmaster's myriad security measures. Under the federal standards for notice pleading, Ticketmaster's allegations of copying are sufficient.
ii. License defense
Defendants assert a license defense, arguing that Ticketmaster's Terms of Use agreement ("TOU") provides users a license to copy Ticketmaster's website. (Reply 3.) A 12(b)(6) motion tests the sufficiency of a complaint, and as such, it is generally not the appropriate stage to assert affirmative defenses. Scott v. Kuhlmann , 746 F.2d 1377, 1378 (9th Cir. 1984). But if an affirmative defense is obvious from the face of the pleadings, a defendant may raise that defense in a motion to dismiss. Clifton v. Houghton Mifflin Harcourt Publishing Co. , 152 F.Supp.3d 1221, 1225 (N.D. Cal. 2015) ; see Rodriguez v. Swartz , 111 F.Supp.3d 1025, 1030 (D. Ariz. 2015).
The Court finds that nothing in the Complaint, including Ticketmaster's Terms of Use attached thereto as Exhibit E, shows that Ticketmaster granted Defendants, or any other users, a license to download and store Ticketmaster's pages and code on the user's local system. The section of the Terms of Use entitled "Ownership of Content and Grant of Conditional License" describes exactly what rights Ticketmaster grants its users, and nowhere does Ticketmaster grant its users a right to download and copy. The relevant section of the Terms of Use provide:
The Site and all data, text, designs, pages, print screens, images, artwork, photographs, audio and video clips, and HTML code, source code, or software that reside or are viewable or otherwise discoverable on the Site, and all tickets obtained from the Site, (collectively, the "Content") are owned by us or our licensors....
We grant you a limited, conditional, no-cost, non-exclusive, non-transferable, non-sublicensable license to view this Site and its Content as permitted by these Terms for non-commercial purposes only if, as a condition precedent, you agree that you will not [engage in one of several prohibited activities.]
Other provisions of the Terms of Use contain minor provisions regarding the scope of the user's license, but these two paragraphs contain all the material provisions of the user's license.
(FAC, Ex. E at 55.) These Terms of Use give Ticketmaster users the right to "view" Ticketmaster's website. While the Terms of Use do indicate that the website's HTML code and source code may be "viewable or otherwise discoverable," such descriptive language does not amount to a grant of a license. Under no reasonable interpretation do these Terms of Use grant Defendants a license to download and store Ticketmaster's pages and code.
At Defendants' motion to dismiss Ticketmaster's original Complaint, both the Court and the parties devoted considerable attention to whether the provisions of Ticketmaster's Terms of Use were conditions or covenants. (Prior Mot. 7–8, ECF No. 24–1; Prior Opp'n 10, ECF No. 25; Order 8–9.) Defendants now reiterate that, pursuant to this Court's prior order, the provisions of the Terms of Use are covenants, and that, under MDY , the violation of a covenant gives rise only to a contract claim and not to a claim for copyright infringement. (Mot. 6; Order 9.) In so arguing, Defendants misconstrue MDY and the underlying copyright laws. Under MDY , a violation of a provision of a Terms of Use is copyright infringement if the violation implicates one of the copyright holder's exclusive rights, regardless of whether the violated provision is a covenant or a condition. See MDY Indus. , 629 F.3d at 940. Ticketmaster's new theory of direct infringement is based on the Bot Developers' violation of its exclusive statutory right of reproduction, and under MDY , this is sufficient. (FAC ¶ 102.) The condition-versus-covenant issue is moot in a scenario where, as here, the defendant has violated the plaintiff's exclusive statutory right.
The MDY court's concern with the condition-versus-covenant distinction arose from public policy concerns that are not present in this case. The plaintiff in MDY was the developer of an online multiplayer game, and the defendant was the developer of a bot that ordinary gamers could purchase to automatically play the early stages of the game on behalf of the gamer. Id. at 935. The plaintiff claimed that the direct infringers were the gamers who used the bots. Id. at 937–38. Because the game's Terms of Use declared that playing the game with a bot was unauthorized use of the game, any gamer who used a bot was a direct infringer of the plaintiff's copyright, by virtue of the fact that the gamer's computer made an unauthorized "copy" of the game in the gamer's local computer memory (RAM) while the game was being played. Id. at 939. The court rejected this analysis, refusing to recognize common bot use by ordinary gamers as copyright infringement. To hold these gamers liable, the court reasoned, would allow "any software copyright holder [to] designate any disfavored conduct during software use as copyright infringement, by purporting to condition the license on the player's abstention from the disfavored conduct." Id. at 941.
The concerns of the MDY court are not implicated by Ticketmaster's First Amended Complaint. Ticketmaster is alleging direct infringement by a small number of sophisticated software developers and marketers. (FAC ¶ 6.) This is a completely different theory of direct infringement than that alleged by the MDY plaintiff. MDY , 629 F.3d at 939. A finding of direct infringement in this case will not expose masses of Ticketmaster users to copyright liability merely because they violated Ticketmaster's own house rules. Thus, the holding of MDY does not directly control today's outcome.
