Ticketmaster L.L.C. v. Prestige Entertainment Inc. et al

Filing 48


Download PDF
O 1 2 3 4 5 6 7 United States District Court Central District of California 8 9 10 11 TICKETMASTER L.L.C., a Virginia 12 limited liability company, 13 14 Plaintiff, Case No. 2:17-cv-07232-ODW-JC ORDER DENYING DEFENDANTS’ v. MOTION TO DISMISS 15 PRESTIGE ENTERTAINMENT WEST, PLAINTIFF’S FIRST AMENDED 16 INC., a California corporation, COMPLAINT [37] 17 RENAISSANCE VENTURES LLC, a 18 Connecticut limited liability company, 19 NICHOLAS LOMBARDI, STEVEN K. 20 LICHTMAN, and DOES 1 through 10, 21 inclusive, 22 Defendants. 23 I. INTRODUCTION 24 Ticketmaster L.L.C. (“Ticketmaster”) brings this suit against Prestige 25 Entertainment West, Inc., Renaissance Ventures LLC, Nicholas Lombardi, and Steven 26 27 28 1 K. Lichtman1 (collectively, “Defendants”), alleging thirteen causes of action based on 2 Defendants’ use of automated programs generally known as bots, which navigate 3 Ticketmaster’s website and mobile app in order to purchase large quantities of tickets 4 for resale at a profit. (See generally Compl., ECF No. 1.) Defendants moved to dismiss 5 the Complaint, and the Court granted the motion in part with leave to amend. (ECF 6 Nos. 24, 32.) Ticketmaster filed its First Amended Complaint on February 21, 2018. 7 (First Am. Compl. (“FAC”), ECF No. 36.) Defendants now move to dismiss the First 8 Amended Complaint in its entirety. (Mot. 1, ECF No. 37.) The parties submitted briefs 9 in support of their positions, and the Court heard the parties’ arguments on April 9, 2018 10 at 1:30 p.m. (Mot.; Opp’n, ECF No. 39; Reply, ECF No. 41; ECF No. 42.) For the 11 foregoing reasons, the Court DENIES Defendants’ Motion to Dismiss. II. 12 13 A. BACKGROUND Factual Background 14 Ticketmaster sells tickets for live entertainment events to the general public on 15 behalf of its clients through its website, mobile app, and telephone call centers. (FAC 16 ¶ 17.) Consumer demand for tickets to a given event often exceeds the supply available 17 through Ticketmaster. 18 consumers, who try to purchase tickets the moment that the tickets become available 19 for sale on Ticketmaster’s website and mobile app. (FAC ¶ 18.) (FAC ¶ 18.) This results in intense competition among 20 Ticketmaster has employed various measures in an effort to ensure a fair and 21 equitable ticket purchasing process for its consumers. (FAC ¶ 19.) For instance, 22 Ticketmaster requires each user to create a password-protected account before the user 23 can purchase a ticket. (FAC ¶ 42.) This allows Ticketmaster to better regulate ticket 24 sales, and it also functions as a form of password protection against unauthorized access 25 to the Ticketmaster platform. (FAC ¶ 42.) Ticketmaster also limits the number of 26 27 28 1 Ticketmaster’s original Complaint also listed Prestige Entertainment, Inc. as a defendant, but Ticketmaster voluntarily dismissed this Defendant before filing its First Amended Complaint. (Compl. 1; Not. Dismissal, ECF No. 35.) 2 1 tickets that may be purchased in a single transaction and regulates the speed with which 2 users may refresh their requests to search for, reserve, and purchase tickets. (FAC ¶ 19.) 3 Defendants are an enterprise that seeks to profit off the intense competition for 4 tickets that Ticketmaster’s platforms engender. They do this by purchasing large 5 quantities of tickets from Ticketmaster and selling them at a markup on StubHub.com 6 and other ticket resale sites. (FAC ¶ 47.) In order to gain an unfair advantage in 7 searching for and buying these tickets, Defendants have employed robots, programs, 8 and other automated devices, generally known and referred to herein as “bots.” (FAC 9 ¶¶ 3, 5.) These bots inundate Ticketmaster’s website and mobile app with page requests 10 and ticket reserve requests at a far higher rate than would be possible for a human alone. 11 (FAC ¶¶ 3, 5.) 12 13 In an effort to put a stop to bots Ticketmaster has employed several countermeasures, including: 14 ● CAPTCHA, a security program whose purpose is to distinguish between human 15 users and bots by requiring the purchaser to retype a series of random, partially 16 obscured characters, a task designed to be impossible for a bot to accomplish 17 (FAC ¶ 20); 18 ● Splunk and other commercial data compilation and analysis services, which help 19 Ticketmaster analyze its sales data and detect patterns that indicate that tickets 20 have been purchased by bots (FAC ¶ 21); 21 ● Over Ticket Limit, a proprietary feature created to automatically block, in real 22 time, the purchase of tickets that appear to be coming from bots (FAC ¶ 22). 23 Despite Ticketmaster’s efforts, Defendants have found ways to circumvent these 24 countermeasures by using, among other things, colocation facilities with high speed 25 bandwidth, random number and letter generators, cookie trading, and CAPTCHA 26 farms. (FAC ¶¶ 43–44, 47, 51, 52.) 27 Defendants’ enterprise seems to have achieved its goals. Defendants used their 28 bots to acquire tens of thousands of tickets for the New York stage play Hamilton, often 3 1 purchasing thirty to forty percent of the entire amount of tickets available for a given 2 performance. (FAC ¶ 5.) Defendants’ bots also procured a majority of tickets available 3 through Ticketmaster to the high-profile Mayweather v. Pacquiao boxing match in Las 4 Vegas in 2015. (FAC ¶ 5.) In total, Ticketmaster estimates that between January 2015 5 and September 2016, Defendants generated 9,047 dummy user accounts and 313,528 6 ticket orders, sending a total of six million requests to the Ticketmaster website and 7 mobile app. (FAC ¶¶ 42, 51, 58.) 8 Use of Ticketmaster’s website is governed by its Terms of Use. (FAC ¶ 24.) 9 Users must agree to the Terms of Use before they can view and use Ticketmaster’s 10 platforms, and both the website and mobile app repeatedly remind users that the Terms 11 of Use govern the use of Ticketmaster’s services. (FAC ¶¶ 25, 27.) The Terms of Use 12 grant users a “limited, conditional no-cost, non-exclusive, non-transferable, non-sub- 13 licensable license to view Ticketmaster’s site to purchase tickets as permitted by these 14 Terms for non-commercial purposes only if” the user agrees not to conduct certain 15 activities. (FAC ¶ 30.) These activities include: 16 ● using “any robot . . . or any other . . . device, tool, or process to 17 retrieve, index, data mine, or in any way reproduce or circumvent 18 the navigational structure or presentation of the Content or the 19 Site, including with respect to any CAPTCHA displayed on the 20 site,” 21 22 ● using any “automated software or computer system to search for, reserve, buy, or otherwise obtain tickets,” 23 ● accessing, reloading, or refreshing transactional event or 24 ticketing pages, or making any other request to transactional 25 servers, more than once during any three-second interval, 26 27 ● requesting “more than 1,000 pages of the Site in any 24-hour period, whether alone or with a group of individuals;” and 28 4 1 ● reproducing, modifying, displaying, publicly performing, 2 distributing, or creating derivative works of the Site or its 3 Content. 4 (FAC ¶ 30.) 5 Ticketmaster owns registered copyrights in its website and mobile app. (FAC 6 ¶ 28.) According to the express language in the Terms of Use, any of the above 7 activities constitutes copyright, patent, and trademark infringement, because engaging 8 in any prohibited activity revokes the user’s permission to use the Ticketmaster website 9 and mobile app. (FAC, Ex. A at 56.) Continued use of the Ticketmaster website 10 without permission to do so, says the Terms of Use, constitutes infringement. (FAC 11 ¶ 32.) 12 Ticketmaster diligently attempts to identify and stop the users of bots, but 13 Defendants’ sophisticated techniques have hindered Ticketmaster’s ability to do so. 14 (FAC ¶ 58.) After tracing the bot-related ticket purchases for the Mayweather-Pacquiao 15 boxing match to Renaissance, Ticketmaster sent a cease-and-desist letter (the “Letter”) 16 in May 2015 addressed to Nicholas Lombardi describing some of the evidence 17 Ticketmaster had uncovered that linked him, his colleagues, and their companies to the 18 improper ticket purchases. (FAC ¶ 59, Ex. E.) The Letter demanded that Defendants 19 “cease and desist from any further violations of Ticketmaster’s rights.” (FAC ¶ 59, Ex. 20 E at 72.) 21 Lombardi acknowledged receiving the Letter, but Defendants continued their 22 enterprise. (FAC ¶ 60.) On October 2, 2017, Ticketmaster initiated this lawsuit against 23 Defendants and several Doe Defendants. Does 7 and 8 are the computer programmers 24 and developers that created, marketed, and provided the named Defendants with the 25 bots, and they are referred to herein as the Bot Developers. (FAC ¶ 6.) Does 9 and 10 26 are those entities who assisted and conspired with Prestige West by purchasing the 27 improperly procured tickets from Defendants for later resale. (FAC ¶ 7.) These Doe 28 defendants are referred to herein as the Additional Purchasers. 5 1 B. Procedural History 2 In its initial Complaint, Ticketmaster brought claims for: (1) breach of contract; 3 (2) copyright infringement in violation of 17 U.S.C. § 101 et seq.; (3) violation of the 4 Digital Millennium Copyright Act (“DMCA”), 17 U.S.C. § 1201 et seq.; (4) fraud; (5) 5 aiding and abetting fraud; (6) inducing breach of contract; (7) intentional interference 6 with contractual relations; (8) violation of the Computer Fraud and Abuse Act 7 (“CFAA”), 18 U.S.C. § 1030 et seq.; (9) violation of the California Computer Data 8 Access and Fraud Act (“CDAFA”), California Penal Code section 502 et seq.; and (10) 9 violation of the New York Anti-Scalping Law, New York Arts and Cultural Affairs 10 Law section 25.01 et seq. 11 After Ticketmaster filed its Complaint, Defendants moved to dismiss seven of 12 Ticketmaster’s ten claims. (ECF No. 24.) The Court granted Defendants’ motion in 13 part, dismissing the copyright infringement claim, the CFAA claim, and the California 14 CDAFA claim. (Order Mot. Dismiss (“Order”) 9, 14, ECF No. 32.) Dismissal was 15 granted with leave to amend, except to the extent that the copyright infringement claim 16 was based on Defendants’ excess of the limitations on page refreshes and ticket requests 17 imposed by the Terms of Use. (Order 9.) The Court also denied Defendants’ motion 18 in part, finding that Ticketmaster’s initial Complaint stated a claim with respect to the 19 Digital Millennium Copyright Act, breach of contract, and fraud. (Order 11, 16, 18.) 