Ticketmaster L.L.C. v. Prestige Entertainment Inc. et al
Filing
48
ORDER DENYING DEFENDANTS MOTION TO DISMISS PLAINTIFFS FIRST AMENDEDCOMPLAINT 37 by Judge Otis D. Wright, II (lc)
O
1
2
3
4
5
6
7
United States District Court
Central District of California
8
9
10
11
TICKETMASTER L.L.C., a Virginia
12
limited liability company,
13
14
Plaintiff,
Case No. 2:17-cv-07232-ODW-JC
ORDER DENYING DEFENDANTS’
v.
MOTION TO DISMISS
15
PRESTIGE ENTERTAINMENT WEST,
PLAINTIFF’S FIRST AMENDED
16
INC., a California corporation,
COMPLAINT [37]
17
RENAISSANCE VENTURES LLC, a
18
Connecticut limited liability company,
19
NICHOLAS LOMBARDI, STEVEN K.
20
LICHTMAN, and DOES 1 through 10,
21
inclusive,
22
Defendants.
23
I.
INTRODUCTION
24
Ticketmaster L.L.C. (“Ticketmaster”) brings this suit against Prestige
25
Entertainment West, Inc., Renaissance Ventures LLC, Nicholas Lombardi, and Steven
26
27
28
1
K. Lichtman1 (collectively, “Defendants”), alleging thirteen causes of action based on
2
Defendants’ use of automated programs generally known as bots, which navigate
3
Ticketmaster’s website and mobile app in order to purchase large quantities of tickets
4
for resale at a profit. (See generally Compl., ECF No. 1.) Defendants moved to dismiss
5
the Complaint, and the Court granted the motion in part with leave to amend. (ECF
6
Nos. 24, 32.) Ticketmaster filed its First Amended Complaint on February 21, 2018.
7
(First Am. Compl. (“FAC”), ECF No. 36.) Defendants now move to dismiss the First
8
Amended Complaint in its entirety. (Mot. 1, ECF No. 37.) The parties submitted briefs
9
in support of their positions, and the Court heard the parties’ arguments on April 9, 2018
10
at 1:30 p.m. (Mot.; Opp’n, ECF No. 39; Reply, ECF No. 41; ECF No. 42.) For the
11
foregoing reasons, the Court DENIES Defendants’ Motion to Dismiss.
II.
12
13
A.
BACKGROUND
Factual Background
14
Ticketmaster sells tickets for live entertainment events to the general public on
15
behalf of its clients through its website, mobile app, and telephone call centers. (FAC
16
¶ 17.) Consumer demand for tickets to a given event often exceeds the supply available
17
through Ticketmaster.
18
consumers, who try to purchase tickets the moment that the tickets become available
19
for sale on Ticketmaster’s website and mobile app. (FAC ¶ 18.)
(FAC ¶ 18.)
This results in intense competition among
20
Ticketmaster has employed various measures in an effort to ensure a fair and
21
equitable ticket purchasing process for its consumers. (FAC ¶ 19.) For instance,
22
Ticketmaster requires each user to create a password-protected account before the user
23
can purchase a ticket. (FAC ¶ 42.) This allows Ticketmaster to better regulate ticket
24
sales, and it also functions as a form of password protection against unauthorized access
25
to the Ticketmaster platform. (FAC ¶ 42.) Ticketmaster also limits the number of
26
27
28
1
Ticketmaster’s original Complaint also listed Prestige Entertainment, Inc. as a defendant, but
Ticketmaster voluntarily dismissed this Defendant before filing its First Amended Complaint.
(Compl. 1; Not. Dismissal, ECF No. 35.)
2
1
tickets that may be purchased in a single transaction and regulates the speed with which
2
users may refresh their requests to search for, reserve, and purchase tickets. (FAC ¶ 19.)
3
Defendants are an enterprise that seeks to profit off the intense competition for
4
tickets that Ticketmaster’s platforms engender. They do this by purchasing large
5
quantities of tickets from Ticketmaster and selling them at a markup on StubHub.com
6
and other ticket resale sites. (FAC ¶ 47.) In order to gain an unfair advantage in
7
searching for and buying these tickets, Defendants have employed robots, programs,
8
and other automated devices, generally known and referred to herein as “bots.” (FAC
9
¶¶ 3, 5.) These bots inundate Ticketmaster’s website and mobile app with page requests
10
and ticket reserve requests at a far higher rate than would be possible for a human alone.
11
(FAC ¶¶ 3, 5.)
12
13
In an effort to put a stop to bots Ticketmaster has employed several
countermeasures, including:
14
● CAPTCHA, a security program whose purpose is to distinguish between human
15
users and bots by requiring the purchaser to retype a series of random, partially
16
obscured characters, a task designed to be impossible for a bot to accomplish
17
(FAC ¶ 20);
18
● Splunk and other commercial data compilation and analysis services, which help
19
Ticketmaster analyze its sales data and detect patterns that indicate that tickets
20
have been purchased by bots (FAC ¶ 21);
21
● Over Ticket Limit, a proprietary feature created to automatically block, in real
22
time, the purchase of tickets that appear to be coming from bots (FAC ¶ 22).
23
Despite Ticketmaster’s efforts, Defendants have found ways to circumvent these
24
countermeasures by using, among other things, colocation facilities with high speed
25
bandwidth, random number and letter generators, cookie trading, and CAPTCHA
26
farms. (FAC ¶¶ 43–44, 47, 51, 52.)
27
Defendants’ enterprise seems to have achieved its goals. Defendants used their
28
bots to acquire tens of thousands of tickets for the New York stage play Hamilton, often
3
1
purchasing thirty to forty percent of the entire amount of tickets available for a given
2
performance. (FAC ¶ 5.) Defendants’ bots also procured a majority of tickets available
3
through Ticketmaster to the high-profile Mayweather v. Pacquiao boxing match in Las
4
Vegas in 2015. (FAC ¶ 5.) In total, Ticketmaster estimates that between January 2015
5
and September 2016, Defendants generated 9,047 dummy user accounts and 313,528
6
ticket orders, sending a total of six million requests to the Ticketmaster website and
7
mobile app. (FAC ¶¶ 42, 51, 58.)