Ticketmaster has plausibly alleged that the Bot Developers infringed Ticketmaster's statutory right of reproduction, and Defendants have not established that they had a license to reproduce Ticketmaster's pages and code by downloading and storing them on a local system. As the Court explained in its prior order, under MDY , this constitutes copyright infringement. (Order 7;) see also MDY , 629 F.3d at 940 ("To recover for copyright infringement based on breach of a license agreement, (1) the copying must exceed the scope of the defendant's license and (2) the copyright owner's complaint must be grounded in an exclusive right of copyright ....") Ticketmaster's claim survives not because the Bot Developers violated Ticketmaster's Terms of Use, but rather because they reproduced Ticketmaster's website in violation of 17 U.S.C. § 106, without possessing a license to do so. The Court therefore concludes that Ticketmaster has stated a claim for direct copyright infringement on the part of the Bot Developers.
4. Secondary Infringement by Moving Defendants
Having alleged direct infringement, Ticketmaster proceeds to accuse Defendants of secondary copyright infringement. (FAC ¶¶ 94–99.) A defendant may commit secondary infringement in one of two ways: contributorily, "by intentionally inducing or encouraging direct infringement," or vicariously, "by profiting from direct infringement while declining to exercise a right to stop or limit it." Metro–Goldwyn–Mayer Studios Inc. v. Grokster, Ltd. , 545 U.S. 913, 930–931, 125 S.Ct. 2764, 162 L.Ed.2d 781 (2005). Although "[t]he Copyright Act does not expressly render anyone liable for infringement committed by another, these doctrines of secondary liability emerged from common law principles and are well established in the law." Id. Ticketmaster alleges that Defendants committed secondary infringement by inducing, causing, or materially contributing to the Bot Developers' creation of bots, with knowledge that the Bot Developers would have to infringe Ticketmaster's copyrights in its website and mobile app in order to create the bots. (FAC ¶ 96.) The Court finds that Ticketmaster has stated a claim for Defendants' contributory infringement based on the direct infringement of the Bot Developers.
"[O]ne contributorily infringes when he (1) has knowledge of another's infringement and (2) either (a) materially contributes to or (b) induces that infringement." Perfect 10, Inc. v. Visa Int'l Serv. Ass'n , 494 F.3d 788, 795 (9th Cir. 2007) ; see also A & M Records, Inc. v. Napster, Inc. , 239 F.3d 1004, 1019 (9th Cir. 2001) (defining contributory infringement as "personal conduct that encourages or assists the infringement"). The Ninth Circuit and the Supreme Court have announced various formulations of this same basic test for contributory liability. Visa Int'l , 494 F.3d at 795. In synthesizing those formulations, the Ninth Circuit reviews the details of the actual ‘cases and controversies’ in each of the test-defining cases and the actual holdings in those cases to determine whether the factual scenario presented in the case before it is analogous. VHT, Inc. v. Zillow Grp., Inc. , No. C15-1096JLR, 2017 WL 2654583, at *14 (W.D. Wash. June 20, 2017) (ellipsis and some internal quotation marks removed).
Ticketmaster has sufficiently pled Defendants' contributory liability for the copying committed by the Bot Developers. First, Ticketmaster alleges that the moving Defendants directed the Bot Developers to download and store on their computer systems large portions of Ticketmaster's copyrighted Site and App. (FAC ¶ 67.) Ticketmaster has therefore alleged facts that show that Defendants had knowledge of the Bot Developers' infringing activities.
Ticketmaster has also shown that the named Defendants induced or materially contributed to the Bot Developers' infringement. Ticketmaster alleges that the Bot Developers created, marketed, and provided the bots. (FAC ¶ 6.) Defendants then used those bots to purchase large quantities of tickets. (FAC ¶ 5.) These facts indicate a relationship between Defendants and the Bot Developers of mutual benefit to both parties, and it is reasonable to infer that Defendants contributed to the Bot Developers' infringement as part of this relationship. Without more knowledge about the nature of the relationship between Defendants and the Bot Developers, Ticketmaster cannot be expected to plead with any greater specificity. A 12(b)(6) motion tests the sufficiency of a complaint, not the sufficiency of the available evidence.
Because the Court has determined that Ticketmaster has successfully pled the moving Defendants' contributory liability for copyright infringement, the Court need not consider whether the moving Defendants are also vicariously liable under the facts as alleged.
For these reasons, the Court DENIES Defendants' motion to dismiss Ticketmaster's Second Claim for Relief.
C. DMCA
Defendants move to dismiss Ticketmaster's Fifth Claim for Relief for violations of the Digital Millennium Copyright Act, 17 U.S.C. § 1201 et seq. This Court, in its prior Order, found that Ticketmaster's original Complaint stated a claim under the DMCA, and denied Defendants' motion to dismiss on that ground. (Order 11.) Under the doctrine of law of the case, a court is generally precluded from reconsidering an issue that has already been decided by the same court or a higher court in the identical case, absent a material change in circumstances. See Thomas v. Bible , 983 F.2d 152, 154–155 (9th Cir. 1993). Ticketmaster's First Amended Complaint does contain new factual allegations, but none of those allegations disturb the sufficiency of its DMCA claim. In accordance with its prior order, the Court therefore DENIES Defendants' motion to dismiss Ticketmaster's Fifth Claim for Relief.
The Court will briefly address Defendants' main argument against the DMCA claim as pressed in its brief in support of this Motion. The relevant provision of the DMCA provides that "[n]o person shall circumvent a technological measure that effectively controls access to a [copyrighted] work ...." 17 U.S.C. § 1201(a)(1). Ticketmaster alleges that Ticketmaster's security measures, including CAPTCHA, are technological measures that control access to Ticketmaster's copyrighted webpages, and that Defendants' bots and other efforts circumvent those measures in violation of the DMCA. (FAC ¶ 52, 111.) Defendants' main argument is that Ticketmaster has failed to indicate any copyrighted work to which any of Ticketmaster's technological measures were effectively controlling access. (Mot. 10; Reply 5.)