20 Ticketmaster’s First Amended Complaint asserts a new theory of copyright 21 infringement, and adds new allegations regarding the CFAA and CDAFA claims. (See 22 FAC ¶¶ 94–104; 160–165; 166–178.) On March 7, 2018, Defendants moved to dismiss 23 the First Amended Complaint pursuant to Federal Rule of Civil Procedure 12(b)(6). 24 (Mot. 1.) 25 III. LEGAL STANDARD 26 A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) “tests the 27 sufficiency of a claim.” Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). Dismissal 28 is appropriate when a complaint “lacks a cognizable legal theory or sufficient facts to 6 1 support a cognizable legal theory.” Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 2 1097, 1104 (9th Cir. 2008). 3 In ruling on a motion to dismiss under Rule 12(b)(6), the Court assumes all 4 factual allegations in the complaint to be true, viewing those allegations in the light 5 most favorable to the nonmoving party. Thompson v. Davis, 295 F.3d 890, 895 (9th 6 Cir. 2002); Cahill v. Liberty Mut. Ins. Co., 80 F.3d 336, 337–38 (9th Cir. 1996). While 7 a plaintiff need not give “detailed factual allegations,” the plaintiff must plead sufficient 8 facts that, if true, “raise a right to relief above the speculative level.” Bell Atlantic Corp. 9 v. Twombly, 550 U.S. 544, 555 (2007). Moreover, a court need not “accept as true 10 allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable 11 inferences.” Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). 12 Ultimately, “[t]he claim must be sufficiently plausible that ‘it is not unfair to require the 13 opposing party to be subjected to the expense of discovery and continued litigation.’” 14 Mora v. U.S. Bank, No. CV 15–02436 DDP (AJWx), 2015 WL 4537218, at *2 (C.D. 15 Cal July 27, 2015) (quoting Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011)). IV. 16 DISCUSSION 17 Defendants argue that Ticketmaster has failed to state a claim with respect to 18 copyright infringement, the DMCA, the CFAA, and the California CDAFA. (Mot. 1.) 19 Defendants argue that the Court lacks subject matter jurisdiction over the remaining 20 claims. (Mot. 1.) They also argue that the Court should dismiss the Doe defendants 21 because Ticketmaster has failed to timely serve them. (Mot. 4.) The Court first 22 addresses Defendants’ Motion to Dismiss the Doe defendants, because some of 23 Ticketmaster’s claims against Defendants rest on the viability of its claims against the 24 Doe defendants. 25 A. Doe Defendants 26 As discussed in further detail below, Ticketmaster’s claim for secondary 27 copyright infringement against the moving Defendants rests on their direct infringement 28 claim against Doe defendants 7 and 8. Defendants argue that such Doe pleading is 7 1 improper, and that the Court should dismiss these Doe defendants because Ticketmaster 2 has failed to identify or serve them. (Mot. 4.) Defendants seek dismissal of the Doe 3 defendants pursuant to Rule 4(m), governing dismissal of unserved defendants, and not 4 under 12(b)(6) for failure to state a claim. (Mot. 4;) see also Fed. R. Civ. P. 4(m). 5 Defendants cite Buckheit v. Dennis, 713 F. Supp. 2d 910, 918 n.4 (N.D. Cal. 6 2010), for the observation that “[g]enerally, ‘Doe’ pleading is improper in federal 7 court.” Although there is no provision in the Federal Rules permitting the use of 8 fictitious defendants, Fifty Associates v. Prudential Ins. Co., 446 F.2d 1187, 1191 (9th 9 Cir. 1970), there is a provision in the Local Rules of the Central District of California 10 allowing the practice of pleading up to 10 Doe defendants without the need for the leave 11 of the Court. C.D. Cal. L.R. 19-1. This alone shows that, at least in some circumstances 12 in the Central District of California, Doe pleading is proper. 13 Here, although Doe defendants 7 and 8 are fictitiously named, they are anything 14 but fictitious. Does 7 and 8 are the individuals or entities who assisted Defendants in 15 creating and developing the bots, and the very fact that the bots exist is proof that Does 16 7 and 8 exist as well. Ticketmaster has identified with specificity the roles that Does 17 7–8 and Does 9–10 played in the alleged enterprise. (FAC ¶¶ 6–7.) 18 When the identity of alleged defendants will not be known prior to the filing of a 19 complaint, “the plaintiff should be given an opportunity through discovery to identify 20 the unknown defendants, unless it is clear that discovery would not uncover the 21 identities, or that the complaint would be dismissed on other grounds.” Gillespie v. 22 Civiletti, 629 F.2d 637, 642 (9th Cir. 1980). Doe pleading is therefore particularly 23 appropriate when, as here, the viability of a claim against a known party depends on the 24 actions of a party whose identity is unknown at the time of the pleading. As discussed 25 below, Ticketmaster’s copyright claim against the moving Defendants depends on 26 direct infringement by Does 7 and 8, whose identities Ticketmaster does not yet know. 27 Ticketmaster’s lack of information prevents it from identifying the Bot Developers and 28 the Additional Purchasers, but, as discussed below in greater detail, it knows 8 1 circumstantially that these individuals or entities must exist, so it impleads them as Doe 2 defendants. 3 Ticketmaster, by propounding discovery with tools such as interrogatories and requests 4 for inspection of electronically stored information, will succeed at uncovering the 5 identities of the Bot Developers and the Additional Purchasers. The Court will give 6 Ticketmaster the opportunity to do so. This is perfectly acceptable. There is a reasonable probability that 7 Defendants maintain that Federal Rule of Civil Procedure 4(m) requires a court 8 to dismiss a defendant who has not been served within 90 days after the Complaint was 9 filed. Fed. R. Civ. P. 4(m). However, according to that same rule, “if the plaintiff 10 shows good cause for the failure, the court must extend the time for service for an 11 appropriate period.” Id. 12 Good cause exists in this case to allow Ticketmaster additional time to serve the 13 unidentified Defendants. The Court has yet to enter a scheduling order in this case or 14 set a deadline for moving for leave to amend the pleadings. Moreover, as the Ninth 15 Circuit in Gillespie implicitly recognized, an information deficit, where discovery 16 would correct that deficit, is good cause to allow a plaintiff an extended period of time 17 to identify and serve unknown defendants. 629 F.2d at 642. Such a deficit exists here, 18 and the fact that Ticketmaster has indicated that it is ready to name one of the Doe 19 defendant Bot Developers supports the conclusion that further discovery will allow 20 Ticketmaster to identify the remaining Doe defendants. (Opp’n 23.) Ticketmaster has 21 shown good cause, and the Court DENIES Defendants’ motion to dismiss the Doe 22 defendants from this case pursuant to Federal Rule of Civil Procedure 4(m). 23 B. Copyright Infringement 24 Defendants move to dismiss Ticketmaster’s secondary copyright infringement 25 claim against Prestige West, Renaissance, and the Additional Purchasers. (FAC ¶¶ 94– 26 99.) 27 infringement of its copyright. MDY Indus., LLC v. Blizzard Entm’t, Inc., 629 F.3d 928, 28 937 (9th Cir. 2010). Ticketmaster alleges that Doe defendants 7 and 8, the entities that To establish secondary infringement, Ticketmaster must first allege direct 9 1 assisted the named Defendants by creating, marketing, and providing bots, are the direct 2 infringers in this case. (FAC ¶¶ 100–04.) Although Defendants do not move to dismiss 3 the claim against the Bot Developers, the Court analyzes Ticketmaster’s claim against 4 the Bot Developers under the same standard as that used in a motion to dismiss pursuant 5 to Federal Rule of Civil Procedure 12(b)(6), because the sufficiency of Ticketmaster’s 6 claim for secondary infringement depends on the sufficiency of Ticketmaster’s claim 7 for direct infringement. 8 “‘Anyone who violates any of the exclusive rights of the copyright owner,’ that 9 is, anyone who trespasses into his exclusive domain by using or authorizing the use of 10 the copyrighted work in one of the five ways set forth in the statute, ‘is an infringer of 11 the copyright.’” Sony Corp. of Am. v. Universal City Studios, Inc., 464 U.S. 417, 433 12 (1984) (quoting 17 U.S.C. § 501(a)). Thus, to state a claim for direct infringement, 13 Ticketmaster must show (1) that it owns a valid copyright in the allegedly infringed 14 material and (2) that Doe defendants 7 and 8, the Bot Developers, violated at least one 15 exclusive right granted to copyright holders under 17 U.S.C. § 106. See A & M Records, 16 Inc. v. Napster, Inc., 239 F.3d 1004, 1013 (9th Cir. 2001). These rights include the 17 exclusive right to reproduce the copyrighted work. 17 U.S.C. § 106(1). 18 However, one who reproduces the work of another is not an infringer of the 19 copyright if the copyright holder has granted authorization to reproduce. See Sony 20 Corp., 464 U.S. at 433. Specifically, a valid license is an affirmative defense to a claim 21 of copyright infringement, so long as the licensee has not exceeded the scope of the 22 license granted by the copyright holder. See LGS Architects, Inc. v. Concordia Homes 23 of Nev., 434 F.3d 1150, 1156 (9th Cir. 2006). 24 1. Protectability of Website 25 Ticketmaster alleges that the Bot Developers, in the course of developing the bots 26 later used by Defendants to purchase tickets, downloaded, recorded, and stored on their 27 computer systems for extended periods of time the pages and code associated with 28 Ticketmaster’s website and mobile app. (FAC ¶ 66.) A threshold issue is whether 10 1 United States copyright law provides copyright protection to the pages and code that 2 the Bot Developers allegedly copied. See SOFA Entm’t, Inc. v. Dodger Prods., Inc., 3 709 F.3d 1273, 1279 (9th Cir. 2013) (“Copyright only attaches to an original work fixed 4 in a tangible medium of expression, never in the underlying ideas or facts.”). 5 Defendants argue that websites are not subject to copyright protection, but this argument 6 is without merit. (Mot. 8.) 