8
Use of Ticketmaster’s website is governed by its Terms of Use. (FAC ¶ 24.)
9
Users must agree to the Terms of Use before they can view and use Ticketmaster’s
10
platforms, and both the website and mobile app repeatedly remind users that the Terms
11
of Use govern the use of Ticketmaster’s services. (FAC ¶¶ 25, 27.) The Terms of Use
12
grant users a “limited, conditional no-cost, non-exclusive, non-transferable, non-sub-
13
licensable license to view Ticketmaster’s site to purchase tickets as permitted by these
14
Terms for non-commercial purposes only if” the user agrees not to conduct certain
15
activities. (FAC ¶ 30.) These activities include:
16
● using “any robot . . . or any other . . . device, tool, or process to
17
retrieve, index, data mine, or in any way reproduce or circumvent
18
the navigational structure or presentation of the Content or the
19
Site, including with respect to any CAPTCHA displayed on the
20
site,”
21
22
● using any “automated software or computer system to search for,
reserve, buy, or otherwise obtain tickets,”
23
● accessing, reloading, or refreshing transactional event or
24
ticketing pages, or making any other request to transactional
25
servers, more than once during any three-second interval,
26
27
● requesting “more than 1,000 pages of the Site in any 24-hour
period, whether alone or with a group of individuals;” and
28
4
1
● reproducing, modifying, displaying, publicly performing,
2
distributing, or creating derivative works of the Site or its
3
Content.
4
(FAC ¶ 30.)
5
Ticketmaster owns registered copyrights in its website and mobile app. (FAC
6
¶ 28.) According to the express language in the Terms of Use, any of the above
7
activities constitutes copyright, patent, and trademark infringement, because engaging
8
in any prohibited activity revokes the user’s permission to use the Ticketmaster website
9
and mobile app. (FAC, Ex. A at 56.) Continued use of the Ticketmaster website
10
without permission to do so, says the Terms of Use, constitutes infringement. (FAC
11
¶ 32.)
12
Ticketmaster diligently attempts to identify and stop the users of bots, but
13
Defendants’ sophisticated techniques have hindered Ticketmaster’s ability to do so.
14
(FAC ¶ 58.) After tracing the bot-related ticket purchases for the Mayweather-Pacquiao
15
boxing match to Renaissance, Ticketmaster sent a cease-and-desist letter (the “Letter”)
16
in May 2015 addressed to Nicholas Lombardi describing some of the evidence
17
Ticketmaster had uncovered that linked him, his colleagues, and their companies to the
18
improper ticket purchases. (FAC ¶ 59, Ex. E.) The Letter demanded that Defendants
19
“cease and desist from any further violations of Ticketmaster’s rights.” (FAC ¶ 59, Ex.
20
E at 72.)
21
Lombardi acknowledged receiving the Letter, but Defendants continued their
22
enterprise. (FAC ¶ 60.) On October 2, 2017, Ticketmaster initiated this lawsuit against
23
Defendants and several Doe Defendants. Does 7 and 8 are the computer programmers
24
and developers that created, marketed, and provided the named Defendants with the
25
bots, and they are referred to herein as the Bot Developers. (FAC ¶ 6.) Does 9 and 10
26
are those entities who assisted and conspired with Prestige West by purchasing the
27
improperly procured tickets from Defendants for later resale. (FAC ¶ 7.) These Doe
28
defendants are referred to herein as the Additional Purchasers.
5
1
B.
Procedural History
2
In its initial Complaint, Ticketmaster brought claims for: (1) breach of contract;
3
(2) copyright infringement in violation of 17 U.S.C. § 101 et seq.; (3) violation of the
4
Digital Millennium Copyright Act (“DMCA”), 17 U.S.C. § 1201 et seq.; (4) fraud; (5)
5
aiding and abetting fraud; (6) inducing breach of contract; (7) intentional interference
6
with contractual relations; (8) violation of the Computer Fraud and Abuse Act
7
(“CFAA”), 18 U.S.C. § 1030 et seq.; (9) violation of the California Computer Data
8
Access and Fraud Act (“CDAFA”), California Penal Code section 502 et seq.; and (10)
9
violation of the New York Anti-Scalping Law, New York Arts and Cultural Affairs
10
Law section 25.01 et seq.
11
After Ticketmaster filed its Complaint, Defendants moved to dismiss seven of
12
Ticketmaster’s ten claims. (ECF No. 24.) The Court granted Defendants’ motion in
13
part, dismissing the copyright infringement claim, the CFAA claim, and the California
14
CDAFA claim. (Order Mot. Dismiss (“Order”) 9, 14, ECF No. 32.) Dismissal was
15
granted with leave to amend, except to the extent that the copyright infringement claim
16
was based on Defendants’ excess of the limitations on page refreshes and ticket requests
17
imposed by the Terms of Use. (Order 9.) The Court also denied Defendants’ motion
18
in part, finding that Ticketmaster’s initial Complaint stated a claim with respect to the
19
Digital Millennium Copyright Act, breach of contract, and fraud. (Order 11, 16, 18.)
20
Ticketmaster’s First Amended Complaint asserts a new theory of copyright
21
infringement, and adds new allegations regarding the CFAA and CDAFA claims. (See
22
FAC ¶¶ 94–104; 160–165; 166–178.) On March 7, 2018, Defendants moved to dismiss
23
the First Amended Complaint pursuant to Federal Rule of Civil Procedure 12(b)(6).
24
(Mot. 1.)
25
III.