Defendants' argument fails because Ticketmaster's CAPTCHA controls non-human access to Ticketmaster's ticket purchase pages and ticket confirmation pages, both of which are copyrighted works. The three-tiered analytical framework for copyrightable content as discussed above and as articulated by the Ninth Circuit in MDY makes this abundantly clear. 629 F.3d at 942–43.
The defendant in MDY argued that the bots he developed simply helped players play a game, and that there wasn't any copyrighted material that his bots were accessing in circumvention of a security measure. The court did agree with the defendant that the game's literal and individual non-literal elements did not qualify as access-controlled works under the statute. Id. at 952. The court reasoned that there was no technological measure controlling access to the literal and individual non-literal elements of the game because those elements were readily accessible to any player who had installed the game on their computers. Id. With respect to the game's dynamic non-literal elements, though, the court found a DMCA violation. Id. at 954. The individual experience of the game—the particular configuration of shapes, colors, and sounds presented on the screen as the gamer plays the game—was copyrightable expression, to which only a human had authorized access. Id. The plaintiff put security measures in place to keep bots from playing the game—that is, from accessing the game's copyrighted dynamic non-literal elements—and when the bots circumvented those measures, they circumvented an access control to a copyrighted work. Id.
Defendants' bots in this case do the very same thing. In order to purchase tickets from Ticketmaster, one must work through Ticketmaster's security measures, including CAPTCHA. Ticketmaster designs these security measures so that only a human can progress through Ticketmaster's pages and ultimately purchase a ticket. Each of these pages is a unique page, tailored specifically to the customer and what that customer is trying to accomplish. The process is familiar to anyone who has shopped online. For example, the purchase confirmation page of an online store will contain an individualized presentation of details, including the purchaser's shipping and billing information, information about the product or service purchased, and a purchase confirmation number. This unique, individualized presentation of information constitutes dynamic non-literal content which is subject to copyright protection. Moreover, the source code used to generate the purchase confirmation page is literal content which is also subject to copyright protection. Thus, when Defendants used bots to progress through Ticketmaster's security measures and ultimately gain access to ticket confirmation pages and data, they circumvented a technological measure that Ticketmaster had put in place to control access to Ticketmaster's copyrighted ticket confirmation pages and data. These pages and data are dynamic non-literal content and literal content, respectively, both of which, as discussed above, are protected by Ticketmaster's copyrights. Defendants' activities therefore satisfy the textual elements of the DMCA, 17 U.S.C. § 1201(a)(1).
The Court's finding falls in line with the growing number of courts that have concluded that circumvention of CAPTCHA and similar measures designed to distinguish between humans and non-humans violates the DMCA. In Ticketmaster L.L.C. v. RMG Technologies, Inc. , 507 F.Supp.2d 1096 (C.D. Cal. 2007), the court considered Ticketmaster's CAPTCHA feature, observing that it "controls access to a protected work because a user cannot proceed to copyright[-]protected webpages without solving CAPTCHA." RMG , 507 F.Supp.2d at 1112 ; see also Craigslist, Inc. v. Kerbel , No. C-11-3309 EMC, 2012 WL 3166798, at *10 (N.D. Cal. Aug. 2, 2012) (denying dismissal of DMCA claim where defendant marketed auto-posting services that enabled users to circumvent Craigslist's CAPTCHA, and collecting other Craigslist cases making the same finding.
Plaintiffs have stated a claim for relief under the DMCA. The Court therefore DENIES Defendants' motion to dismiss Ticketmaster's Fifth Claim for Relief.
D. CFAA
Defendants move to dismiss Ticketmaster's Eleventh Claim for Relief for violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. The CFAA prohibits computer trespass by those who are not authorized users or who exceed authorized use. Facebook, Inc. v. Power Ventures , 844 F.3d 1058, 1065–66 (9th Cir. 2016) (citing 18 U.S.C. § 1030(a)(2)(C) ). The CFAA is primarily a criminal-law statute, but a civil action is available for "[a]ny person who suffers damage or loss by reason of a violation" of the CFAA. The CFAA lists thirteen categories of offense that constitute a violation, and includes a conspiracy clause. 18 U.S.C. § 1030 (a) – (b).
Ticketmaster alleges that Defendants "knowingly and intentionally accessed Ticketmaster's computers without authorization or in excess of authorization" and that by so doing, they "obtained valuable, unauthorized information from Ticketmaster's ticketing systems." (FAC ¶¶ 162–63.) These allegations signal a potential violation under two of the CFAA's thirteen categories of offense. The first category prohibits "intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining ... information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). The second category provides punishment for those who "knowingly and with intent to defraud, access[ ] a protected computer without authorization, or exceed[ ] authorized access, and by means of such conduct further[ ] the intended fraud and obtain[ ] anything of value." 18 U.S.C. § 1030(a)(4).
Defendants maintain that this Court's prior order, which dismissed Ticketmaster's CFAA claim, constitutes law of the case that requires dismissal of Ticketmaster's CFAA claim on this Motion as well. (Mot. 13.) Ticketmaster's First Amended Complaint identifies specific ways that Defendants accessed the Ticketmaster website without authorization or in excess of authorization that were not identified in the original Complaint. (See, e.g. , FAC ¶ 163.) In light of Ticketmaster's new factual allegations, the Court finds it appropriate to consider Ticketmaster's CFAA claim anew.
