Friday, June 4, 2021

What Does it Mean to Exceed Authorized Access?

After years of debate and prosecutorial overreach, the Supreme Court has now narrowed the Computer Fraud and Abuse Act (CFAA). In Van Buren v. U.S., the Court ruled that obtaining information by "exceed[ing] authorized access" is limited to information on the computer that one is not authorized to access at all, rather than to information simply gathered for an improper purpose.

To explain, consider the facts of Van Buren. Van Buren had rightful access to a database of DMV license plate information. He accessed that database using valid credentials, but looked up information for an improper purpose. He was convicted under the CFAA for exceeding his authorized access. I have blogged about this issue before. The broad reading that sent him to jail is a really scary interpretation of the statute, one in which many ordinary people could go to jail for innocuous use of the internet.

The Court narrowed the meaning, and held that the language of the statute, "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," cannot be read to cover the purpose of gathering the information. Instead, "entitled so to obtain" must mean entitled to obtain in the manner previously referenced, which means obtained by access to a computer with authorization. Based on this reading, Van Buren cannot be guilty because he accessed records that he was already entitled to access. But he might have been guilty if he looked at personnel files on the same computer.

The Court leaves open the question whether access to other information must be barred by code or merely by policy. In the hypo above, if Van Buren bypasses a password on the computer to which he has access in order to obtain the personnel records, there's no question that such conduct would be barred. But what if the files were there for all to see if they merely looked, and it was simply policy that barred access? The Court leaves that question open. The legislative history, which I discuss here, makes clear that the policy-based bar was contemplated at the time of the statute, because "exceeds authorized access" was left out of some provisions of the CFAA to keep unwary employees from being ensnared: "It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data." (S. Rep. 99-472)

This brings me to my discomfort with the opinion. I'm thrilled at the outcome. The CFAA is much too broad, and this is one way to narrow the scope of it. Otherwise, it made all sorts of innocuous activity illegal. But from a textual standpoint, I've never been convinced that this is the proper reading of the words of the statute.

So long as the Court allows policy-based access restrictions (which is not crazy given the legislative history, even if it's not great policy), my view continues to be that the actual statutory interpretation part of it is not nearly as clear as the Court would have it. 

As noted above, the Court envisions two situations: 

    1. You may access the computer. You may access file A but (by policy) not file B, even though technically your access to the computer allows you to download file B. This exceeds authorized access. 

    2. You may access the computer. You may access file A, but (by policy) only for a particular purpose, even though technically your access to the computer allows you to download file A for any purpose. This does not exceed authorized access. 

For many policy reasons this is a better outcome than saying No. 2 exceeds authorized access. But the Court offers little support for the conceptual (or textual) notion that these two scenarios are distinct. There is nothing in the “entitled so to obtain” discussion that differentiates what is entitled by access once given and what is not. Both of these scenarios are types of information you could get with your access, but have no right to get under the terms of your access. 

The only difference is that as a matter of policy we don’t want to impose a purpose-based limitation on that right. Even if you accept the Court’s reading of the statute wholesale, you do not get to the Court's new rule: “an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” So long as “off-limits” is not code-based, this is a common law gloss rather than a textual one. I’m fine with that, but would rather the Court say that, or alternatively limit liability for all policy-based breaches.

To illustrate the point that we cannot differentiate policy limits, as I noted in this post years ago: what is to stop everyone from rewriting their agreements conditionally: "Your access to this server is expressly conditioned on your intent at the time of access. If your intent is to use the information for nefarious purposes, then your access right is revoked." Problem solved, Van Buren goes to jail. If this seems far-fetched, consider Google's terms of service at the time of the Nosal case: "You may not use the Services and may not accept the Terms if . . . you are not of legal age to form a binding contract with Google . . . .” That sounds like an access restriction to me. I can see everyone rewriting policy to match; but this shows the folly of it all.

As a final note, the Court's appeal to the civil provisions is unavailing – standard hacking, captcha breaking, password guessing and any number of other things that might give unauthorized access to information are illegal yet cause no damage or loss as the Court describes those provisions. Further, the Court ignores the ridiculous, “we spent money finding the leak and that’s loss” that lower courts have upheld. That type of loss would apply to a broader definition of "exceeds authorized access" as well. 

In sum, this is a good outcome even if I'm not entirely convinced it's the technically proper one. I'm good with that.

Thursday, June 3, 2021

What’s the difference between vaccine approval (BLA) and authorization (EUA)?