LEGAL STANDARD
26
A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) “tests the
27
sufficiency of a claim.” Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). Dismissal
28
is appropriate when a complaint “lacks a cognizable legal theory or sufficient facts to
6
1
support a cognizable legal theory.” Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d
2
1097, 1104 (9th Cir. 2008).
3
In ruling on a motion to dismiss under Rule 12(b)(6), the Court assumes all
4
factual allegations in the complaint to be true, viewing those allegations in the light
5
most favorable to the nonmoving party. Thompson v. Davis, 295 F.3d 890, 895 (9th
6
Cir. 2002); Cahill v. Liberty Mut. Ins. Co., 80 F.3d 336, 337–38 (9th Cir. 1996). While
7
a plaintiff need not give “detailed factual allegations,” the plaintiff must plead sufficient
8
facts that, if true, “raise a right to relief above the speculative level.” Bell Atlantic Corp.
9
v. Twombly, 550 U.S. 544, 555 (2007). Moreover, a court need not “accept as true
10
allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable
11
inferences.” Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001).
12
Ultimately, “[t]he claim must be sufficiently plausible that ‘it is not unfair to require the
13
opposing party to be subjected to the expense of discovery and continued litigation.’”
14
Mora v. U.S. Bank, No. CV 15–02436 DDP (AJWx), 2015 WL 4537218, at *2 (C.D.
15
Cal July 27, 2015) (quoting Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011)).
IV.
16
DISCUSSION
17
Defendants argue that Ticketmaster has failed to state a claim with respect to
18
copyright infringement, the DMCA, the CFAA, and the California CDAFA. (Mot. 1.)
19
Defendants argue that the Court lacks subject matter jurisdiction over the remaining
20
claims. (Mot. 1.) They also argue that the Court should dismiss the Doe defendants
21
because Ticketmaster has failed to timely serve them. (Mot. 4.) The Court first
22
addresses Defendants’ Motion to Dismiss the Doe defendants, because some of
23
Ticketmaster’s claims against Defendants rest on the viability of its claims against the
24
Doe defendants.
25
A.
Doe Defendants
26
As discussed in further detail below, Ticketmaster’s claim for secondary
27
copyright infringement against the moving Defendants rests on their direct infringement
28
claim against Doe defendants 7 and 8. Defendants argue that such Doe pleading is
7
1
improper, and that the Court should dismiss these Doe defendants because Ticketmaster
2
has failed to identify or serve them. (Mot. 4.) Defendants seek dismissal of the Doe
3
defendants pursuant to Rule 4(m), governing dismissal of unserved defendants, and not
4
under 12(b)(6) for failure to state a claim. (Mot. 4;) see also Fed. R. Civ. P. 4(m).
5
Defendants cite Buckheit v. Dennis, 713 F. Supp. 2d 910, 918 n.4 (N.D. Cal.
6
2010), for the observation that “[g]enerally, ‘Doe’ pleading is improper in federal
7
court.” Although there is no provision in the Federal Rules permitting the use of
8
fictitious defendants, Fifty Associates v. Prudential Ins. Co., 446 F.2d 1187, 1191 (9th
9
Cir. 1970), there is a provision in the Local Rules of the Central District of California
10
allowing the practice of pleading up to 10 Doe defendants without the need for the leave
11
of the Court. C.D. Cal. L.R. 19-1. This alone shows that, at least in some circumstances
12
in the Central District of California, Doe pleading is proper.
13
Here, although Doe defendants 7 and 8 are fictitiously named, they are anything
14
but fictitious. Does 7 and 8 are the individuals or entities who assisted Defendants in
15
creating and developing the bots, and the very fact that the bots exist is proof that Does
16
7 and 8 exist as well. Ticketmaster has identified with specificity the roles that Does
17
7–8 and Does 9–10 played in the alleged enterprise. (FAC ¶¶ 6–7.)
18
When the identity of alleged defendants will not be known prior to the filing of a
19
complaint, “the plaintiff should be given an opportunity through discovery to identify
20
the unknown defendants, unless it is clear that discovery would not uncover the
21
identities, or that the complaint would be dismissed on other grounds.” Gillespie v.
22
Civiletti, 629 F.2d 637, 642 (9th Cir. 1980). Doe pleading is therefore particularly
23
appropriate when, as here, the viability of a claim against a known party depends on the
24
actions of a party whose identity is unknown at the time of the pleading. As discussed
25
below, Ticketmaster’s copyright claim against the moving Defendants depends on
26
direct infringement by Does 7 and 8, whose identities Ticketmaster does not yet know.
27
Ticketmaster’s lack of information prevents it from identifying the Bot Developers and
28
the Additional Purchasers, but, as discussed below in greater detail, it knows
8
1
circumstantially that these individuals or entities must exist, so it impleads them as Doe
2
defendants.
3
Ticketmaster, by propounding discovery with tools such as interrogatories and requests
4
for inspection of electronically stored information, will succeed at uncovering the
5
identities of the Bot Developers and the Additional Purchasers. The Court will give
6
Ticketmaster the opportunity to do so.
This is perfectly acceptable.
There is a reasonable probability that
7
Defendants maintain that Federal Rule of Civil Procedure 4(m) requires a court
8
to dismiss a defendant who has not been served within 90 days after the Complaint was
9
filed. Fed. R. Civ. P. 4(m). However, according to that same rule, “if the plaintiff
10
shows good cause for the failure, the court must extend the time for service for an
11
appropriate period.” Id.
12
Good cause exists in this case to allow Ticketmaster additional time to serve the
13
unidentified Defendants. The Court has yet to enter a scheduling order in this case or
14
set a deadline for moving for leave to amend the pleadings. Moreover, as the Ninth
15
Circuit in Gillespie implicitly recognized, an information deficit, where discovery
16
would correct that deficit, is good cause to allow a plaintiff an extended period of time
17
to identify and serve unknown defendants. 629 F.2d at 642. Such a deficit exists here,
18
and the fact that Ticketmaster has indicated that it is ready to name one of the Doe
19
defendant Bot Developers supports the conclusion that further discovery will allow
20
Ticketmaster to identify the remaining Doe defendants. (Opp’n 23.) Ticketmaster has
21
shown good cause, and the Court DENIES Defendants’ motion to dismiss the Doe
22
defendants from this case pursuant to Federal Rule of Civil Procedure 4(m).