7 Copyright law protects “original works of authorship,” 17 U.S.C. §§ 101–103, 8 and the typical commercial website readily qualifies for copyright protection under this 9 standard. See Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096, 10 1104 (“A website may constitute a work of authorship fixed in a tangible medium of 11 expression . . . .”) (quoting Integrative Nutrition, Inc. v. Academy of Healing Nutrition, 12 476 F. Supp. 2d 291, 296 (S.D.N.Y. 2007)). In Integrative Nutrition, the Southern 13 District of New York recognized that “[c]opyright protection for a website may extend 14 to both the screen displays and the computer code for the website.” 476 F. Supp. 2d at 15 296. The Ninth Circuit has recognized in an analogous context that computer software 16 contains three distinct layers of content: literal elements, individual non-literal 17 elements, and dynamic non-literal elements. See MDY Indus., 629 F.3d at 952–54. All 18 three are works of authorship that can merit copyright protection. Id. This three-tiered 19 approach works equally well with respect to websites, because the only functional 20 difference between software and websites is that the underlying code for the former is 21 stored on the user’s local system whereas the underlying code for the latter is stored on 22 a remote server. 23 First, both websites and software are comprised of literal elements. The MDY 24 court defined literal elements as the “source code stored on players’ hard drives,” 629 25 F.3d at 952, which, in the context of websites, is the “computer code for the website,” 26 Integrative Nutrition, 476 F. Supp. 2d at 296. 27 Websites also contain individual non-literal elements and dynamic non-literal 28 elements, which the Integrative Nutrition court described as the “screen displays” of 11 1 the site. Id. A website’s individual non-literal elements are the individual audiovisual 2 components of the website, including the website’s logos, images, fonts, videos and 3 sound effects. Accord MDY, 629 F.3d at 952 (describing a video game’s individual 4 non-literal elements as the “discrete visual and audible components of the game, such 5 as a visual image of a monster or its audible roar”). A website’s dynamic non-literal 6 elements include the experience of the website as presented to the individual user. 7 Accord id. (describing a video game’s dynamic non-literal elements as the “real-time 8 experience of traveling through different worlds, hearing their sounds, viewing their 9 structures, encountering their inhabitants and monsters, and encountering other 10 players”). Nearly all modern websites contain dynamic non-literal elements because 11 nearly all websites are interactive. The user’s experience of the website is “dynamic” 12 in that the site responds to the user’s input by generating a unique presentation of 13 content and information for each user. For example, on social media websites, the 14 user’s content feed is a dynamic non-literal element because it is a collection of content 15 and information generated uniquely and specifically for that user based on the user’s 16 past interactions with the social media platform. 17 The terms “pages” and “code” in Ticketmaster’s First Amended Complaint refer, 18 at the very least, to the literal, code-level elements of the Ticketmaster website and 19 mobile app. (FAC ¶ 66.) “Pages” and “code” may also refer to additional non-literal 20 elements, depending on exactly what the Bot Developers downloaded and stored. Each 21 of these elements is a work of authorship, which gets copyright protection, as long as it 22 contains the required modicum of originality. See Feist Publn’s v. Rural Tel. Servs., 23 499 U.S. 340, 345 (1991) (“The vast majority of works make the grade quite easily, as 24 they possess some creative spark, no matter how crude, humble, or obvious it might 25 be.”) (internal quotation marks omitted). The numerous proprietary functions and 26 features that Ticketmaster has built into its website and mobile app allow the Court to 27 plausibly infer that all three layers of Ticketmaster’s website contain content that the 28 copyright laws recognize as original. (See, e.g., FAC ¶¶ 4, 22, 49.) Ticketmaster has 12 1 demonstrated that the pages and code of its website and mobile app, contain protectable 2 content. 3 2. Ownership of Copyright 4 Having shown that the material the Bot Developers allegedly copied is subject to 5 copyright protection, Ticketmaster must also show that it owns a copyright in the copied 6 material. See A & M Records, 239 F.3d at 1013. A copyright registration certificate 7 constitutes prima facie evidence of the validity of the copyright and the facts stated on 8 the certificate, including the fact that the plaintiff owns a copyright. Lamps Plus, Inc. 9 v. Seattle Lighting Fixture Co., 345 F.3d 1140, 1144 (9th Cir. 2003); see 9th Circuit 10 Model Jury Instruction 17.5. Ticketmaster lists the registration numbers and 11 registration dates for 22 components of its website and mobile app, including 12 Ticketmaster.com’s Homepage, Event Ticket Order Pages, Order Information page, 13 Android Platform, and iOS Platform. (FAC ¶ 28.) These allegations establish a 14 presumption that Ticketmaster’s copyrights in its website and mobile app are valid, and 15 that it is the owner of said copyrights. Since nothing in the First Amended Complaint 16 rebuts this presumption, the Court concludes that Ticketmaster has sufficiently pled 17 ownership of copyright in the allegedly copied pages and code. 18 3. Direct Infringement by Bot Developers 19 Ticketmaster claims that the Bot Developers have directly infringed 20 Ticketmaster’s reproduction right. (FAC ¶ 102.) United States Copyright law gives the 21 owner of a valid copyright “the exclusive right to . . . reproduce the copyrighted work 22 in copies . . . .” 17 U.S.C. § 106. Copies, in turn, are “material objects . . . in which a 23 work is fixed by any method now known or later developed, and from which the work 24 can be perceived, reproduced, or otherwise communicated, either directly or with the 25 aid of a machine or device.” 17 U.S.C. § 101; CoStar Realty Info., Inc. v. Field, 737 F. 26 Supp. 2d 496, 507 (D. Md. 2010). The act of downloading and storing the pages and 27 code of a website qualifies as making a “copy” under the Copyright Act because the 28 pages and code becomes fixed on a hard drive, from which they can later be perceived 13 1 and reproduced with the aid of a computer. See 17 U.S.C. § 101. Ninth Circuit courts 2 agree that downloading and storing constitutes reproduction. See Columbia Pictures 3 Indus., Inc. v. Fung, 710 F.3d 1020, 1034 (9th Cir. 2013) (recognizing that downloading 4 copyrighted material violates a copyright holder’s right to reproduction); see also 5 Oracle USA, Inc. v. Rimini Street, Inc., 879 F.3d 948, 955–56 (9th Cir. 2018) (finding 6 infringement of reproduction right when a software servicer downloaded and 7 maintained copies of a software developer’s program on the servicer’s own computers, 8 in excess of the servicer’s license to do so). Thus, if the Bot Developers have indeed 9 downloaded and stored Ticketmaster’s pages and code on their local systems as 10 Ticketmaster alleges, then Ticketmaster has a claim for copyright infringement. 11 Ticketmaster possesses no direct evidence of this copying, so it must present 12 circumstantial evidence. 13 Ticketmaster’s pleadings are sufficient to permit the Court to plausibly infer that the 14 Bot Developers have copied Ticketmaster’s pages and code. 15 i. The only issue at this stage, however, is whether Sufficiency of Showing of Copying 16 Defendants contend that Ticketmaster’s copyright claim must fail because 17 Ticketmaster has failed to allege with particularity which components of its website are 18 original, which components were copied, and exactly when. (Reply 4, ECF No. 41.) 19 Defendants’ argument overstates the pleading requirements for direct copyright 20 infringement. It is enough if Ticketmaster alleges facts which plausibly lead to the 21 conclusion that at least one Defendant downloaded and stored portions of the 22 Ticketmaster website or mobile app, with sufficient specificity to put Defendants on 23 “fair notice of the allegations against it.” See Perfect 10, Inc. v. Cybernet Ventures, 24 Inc., 167 F. Supp. 2d 1114, 1120–21 (C.D. Cal. 2001) (recognizing that a complaint 25 that alleges present ownership of copyright, proper registration, and infringement by a 26 defendant is typically sufficient under pleading rules). 27 Ticketmaster, like many copyright plaintiffs, does not possess direct evidence 28 that any Defendant copied the literal elements of its website or mobile app. See Three 14 1 Boys Music Corp v. Bolton, 212 F.3d 477, 481 (9th Cir. 2000) (“Proof of copyright 2 infringement is often highly circumstantial . . . .”) Absent direct evidence of copying, 3 a plaintiff may show infringement circumstantially, by alleging that (1) the defendant 4 had access to the plaintiff’s work prior to the alleged copying and (2) the defendant’s 5 work and the plaintiff’s work are substantially similar. See Unicolors, Inc. v. Urban 6 Outfitters, 853 F.3d 980, 984–85 (9th Cir. 2017). This method of proving copying 7 circumstantially is grounded in the notion that an accused work can be so similar to the 8 copyrighted work that at a certain point the factfinder’s only reasonable conclusion must 9 be that the defendant copied the work. See Airframe Sys., Inc. v. L-3 Commcn’s Corp., 10 658 F.3d 100, 106 (1st Cir. 2011) (describing the substantial similarity test as turning 11 on whether a reasonable, ordinary observer, upon examination of the two works, would 12 conclude that the defendant unlawfully appropriated the plaintiff’s protectable 13 expression). 14 Ticketmaster alleges circumstantial proof of copying, albeit by a slightly different 15 route than the familiar two-pronged test of access and substantial similarity. 16 Specifically, Ticketmaster alleges that (1) the Bot Developers developed bots that 17 proved highly capable of purchasing large quantities of tickets, and (2) Ticketmaster’s 18 website and mobile app are complex platforms that each contain several layers of 19 protection and security measures. 20 developing such capable bots would necessarily require deep study and analysis of the 21 pages and code of Ticketmaster’s website and mobile app, which means that the Bot 22 Developers must have downloaded and stored literal or non-literal elements of 23 Ticketmaster’s website and mobile app on their local systems in the course of 24 developing these bots. (FAC ¶¶ 66, 102.) (FAC ¶¶ 54–55.) Ticketmaster asserts that 25 Ticketmaster’s argument about the striking compatibility of Defendants’ bots 26 with Ticketmaster’s platforms is a compelling variation on the well-known “substantial 27 similarity” test for circumstantial proof of copyright infringement. Ticketmaster’s 28 15 1 theory is based on the legally sound (and rather unremarkable) proposition that 2 circumstantial evidence can create a plausible inference that copying has occurred. 