By Jacob S. Sherkow, Lisa Larrimore Ouellette, Nicholson Price, and Rachel Sachs

Recently, Pfizer and BioNTech and Moderna announced that they are seeking full FDA approval for their mRNA COVID-19 vaccines—filing, in FDA parlance, a Biologics License Application (BLA). Johnson & Johnson plans to file its own BLA later this year. But currently, all three vaccines are being distributed under a different FDA mechanism, the Emergency Use Authorization (EUA). What’s the difference, under the hood, between these two mechanisms? Why would these companies want to go through the BLA process? And what tools can policymakers use to make the EUA to BLA shift better?

Monday, May 17, 2021

Guy Rub: Copyright or Contract?

Using software often means you have to sign a contract as a condition for using the software. This "end user license agreement," called a EULA, will lay out the terms under which the software can be used. For example, the EULA you sign to play a video game might say: "The player of this video game cannot cheat while playing the game." What if you breach the EULA by playing the game using a commercially available cheating "bot"? Is this copyright infringement? Or is this just a breach of contract? This may seem obscure, but the question matters a lot. For one thing, in this example, if the video game publisher has a copyright claim against the cheater, not just a contract claim, this could mean very large statutory damages versus no damages at all.

This is just one of many scenarios in which copyright owners use contracts to control the conditions of use, and whose breach may, or may not, give rise to copyright infringement. In his new article, Against Copyright Customization, Guy Rub addresses this thorny question—copyright or contract?—along with many closely related questions. For example: when is a software user a mere licensee versus an owner? (Spoiler alert: almost always!) The article is forthcoming in Iowa Law Review and a draft can be downloaded on SSRN.

I interviewed Guy about the article. Here is a transcription.

Monday, May 3, 2021

What can policymakers learn from the UK’s RECOVERY trial to improve clinical research for COVID-19 and beyond?

By Rachel Sachs, Jacob S. Sherkow, Lisa Larrimore Ouellette, and Nicholson Price

We have written before about the challenges of making decisions under scientific uncertainty and the simultaneous importance and difficulty of developing high-quality clinical evidence under pandemic circumstances. To address these problems, scientists and regulators in the UK developed a national-scale trial, the Randomised Evaluation of COVID-19 Therapy (RECOVERY) trial, with the goal of rigorously testing the most promising potential therapies for patients who have been hospitalized with COVID-19. In this post, we consider how the design and success of the RECOVERY trial yield important lessons for U.S. policymakers to consider going forward.

Friday, April 9, 2021

How can Congress create infrastructure for the next pandemic?

By Nicholson Price, Rachel Sachs, Jacob S. Sherkow, and Lisa Larrimore Ouellette

After approximately 200 Infrastructure Weeks, policymakers now appear to be actually talking about passing legislation about infrastructure! Congress also seems like it might take action to lay the groundwork for combatting the next pandemic; bipartisan efforts are underway. Putting the two together: how should Congress think about creating innovation infrastructure, broadly defined, to help combat the next pandemic? 

Even before COVID-19, experts were sounding alarms about insufficient infrastructure to address the foreseeable risk of a global pandemic. In 2019, an expert group convened by the World Bank and WHO concluded that “[t]he world is not prepared” for the “very real threat of a rapidly moving, highly lethal pandemic of a respiratory pathogen,” among other things because “[t]oo many places lack even the most rudimentary health-care infrastructure.” COVID-19 has magnified these global health inequalities. But inadequate infrastructure investment is not just a problem in low-income countries: COVID-19 has also drawn increased attention to long-apparent weaknesses in many U.S. infrastructure sectors. We suggest priorities for three types of infrastructure: physical infrastructure, knowledge infrastructure, and human infrastructure (recognizing that these categories may overlap).

Tuesday, April 6, 2021

Google v. Oracle - The Final Shoe Drops

The Supreme Court ruled yesterday in Google v. Oracle that Google did not infringe Oracle's copyright in its APIs by virtue of fair use. The vote was 6-2, with Justice Breyer writing for the Court, and Justices Thomas and Alito dissenting. 

The opinion was straightforward and went to great lengths to attempt to explain the technology at issue. I thought it did a decent job of it (definitely more Godot than Guffman), even as the opinion continued to struggle for a good analogy. The Court adopted the file cabinet/drawer/folder analogy presented in Google's brief, which I thought was a terrible analogy...so I guess there's no accounting for taste (or winning advocacy). The court's fair use analysis was influenced by Judge Boudin's concurrence in Lotus v. Borland, though that concurrence didn't actually call it fair use, but instead "privileged use."