23
B.
Copyright Infringement
24
Defendants move to dismiss Ticketmaster’s secondary copyright infringement
25
claim against Prestige West, Renaissance, and the Additional Purchasers. (FAC ¶¶ 94–
26
99.)
27
infringement of its copyright. MDY Indus., LLC v. Blizzard Entm’t, Inc., 629 F.3d 928,
28
937 (9th Cir. 2010). Ticketmaster alleges that Doe defendants 7 and 8, the entities that
To establish secondary infringement, Ticketmaster must first allege direct
9
1
assisted the named Defendants by creating, marketing, and providing bots, are the direct
2
infringers in this case. (FAC ¶¶ 100–04.) Although Defendants do not move to dismiss
3
the claim against the Bot Developers, the Court analyzes Ticketmaster’s claim against
4
the Bot Developers under the same standard as that used in a motion to dismiss pursuant
5
to Federal Rule of Civil Procedure 12(b)(6), because the sufficiency of Ticketmaster’s
6
claim for secondary infringement depends on the sufficiency of Ticketmaster’s claim
7
for direct infringement.
8
“‘Anyone who violates any of the exclusive rights of the copyright owner,’ that
9
is, anyone who trespasses into his exclusive domain by using or authorizing the use of
10
the copyrighted work in one of the five ways set forth in the statute, ‘is an infringer of
11
the copyright.’” Sony Corp. of Am. v. Universal City Studios, Inc., 464 U.S. 417, 433
12
(1984) (quoting 17 U.S.C. § 501(a)). Thus, to state a claim for direct infringement,
13
Ticketmaster must show (1) that it owns a valid copyright in the allegedly infringed
14
material and (2) that Doe defendants 7 and 8, the Bot Developers, violated at least one
15
exclusive right granted to copyright holders under 17 U.S.C. § 106. See A & M Records,
16
Inc. v. Napster, Inc., 239 F.3d 1004, 1013 (9th Cir. 2001). These rights include the
17
exclusive right to reproduce the copyrighted work. 17 U.S.C. § 106(1).
18
However, one who reproduces the work of another is not an infringer of the
19
copyright if the copyright holder has granted authorization to reproduce. See Sony
20
Corp., 464 U.S. at 433. Specifically, a valid license is an affirmative defense to a claim
21
of copyright infringement, so long as the licensee has not exceeded the scope of the
22
license granted by the copyright holder. See LGS Architects, Inc. v. Concordia Homes
23
of Nev., 434 F.3d 1150, 1156 (9th Cir. 2006).
24
1. Protectability of Website
25
Ticketmaster alleges that the Bot Developers, in the course of developing the bots
26
later used by Defendants to purchase tickets, downloaded, recorded, and stored on their
27
computer systems for extended periods of time the pages and code associated with
28
Ticketmaster’s website and mobile app. (FAC ¶ 66.) A threshold issue is whether
10
1
United States copyright law provides copyright protection to the pages and code that
2
the Bot Developers allegedly copied. See SOFA Entm’t, Inc. v. Dodger Prods., Inc.,
3
709 F.3d 1273, 1279 (9th Cir. 2013) (“Copyright only attaches to an original work fixed
4
in a tangible medium of expression, never in the underlying ideas or facts.”).
5
Defendants argue that websites are not subject to copyright protection, but this argument
6
is without merit. (Mot. 8.)
7
Copyright law protects “original works of authorship,” 17 U.S.C. §§ 101–103,
8
and the typical commercial website readily qualifies for copyright protection under this
9
standard. See Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096,
10
1104 (“A website may constitute a work of authorship fixed in a tangible medium of
11
expression . . . .”) (quoting Integrative Nutrition, Inc. v. Academy of Healing Nutrition,
12
476 F. Supp. 2d 291, 296 (S.D.N.Y. 2007)). In Integrative Nutrition, the Southern
13
District of New York recognized that “[c]opyright protection for a website may extend
14
to both the screen displays and the computer code for the website.” 476 F. Supp. 2d at
15
296. The Ninth Circuit has recognized in an analogous context that computer software
16
contains three distinct layers of content: literal elements, individual non-literal
17
elements, and dynamic non-literal elements. See MDY Indus., 629 F.3d at 952–54. All
18
three are works of authorship that can merit copyright protection. Id. This three-tiered
19
approach works equally well with respect to websites, because the only functional
20
difference between software and websites is that the underlying code for the former is
21
stored on the user’s local system whereas the underlying code for the latter is stored on
22
a remote server.
23
First, both websites and software are comprised of literal elements. The MDY
24
court defined literal elements as the “source code stored on players’ hard drives,” 629
25
F.3d at 952, which, in the context of websites, is the “computer code for the website,”
26
Integrative Nutrition, 476 F. Supp. 2d at 296.
27
Websites also contain individual non-literal elements and dynamic non-literal
28
elements, which the Integrative Nutrition court described as the “screen displays” of
11
1
the site. Id. A website’s individual non-literal elements are the individual audiovisual
2
components of the website, including the website’s logos, images, fonts, videos and
3
sound effects. Accord MDY, 629 F.3d at 952 (describing a video game’s individual
4
non-literal elements as the “discrete visual and audible components of the game, such
5
as a visual image of a monster or its audible roar”). A website’s dynamic non-literal
6
elements include the experience of the website as presented to the individual user.