3 Ticketmaster pleads several facts that together make a strong case for its “striking 4 compatibility” argument. The bots enable Defendants to launch thousands of 5 concurrent and recurring reserve requests for tickets for specific events. (FAC ¶ 45.) 6 The bots are calibrated such that when the reserve request expires, the bot is able to 7 regenerate a new ticket reserve request at a far greater speed than any legitimate human 8 could manage, thus preventing any human from reserving or purchasing the ticket. 9 (FAC ¶ 45.) Moreover, the bots can trade information so that purchases coming from 10 multiple computers would appear to be coming from the same computer, allowing the 11 bots to hide themselves by more closely mirroring what Ticketmaster’s algorithms 12 considered normal human use. (FAC ¶ 47.) Finally, the bots are able to escape 13 detection when ordering tickets through the mobile app interface, which Ticketmaster 14 alleges is not possible without first obtaining certain lines of code called security tokens 15 embedded deep within the code of the Ticketmaster mobile app. (FAC ¶ 56.) 16 These allegations show that Defendants’ bots were remarkably effective at 17 circumventing a leading online ticketing platform’s best defenses. It strains credulity 18 to think that the Bot Developers could have developed such successful bots without 19 downloading and storing Ticketmaster’s pages and code. The bots’ effectiveness is 20 circumstantial evidence that plausibly supports the conclusion that at some point the 21 Bot Developers copied protected portions of the Ticketmaster website and mobile app 22 onto its own servers, in order to develop bots that could successfully circumvent 23 Ticketmaster’s myriad security measures. Under the federal standards for notice 24 pleading, Ticketmaster’s allegations of copying are sufficient. 25 ii. License defense 26 Defendants assert a license defense, arguing that Ticketmaster’s Terms of Use 27 agreement (“TOU”) provides users a license to copy Ticketmaster’s website. (Reply 28 3.) A 12(b)(6) motion tests the sufficiency of a complaint, and as such, it is generally 16 1 not the appropriate stage to assert affirmative defenses. Scott v. Kuhlmann, 746 F.2d 2 1377, 1378 (9th Cir. 1984). But if an affirmative defense is obvious from the face of 3 the pleadings, a defendant may raise that defense in a motion to dismiss. Clifton v. 4 Houghton Mifflin Harcourt Publishing Co., 152 F. Supp. 3d 1221, 1225 (N.D. Cal. 5 2015); see Rodriguez v. Swartz, 111 F. Supp. 3d 1025, 1030 (D. Ariz. 2015). 6 The Court finds that nothing in the Complaint, including Ticketmaster’s Terms 7 of Use attached thereto as Exhibit E, shows that Ticketmaster granted Defendants, or 8 any other users, a license to download and store Ticketmaster’s pages and code on the 9 user’s local system. The section of the Terms of Use entitled “Ownership of Content 10 and Grant of Conditional License” describes exactly what rights Ticketmaster grants its 11 users, and nowhere does Ticketmaster grant its users a right to download and copy. The 12 relevant section of the Terms of Use provide: 13 The Site and all data, text, designs, pages, print screens, images, 14 artwork, photographs, audio and video clips, and HTML code, 15 source code, or software that reside or are viewable or otherwise 16 discoverable on the Site, and all tickets obtained from the Site, 17 (collectively, the “Content”) are owned by us or our licensors. . . 18 . 19 We grant you a limited, conditional, no-cost, non-exclusive, non- 20 transferable, non-sublicensable license to view this Site and its 21 Content as permitted by these Terms for non-commercial 22 purposes only if, as a condition precedent, you agree that you will 23 not [engage in one of several prohibited activities.]2 24 (FAC, Ex. E at 55.) These Terms of Use give Ticketmaster users the right to “view” 25 Ticketmaster’s website. While the Terms of Use do indicate that the website’s HTML 26 code and source code may be “viewable or otherwise discoverable,” such descriptive 27 28 2 Other provisions of the Terms of Use contain minor provisions regarding the scope of the user’s license, but these two paragraphs contain all the material provisions of the user’s license. 17 1 language does not amount to a grant of a license. Under no reasonable interpretation 2 do these Terms of Use grant Defendants a license to download and store Ticketmaster’s 3 pages and code. 4 At Defendants’ motion to dismiss Ticketmaster’s original Complaint, both the 5 Court and the parties devoted considerable attention to whether the provisions of 6 Ticketmaster’s Terms of Use were conditions or covenants. (Prior Mot. 7–8, ECF No. 7 24-1; Prior Opp’n 10, ECF No. 25; Order 8–9.) Defendants now reiterate that, pursuant 8 to this Court’s prior order, the provisions of the Terms of Use are covenants, and that, 9 under MDY, the violation of a covenant gives rise only to a contract claim and not to a 10 claim for copyright infringement. (Mot. 6; Order 9.) In so arguing, Defendants 11 misconstrue MDY and the underlying copyright laws. Under MDY, a violation of a 12 provision of a Terms of Use is copyright infringement if the violation implicates one of 13 the copyright holder’s exclusive rights, regardless of whether the violated provision is 14 a covenant or a condition. See MDY Indus., 629 F.3d at 940. Ticketmaster’s new theory 15 of direct infringement is based on the Bot Developers’ violation of its exclusive 16 statutory right of reproduction, and under MDY, this is sufficient. (FAC ¶ 102.) The 17 condition-versus-covenant issue is moot in a scenario where, as here, the defendant has 18 violated the plaintiff’s exclusive statutory right. 19 The MDY court’s concern with the condition-versus-covenant distinction arose 20 from public policy concerns that are not present in this case. The plaintiff in MDY was 21 the developer of an online multiplayer game, and the defendant was the developer of a 22 bot that ordinary gamers could purchase to automatically play the early stages of the 23 game on behalf of the gamer. Id. at 935. The plaintiff claimed that the direct infringers 24 were the gamers who used the bots. Id. at 937–38. Because the game’s Terms of Use 25 declared that playing the game with a bot was unauthorized use of the game, any gamer 26 who used a bot was a direct infringer of the plaintiff’s copyright, by virtue of the fact 27 that the gamer’s computer made an unauthorized “copy” of the game in the gamer’s 28 local computer memory (RAM) while the game was being played. Id. at 939. The court 18 1 rejected this analysis, refusing to recognize common bot use by ordinary gamers as 2 copyright infringement. To hold these gamers liable, the court reasoned, would allow 3 “any software copyright holder [to] designate any disfavored conduct during software 4 use as copyright infringement, by purporting to condition the license on the player’s 5 abstention from the disfavored conduct.” Id. at 941. 6 The concerns of the MDY court are not implicated by Ticketmaster’s First 7 Amended Complaint. Ticketmaster is alleging direct infringement by a small number 8 of sophisticated software developers and marketers. (FAC ¶ 6.) This is a completely 9 different theory of direct infringement than that alleged by the MDY plaintiff. MDY, 10 629 F.3d at 939. A finding of direct infringement in this case will not expose masses 11 of Ticketmaster users to copyright liability merely because they violated Ticketmaster’s 12 own house rules. Thus, the holding of MDY does not directly control today’s outcome. 13 Ticketmaster has plausibly alleged that the Bot Developers infringed 14 Ticketmaster’s statutory right of reproduction, and Defendants have not established that 15 they had a license to reproduce Ticketmaster’s pages and code by downloading and 16 storing them on a local system. As the Court explained in its prior order, under MDY, 17 this constitutes copyright infringement. (Order 7;) see also MDY, 629 F.3d at 940 (“To 18 recover for copyright infringement based on breach of a license agreement, (1) the 19 copying must exceed the scope of the defendant’s license and (2) the copyright owner’s 20 complaint must be grounded in an exclusive right of copyright . . . .”) Ticketmaster’s 21 claim survives not because the Bot Developers violated Ticketmaster’s Terms of Use, 22 but rather because they reproduced Ticketmaster’s website in violation of 17 U.S.C. 23 § 106, without possessing a license to do so. The Court therefore concludes that 24 Ticketmaster has stated a claim for direct copyright infringement on the part of the Bot 25 Developers. 26 4. Secondary Infringement by Moving Defendants 27 Having alleged direct infringement, Ticketmaster proceeds to accuse Defendants 28 of secondary copyright infringement. (FAC ¶¶ 94–99.) A defendant may commit 19 1 secondary infringement in one of two ways: contributorily, “by intentionally inducing 2 or encouraging direct infringement,” or vicariously, “by profiting from direct 3 infringement while declining to exercise a right to stop or limit it.” Metro–Goldwyn– 4 Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913, 930–931 (2005). Although “[t]he 5 Copyright Act does not expressly render anyone liable for infringement committed by 6 another, these doctrines of secondary liability emerged from common law principles 7 and are well established in the law.” 8 committed secondary infringement by inducing, causing, or materially contributing to 9 the Bot Developers’ creation of bots, with knowledge that the Bot Developers would 10 have to infringe Ticketmaster’s copyrights in its website and mobile app in order to 11 create the bots. (FAC ¶ 96.) The Court finds that Ticketmaster has stated a claim for 12 Defendants’ contributory infringement based on the direct infringement of the Bot 13 Developers. Id. Ticketmaster alleges that Defendants 14 “[O]ne contributorily infringes when he (1) has knowledge of another’s 15 infringement and (2) either (a) materially contributes to or (b) induces that 16 infringement.” Perfect 10, Inc. v. Visa Int’l Serv. Ass’n, 494 F.3d 788, 795 (9th Cir. 17 2007); see also A & M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1019 (9th Cir. 18 2001) (defining contributory infringement as “personal conduct that encourages or 19 assists the infringement”). The Ninth Circuit and the Supreme Court have announced 20 various formulations of this same basic test for contributory liability. Visa Int’l, 494 21 F.3d at 795. In synthesizing those formulations, the Ninth Circuit reviews the details 22 of the actual ‘cases and controversies’ in each of the test-defining cases and the actual 23 holdings in those cases to determine whether the factual scenario presented in the case 24 before it is analogous. VHT, Inc. v. Zillow Grp., Inc., No. C15-1096JLR, 2017 WL 25 2654583, at *14 (W.D. Wash. June 20, 2017) (ellipsis and some internal quotation 26 marks removed). 