Others have and will surely write about the fair use aspects and what this means for software APIs. Contrary to Oracle's ridiculous and vitriolic press statement yesterday, this case will likely not change the way anyone in the industry behaves in the least. APIs have been used and reused for decades, and will continue to be. And contrary to being a barrier to entry, reuse of APIs allows for competitive inroads and entry, including by Oracle, in its mimicry of Amazon's AWS API. (Indeed, the hubris of Oracle's statement in light of its implementation of another company's API is stunning, assuming it was unlicensed; I've been unable to verify one way or the other.)

The opinion also has some nuggets for other fair use - discussion of transformation and art, definition of markets for determining harm, another reaffirmation of Campbell v. Acuff-Rose Music, fair use as a mixed question of law and fact (something I discussed in a prior blog post), and so forth.

Instead, I will focus on my hobby horse: whether the APIs are copyrighted, and if so how we get to non-infringement. The Supreme Court explicitly decided that the copyrightability of APIs is a third rail and did not attempt to touch the issue. There are two ways to read the tea leaves. First, perhaps a majority of the Court thought they were uncopyrightable, but feared the effects of saying so. Second (and my guess), perhaps a majority of the Court (or a 4-4 split) thought that they were copyrightable, but fair use was an acceptable compromise. The second possibility is why I wrote and submitted my amicus brief, which was intended to give a path to non-infringement even if the APIs were copyrightable.

Alas, the court did not buy into the abstraction/filtration argument I made, which I believe was doctrinally appropriate, nor did the brief get a cite, as many that discussed the importance of APIs did. However, in a sense, the court adopted the methodology I suggested. From my brief:

But the copyrightability of an entire work does not answer the question of whether any particular portion of it, if used by another, is infringing. That analysis requires determining whether the defendant has taken too much expression and not ideas, systems, methods of operation, or the like. And such a determination cannot be made outside of the infringement analysis. Any functionally required aspects—including any expression necessary to practice the idea—should be removed from the comparison. 

What remains should then be compared. The advantage of this approach is that it recognizes that while entire software programs may be copyrightable in some contexts, their pieces might not be infringed in others. There need be no zero-sum game, but only a recognition that the scope of copyright depends, as it always has, on the accused’s use of the copyrighted work. 

...

[T]he Court need not decide whether any part of Oracle’s code is copyrightable standing alone. It should only determine that the scope of its copyright in the Java source code cannot extend to infringement through the reuse of declaring functions necessary to create a compiler or interpreter that accepts the same commands and parameter names to allow programmers to use the Java programming language.

The primary pushback on this argument that I received from smart colleagues asked this question: why should context matter in the infringement analysis? Justice Thomas's dissent is replete with this same concern. My answer was always the same - because use in a functional context may be a use of the idea/method, whereas use in a different context might not be.

But Justice Breyer has sidestepped this question to essentially reach the same result using fair use. The one place where we can be sure that context matters is fair use. The nature and character of the use is one of the factors, after all. The Court's analysis tracks many of the same issues in my brief - the functionality of the APIs, their use as a de facto standard, switching costs, etc.

And so the Court's final resolution is not that far off from what I had asked. Rather than excluding the APIs from infringement by filtering them out, the Court would instead exclude them from infringement under a fair use analysis that considers many of the same factors. I can live with this solution--way back in 1999, I published a paper that argued that "courts have been able to determine efficient economic outcomes based on the cases before them, but they have been unable to settle on a rule that definitely determines how much reuse to allow in each case." The article lays out a variety of economic factors that predict how cases come out, and you'll be shocked to find out that they favor Google in this case (e.g. switching costs, de facto standards, lack of slavish copying of the implementation, no breach of an underlying economic duty, public benefits of compatibility). Perhaps that's a reason this case has stuck in my craw for so long: it's about the only one that didn't fit with my 20+ year old model.

Despite my doctrinal sanguinity, the downside of the court's approach is that it might still lead to framing issues in the future. Litigants might still be subjected to juries asked to simply decide whether the APIs were used (for infringement) and then hope to rely on fair use as a defense. Then again, a judicial fair use inquiry might keep the question from ever getting to a jury, which is basically the same result I've advocated. But this case went to a jury, by appellate order, and it's unclear that it should have. It was certainly costly. However, the strong language of this opinion may apply the next time, as in the case I recently blogged about with control codes.

The end is near for my Oracle and Google blogging, a 9-year expedition. But I do have one more in me, a more technical post in a week or so about the so-called 170 lines of code that are supposedly all that is necessary to implement Java.

Thursday, March 25, 2021

How are COVID-19 vaccine developers and regulators responding to variants?