7
Accord id. (describing a video game’s dynamic non-literal elements as the “real-time
8
experience of traveling through different worlds, hearing their sounds, viewing their
9
structures, encountering their inhabitants and monsters, and encountering other
10
players”). Nearly all modern websites contain dynamic non-literal elements because
11
nearly all websites are interactive. The user’s experience of the website is “dynamic”
12
in that the site responds to the user’s input by generating a unique presentation of
13
content and information for each user. For example, on social media websites, the
14
user’s content feed is a dynamic non-literal element because it is a collection of content
15
and information generated uniquely and specifically for that user based on the user’s
16
past interactions with the social media platform.
17
The terms “pages” and “code” in Ticketmaster’s First Amended Complaint refer,
18
at the very least, to the literal, code-level elements of the Ticketmaster website and
19
mobile app. (FAC ¶ 66.) “Pages” and “code” may also refer to additional non-literal
20
elements, depending on exactly what the Bot Developers downloaded and stored. Each
21
of these elements is a work of authorship, which gets copyright protection, as long as it
22
contains the required modicum of originality. See Feist Publn’s v. Rural Tel. Servs.,
23
499 U.S. 340, 345 (1991) (“The vast majority of works make the grade quite easily, as
24
they possess some creative spark, no matter how crude, humble, or obvious it might
25
be.”) (internal quotation marks omitted). The numerous proprietary functions and
26
features that Ticketmaster has built into its website and mobile app allow the Court to
27
plausibly infer that all three layers of Ticketmaster’s website contain content that the
28
copyright laws recognize as original. (See, e.g., FAC ¶¶ 4, 22, 49.) Ticketmaster has
12
1
demonstrated that the pages and code of its website and mobile app, contain protectable
2
content.
3
2. Ownership of Copyright
4
Having shown that the material the Bot Developers allegedly copied is subject to
5
copyright protection, Ticketmaster must also show that it owns a copyright in the copied
6
material. See A & M Records, 239 F.3d at 1013. A copyright registration certificate
7
constitutes prima facie evidence of the validity of the copyright and the facts stated on
8
the certificate, including the fact that the plaintiff owns a copyright. Lamps Plus, Inc.
9
v. Seattle Lighting Fixture Co., 345 F.3d 1140, 1144 (9th Cir. 2003); see 9th Circuit
10
Model Jury Instruction 17.5.
Ticketmaster lists the registration numbers and
11
registration dates for 22 components of its website and mobile app, including
12
Ticketmaster.com’s Homepage, Event Ticket Order Pages, Order Information page,
13
Android Platform, and iOS Platform. (FAC ¶ 28.) These allegations establish a
14
presumption that Ticketmaster’s copyrights in its website and mobile app are valid, and
15
that it is the owner of said copyrights. Since nothing in the First Amended Complaint
16
rebuts this presumption, the Court concludes that Ticketmaster has sufficiently pled
17
ownership of copyright in the allegedly copied pages and code.
18
3. Direct Infringement by Bot Developers
19
Ticketmaster claims that the Bot Developers have directly infringed
20
Ticketmaster’s reproduction right. (FAC ¶ 102.) United States Copyright law gives the
21
owner of a valid copyright “the exclusive right to . . . reproduce the copyrighted work
22
in copies . . . .” 17 U.S.C. § 106. Copies, in turn, are “material objects . . . in which a
23
work is fixed by any method now known or later developed, and from which the work
24
can be perceived, reproduced, or otherwise communicated, either directly or with the
25
aid of a machine or device.” 17 U.S.C. § 101; CoStar Realty Info., Inc. v. Field, 737 F.
26
Supp. 2d 496, 507 (D. Md. 2010). The act of downloading and storing the pages and
27
code of a website qualifies as making a “copy” under the Copyright Act because the
28
pages and code becomes fixed on a hard drive, from which they can later be perceived
13
1
and reproduced with the aid of a computer. See 17 U.S.C. § 101. Ninth Circuit courts
2
agree that downloading and storing constitutes reproduction. See Columbia Pictures
3
Indus., Inc. v. Fung, 710 F.3d 1020, 1034 (9th Cir. 2013) (recognizing that downloading
4
copyrighted material violates a copyright holder’s right to reproduction); see also
5
Oracle USA, Inc. v. Rimini Street, Inc., 879 F.3d 948, 955–56 (9th Cir. 2018) (finding
6
infringement of reproduction right when a software servicer downloaded and
7
maintained copies of a software developer’s program on the servicer’s own computers,
8
in excess of the servicer’s license to do so). Thus, if the Bot Developers have indeed
9
downloaded and stored Ticketmaster’s pages and code on their local systems as
10
Ticketmaster alleges, then Ticketmaster has a claim for copyright infringement.
11
Ticketmaster possesses no direct evidence of this copying, so it must present
12
circumstantial evidence.
13
Ticketmaster’s pleadings are sufficient to permit the Court to plausibly infer that the
14
Bot Developers have copied Ticketmaster’s pages and code.
15
i.
The only issue at this stage, however, is whether
Sufficiency of Showing of Copying
16
Defendants contend that Ticketmaster’s copyright claim must fail because
17
Ticketmaster has failed to allege with particularity which components of its website are
18
original, which components were copied, and exactly when. (Reply 4, ECF No. 41.)
19
Defendants’ argument overstates the pleading requirements for direct copyright
20
infringement. It is enough if Ticketmaster alleges facts which plausibly lead to the
21
conclusion that at least one Defendant downloaded and stored portions of the
22
Ticketmaster website or mobile app, with sufficient specificity to put Defendants on
23
“fair notice of the allegations against it.” See Perfect 10, Inc. v. Cybernet Ventures,
24
Inc., 167 F. Supp. 2d 1114, 1120–21 (C.D. Cal. 2001) (recognizing that a complaint
25
that alleges present ownership of copyright, proper registration, and infringement by a
26
defendant is typically sufficient under pleading rules).