27 Ticketmaster has sufficiently pled Defendants’ contributory liability for the 28 copying committed by the Bot Developers. First, Ticketmaster alleges that the moving 20 1 Defendants directed the Bot Developers to download and store on their computer 2 systems large portions of Ticketmaster’s copyrighted Site and App. (FAC ¶ 67.) 3 Ticketmaster has therefore alleged facts that show that Defendants had knowledge of 4 the Bot Developers’ infringing activities. 5 Ticketmaster has also shown that the named Defendants induced or materially 6 contributed to the Bot Developers’ infringement. Ticketmaster alleges that the Bot 7 Developers created, marketed, and provided the bots. (FAC ¶ 6.) Defendants then used 8 those bots to purchase large quantities of tickets. (FAC ¶ 5.) These facts indicate a 9 relationship between Defendants and the Bot Developers of mutual benefit to both 10 parties, and it is reasonable to infer that Defendants contributed to the Bot Developers’ 11 infringement as part of this relationship. Without more knowledge about the nature of 12 the relationship between Defendants and the Bot Developers, Ticketmaster cannot be 13 expected to plead with any greater specificity. A 12(b)(6) motion tests the sufficiency 14 of a complaint, not the sufficiency of the available evidence. 15 Because the Court has determined that Ticketmaster has successfully pled the 16 moving Defendants’ contributory liability for copyright infringement, the Court need 17 not consider whether the moving Defendants are also vicariously liable under the facts 18 as alleged. For these reasons, the Court DENIES Defendants’ motion to dismiss 19 20 Ticketmaster’s Second Claim for Relief. 21 C. DMCA 22 Defendants move to dismiss Ticketmaster’s Fifth Claim for Relief for violations 23 of the Digital Millennium Copyright Act, 17 U.S.C. § 1201 et seq. This Court, in its 24 prior Order, found that Ticketmaster’s original Complaint stated a claim under the 25 DMCA, and denied Defendants’ motion to dismiss on that ground. (Order 11.) Under 26 the doctrine of law of the case, a court is generally precluded from reconsidering an 27 issue that has already been decided by the same court or a higher court in the identical 28 case, absent a material change in circumstances. See Thomas v. Bible, 983 F.2d 152, 21 1 154–155 (9th Cir. 1993). Ticketmaster’s First Amended Complaint does contain new 2 factual allegations, but none of those allegations disturb the sufficiency of its DMCA 3 claim. In accordance with its prior order, the Court therefore DENIES Defendants’ 4 motion to dismiss Ticketmaster’s Fifth Claim for Relief. 5 The Court will briefly address Defendants’ main argument against the DMCA 6 claim as pressed in its brief in support of this Motion. The relevant provision of the 7 DMCA provides that “[n]o person shall circumvent a technological measure that 8 effectively controls access to a [copyrighted] work . . . .” 17 U.S.C. § 1201(a)(1). 9 Ticketmaster alleges that Ticketmaster’s security measures, including CAPTCHA, are 10 technological measures that control access to Ticketmaster’s copyrighted webpages, 11 and that Defendants’ bots and other efforts circumvent those measures in violation of 12 the DMCA. (FAC ¶ 52, 111.) Defendants’ main argument is that Ticketmaster has 13 failed to indicate any copyrighted work to which any of Ticketmaster’s technological 14 measures were effectively controlling access. (Mot. 10; Reply 5.) 15 Defendants’ argument fails because Ticketmaster’s CAPTCHA controls non- 16 human access to Ticketmaster’s ticket purchase pages and ticket confirmation pages, 17 both of which are copyrighted works. The three-tiered analytical framework for 18 copyrightable content as discussed above and as articulated by the Ninth Circuit in MDY 19 makes this abundantly clear. 629 F.3d at 942–43. 20 The defendant in MDY argued that the bots he developed simply helped players 21 play a game, and that there wasn’t any copyrighted material that his bots were accessing 22 in circumvention of a security measure. The court did agree with the defendant that the 23 game’s literal and individual non-literal elements did not qualify as access-controlled 24 works under the statute. Id. at 952. The court reasoned that there was no technological 25 measure controlling access to the literal and individual non-literal elements of the game 26 because those elements were readily accessible to any player who had installed the game 27 on their computers. Id. With respect to the game’s dynamic non-literal elements, 28 though, the court found a DMCA violation. Id. at 954. The individual experience of 22 1 the game—the particular configuration of shapes, colors, and sounds presented on the 2 screen as the gamer plays the game—was copyrightable expression, to which only a 3 human had authorized access. Id. The plaintiff put security measures in place to keep 4 bots from playing the game—that is, from accessing the game’s copyrighted dynamic 5 non-literal elements—and when the bots circumvented those measures, they 6 circumvented an access control to a copyrighted work. Id. 7 Defendants’ bots in this case do the very same thing. In order to purchase tickets 8 from Ticketmaster, one must work through Ticketmaster’s security measures, including 9 CAPTCHA. Ticketmaster designs these security measures so that only a human can 10 progress through Ticketmaster’s pages and ultimately purchase a ticket. Each of these 11 pages is a unique page, tailored specifically to the customer and what that customer is 12 trying to accomplish. The process is familiar to anyone who has shopped online. For 13 example, the purchase confirmation page of an online store will contain an 14 individualized presentation of details, including the purchaser’s shipping and billing 15 information, information about the product or service purchased, and a purchase 16 confirmation number. 17 constitutes dynamic non-literal content which is subject to copyright protection. 18 Moreover, the source code used to generate the purchase confirmation page is literal 19 content which is also subject to copyright protection. Thus, when Defendants used bots 20 to progress through Ticketmaster’s security measures and ultimately gain access to 21 ticket confirmation pages and data, they circumvented a technological measure that 22 Ticketmaster had put in place to control access to Ticketmaster’s copyrighted ticket 23 confirmation pages and data. These pages and data are dynamic non-literal content and 24 literal content, respectively, both of which, as discussed above, are protected by 25 Ticketmaster’s copyrights. Defendants’ activities therefore satisfy the textual elements 26 of the DMCA, 17 U.S.C. § 1201(a)(1). This unique, individualized presentation of information 27 The Court’s finding falls in line with the growing number of courts that have 28 concluded that circumvention of CAPTCHA and similar measures designed to 23 1 distinguish between humans and non-humans violates the DMCA. In Ticketmaster 2 L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096 (C.D. Cal. 2007), the court 3 considered Ticketmaster’s CAPTCHA feature, observing that it “controls access to a 4 protected work because a user cannot proceed to copyright[-]protected webpages 5 without solving CAPTCHA.” RMG, 507 F. Supp. 2d at 1112; see also Craigslist, Inc. 6 v. Kerbel, No. C–11–3309 EMC, 2012 WL 3166798, at *10 (N.D. Cal. Aug. 2, 2012) 7 (denying dismissal of DMCA claim where defendant marketed auto-posting services 8 that enabled users to circumvent Craigslist’s CAPTCHA, and collecting other Craigslist 9 cases making the same finding. Plaintiffs have stated a claim for relief under the DMCA. The Court therefore 10 11 DENIES Defendants’ motion to dismiss Ticketmaster’s Fifth Claim for Relief. 12 D. CFAA 13 Defendants move to dismiss Ticketmaster’s Eleventh Claim for Relief for 14 violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. The CFAA 15 prohibits computer trespass by those who are not authorized users or who exceed 16 authorized use. Facebook, Inc. v. Power Ventures, 844 F.3d 1058, 1065–66 (9th Cir. 17 2016) (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA is primarily a criminal-law 18 statute, but a civil action is available for “[a]ny person who suffers damage or loss by 19 reason of a violation” of the CFAA. The CFAA lists thirteen categories of offense that 20 constitute a violation, and includes a conspiracy clause. 18 U.S.C. § 1030 (a)–(b). 21 Ticketmaster alleges that Defendants “knowingly and intentionally accessed 22 Ticketmaster’s computers without authorization or in excess of authorization” and that 23 by so doing, they “obtained valuable, unauthorized information from Ticketmaster’s 24 ticketing systems.” (FAC ¶¶ 162–63.)3 These allegations signal a potential violation 25 26 27 28 3 Defendants maintain that this Court’s prior order, which dismissed Ticketmaster’s CFAA claim, constitutes law of the case that requires dismissal of Ticketmaster’s CFAA claim on this Motion as well. (Mot. 13.) Ticketmaster’s First Amended Complaint identifies specific ways that Defendants accessed the Ticketmaster website without authorization or in excess of authorization that were not identified in the original Complaint. (See, e.g., FAC ¶ 163.) In light of Ticketmaster’s new factual allegations, the Court finds it appropriate to consider Ticketmaster’s CFAA claim anew. 24 1 under two of the CFAA’s thirteen categories of offense. The first category prohibits 2 “intentionally accessing a computer without authorization or exceeding authorized 3 access, and thereby obtaining . . . information from any protected computer.” 