By Lisa Larrimore Ouellette, Nicholson Price, Rachel Sachs, and Jacob S. Sherkow

The remarkable news of record-breaking COVID-19 vaccine development has been clouded by the increasing emergence of new variants of the SARS-CoV-2 virus. Like other viruses, SARS-CoV-2 mutates over time, due to random errors in copying its genetic sequence. When one of these mutations helps the virus survive and reproduce—such as by making the virus more transmissible—that variant will spread more rapidly than the original virus through natural selection. The global effort to control the pandemic has thus been framed as a race between the vaccines and the variants: can the world be vaccinated before the virus evolves to evade the vaccines? In this post, we examine how COVID-19 vaccine developers are responding to the spread of variants, how the FDA plans to regulate updates to the vaccines, and other innovation policies governments should consider to combat the variant spread.

Thursday, March 18, 2021

Advice about the patent bar for current and prospective law students

Guest post by Professor Eric E. Johnson (ericejohnson.com)

I recently asked fellow intellectual property professors and others about advice for law students interested in taking the patent bar. The IP community generously responded, and I have synthesized their wisdom and opinions here, with some of my own advice sprinkled in. Of course, opinions differ and things change, so students should consider this post as a jumping-off point for doing their own research and asking their own questions.

Wednesday, March 17, 2021

Waiting for Google

Google v. Oracle was argued (after being reset last term for additional briefing) on October 7, during the first week of this term. We still don't have an opinion, and the time delay makes me worry that the opinion(s) will be more Guffman than Godot.

While we wait (and it could be any time), I wanted to point to a recent case that illustrates the concern at issue in this case if Oracle wins. The facts of this case are remarkably similar to my remote control analogy, which I continue to think is the best analogy to date (and which I hope some Supreme Court clerk happened to read).

The case is Pyrotechnics Management, Inc. v. XFX Pyrotechnics LLC and FireTEK, a W.D. Pa. case that just issued a preliminary injunction. The facts for our purposes are not complicated. Both parties make a device used to control fireworks displays. The device issues and responds to commands, which are basically numbers sent along the wire. It's called a protocol by the plaintiff (and anyone else familiar with this kind of technology). It's functionally no different than an API like that in Google v. Oracle: it's a set of commands that tells devices to do something.

Here, the copyrighted work isn't even software. The registration deposit material is a manual that describes the protocol: send this command (a number) with these optional parameters (more numbers) and things will happen. Here is the briefest of examples:

In other words, send a 12-byte message containing (in this case) 3 actual bytes of information, 0x23, 0x23, 0x46, plus a CRC (a common error-checking practice). Like the remote control in my analogy, it's sending 1s and 0s down the wire, in a particular order.

The plaintiff's expert said the copyrighted work must have been copied because how else could you make a device that sent these same numbers? The defendant's device sent and received these same numbers down the wire. There's not even a claim that the numbers were generated in the same way.

And the court agreed. It said the selection of numbers required originality, and there was no reason for a competitor to use the same numbers. Furthermore, the fact that the deposit wasn't even software didn't mean that it couldn't be copied in software if the same numbers were implemented. In short, the plaintiff now owns the set of remote control codes and nobody else can make a compatible remote control.

If you don't see why this is problematic, then nothing else I write will convince you otherwise: you are basically OK using copyright to obtain a 100-year backdoor patent on any device that sends and receives an arbitrary set of commands. But this is not a good result. Copyright policy, let alone the statute, simply should not allow for this outcome that uses copyright to limit functional information sharing in computer programs and electronic devices.

As I advocated in my amicus brief and many other blog posts, I've got no quarrel with the argument that the set of numbers collected by the plaintiff may be copyrighted. But that copyright cannot extend to enforcement against the method of using those numbers to operate devices. So, you can't copy the description of the protocol verbatim, perhaps, but it is not infringing to send numbers down a wire. The statute couldn't be more plain on this: methods of operation cannot be protected, no matter the form in which they are expressed. What else can the statute mean, if not this narrow meaning?

I'll end by noting that the district court here did not even mention Baker v. Selden, which explicitly endorses this rule - that the expression of a method is not infringed when others use the method:

The fact that the art described in the book by illustrations of lines and figures which are reproduced in practice in the application of the art, makes no difference. Those illustrations are the mere language employed by the author to convey his ideas more clearly. Had he used words of description instead of diagrams (which merely stand in the place of words), there could not be the slightest doubt that others, applying the art to practical use, might lawfully draw the lines and diagrams which were in the author's mind, and which he thus described by words in his book.

The copyright of a work on mathematical science cannot give to the author an exclusive right to the methods of operation which he propounds, or to the diagrams which he employs to explain them, so as to prevent an engineer from using them whenever occasion requires.