In addition to showing a violation of one of the provisions of section 1030(a)(1)–(7), a private plaintiff bringing suit under the CFAA must show that the violation involved one of the five factors listed in subsection 1030(c)(4)(A)(i). See Custom Packaging Supply Inc. v. Phillips , Case No. 2:15-cv-04584-ODW-AGR, 2016 WL 1532220, at *4 (C.D. Cal. April 15, 2016). Ticketmaster alleges that Defendants' violations of the CFAA cost Ticketmaster "a loss of over $5000 in a one-year period." (FAC ¶ 164.) With this allegation, Ticketmaster seeks to avail itself of the first of the five factors, which allows for a civil action "if the offense caused ... loss to 1 or more persons during any 1–year period ... aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i)(I). Ticketmaster does not allege any facts that suggest that any of the factors in subsections (II)–(V) are involved.
To start with, Defendants do not maintain that their access was unintentional or unknowing, or that the computers in question were not protected computers. See 18 U.S.C. § 1030(e)(2) (" ‘[P]rotected computer’ means a computer ... which is used in or affecting interstate or foreign commerce or communication ...."). Thus, the issues common to both putative violations are (1) whether Defendants accessed Ticketmaster's computers without authorization or in a manner that exceeded authorized access, and (2) whether such access caused Ticketmaster an aggregate ‘loss’ of $5,000 in any one-year period. 18 U.S.C. §§ 1030(a)(2)(C), (a)(4). If Ticketmaster has successfully pled both of these allegations, it need only further plead that Defendants obtained "information," thus violating section 1030(a)(2)(C), or that Defendants obtained "anything of value," thus violating section 1030(a)(4). 1. Accessing Without Authorization or Exceeding Authorized Access
Section 1030(a)(4) further specifies that a defendant who obtained only "the use of the computer," where the value of that use was not more than $5,000 in any one-year period, has not violated the CFAA. Since Defendants here allegedly did more than use Ticketmaster's computers, this exception does not apply.
The CFAA "provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly." Musacchio v. United States , ––– U.S. ––––, 136 S.Ct. 709, 713, 193 L.Ed.2d 639 (2016). The parties in this case characterize the CFAA as an anti-hacking statute, and argue vigorously that hacking has not or has occurred. (Mot. 13; Opp'n 12 n.9.) Defendants understand hacking to mean accessing a non-public part of a website without authorization, and repeatedly assert that no Defendant has accessed anything other than the public Ticketmaster website. (Mot. 14, 15.)
While it is true that "Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking," United States v. Nosal , 676 F.3d 854, 858 (9th Cir. 2012), the word "hack" does not appear anywhere in the statute's text. See generally 18 U.S.C. § 1030. In fact, courts in the Ninth Circuit have repeatedly recognized violations of the CFAA without characterizing the violations as hacking. For example, the defendant in Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058 (9th Cir. 2016) was a provider of an online dashboard that allowed the user to log in and manage several of the user's social media accounts at once. Id. at 1062. The defendant initiated a promotional campaign that made combined use of the defendant's own platform and Facebook's email system to promote the defendant's service. Id. at 1063. Facebook sent the defendant a cease-and-desist letter, instructing the defendant to end the campaign. Id. Defendants continued their campaign, and in doing so, they accessed Facebook's computers in a way that exceeded their authorization, because the cease-and-desist letter had specifically revoked that authorization. Id. at 1067. The court found a valid CFAA claim without needing to find that the defendants had hacked into anything. Id. at 1069 ; see also United States v. Nosal , 930 F.Supp.2d 1051, 1060 (N.D. Cal. 2013) (clarifying that the Ninth Circuit "did not ... explicitly hold that the CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute.... Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA ....").
Thus, Ticketmaster's successful pleading of a CFAA violation doesn't depend on whether any Defendant hacked anything. The proper inquiry is whether Ticketmaster has sufficiently pled that Defendants accessed Ticketmaster's computers, either without any authorization, or in excess of the authorization they did have. Ticketmaster argues that each use of a bot to purchase a ticket was a use in excess of authorization because an individualized cease-and-desist Letter sent to Prestige on May 7, 2015 explicitly prohibited Prestige and the other Defendants from using bots to access Ticketmaster's website. (FAC, Ex. E; Opp'n 17.) Defendants argue that they did no more than violate Ticketmaster's Terms of Use, and that under relevant Ninth Circuit jurisprudence a violation of a Terms of Use cannot provide the basis for CFAA liability. (Reply 8.)
Ticketmaster and Defendants both argue that United States v. Nosal ("Nosal "), 676 F.3d 854 (9th Cir. 2012) supports their respective positions. In that case, the court recognized that the terms of use that website owners impose upon visitors are often "vague and generally unknown," and that "website owners retain the right to change the terms at any time and without notice." Id. at 863. Many terms-of-use agreements, including Ticketmaster's, expressly condition their permission to use the website on compliance with the Terms of Use, such that the moment a user violates a single provision, that user no longer has permission to access the site. See id. at 858. The result is that each visit to the site constitutes access of the site without authorization, in violation of the CFAA. Id. at 859.
Such reasoning, the court explained, creates federal crimes out of ordinary, run-of-the-mill Terms of Use violations, an unacceptable result. Id. at 860. As the court further explained:
[C]onsider the numerous dating websites whose terms of use prohibit inaccurate or misleading information. Or eBay and Craigslist, where it's a violation of the terms of use to post items in an inappropriate category. Under the government's proposed interpretation of the CFAA, ... describing yourself as "tall, dark, and handsome," when you're actually short and homely, will earn you a handsome orange jumpsuit.
