In a lengthy decision, the Eleventh Circuit held in Compulife v. Newman, No. 18-12004 (11th Cir. May 20, 2020), that a database may contain trade secret information even though the database contents can be accessed through a publicly available website.
The plaintiff, Compulife, sold access to a compilation of life insurers’ premium rate tables. One product it sold was an internet-quote engine called the “web quoter.” The web quoter allowed licensees to embed a feature on its own website that connected to Compulife’s database server. Prospective life-insurance purchasers visiting licensees’ website could enter their demographic information, and receive a responsive quote retrieved from Compulife’s database.
The defendants were also in the business of generating life-insurance quotes through their own website. Their “Life Insurance Quote Engine,” however, allegedly contained information copied from Compulife’s web quoter.
Among the alleged acts of espionage used, Compulife contended that the defendants hired a programmer to “scrape” data from Compulife’s server. The programmer created a “bot” that could make many requests automatically to Compulife’s web quoter service. Although the data could be obtained manually by the public through the licensees’ websites one request at a time, the bot’s speed allowed the defendants to partially copy the database behind Compulife’s web quoter. In all, the bot requested and saved insurance premium estimates totaling more than 43 million quotes—every possible combination of demographic data within two zip codes in New York and Florida. Compulife alleged that the defendants then used the scraped data as the basis for generating quotes on their own websites.
In a bench trial, the magistrate judge concluded that Compulife did not demonstrate, among other claims, trade secret misappropriation. Although the magistrate judge found Compulife’s database to be a trade secret, he determined that the defendants hadn’t misappropriated it.
On appeal, the Eleventh Circuit reversed. Its analysis focused on whether the database lost trade secret protection because the individual quotes it contained—and which the defendants scraped—were publicly available. The court stated it was correct for the magistrate to conclude that the scraped quotes were not individually protectable trade secrets because each is readily available to the public. Nevertheless, in effect, the database as a whole could be a trade secret if it was misappropriated. “Even if quotes aren’t trade secrets,” the court explained “taking enough of them must amount to misappropriation of the underlying secret at some point. Otherwise, there would be no substance to trade-secret protections for ‘compilations,’ which the law clearly provides.”
Importantly, the court looked to the means of acquisition: the web scraping bot. Certainly, Compulife had given implicit permission to obtain as many quotes as humanly possible, but not as much as a bot could obtain. But “while manually accessing quotes from Compulife’s database is unlikely ever to constitute improper means, using a bot to collect an otherwise infeasible amount of data may well be—in the same way that using aerial photography may be improper when a secret is exposed to view from above.” That there was no usage restriction on the website in place did not automatically render the scraping of the public website improper.
The Court identified two relevant cases that aided its analysis. The first was the classic case of E. I. duPont deNemours & Co. v. Christopher, 431 F.2d 1012, 1014 (5th Cir. 1970). In this case from the former Fifth Circuit, DuPont claimed that trade secrets had been misappropriated by photographers who took pictures of its methanol plant from a plane. The Fifth Circuit held that the aerial photography constituted improper means even though DuPont had left the its facility open to inspection from the air. Misappropriation occurred whenever a defendant acquires the secret from its owner “without his permission at a time when he is taking reasonable precautions to maintain its secrecy.”
The court also pointed to the district court case of Physicians Interactive v. Lathian Sys., Inc., CA 03-1193-A, 2003 WL 23018270, at *8 (E.D. Va. Dec. 5, 2003). It noted that the court there held that hacking a public-facing website with a bot amounted “improper means.” “There can be no doubt,” the district court wrote, “that the use of a computer software robot to hack into a computer system and to take or copy proprietary information is an improper means to obtain a trade secret, and thus is misappropriation….”
The Eleventh Circuit in Compulife stopped at whether the scraped data was a trade secret and did not reach the question of whether the actions in this case was in fact misappropriation. It remanded to answer whether the block of data the defendants took was large enough to constitute appropriation of Compulife’s database, and whether the bot used in this case was an improper means under the Florida trade secret statute.
This Compulife case may provide another legal avenue to protect websites and their content from scraping. Another avenue for improper scraping—the Computer Fraud and Abuse Act (CFAA)—has had mixed results in the circuits over the years. Most recently, in HiQ Labs Inc. v. LinkedIn Corp., 938 F. 3d 985, (9th Cir. 2019), the Ninth Circuit held that scraping data from public LinkedIn profiles did not amount to, effectively, “computer hacking” to warrant protection under that statute. LinkedIn has filed a petition for writ of certiorari with the Supreme Court.