18 U.S.C. 4 § 1030(a)(2)(C). The second category provides punishment for those who “knowingly 5 and with intent to defraud, access[] a protected computer without authorization, or 6 exceed[] authorized access, and by means of such conduct further[] the intended fraud 7 and obtain[] anything of value.” 18 U.S.C. § 1030(a)(4). 8 In addition to showing a violation of one of the provisions of section 1030(a)(1)– 9 (7), a private plaintiff bringing suit under the CFAA must show that the violation 10 involved one of the five factors listed in subsection 1030(c)(4)(A)(i). See Custom 11 Packaging Supply Inc. v. Phillips, Case No. 2:15-cv-04584-ODW-AGR, 2016 WL 12 1532220, at *4 (C.D. Cal. April 15, 2016). Ticketmaster alleges that Defendants’ 13 violations of the CFAA cost Ticketmaster “a loss of over $5000 in a one-year period.” 14 (FAC ¶ 164.) With this allegation, Ticketmaster seeks to avail itself of the first of the 15 five factors, which allows for a civil action “if the offense caused . . . loss to 1 or more 16 persons during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. 17 § 1030(c)(4)(A)(i)(I). Ticketmaster does not allege any facts that suggest that any of 18 the factors in subsections (II)–(V) are involved. 19 To start with, Defendants do not maintain that their access was unintentional or 20 unknowing, or that the computers in question were not protected computers. See 18 21 U.S.C. § 1030(e)(2) (“‘[P]rotected computer’ means a computer . . . which is used in or 22 affecting interstate or foreign commerce or communication . . . .”). Thus, the issues 23 common to both putative violations are (1) whether Defendants accessed Ticketmaster’s 24 computers without authorization or in a manner that exceeded authorized access, and 25 (2) whether such access caused Ticketmaster an aggregate ‘loss’ of $5,000 in any one- 26 year period. 18 U.S.C. §§ 1030(a)(2)(C), (a)(4). If Ticketmaster has successfully pled 27 both of these allegations, it need only further plead that Defendants obtained 28 25 1 “information,” thus violating section 1030(a)(2)(C), or that Defendants obtained 2 “anything of value,” thus violating section 1030(a)(4).4 3 1. Accessing Without Authorization or Exceeding Authorized Access 4 The CFAA “provides two ways of committing the crime of improperly accessing 5 a protected computer: (1) obtaining access without authorization; and (2) obtaining 6 access with authorization but then using that access improperly.” Musacchio v. United 7 States, 136 S. Ct. 709, 713 (2016). The parties in this case characterize the CFAA as 8 an anti-hacking statute, and argue vigorously that hacking has not or has occurred. 9 (Mot. 13; Opp’n 12 n.9.) Defendants understand hacking to mean accessing a non- 10 public part of a website without authorization, and repeatedly assert that no Defendant 11 has accessed anything other than the public Ticketmaster website. (Mot. 14, 15.) 12 While it is true that “Congress enacted the CFAA in 1984 primarily to address 13 the growing problem of computer hacking,” United States v. Nosal, 676 F.3d 854, 858 14 (9th Cir. 2012), the word “hack” does not appear anywhere in the statute’s text. See 15 generally 18 U.S.C. § 1030. In fact, courts in the Ninth Circuit have repeatedly 16 recognized violations of the CFAA without characterizing the violations as hacking. 17 For example, the defendant in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 18 (9th Cir. 2016) was a provider of an online dashboard that allowed the user to log in 19 and manage several of the user’s social media accounts at once. Id. at 1062. The 20 defendant initiated a promotional campaign that made combined use of the defendant’s 21 own platform and Facebook’s email system to promote the defendant’s service. Id. at 22 1063. Facebook sent the defendant a cease-and-desist letter, instructing the defendant 23 to end the campaign. Id. Defendants continued their campaign, and in doing so, they 24 accessed Facebook’s computers in a way that exceeded their authorization, because the 25 cease-and-desist letter had specifically revoked that authorization. Id. at 1067. The 26 27 28 4 Section 1030(a)(4) further specifies that a defendant who obtained only “the use of the computer,” where the value of that use was not more than $5,000 in any one-year period, has not violated the CFAA. Since Defendants here allegedly did more than use Ticketmaster’s computers, this exception does not apply. 26 1 court found a valid CFAA claim without needing to find that the defendants had hacked 2 into anything. Id. at 1069; see also United States v. Nosal, 930 F. Supp. 2d 1051, 1060 3 (N.D. Cal. 2013) (clarifying that the Ninth Circuit “did not . . . explicitly hold that the 4 CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute. 5 . . . Hacking was only a shorthand term used as common parlance by the court to 6 describe the general purpose of the CFAA . . . .”). 7 Thus, Ticketmaster’s successful pleading of a CFAA violation doesn’t depend on 8 whether any Defendant hacked anything. The proper inquiry is whether Ticketmaster 9 has sufficiently pled that Defendants accessed Ticketmaster’s computers, either without 10 any authorization, or in excess of the authorization they did have. Ticketmaster argues 11 that each use of a bot to purchase a ticket was a use in excess of authorization because 12 an individualized cease-and-desist Letter sent to Prestige on May 7, 2015 explicitly 13 prohibited Prestige and the other Defendants from using bots to access Ticketmaster’s 14 website. (FAC, Ex. E; Opp’n 17.) Defendants argue that they did no more than violate 15 Ticketmaster’s Terms of Use, and that under relevant Ninth Circuit jurisprudence a 16 violation of a Terms of Use cannot provide the basis for CFAA liability. (Reply 8.) 17 Ticketmaster and Defendants both argue that United States v. Nosal (“Nosal”), 18 676 F.3d 854 (9th Cir. 2012) supports their respective positions. In that case, the court 19 recognized that the terms of use that website owners impose upon visitors are often 20 “vague and generally unknown,” and that “website owners retain the right to change the 21 terms at any time and without notice.” Id. at 863. Many terms-of-use agreements, 22 including Ticketmaster’s, expressly condition their permission to use the website on 23 compliance with the Terms of Use, such that the moment a user violates a single 24 provision, that user no longer has permission to access the site. See id. at 858. The 25 result is that each visit to the site constitutes access of the site without authorization, in 26 violation of the CFAA. Id. at 859. 27 28 27 1 Such reasoning, the court explained, creates federal crimes out of ordinary, run- 2 of-the-mill Terms of Use violations, an unacceptable result. Id. at 860. As the court 3 further explained: 4 [C]onsider the numerous dating websites whose terms of use 5 prohibit inaccurate or misleading information. Or eBay and 6 Craigslist, where it’s a violation of the terms of use to post items 7 in an inappropriate category. Under the government’s proposed 8 interpretation of the CFAA, . . . describing yourself as “tall, dark, 9 and handsome,” when you’re actually short and homely, will 10 earn you a handsome orange jumpsuit. 11 Id. at 861–62 (citations omitted). The court went on to hold that “‘exceeds authorized 12 access’ in the CFAA does not extend to violations of use restrictions.” Id. at 864. 13 Nosal was about an employee who violated his employer’s information use 14 policies, not a web surfer who violated a website’s terms of use. Id. at 856. 15 Nevertheless, courts in the Ninth Circuit have applied the Nosal holding to ordinary 16 computer users visiting websites or using software governed by terms-of-use 17 agreements. These courts have held that violation of a website’s (or software’s) Terms 18 of Use, without more, cannot constitute a violation of the CFAA. See Synopsis, Inc. v. 19 ATopTech, Inc., No. C 13–cv–02965 SC, 2013 WL 5770542, at *9 (N.D. Cal Oct. 24, 20 2013) (dismissing a CFAA claim brought on the basis of a software license agreement 21 violation); Matot v. CH, 975 F. Supp. 2d 1191, 1194 (D. Or. 2013) (dismissing a CFAA 22 claim brought on the basis of a website’s Terms of Use violation). 23 Defendants insist that Ticketmaster’s CFAA claim is based “entirely” on a 24 violation of its Terms of Use, and that the holding of Nosal therefore requires dismissal 25 of Ticketmaster’s CFAA claim. (Mot. 13.) However, this case is distinguishable from 26 Nosal in two ways. First, here, Ticketmaster sent an individualized Letter to Defendants 27 instructing them to cease their activities, whereas the defendant in Nosal received no 28 individualized notice, and merely violated his employer’s pre-existing confidentiality 28 1 policies. Nosal, 676 F.3d at 856. Second, the Nosal defendant was an ex-employee 2 who convinced current employees to steal confidential company files. Id. at 856. When 3 those current employees accessed their employer’s database to download the files, they 4 had authorization to do so as employees of the company. Id. The Ninth Circuit would 5 not find that the defendant exceeded authorized access when the only agreement the 6 current employees broke was their employer’s confidentiality agreement. Id. at 863. 7 Here, by contrast, Defendants have been told by Ticketmaster that the only kind of 8 access that they, Defendants, are authorized to make is access that conforms to 9 Ticketmaster’s Terms of Use. (FAC, Ex. E at 71–72.) Ticketmaster’s cease-and-desist 10 Letter was of far greater practical and legal significance than a generally applicable “use 11 restriction,” see Nosal, 676 F.3d at 864. The Letter was, in effect, an individualized 12 access policy that revoked authorization upon breach of the policy. 13 These distinctions render Nosal’s bright-line rule about use restrictions 14 inapplicable to this case. Far more applicable is the reasoning and holding of the Ninth 15 Circuit in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016). Both 16 this case and Facebook involve a commercial defendant whose business model is built 17 on unauthorized use of the plaintiff’s website. The Facebook court found that after 18 receipt of an individualized cease-and-desist letter, the defendant “knew that it no longer 19 had authorization to access Facebook’s computers, but continued to do so anyway.” Id. 20 at 1067. Unlike the Nosal opinion, the Facebook opinion contains no discussion of the 21 risk of turning Terms of Use violators into copyright infringers, because after receipt of 22 an individualized cease-and-desist letter, the defendant’s use—as here—is no longer a 23 mere Terms of Use violation and is instead a violation of a set of permissions and 24 prohibitions directly and individually imposed upon the defendant. 