Id. at 861–62 (citations omitted). The court went on to hold that " ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions." Id. at 864.
Nosal was about an employee who violated his employer's information use policies, not a web surfer who violated a website's terms of use. Id. at 856. Nevertheless, courts in the Ninth Circuit have applied the Nosal holding to ordinary computer users visiting websites or using software governed by terms-of-use agreements. These courts have held that violation of a website's (or software's) Terms of Use, without more, cannot constitute a violation of the CFAA. See Synopsys, Inc. v. ATopTech, Inc. , No. C 13-cv-02965 SC, 2013 WL 5770542, at *9 (N.D. Cal Oct. 24, 2013) (dismissing a CFAA claim brought on the basis of a software license agreement violation); Matot v. CH , 975 F.Supp.2d 1191, 1194 (D. Or. 2013) (dismissing a CFAA claim brought on the basis of a website's Terms of Use violation).
Defendants insist that Ticketmaster's CFAA claim is based "entirely" on a violation of its Terms of Use, and that the holding of Nosal therefore requires dismissal of Ticketmaster's CFAA claim. (Mot. 13.) However, this case is distinguishable from Nosal in two ways. First, here, Ticketmaster sent an individualized Letter to Defendants instructing them to cease their activities, whereas the defendant in Nosal received no individualized notice, and merely violated his employer's pre-existing confidentiality policies. Nosal , 676 F.3d at 856. Second, the Nosal defendant was an ex-employee who convinced current employees to steal confidential company files. Id. at 856. When those current employees accessed their employer's database to download the files, they had authorization to do so as employees of the company. Id. The Ninth Circuit would not find that the defendant exceeded authorized access when the only agreement the current employees broke was their employer's confidentiality agreement. Id. at 863. Here, by contrast, Defendants have been told by Ticketmaster that the only kind of access that they, Defendants, are authorized to make is access that conforms to Ticketmaster's Terms of Use. (FAC, Ex. E at 71–72.) Ticketmaster's cease-and-desist Letter was of far greater practical and legal significance than a generally applicable "use restriction," see Nosal , 676 F.3d at 864. The Letter was, in effect, an individualized access policy that revoked authorization upon breach of the policy.
These distinctions render Nosal's bright-line rule about use restrictions inapplicable to this case. Far more applicable is the reasoning and holding of the Ninth Circuit in Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058 (9th Cir. 2016). Both this case and Facebook involve a commercial defendant whose business model is built on unauthorized use of the plaintiff's website. The Facebook court found that after receipt of an individualized cease-and-desist letter, the defendant "knew that it no longer had authorization to access Facebook's computers, but continued to do so anyway." Id. at 1067. Unlike the Nosal opinion, the Facebook opinion contains no discussion of the risk of turning Terms of Use violators into copyright infringers, because after receipt of an individualized cease-and-desist letter, the defendant's use—as here—is no longer a mere Terms of Use violation and is instead a violation of a set of permissions and prohibitions directly and individually imposed upon the defendant.
Ticketmaster's Letter has the same effect as the letter in Facebook . Ticketmaster's Letter explicitly reminded Defendants that "use of the [Ticketmaster] website is conditioned on an agreement that the user will not ... use any automated ... computer system to ... buy ... tickets," and instructed Defendants to "cease and desist from any further violations of Ticketmaster's rights." (FAC, Ex. E at 71–72.)
To be clear, it is the violation of the terms of the Letter , not of Ticketmaster's Terms of Use, on which the Court bases its finding of a well-pled CFAA claim. The Facebook court required something "more" than mere violation of a website owner's terms of use to impose liability under the CFAA, and the Letter satisfies that requirement. Facebook , 844 F.3d at 1067. Ticketmaster's Letter accuses Defendants of particular unauthorized purchases of particular quantities of tickets on particular dates and times and contains a list of 47 fake email addresses that Defendants allegedly used to buy tickets. (FAC, Ex. E at 69–70.) The Letter, with its detailed factual allegations, is a "far cry from the permission skirmishes that ordinary Internet users face." See Facebook , 844 F.3d at 1069. Finding an individualized letter to be a basis for unauthorized use under the CFAA is fully consistent with the holding of the Nosal court, which was concerned specifically about violations arising from Terms of Use agreements imposed uniformly and adhesively upon a large number of end users.
Nor are Defendants "ordinary Internet users." Facebook , 844 F.3d at 1069. It is true that the Ninth Circuit will not use the CFAA to "transform[ ] otherwise innocuous behavior into federal crimes simply because a computer is involved," preferring to "prevent criminal liability for computer users who might be unaware that they were committing a crime." Id. But Defendants in this case are a sophisticated multi-entity business operation, not an employee on his way out the company, much less an overconfident eHarmony user or an innocuous eBay merchant struggling to determine the proper category in which to sell a trinket. See Nosal , 676 F.3d at 861–62. Defendants are anything but innocuous. They know that their entire business model is built on a scheme to evade Ticketmaster's policies for profit. (See ¶¶ 58, 122 (alleging 9,047 instances of fraud for each account Defendants created and 313,528 instances of fraud for each ticket order Defendants executed).)
