Last week, software giant Oracle sued enterprise vendor SAP for unauthorized access to its website. The outcome of the Oracle/SAP case could have a real impact beyond each company's market share: The case will decide how much control a software vendor has over support information for its product, and asks the court to consider whether borrowing someone else's password is illegal.
According to the allegations in the complaint, filed last Thursday, SAP borrowed Oracle customer passwords to get access to support and service manuals stored on Oracle's Customer Connection website. Oracle claims this violated the federal Computer Fraud and Abuse Act, or CFAA, and the California computer crime statute, in addition to an assortment of civil business torts.
Allegedly, SAP employees logged on to Oracle's customer website using the log-in credentials of customers with expired or expiring support rights. These customers apparently gave SAP their credentials because they were about to switch from Oracle's software support services to become customers of SAP. SAP employees then downloaded thousands of Oracle support files containing information that would help SAP compete in offering support for Oracle products, particularly new Oracle products that would otherwise take SAP employees time to learn.
Business software providers make money licensing their software, charging to install the software and train people in its use, and selling support contracts for patches and upgrades. Oracle has a natural advantage in supplying support and training services to the users of its software, so competitors try to learn as much as they can as quickly as they can, and mostly compete on price.
This wouldn't be in court if the support information was delivered to customers as a series of written manuals; SAP clearly would have been able to purchase the manuals from Oracle's current customers. If the customer had promised not to resell the books, perhaps Oracle would have a breach of contract claim against that customer, but SAP would not have violated any statutes. And I doubt that buying printed manuals would have constituted an unfair business practice. Oracle would have been left trying to argue that SAP interfered with Oracle's contract with the customer. Not a very sexy case.
Move the same information to a password-protected computer, and everything changes. The CFAA and the California computer crime statute, like all state computer crime laws, prohibit accessing a computer without authorization. There are important language differences in the statutes which matter a lot to lawyers and their clients, but are not particularly relevant here. Generally, concepts of "access" and "authorization" have been read very broadly, in such a way that the owner of a networked computer has a powerful right to exclude unwanted communication with his machine.
Because so much information today is stored on networked computers, the CFAA can give server owners immense control over who can access and use information. Moreover, the computer owner can exercise this control in the absence of any copyright or other proprietary interest in the stored data. Oracle, for example, has not claimed that its support documents were copyright protected or that they contained trade secrets.
If Oracle successfully uses computer crime laws in this way, it greatly magnifies the company's advantage over competitors for support contracts. Should the law help them monopolize information that would allow competitors learn what the company already knows?
There's nothing inherently wrong with a software company also making money from service contracts. Oracle does it, and so do most Linux distributors. The question, rather, is whether there's a level playing field. If the computer crime statutes don't apply, Oracle has a knowledge advantage -- but that advantage occurs naturally, and competitors can try and combat it by setting a lower price. But if computer crime statutes do apply, the legal regime puts a finger on Oracle's side of the scale.
I'm not predicting whether or not Oracle will be successful, but there is precedent for this type of claim. In Konop v. Hawaiian Airlines, a 2001 case, the U.S. 9th Circuit Court of Appeals held that an employer who borrowed an employee's login information and accessed a password-protected union website may have violated criminal provisions of the Electronic Communications Privacy Act. Oracle did not allege the same claims as the successful plaintiff in Konop, but the facts of the cases are similar.
In 2002, I worked on an appeal in the Tarrant County, Texas case of American Airlines v. Farechase. The airline sued a company that created a search tool that looked for internet-only webfares on the AA.com website. The trial court allowed the claim that Farechase had violated the Texas computer crime statute, and granted an injunction stopping Farechase from creating software that searched the airline's site, even though the site was not password protected, simply on the grounds that the searches were contrary to the site's terms of use.
On the other hand, the recent 5th Circuit case of United States v. Phillips defined "authorization" in terms of "expected norms of intended use." This definition suggests that a court will look beyond whether a particular use offended the computer owner, to outside norms and values. With this legal underpinning, a court may find that what SAP did wasn't much different from getting a customer to give them a bunch of manuals.
I don't like a law that gives Oracle an artificial competitive advantage, and I don't like a law that makes unlawful behavior contingent on what a judge or jury might think is an "expected norm" on the internet. There's no doubt companies need legal protection for their data, and ours, stored on a networked computer. But the CFAA and other computer crime statutes are blunt instruments for delicate questions.
My hope is that the courts will see that Oracle's claim that customers can't give their passwords away has implications far beyond the clear and intended meaning of these criminal statutes, and will take seriously the question of whether SAP's activities were unfair, or merely a little healthy competition.
FBI Slips Demand Patriot Act Cuts
Patently Bad Move Gags Critics
Oracle Eyes Novell Acquisition