Furthermore, we will accept some copying of expression if that's the only way to use the idea:

And where the art it teaches cannot be used without employing the methods and diagrams used to illustrate the book, or such as are similar to them, such methods and diagrams are to be considered as necessary incidents to the art, and given therewith to the public; not given for the purpose of publication in other works explanatory of the art, but for the purpose of practical application.

Baker v. Selden also provides a direct analogy on the facts - there, the bookkeeping system was described in a document, but the plaintiff could not stop others from practicing the system. That rings true here, where the copyright is in a document explaining the system of numbers; from Selden: "The use of the art is a totally different thing from a publication of the book explaining it." Here, the commands were described in a document, but the plaintiff should not be able to stop others from practicing the commands: 

As an author, Selden explained the system in a particular way. It may be conceded that Baker makes and uses account-books arranged on substantially the same system; but the proof fails to show that he has violated the copyright of Selden's book, regarding the latter merely as an explanatory work; or that he has infringed Selden's right in any way, unless the latter became entitled to an exclusive right in the system.

The court's failure here to mention Baker v. Selden is problematic. I hope the same is not true in Google v. Oracle.
Wednesday, March 10, 2021

Charles Tait Graves: Idea Submission Cases, Desny Claims, and Trade Secret Law

I thoroughly enjoyed Charles Tait Graves' new article: Should California’s Film Script Cases Be Merged into Trade Secret Law?, which was recently published in The Columbia Journal of Law & the Arts. Graves is a partner at Wilson Sonsini and teaches trade secret law at UC Hastings Law.

The article deals with so-called "idea submission" cases. The fact pattern is as follows. Plaintiff, who is sometimes called the "idea man" in older cases, shares an idea with Defendant, hoping for monetary compensation even though there's no express contract stating terms of payment. Defendant subsequently takes the idea and commercializes it without paying Plaintiff. (There's an excellent discussion of the idea submission cases in Chapter 4 of Elizabeth Rowe and Sharon Sandeen's Trade Secret Law casebook.)

At least in California, the Plaintiff-idea person will likely have two distinct types of legal claims in this scenario: (1) a claim for breach of an implied-in-fact contract, which in California is called a Desny claim; and (2) a claim for civil trade secret misappropriation, which since 2016 can be brought under both state law (e.g. under the California Uniform Trade Secret Act) and federal law via the Defend Trade Secrets Act (DTSA). Graves recounts in tremendous detail how these two different legal regimes developed on separate ends of the map of California, in Southern and Northern California, respectively. Graves' thesis is that, even though these two areas of law have been historically addressed separately, they have a lot in common and can learn a lot from one another.

I interviewed Graves about the article, transcribed below.

Thursday, March 4, 2021

Are patents the cause of—or solution to—COVID-19 vaccine innovation problems? (No!)

By Jacob S. Sherkow, Lisa Larrimore Ouellette, Nicholson Price, and Rachel Sachs

Are patents the cause of—or solution to—COVID-19 vaccine innovation problems? A number of recent commentaries have suggested as much, and have advocated for either weakening or strengthening patents covering various aspects of COVID-19 vaccines. Turning to patent law to address innovation problems may seem natural, as legal scholars conventionally view patent law as “our primary policy tool to promote innovation.” But there is a reason we have written over thirty posts on COVID-19 innovation issues without a single post focused on patent law (until now): many other legal institutions have turned out to be far more important. This is particularly true for vaccines. In this post, we explain why either eliminating or strengthening patents would have little effect on the rollout of vaccines for this pandemic, and why non-patent institutions will play a far more important role than patent law in incentivizing innovation for the next pandemic.

Thursday, February 18, 2021

How can policymakers overcome the hurdles to scaling up antibody manufacturing?

By Rachel Sachs, Jacob S. Sherkow, Lisa Larrimore Ouellette, and Nicholson Price

In our last post, we introduced some of the clinical evidence supporting the use of therapeutic antibodies against COVID-19—including Regeneron’s casirivimab and imdevimab and Eli Lilly’s bamlanivimab—and analyzed the existing problems in the distribution and administration of those therapies. Even in just the last few weeks, further clinical evidence has supported the use of these technologies, leading the FDA to issue an additional emergency use authorization for Lilly’s bamlanivimab and etesevimab cocktail. In the near future, though, problems in administering our existing supply of these new drugs may give way to problems producing enough of them—a challenge that is also affecting the vaccine rollout. In this post, we consider the difficult manufacturing issues involved in the therapeutic antibody context (a subject we’ve previously explored regarding vaccines), and what might be done to address them.