Defendants attempt to distinguish this case from Facebook by pointing out that this Court previously found that Ticketmaster's Letter did not completely revoke access authority. (See Order 13 ("Ticketmaster's cease-and-desist letter appears to imply that Defendants could continue to use Ticketmaster's website so long as they abide by the TOU.") ) In Facebook , by contrast, the cease-and-desist letter sent by Facebook to the defendants appears to have revoked all authorization for defendants to use Facebook's website. 844 F.3d at 1067. Defendants make a distinction without a difference, because the CFAA penalizes both access without authorization and situations where a defendant possesses some authorization, but acts excess of that authorization. 18 U.S.C. § 1030 (a)(2)(c), (a)(4). Therefore, the fact that the Letter may have allowed Defendants to continue using Ticketmaster's website in a limited way does not allow Defendants to escape CFAA liability. After receipt of the Letter, each time Defendants purchased tickets with a bot, they accessed the Ticketmaster website in a manner explicitly forbidden to them, thus exceeding their authorization to use the Ticketmaster website. Defendants exceeded authorized access to Ticketmaster's computers when they received Ticketmaster's letter and nevertheless continued to use bots to purchase Ticketmaster tickets.
2. Loss
To sufficiently state its CFAA claim, Ticketmaster must plead facts that show that Defendants' conduct caused "loss to 1 or more persons during any 1–year period ... aggregating at least $5,000 in value." 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA defines "loss" as "any reasonable cost to any victim," and lists as examples "the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11). Defendants insist that the CFAA requires Ticketmaster to plead facts that show "interruption of service or impairment of data" and losses that flow directly therefrom. (Reply 11.) The Court disagrees with this reading of the statute's definition of "loss" for two reasons. First, the placement of the commas in the definition of "loss" indicates that "the cost of responding to an offense" does not have to be caused by "interruption of service." See 18 U.S.C. 1030(e)(11). These two clauses are separated by seven commas, and a strained reading is required to conclude that the last clause controls the first. The cost of "responding to an offense," on its own, qualifies as loss under the CFAA, without any need to connect it to an interruption of service.
The Court is mindful of a split among the circuits over what constitutes "loss" under the CFAA. Namely, some district courts have held that "loss" under the CFAA must "relate to the investigation or repair of a computer system following a violation that caused impairment or unavailability of data." Cassetica Software, Inc. v. Computer Scis. Corp. , No. 09 C 0003, 2009 WL 1703015, at *4 (N.D. Ill. June 18, 2009) ; see also Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd. , 387 F.Supp.2d 378, 381 (S.D.N.Y. 2005) (synthesizing cases and determining that " ‘losses’ under the CFAA are compensable only when they result from damage to, or the inoperability of, the accessed computer system"). This narrow definition of loss under the CFAA permits recovery of costs related to damage assessment or recovery only "when the costs are related to an interruption of service." Cassetica Software , 2009 WL 1703015, at *4.
Courts in the Ninth Circuit, on the other hand, do not read "loss" so narrowly. The defendant in SuccessFactors v. Softscape, Inc. , 544 F.Supp.2d 975 (N.D. Cal. 2008) was a departing employee who stole proprietary company information from a company computer and used the information to attempt to tarnish the reputation of his former employer. Id. at 977–78. The SuccessFactors court examined some of the cases that applied the narrower definition of "loss," but found them inapposite, because in cases like the one before it, "where the offense involves unauthorized access and the use of protected information, the reasonable "cost of responding to [the] offense," 18 U.S.C. § 1030 [ (e)(11) ], will be different from such cost in a case where the primary concern is the damage to the plaintiff's computer system itself." Id. at 981. The court further reasoned that "where the offender has ... accessed protected information, discovering who has that information and what information he or she has is essential to remedying the harm," and concluded that the plaintiff was likely to prevail on its CFAA claim. Id.
The Facebook court disposed of the issue in two sentences, finding "loss" under the CFAA in light of the fact that the plaintiff's "employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding" to the defendant's actions. Facebook , 844 F.3d at 1066. The Facebook court did not require the plaintiff's losses to flow either from "impairment of service" or from actual loss or unavailability of data. 18 U.S.C. § 1030(e)(11). To the Facebook court, costs spent analyzing, investigating, and responding to a defendant's unauthorized access, even when that access led to no actual loss or unavailability of data, qualify as "the cost of responding to an offense" and therefore provide the basis for a civil action under the CFAA. 844 F.3d at 1066.
A careful reading of the statute supports the reasoning of the SuccessFactors and Facebook courts. Under the CFAA, loss is "any reasonable cost to any victim." 18 U.S.C. § 1030(e)(1). This definition is followed by a list of costs that qualify as loss, but the word "including" indicates that this list is not exhaustive. Id. The nine types of loss in the statutory definition are provided merely as examples, not as limitations on what qualifies as "loss" under the CFAA.
Ticketmaster's allegations are sufficient in the Ninth Circuit to show "loss" under the CFAA. Under federal notice pleading standards, it is enough if Ticketmaster's allegations allow the Court to plausibly infer that Ticketmaster's "loss" exceeds $5,000. See Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). Ticketmaster need not, as Defendants contend, allege with detail "which Defendant allegedly did what and when and how and what it was that [Ticketmaster] allegedly did in response that caused it to incur any loss." (Mot. 18.) Ticketmaster has alleged a panoply of costs necessitated by Defendants' unauthorized access, including the costs of identifying Defendants (FAC ¶ 58), expanding security to identify and block bots (FAC ¶¶ 54–55, 60), and hiring third-party consultants to implement additional bot mitigation measures (FAC ¶ 54).