27
Ticketmaster, like many copyright plaintiffs, does not possess direct evidence
28
that any Defendant copied the literal elements of its website or mobile app. See Three
14
1
Boys Music Corp v. Bolton, 212 F.3d 477, 481 (9th Cir. 2000) (“Proof of copyright
2
infringement is often highly circumstantial . . . .”) Absent direct evidence of copying,
3
a plaintiff may show infringement circumstantially, by alleging that (1) the defendant
4
had access to the plaintiff’s work prior to the alleged copying and (2) the defendant’s
5
work and the plaintiff’s work are substantially similar. See Unicolors, Inc. v. Urban
6
Outfitters, 853 F.3d 980, 984–85 (9th Cir. 2017). This method of proving copying
7
circumstantially is grounded in the notion that an accused work can be so similar to the
8
copyrighted work that at a certain point the factfinder’s only reasonable conclusion must
9
be that the defendant copied the work. See Airframe Sys., Inc. v. L-3 Commcn’s Corp.,
10
658 F.3d 100, 106 (1st Cir. 2011) (describing the substantial similarity test as turning
11
on whether a reasonable, ordinary observer, upon examination of the two works, would
12
conclude that the defendant unlawfully appropriated the plaintiff’s protectable
13
expression).
14
Ticketmaster alleges circumstantial proof of copying, albeit by a slightly different
15
route than the familiar two-pronged test of access and substantial similarity.
16
Specifically, Ticketmaster alleges that (1) the Bot Developers developed bots that
17
proved highly capable of purchasing large quantities of tickets, and (2) Ticketmaster’s
18
website and mobile app are complex platforms that each contain several layers of
19
protection and security measures.
20
developing such capable bots would necessarily require deep study and analysis of the
21
pages and code of Ticketmaster’s website and mobile app, which means that the Bot
22
Developers must have downloaded and stored literal or non-literal elements of
23
Ticketmaster’s website and mobile app on their local systems in the course of
24
developing these bots. (FAC ¶¶ 66, 102.)
(FAC ¶¶ 54–55.)
Ticketmaster asserts that
25
Ticketmaster’s argument about the striking compatibility of Defendants’ bots
26
with Ticketmaster’s platforms is a compelling variation on the well-known “substantial
27
similarity” test for circumstantial proof of copyright infringement. Ticketmaster’s
28
15
1
theory is based on the legally sound (and rather unremarkable) proposition that
2
circumstantial evidence can create a plausible inference that copying has occurred.
3
Ticketmaster pleads several facts that together make a strong case for its “striking
4
compatibility” argument.
The bots enable Defendants to launch thousands of
5
concurrent and recurring reserve requests for tickets for specific events. (FAC ¶ 45.)
6
The bots are calibrated such that when the reserve request expires, the bot is able to
7
regenerate a new ticket reserve request at a far greater speed than any legitimate human
8
could manage, thus preventing any human from reserving or purchasing the ticket.
9
(FAC ¶ 45.) Moreover, the bots can trade information so that purchases coming from
10
multiple computers would appear to be coming from the same computer, allowing the
11
bots to hide themselves by more closely mirroring what Ticketmaster’s algorithms
12
considered normal human use. (FAC ¶ 47.) Finally, the bots are able to escape
13
detection when ordering tickets through the mobile app interface, which Ticketmaster
14
alleges is not possible without first obtaining certain lines of code called security tokens
15
embedded deep within the code of the Ticketmaster mobile app. (FAC ¶ 56.)
16
These allegations show that Defendants’ bots were remarkably effective at
17
circumventing a leading online ticketing platform’s best defenses. It strains credulity
18
to think that the Bot Developers could have developed such successful bots without
19
downloading and storing Ticketmaster’s pages and code. The bots’ effectiveness is
20
circumstantial evidence that plausibly supports the conclusion that at some point the
21
Bot Developers copied protected portions of the Ticketmaster website and mobile app
22
onto its own servers, in order to develop bots that could successfully circumvent
23
Ticketmaster’s myriad security measures. Under the federal standards for notice
24
pleading, Ticketmaster’s allegations of copying are sufficient.
25
ii.
License defense
26
Defendants assert a license defense, arguing that Ticketmaster’s Terms of Use
27
agreement (“TOU”) provides users a license to copy Ticketmaster’s website. (Reply
28
3.) A 12(b)(6) motion tests the sufficiency of a complaint, and as such, it is generally
16
1
not the appropriate stage to assert affirmative defenses. Scott v. Kuhlmann, 746 F.2d
2
1377, 1378 (9th Cir. 1984). But if an affirmative defense is obvious from the face of
3
the pleadings, a defendant may raise that defense in a motion to dismiss. Clifton v.
4
Houghton Mifflin Harcourt Publishing Co., 152 F. Supp. 3d 1221, 1225 (N.D. Cal.
5
2015); see Rodriguez v. Swartz, 111 F. Supp. 3d 1025, 1030 (D. Ariz. 2015).
6
The Court finds that nothing in the Complaint, including Ticketmaster’s Terms
7
of Use attached thereto as Exhibit E, shows that Ticketmaster granted Defendants, or
8
any other users, a license to download and store Ticketmaster’s pages and code on the
9
user’s local system. The section of the Terms of Use entitled “Ownership of Content
10
and Grant of Conditional License” describes exactly what rights Ticketmaster grants its
11
users, and nowhere does Ticketmaster grant its users a right to download and copy. The
12
relevant section of the Terms of Use provide:
13
The Site and all data, text, designs, pages, print screens, images,
14
artwork, photographs, audio and video clips, and HTML code,
15
source code, or software that reside or are viewable or otherwise
16
discoverable on the Site, and all tickets obtained from the Site,
17
(collectively, the “Content”) are owned by us or our licensors. . .
18
.