25 Ticketmaster’s Letter has the same effect as the letter in Facebook. 26 Ticketmaster’s Letter explicitly reminded Defendants that “use of the [Ticketmaster] 27 website is conditioned on an agreement that the user will not . . . use any automated . . . 28 29 1 computer system to . . . buy . . . tickets,” and instructed Defendants to “cease and desist 2 from any further violations of Ticketmaster’s rights.” (FAC, Ex. E at 71–72.) 3 To be clear, it is the violation of the terms of the Letter, not of Ticketmaster’s 4 Terms of Use, on which the Court bases its finding of a well-pled CFAA claim. The 5 Facebook court required something “more” than mere violation of a website owner’s 6 terms of use to impose liability under the CFAA, and the Letter satisfies that 7 requirement. Facebook, 844 F.3d at 1067. Ticketmaster’s Letter accuses Defendants 8 of particular unauthorized purchases of particular quantities of tickets on particular 9 dates and times and contains a list of 47 fake email addresses that Defendants allegedly 10 used to buy tickets. (FAC, Ex. E at 69–70.) The Letter, with its detailed factual 11 allegations, is a “far cry from the permission skirmishes that ordinary Internet users 12 face.” See Facebook, 844 F.3d at 1069. Finding an individualized letter to be a basis 13 for unauthorized use under the CFAA is fully consistent with the holding of the Nosal 14 court, which was concerned specifically about violations arising from Terms of Use 15 agreements imposed uniformly and adhesively upon a large number of end users. 16 Nor are Defendants “ordinary Internet users.” Facebook, 844 F.3d at 1069. It is 17 true that the Ninth Circuit will not use the CFAA to “transform[] otherwise innocuous 18 behavior into federal crimes simply because a computer is involved,” preferring to 19 “prevent criminal liability for computer users who might be unaware that they were 20 committing a crime.” Id. But Defendants in this case are a sophisticated multi-entity 21 business operation, not an employee on his way out the company, much less an 22 overconfident eHarmony user or an innocuous eBay merchant struggling to determine 23 the proper category in which to sell a trinket. See Nosal, 676 F.3d at 861–62. 24 Defendants are anything but innocuous. They know that their entire business model is 25 built on a scheme to evade Ticketmaster’s policies for profit. (See ¶¶ 58, 122 (alleging 26 9,047 instances of fraud for each account Defendants created and 313,528 instances of 27 fraud for each ticket order Defendants executed).) 28 30 1 Defendants attempt to distinguish this case from Facebook by pointing out that 2 this Court previously found that Ticketmaster’s Letter did not completely revoke access 3 authority. (See Order 13 (“Ticketmaster’s cease-and-desist letter appears to imply that 4 Defendants could continue to use Ticketmaster’s website so long as they abide by the 5 TOU.”)) In Facebook, by contrast, the cease-and-desist letter sent by Facebook to the 6 defendants appears to have revoked all authorization for defendants to use Facebook’s 7 website. 844 F.3d at 1067. Defendants make a distinction without a difference, because 8 the CFAA penalizes both access without authorization and situations where a defendant 9 possesses some authorization, but acts excess of that authorization. 18 U.S.C. § 1030 10 (a)(2)(c), (a)(4). Therefore, the fact that the Letter may have allowed Defendants to 11 continue using Ticketmaster’s website in a limited way does not allow Defendants to 12 escape CFAA liability. After receipt of the Letter, each time Defendants purchased 13 tickets with a bot, they accessed the Ticketmaster website in a manner explicitly 14 forbidden to them, thus exceeding their authorization to use the Ticketmaster website. 15 Defendants exceeded authorized access to Ticketmaster’s computers when they 16 received Ticketmaster’s letter and nevertheless continued to use bots to purchase 17 Ticketmaster tickets. 18 2. Loss 19 To sufficiently state its CFAA claim, Ticketmaster must plead facts that show 20 that Defendants’ conduct caused “loss to 1 or more persons during any 1-year period . 21 . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA 22 defines “loss” as “any reasonable cost to any victim,” and lists as examples “the cost of 23 responding to an offense, conducting a damage assessment, and restoring the data, 24 program, system, or information to its condition prior to the offense, and any revenue 25 lost, cost incurred, or other consequential damages incurred because of interruption of 26 service.” 27 Ticketmaster to plead facts that show “interruption of service or impairment of data” 28 and losses that flow directly therefrom. (Reply 11.) The Court disagrees with this 18 U.S.C. § 1030(e)(11). Defendants insist that the CFAA requires 31 1 reading of the statute’s definition of “loss” for two reasons. First, the placement of the 2 commas in the definition of “loss” indicates that “the cost of responding to an offense” 3 does not have to be caused by “interruption of service.” See 18 U.S.C. 1030(e)(11). 4 These two clauses are separated by seven commas, and a strained reading is required to 5 conclude that the last clause controls the first. The cost of “responding to an offense,” 6 on its own, qualifies as loss under the CFAA, without any need to connect it to an 7 interruption of service. 8 The Court is mindful of a split among the circuits over what constitutes “loss” 9 under the CFAA. Namely, some district courts have held that “loss” under the CFAA 10 must “relate to the investigation or repair of a computer system following a violation 11 that caused impairment or unavailability of data.” Cassetica Software, Inc. v. Computer 12 Scis. Corp., No. 09 C 0003, 2009 WL 1703015, at *4 (N.D. Ill. June 18, 2009); see also 13 Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd., 387 F. Supp. 2d 378, 381 (S.D.N.Y. 14 2005) (synthesizing cases and determining that “‘losses’ under the CFAA are 15 compensable only when they result from damage to, or the inoperability of, the accessed 16 computer system”). This narrow definition of loss under the CFAA permits recovery 17 of costs related to damage assessment or recovery only “when the costs are related to 18 an interruption of service.” Cassetica Software, 2009 WL 1703015, at*4. 19 Courts in the Ninth Circuit, on the other hand, do not read “loss” so narrowly. 20 The defendant in SuccessFactors v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 21 2008) was a departing employee who stole proprietary company information from a 22 company computer and used the information to attempt to tarnish the reputation of his 23 former employer. Id. at 977–78. The SuccessFactors court examined some of the cases 24 that applied the narrower definition of “loss,” but found them inapposite, because in 25 cases like the one before it, “where the offense involves unauthorized access and the 26 use of protected information, the reasonable “cost of responding to [the] offense,” 18 27 U.S.C. § 1030[(e)(11)], will be different from such cost in a case where the primary 28 concern is the damage to the plaintiff’s computer system itself.” Id. at 981. The court 32 1 further reasoned that “where the offender has . . . accessed protected information, 2 discovering who has that information and what information he or she has is essential to 3 remedying the harm,” and concluded that the plaintiff was likely to prevail on its CFAA 4 claim. Id. 5 The Facebook court disposed of the issue in two sentences, finding “loss” under 6 the CFAA in light of the fact that the plaintiff’s “employees spent many hours, totaling 7 more than $5,000 in costs, analyzing, investigating, and responding” to the defendant’s 8 actions. Facebook, 844 F.3d at 1066. The Facebook court did not require the plaintiff’s 9 losses to flow either from “impairment of service” or from actual loss or unavailability 10 of data. 18 U.S.C. § 1030(e)(11). To the Facebook court, costs spent analyzing, 11 investigating, and responding to a defendant’s unauthorized access, even when that 12 access led to no actual loss or unavailability of data, qualify as “the cost of responding 13 to an offense” and therefore provide the basis for a civil action under the CFAA. 844 14 F.3d at 1066. 15 A careful reading of the statute supports the reasoning of the SuccessFactors and 16 Facebook courts. Under the CFAA, loss is “any reasonable cost to any victim.” 18 17 U.S.C. § 1030(e)(1). This definition is followed by a list of costs that qualify as loss, 18 but the word “including” indicates that this list is not exhaustive. Id. The nine types of 19 loss in the statutory definition are provided merely as examples, not as limitations on 20 what qualifies as “loss” under the CFAA. 21 Ticketmaster’s allegations are sufficient in the Ninth Circuit to show “loss” under 22 the CFAA. Under federal notice pleading standards, it is enough if Ticketmaster’s 23 allegations allow the Court to plausibly infer that Ticketmaster’s “loss” exceeds $5,000. 24 See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Ticketmaster need not, as Defendants 25 contend, allege with detail “which Defendant allegedly did what and when and how and 26 what it was that [Ticketmaster] allegedly did in response that caused it to incur any 27 loss.” 28 Defendants’ unauthorized access, including the costs of identifying Defendants (FAC (Mot. 18.) Ticketmaster has alleged a panoply of costs necessitated by 33 1 ¶ 58), expanding security to identify and block bots (FAC ¶¶ 54–55, 60), and hiring 2 third-party consultants to implement additional bot mitigation measures (FAC ¶ 54). 3 Defendants maintain that Custom Packaging Supply, Inc. v. Phillips, No. 2:15- 4 cv-04584-ODW-AGR, 2016 WL 1532220, at *1 (C.D. Cal. Apr. 15, 2016) requires the 5 opposite result. (Mot. 18.) The Phillips defendants were employees who stole their 6 employer’s proprietary company information in order “to compile an illegal library that 7 they then passed on” to a competitor. 2016 WL 1532220, at *1. The plaintiff claimed 8 that its “loss” arose from the fact that its employees had to spend several days taking 9 action in wake of the theft of information. Id. at *5. However, in that case, the 10 defendant’s violation was a one-time act, and the money spent by the plaintiff in 11 response was spent to diminish any consequential damages that might arise as a result 12 of a single violation by a known violator. Id. Ticketmaster’s money, by contrast, was 13 spent identifying Defendants and trying to put a stop to their fraudulent enterprise. 