Defendants maintain that Custom Packaging Supply, Inc. v. Phillips , No. 2:15-cv-04584-ODW-AGR, 2016 WL 1532220, at *1 (C.D. Cal. Apr. 15, 2016) requires the opposite result. (Mot. 18.) The Phillips defendants were employees who stole their employer's proprietary company information in order "to compile an illegal library that they then passed on" to a competitor. 2016 WL 1532220, at *1. The plaintiff claimed that its "loss" arose from the fact that its employees had to spend several days taking action in wake of the theft of information. Id. at *5. However, in that case, the defendant's violation was a one-time act, and the money spent by the plaintiff in response was spent to diminish any consequential damages that might arise as a result of a single violation by a known violator. Id. Ticketmaster's money, by contrast, was spent identifying Defendants and trying to put a stop to their fraudulent enterprise. These are direct losses flowing from an unknown defendant's continued breach, as opposed to consequential losses flowing from a known defendant's one-time breach, as were present in Phillips . Accord Doyle v. Taylor , No. CV-09-158-RHW, 2010 WL 2163521, at *1 (E.D. Wash. May 24, 2010), aff'd sub nom. Doyle v. Chase , 434 F. App'x 656 (9th Cir. 2011) (observing that "loss" under the CFAA must flow from "something more: the costs associated with assessing a hacked system for damage, upgrading a system's defenses to prevent future unauthorized access, or the lost revenue caused by the misappropriation of trade secrets."). The loss alleged by the Custom Packaging Supply plaintiff was of a different species than the loss alleged here by Ticketmaster. The direct costs Ticketmaster incurred putting a stop to an ongoing offense qualify as "loss" under the CFAA. Moreover, Ticketmaster alleges that these direct costs far exceeded $5,000, as required by the CFAA, and provides sufficient support for that allegation with facts about the heightened security measures it put in place. 18 U.S.C. § 1030(c)(4)(A)(i)(I).
3. Obtaining Information and Obtaining Anything of Value
Ticketmaster's claim for relief under 18 U.S.C. § 1030(a)(2)(c) is complete if it can show that Defendants "obtained information" by accessing Ticketmaster's computers without authorization. By using their bots, Defendants obtained tickets to events. (FAC ¶ 5.) These tickets are "information" in two senses: (1) the tickets contain information on the face of the ticket that grants the bearer entrance to a particular event; and (2) the tickets themselves are transmitted through the internet in the form of computer code, which is itself information. Thus, Ticketmaster has stated a claim for relief under 18 U.S.C. § 1030(a)(2)(C).
Alternatively, Ticketmaster can show that Defendants obtained "something of value" to complete their claim for relief under 18 U.S.C. § 1030(a)(4). The tickets Defendants purchased undeniably have value, or else Defendants would not be running an ever-increasingly sophisticated business operation to obtain them. (FAC ¶¶ 6, 55.) Subsection (a)(4) also requires a showing of intent to defraud, and Defendants argue that Ticketmaster has not shown this intent under the heightened pleading standards of Federal Rule of Civil Procedure 9(b). (Mot. 15 n.6.) This Court, in its prior Order, explained that each of the 9,047 accounts created by Defendants, along with each of Defendant's 313,528 ticket purchases, was a particular instance of alleged fraud that satisfied the pleading requirements of Rule 9(b). (Order 17–18.) Ticketmaster's allegations of fraud were sufficient to survive Defendants' first motion to dismiss, and they are sufficient to survive this Motion as well.
For these reasons, the court DENIES Defendants' motion to dismiss Ticketmaster's Eleventh Claim for Relief.
E. CDAFA
Defendants move to dismiss Ticketmaster's Twelfth Claim for Relief for violations of the California Computer Data Access and Fraud Act. (Mot. 1.) The Court previously dismissed Ticketmaster's CDAFA claim as pled in the original Complaint. (Order 14.) The Court finds it appropriate to consider Ticketmaster's CDAFA claim anew, in light of Ticketmaster's new allegations regarding the Bot Developers' downloading and storing of Ticketmaster's pages and code.
The CDAFA is California's state-law analogue to the CFAA. The statute provides thirteen categories of activity that constitute an offense. Cal. Penal Code § 502(c)(1)–(13). Ticketmaster alleges that the Defendants have collectively committed acts that constitute violations under seven different subsections of the CDAFA. (FAC ¶¶ 167–173.) The Court finds that Ticketmaster has stated a claim with respect to three of these subsections. First, Ticketmaster has not stated a claim with respect to subsections (c)(1) and (c)(4), because those subsections both require that the Defendants have altered, damaged, deleted, or destroyed the data in some way. Id. § 502(c)(1), (4). Although Ticketmaster does allege that the Defendants' activities resulted in alteration, deletion, and destruction of data on the system, the allegation merely tracks the language of the statute itself, without providing facts to substantiate the claimed legal conclusions. (FAC ¶ 77.) Defendants' bots place a heavy load on Ticketmaster's system, and they cause Ticketmaster's system to relinquish tickets to Defendants against Ticketmaster's wishes, but Defendants' bots do not actually alter, damage, delete, or destroy data on Ticketmaster's systems. Precisely the opposite is true: the fact that Ticketmaster's systems continued to deliver tickets to Defendants' bots shows that Ticketmaster's systems continued to function as intended, without damage or alteration, while the bots operated. It is for this same reason that Ticketmaster has also failed to state a claim with respect to subsection (c)(5) of the CDAFA, which requires a showing of "disruption" or "denial" of computer services. Cal. Penal Code § 502(c)(5).