19
We grant you a limited, conditional, no-cost, non-exclusive, non-
20
transferable, non-sublicensable license to view this Site and its
21
Content as permitted by these Terms for non-commercial
22
purposes only if, as a condition precedent, you agree that you will
23
not [engage in one of several prohibited activities.]2
24
(FAC, Ex. E at 55.) These Terms of Use give Ticketmaster users the right to “view”
25
Ticketmaster’s website. While the Terms of Use do indicate that the website’s HTML
26
code and source code may be “viewable or otherwise discoverable,” such descriptive
27
28
2
Other provisions of the Terms of Use contain minor provisions regarding the scope of the user’s
license, but these two paragraphs contain all the material provisions of the user’s license.
17
1
language does not amount to a grant of a license. Under no reasonable interpretation
2
do these Terms of Use grant Defendants a license to download and store Ticketmaster’s
3
pages and code.
4
At Defendants’ motion to dismiss Ticketmaster’s original Complaint, both the
5
Court and the parties devoted considerable attention to whether the provisions of
6
Ticketmaster’s Terms of Use were conditions or covenants. (Prior Mot. 7–8, ECF No.
7
24-1; Prior Opp’n 10, ECF No. 25; Order 8–9.) Defendants now reiterate that, pursuant
8
to this Court’s prior order, the provisions of the Terms of Use are covenants, and that,
9
under MDY, the violation of a covenant gives rise only to a contract claim and not to a
10
claim for copyright infringement. (Mot. 6; Order 9.) In so arguing, Defendants
11
misconstrue MDY and the underlying copyright laws. Under MDY, a violation of a
12
provision of a Terms of Use is copyright infringement if the violation implicates one of
13
the copyright holder’s exclusive rights, regardless of whether the violated provision is
14
a covenant or a condition. See MDY Indus., 629 F.3d at 940. Ticketmaster’s new theory
15
of direct infringement is based on the Bot Developers’ violation of its exclusive
16
statutory right of reproduction, and under MDY, this is sufficient. (FAC ¶ 102.) The
17
condition-versus-covenant issue is moot in a scenario where, as here, the defendant has
18
violated the plaintiff’s exclusive statutory right.
19
The MDY court’s concern with the condition-versus-covenant distinction arose
20
from public policy concerns that are not present in this case. The plaintiff in MDY was
21
the developer of an online multiplayer game, and the defendant was the developer of a
22
bot that ordinary gamers could purchase to automatically play the early stages of the
23
game on behalf of the gamer. Id. at 935. The plaintiff claimed that the direct infringers
24
were the gamers who used the bots. Id. at 937–38. Because the game’s Terms of Use
25
declared that playing the game with a bot was unauthorized use of the game, any gamer
26
who used a bot was a direct infringer of the plaintiff’s copyright, by virtue of the fact
27
that the gamer’s computer made an unauthorized “copy” of the game in the gamer’s
28
local computer memory (RAM) while the game was being played. Id. at 939. The court
18
1
rejected this analysis, refusing to recognize common bot use by ordinary gamers as
2
copyright infringement. To hold these gamers liable, the court reasoned, would allow
3
“any software copyright holder [to] designate any disfavored conduct during software
4
use as copyright infringement, by purporting to condition the license on the player’s
5
abstention from the disfavored conduct.” Id. at 941.
6
The concerns of the MDY court are not implicated by Ticketmaster’s First
7
Amended Complaint. Ticketmaster is alleging direct infringement by a small number
8
of sophisticated software developers and marketers. (FAC ¶ 6.) This is a completely
9
different theory of direct infringement than that alleged by the MDY plaintiff. MDY,
10
629 F.3d at 939. A finding of direct infringement in this case will not expose masses
11
of Ticketmaster users to copyright liability merely because they violated Ticketmaster’s
12
own house rules. Thus, the holding of MDY does not directly control today’s outcome.
13
Ticketmaster has plausibly alleged that the Bot Developers infringed
14
Ticketmaster’s statutory right of reproduction, and Defendants have not established that
15
they had a license to reproduce Ticketmaster’s pages and code by downloading and
16
storing them on a local system. As the Court explained in its prior order, under MDY,
17
this constitutes copyright infringement. (Order 7;) see also MDY, 629 F.3d at 940 (“To
18
recover for copyright infringement based on breach of a license agreement, (1) the
19
copying must exceed the scope of the defendant’s license and (2) the copyright owner’s
20
complaint must be grounded in an exclusive right of copyright . . . .”) Ticketmaster’s
21
claim survives not because the Bot Developers violated Ticketmaster’s Terms of Use,
22
but rather because they reproduced Ticketmaster’s website in violation of 17 U.S.C.
23
§ 106, without possessing a license to do so. The Court therefore concludes that
24
Ticketmaster has stated a claim for direct copyright infringement on the part of the Bot
25
Developers.
26
4. Secondary Infringement by Moving Defendants
27
Having alleged direct infringement, Ticketmaster proceeds to accuse Defendants
28
of secondary copyright infringement. (FAC ¶¶ 94–99.) A defendant may commit
19
1
secondary infringement in one of two ways: contributorily, “by intentionally inducing
2
or encouraging direct infringement,” or vicariously, “by profiting from direct
3
infringement while declining to exercise a right to stop or limit it.” Metro–Goldwyn–
4
Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913, 930–931 (2005). Although “[t]he
5
Copyright Act does not expressly render anyone liable for infringement committed by
6
another, these doctrines of secondary liability emerged from common law principles
7
and are well established in the law.”
8
committed secondary infringement by inducing, causing, or materially contributing to
9
the Bot Developers’ creation of bots, with knowledge that the Bot Developers would
10
have to infringe Ticketmaster’s copyrights in its website and mobile app in order to
11
create the bots. (FAC ¶ 96.) The Court finds that Ticketmaster has stated a claim for
12
Defendants’ contributory infringement based on the direct infringement of the Bot
13
Developers.
Id.
Ticketmaster alleges that Defendants
14
“[O]ne contributorily infringes when he (1) has knowledge of another’s
15
infringement and (2) either (a) materially contributes to or (b) induces that
16
infringement.” Perfect 10, Inc. v. Visa Int’l Serv. Ass’n, 494 F.3d 788, 795 (9th Cir.