14 These are direct losses flowing from an unknown defendant’s continued breach, as 15 opposed to consequential losses flowing from a known defendant’s one-time breach, as 16 were present in Phillips. Accord Doyle v. Taylor, No. CV-09-158-RHW, 2010 WL 17 2163521, at *1 (E.D. Wash. May 24, 2010), aff’d sub nom. Doyle v. Chase, 434 F. 18 App’x 656 (9th Cir. 2011) (observing that “loss” under the CFAA must flow from 19 “something more: the costs associated with assessing a hacked system for damage, 20 upgrading a system’s defenses to prevent future unauthorized access, or the lost revenue 21 caused by the misappropriation of trade secrets.”). The loss alleged by the Custom 22 Packaging Supply plaintiff was of a different species than the loss alleged here by 23 Ticketmaster. The direct costs Ticketmaster incurred putting a stop to an ongoing 24 offense qualify as “loss” under the CFAA. Moreover, Ticketmaster alleges that these 25 direct costs far exceeded $5,000, as required by the CFAA, and provides sufficient 26 support for that allegation with facts about the heightened security measures it put in 27 place. 18 U.S.C. § 1030(c)(4)(A)(i)(I). 28 34 1 3. Obtaining Information and Obtaining Anything of Value 2 Ticketmaster’s claim for relief under 18 U.S.C. § 1030(a)(2)(c) is complete if it 3 can show that Defendants “obtained information” by accessing Ticketmaster’s 4 computers without authorization. By using their bots, Defendants obtained tickets to 5 events. (FAC ¶ 5.) These tickets are “information” in two senses: (1) the tickets contain 6 information on the face of the ticket that grants the bearer entrance to a particular event; 7 and (2) the tickets themselves are transmitted through the internet in the form of 8 computer code, which is itself information. Thus, Ticketmaster has stated a claim for 9 relief under 18 U.S.C. § 1030(a)(2)(C). 10 Alternatively, Ticketmaster can show that Defendants obtained “something of 11 value” to complete their claim for relief under 18 U.S.C. § 1030(a)(4). The tickets 12 Defendants purchased undeniably have value, or else Defendants would not be running 13 an ever-increasingly sophisticated business operation to obtain them. (FAC ¶¶ 6, 55.) 14 Subsection (a)(4) also requires a showing of intent to defraud, and Defendants argue 15 that Ticketmaster has not shown this intent under the heightened pleading standards of 16 Federal Rule of Civil Procedure 9(b). (Mot. 15 n.6.) This Court, in its prior Order, 17 explained that each of the 9,047 accounts created by Defendants, along with each of 18 Defendant’s 313,528 ticket purchases, was a particular instance of alleged fraud that 19 satisfied the pleading requirements of Rule 9(b). (Order 17–18.) Ticketmaster’s 20 allegations of fraud were sufficient to survive Defendants’ first motion to dismiss, and 21 they are sufficient to survive this Motion as well. For these reasons, the court DENIES Defendants’ motion to dismiss 22 23 Ticketmaster’s Eleventh Claim for Relief. 24 E. CDAFA 25 Defendants move to dismiss Ticketmaster’s Twelfth Claim for Relief for 26 violations of the California Computer Data Access and Fraud Act. (Mot. 1.) The Court 27 previously dismissed Ticketmaster’s CDAFA claim as pled in the original Complaint. 28 (Order 14.) The Court finds it appropriate to consider Ticketmaster’s CDAFA claim 35 1 anew, in light of Ticketmaster’s new allegations regarding the Bot Developers’ 2 downloading and storing of Ticketmaster’s pages and code. 3 The CDAFA is California’s state-law analogue to the CFAA. The statute 4 provides thirteen categories of activity that constitute an offense. Cal. Penal Code 5 § 502(c)(1)–(13). 6 committed acts that constitute violations under seven different subsections of the 7 CDAFA. (FAC ¶¶ 167–173.) The Court finds that Ticketmaster has stated a claim with 8 respect to three of these subsections. Ticketmaster alleges that the Defendants have collectively 9 First, Ticketmaster has not stated a claim with respect to subsections (c)(1) and 10 (c)(4), because those subsections both require that the Defendants have altered, 11 damaged, deleted, or destroyed the data in some way.5 Id. § 502(c)(1), (4). Although 12 Ticketmaster does allege that the Defendants’ activities resulted in alteration, deletion, 13 and destruction of data on the system, the allegation merely tracks the language of the 14 statute itself, without providing facts to substantiate the claimed legal conclusions. 15 (FAC ¶ 77.) Defendants’ bots place a heavy load on Ticketmaster’s system, and they 16 cause Ticketmaster’s system to relinquish tickets to Defendants against Ticketmaster’s 17 wishes, but Defendants’ bots do not actually alter, damage, delete, or destroy data on 18 Ticketmaster’s systems. Precisely the opposite is true: the fact that Ticketmaster’s 19 systems continued to deliver tickets to Defendants’ bots shows that Ticketmaster’s 20 systems continued to function as intended, without damage or alteration, while the bots 21 operated. It is for this same reason that Ticketmaster has also failed to state a claim 22 with respect to subsection (c)(5) of the CDAFA, which requires a showing of 23 “disruption” or “denial” of computer services. Cal. Penal Code § 502(c)(5). 24 25 26 27 28 5 The Court will not read the phrase “or otherwise uses” in section 502(c)(1) as prohibiting anything other than use that is similar to alteration, damage, deletion, or destruction. Under the doctrine of eiusdem generis, when a list of two or more specific terms is followed by a more general term, the otherwise wide meaning of the general term must be restricted to the same class of the specific terms that precede it. See Circuit City Stores, Inc. v. Adams, 532 U.S. 105, 114–15 (2001). The Court narrowly construes “otherwise uses” in section 502(c)(1) to refer to uses that involve data alteration, damage, deletion, and destruction. 36 1 Nor has Ticketmaster stated a claim with respect to subsection (c)(3) of the 2 CDAFA. Under this section, knowingly using or causing the use of computer services 3 without permission constitutes a violation. Id. § 502(c)(3). Under the CDAFA, 4 “‘[c]omputer services’ includes, but is not limited to, computer time, data processing or 5 storage functions, or other uses of a computer . . . .” Id. § 502(b)(4). The services 6 Ticketmaster’s computers provide all relate to the sale of tickets. The sale of tickets is 7 insufficiently similar to “computer time, data processing, or storage functions” to justify 8 construing the “other uses” provision of the statutory definition of “computer services” 9 to include ticket sale services. Id. Because Ticketmaster has not pled facts showing 10 that it offers computer services, section 502(b)(4) does not provide Ticketmaster a basis 11 for a CDAFA claim. 12 Ticketmaster’s allegations with respect to subsections (c)(2), (c)(6), and (c)(7) of 13 the CDAFA, on the other hand, are sufficient. The above-mentioned Facebook, Inc. v. 14 Power Ventures, Inc., 844 F.3d 1058, (9th Cir. 2016) controls the Court’s holding with 15 respect to subsection (c)(2). After sustaining the District Court’s finding that the 16 Facebook plaintiff stated a claim for a CFAA violation, the Ninth Circuit observed: 17 [D]espite differences in wording, the analysis under both [the 18 CFAA and the CDAFA] is similar in the present case. Because 19 [defendant] Power had implied authorization to access [plaintiff] 20 Facebook’s computers, it did not, at first, violate the statute. But 21 when Facebook sent the cease and desist letter, Power, as it 22 conceded, knew that it no longer had permission to access 23 Facebook’s computers at all. Power, therefore, knowingly 24 accessed and without permission took, copied, and made use of 25 Facebook’s data. Accordingly, we affirm in part the district 26 court’s holding that Power violated section 502. 27 Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016), cert. 28 denied, 138 S. Ct. 313 (2017). 37 1 In accordance with the reasoning of the Ninth Circuit, Ticketmaster has stated a 2 claim with respect to section 502(c)(2), which penalizes one who “[k]nowingly accesses 3 and without permission takes, copies, or makes use of any data from a computer . . . .” 4 Cal. Penal Code § 502(c)(2). Ticketmaster’s Letter informed Defendants that they no 5 longer had permission to use bots to purchase tickets from Ticketmaster. The fact that 6 the Letter allowed Defendants to continue to make normal human use of the 7 Ticketmaster website and app is of no consequence, because Defendants’ subsequent 8 ticket purchases constituted taking, copying, or making use of data, all done without 9 Ticketmaster’s permission by virtue of the fact that the purchases were powered by bots. 10 Next, subsection (c)(7) of the CDAFA prohibits knowing, unauthorized access 11 of a computer. Id. § 502(c)(7). Ticketmaster’s Letter revoked Defendants’ 12 authorization to use bots to access the Ticketmaster website in the same way that it 13 revoked Defendants’ authorization to use bots to take and make use of Ticketmaster 14 tickets. For those reasons, supported by the Court’s prior reasoning with respect to 15 “exceeding authorized access” under the CFAA, Ticketmaster has stated a claim with 16 respect to subsection (c)(7). See supra, Section IV.D.1. 17 Finally, subsection (c)(6) prohibits knowingly providing a means of accessing a 18 computer system in violation of the CDAFA. Id. § 502(c)(6). The Bot Developers 19 provided Defendants with bots, which Defendants used to commit violations of at least 20 three other subsections of the CDAFA. Ticketmaster has therefore pled allegations 21 sufficient to show the Bot Developers’ violation of subsection (c)(6). For these reasons, the Court DENIES Defendants’ motion to dismiss 22 23 Ticketmaster’s Twelfth Claim for Relief. 24 F. Remaining Claims 25 Ticketmaster has stated claims for relief for violations of three different federal 26 laws: copyright infringement, 17 U.S.C. § 101 et seq., violation of the Digital 27 Millennium Copyright Act, 17 U.S.C. § 1201 et seq. and violation of the Computer 28 Fraud and Abuse Act, 18 U.S.C. § 1030. Because the Court has original jurisdiction 38

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?