The Court will not read the phrase "or otherwise uses" in section 502(c)(1) as prohibiting anything other than use that is similar to alteration, damage, deletion, or destruction. Under the doctrine of eiusdem generis, when a list of two or more specific terms is followed by a more general term, the otherwise wide meaning of the general term must be restricted to the same class of the specific terms that precede it. See Circuit City Stores, Inc. v. Adams , 532 U.S. 105, 114–15, 121 S.Ct. 1302, 149 L.Ed.2d 234 (2001). The Court narrowly construes "otherwise uses" in section 502(c)(1) to refer to uses that involve data alteration, damage, deletion, and destruction.
Nor has Ticketmaster stated a claim with respect to subsection (c)(3) of the CDAFA. Under this section, knowingly using or causing the use of computer services without permission constitutes a violation. Id. § 502(c)(3). Under the CDAFA, " ‘[c]omputer services’ includes, but is not limited to, computer time, data processing or storage functions, or other uses of a computer ...." Id. § 502(b)(4). The services Ticketmaster's computers provide all relate to the sale of tickets. The sale of tickets is insufficiently similar to "computer time, data processing, or storage functions" to justify construing the "other uses" provision of the statutory definition of "computer services" to include ticket sale services. Id. Because Ticketmaster has not pled facts showing that it offers computer services, section 502(b)(4) does not provide Ticketmaster a basis for a CDAFA claim.
Ticketmaster's allegations with respect to subsections (c)(2), (c)(6), and (c)(7) of the CDAFA, on the other hand, are sufficient. The above-mentioned Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058, (9th Cir. 2016) controls the Court's holding with respect to subsection (c)(2). After sustaining the District Court's finding that the Facebook plaintiff stated a claim for a CFAA violation, the Ninth Circuit observed:
[D]espite differences in wording, the analysis under both [the CFAA and the CDAFA] is similar in the present case. Because [defendant] Power had implied authorization to access [plaintiff] Facebook's computers, it did not, at first, violate the statute. But when Facebook sent the cease and desist letter, Power, as it conceded, knew that it no longer had permission to access Facebook's computers at all. Power, therefore, knowingly accessed and without permission took, copied, and made use of Facebook's data. Accordingly, we affirm in part the district
court's holding that Power violated section 502.
Facebook, Inc. v. Power Ventures, Inc. , 844 F.3d 1058, 1069 (9th Cir. 2016), cert. denied, ––– U.S. ––––, 138 S.Ct. 313, 199 L.Ed.2d 206 (2017).
In accordance with the reasoning of the Ninth Circuit, Ticketmaster has stated a claim with respect to section 502(c)(2), which penalizes one who "[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer ...." Cal. Penal Code § 502(c)(2). Ticketmaster's Letter informed Defendants that they no longer had permission to use bots to purchase tickets from Ticketmaster. The fact that the Letter allowed Defendants to continue to make normal human use of the Ticketmaster website and app is of no consequence, because Defendants' subsequent ticket purchases constituted taking, copying, or making use of data, all done without Ticketmaster's permission by virtue of the fact that the purchases were powered by bots.
Next, subsection (c)(7) of the CDAFA prohibits knowing, unauthorized access of a computer. Id. § 502(c)(7). Ticketmaster's Letter revoked Defendants' authorization to use bots to access the Ticketmaster website in the same way that it revoked Defendants' authorization to use bots to take and make use of Ticketmaster tickets. For those reasons, supported by the Court's prior reasoning with respect to "exceeding authorized access" under the CFAA, Ticketmaster has stated a claim with respect to subsection (c)(7). See supra , Section IV.D.1.
Finally, subsection (c)(6) prohibits knowingly providing a means of accessing a computer system in violation of the CDAFA. Id. § 502(c)(6). The Bot Developers provided Defendants with bots, which Defendants used to commit violations of at least three other subsections of the CDAFA. Ticketmaster has therefore pled allegations sufficient to show the Bot Developers' violation of subsection (c)(6).
For these reasons, the Court DENIES Defendants' motion to dismiss Ticketmaster's Twelfth Claim for Relief.
F. Remaining Claims
Ticketmaster has stated claims for relief for violations of three different federal laws: copyright infringement, 17 U.S.C. § 101 et seq. , violation of the Digital Millennium Copyright Act, 17 U.S.C. § 1201 et seq. and violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Because the Court has original jurisdiction over these claims, the Court will continue to exercise supplemental jurisdiction over the remaining claims. Therefore, the Court DENIES Defendants' motion to dismiss Claims 1, 7, 8, 9, 10, and 13. Moreover, the Court will give Ticketmaster the opportunity to identify the Doe defendants through discovery. See supra Section IV.A. The Court therefore DENIES Defendants' motion to dismiss Claims 3, 4, and 6 against the Doe defendants.
V. CONCLUSION
For the reasons stated above, Defendants' Motion to Dismiss is DENIED. (ECF No. 37.) The Court finds:
(1) The First Amended Complaint alleges facts sufficient to state a claim for relief on the face of its pleading, as required by Federal Rule of Civil Procedure 8(a), with respect to Ticketmaster's Second, Fifth, Eleventh, and Twelfth Claims for Relief.
(2) This Court has subject-matter jurisdiction over Ticketmaster's state law claims.
(3) Doe defendants will not be dismissed.