17
2007); see also A & M Records, Inc. v. Napster, Inc., 239 F.3d 1004, 1019 (9th Cir.
18
2001) (defining contributory infringement as “personal conduct that encourages or
19
assists the infringement”). The Ninth Circuit and the Supreme Court have announced
20
various formulations of this same basic test for contributory liability. Visa Int’l, 494
21
F.3d at 795. In synthesizing those formulations, the Ninth Circuit reviews the details
22
of the actual ‘cases and controversies’ in each of the test-defining cases and the actual
23
holdings in those cases to determine whether the factual scenario presented in the case
24
before it is analogous. VHT, Inc. v. Zillow Grp., Inc., No. C15-1096JLR, 2017 WL
25
2654583, at *14 (W.D. Wash. June 20, 2017) (ellipsis and some internal quotation
26
marks removed).
27
Ticketmaster has sufficiently pled Defendants’ contributory liability for the
28
copying committed by the Bot Developers. First, Ticketmaster alleges that the moving
20
1
Defendants directed the Bot Developers to download and store on their computer
2
systems large portions of Ticketmaster’s copyrighted Site and App. (FAC ¶ 67.)
3
Ticketmaster has therefore alleged facts that show that Defendants had knowledge of
4
the Bot Developers’ infringing activities.
5
Ticketmaster has also shown that the named Defendants induced or materially
6
contributed to the Bot Developers’ infringement. Ticketmaster alleges that the Bot
7
Developers created, marketed, and provided the bots. (FAC ¶ 6.) Defendants then used
8
those bots to purchase large quantities of tickets. (FAC ¶ 5.) These facts indicate a
9
relationship between Defendants and the Bot Developers of mutual benefit to both
10
parties, and it is reasonable to infer that Defendants contributed to the Bot Developers’
11
infringement as part of this relationship. Without more knowledge about the nature of
12
the relationship between Defendants and the Bot Developers, Ticketmaster cannot be
13
expected to plead with any greater specificity. A 12(b)(6) motion tests the sufficiency
14
of a complaint, not the sufficiency of the available evidence.
15
Because the Court has determined that Ticketmaster has successfully pled the
16
moving Defendants’ contributory liability for copyright infringement, the Court need
17
not consider whether the moving Defendants are also vicariously liable under the facts
18
as alleged.
For these reasons, the Court DENIES Defendants’ motion to dismiss
19
20
Ticketmaster’s Second Claim for Relief.
21
C.
DMCA
22
Defendants move to dismiss Ticketmaster’s Fifth Claim for Relief for violations
23
of the Digital Millennium Copyright Act, 17 U.S.C. § 1201 et seq. This Court, in its
24
prior Order, found that Ticketmaster’s original Complaint stated a claim under the
25
DMCA, and denied Defendants’ motion to dismiss on that ground. (Order 11.) Under
26
the doctrine of law of the case, a court is generally precluded from reconsidering an
27
issue that has already been decided by the same court or a higher court in the identical
28
case, absent a material change in circumstances. See Thomas v. Bible, 983 F.2d 152,
21
1
154–155 (9th Cir. 1993). Ticketmaster’s First Amended Complaint does contain new
2
factual allegations, but none of those allegations disturb the sufficiency of its DMCA
3
claim. In accordance with its prior order, the Court therefore DENIES Defendants’
4
motion to dismiss Ticketmaster’s Fifth Claim for Relief.
5
The Court will briefly address Defendants’ main argument against the DMCA
6
claim as pressed in its brief in support of this Motion. The relevant provision of the
7
DMCA provides that “[n]o person shall circumvent a technological measure that
8
effectively controls access to a [copyrighted] work . . . .” 17 U.S.C. § 1201(a)(1).
9
Ticketmaster alleges that Ticketmaster’s security measures, including CAPTCHA, are
10
technological measures that control access to Ticketmaster’s copyrighted webpages,
11
and that Defendants’ bots and other efforts circumvent those measures in violation of
12
the DMCA. (FAC ¶ 52, 111.) Defendants’ main argument is that Ticketmaster has
13
failed to indicate any copyrighted work to which any of Ticketmaster’s technological
14
measures were effectively controlling access. (Mot. 10; Reply 5.)
15
Defendants’ argument fails because Ticketmaster’s CAPTCHA controls non-
16
human access to Ticketmaster’s ticket purchase pages and ticket confirmation pages,
17
both of which are copyrighted works. The three-tiered analytical framework for
18
copyrightable content as discussed above and as articulated by the Ninth Circuit in MDY
19
makes this abundantly clear. 629 F.3d at 942–43.
20
The defendant in MDY argued that the bots he developed simply helped players
21
play a game, and that there wasn’t any copyrighted material that his bots were accessing
22
in circumvention of a security measure. The court did agree with the defendant that the
23
game’s literal and individual non-literal elements did not qualify as access-controlled
24
works under the statute. Id. at 952. The court reasoned that there was no technological
25
measure controlling access to the literal and individual non-literal elements of the game
26
because those elements were readily accessible to any player who had installed the game
27
on their computers. Id. With respect to the game’s dynamic non-literal elements,
28
though, the court found a DMCA violation. Id. at 954. The individual experience of
22
1
the game—the particular configuration of shapes, colors, and sounds presented on the
2
screen as the gamer plays the game—was copyrightable expression, to which only a
3
human had authorized access. Id. The plaintiff put security measures in place to keep
4
bots from playing the game—that is, from accessing the game’s copyrighted dynamic
5
non-literal elements—and when the bots circumvented those measures, they
6
circumvented an access control to a copyrighted work. Id.
7
Defendants’ bots in this case do the very same thing. In order to purchase tickets
8
from Ticketmaster, one must work through Ticketmaster’s security measures, including
9
CAPTCHA. Ticketmaster designs these security measures so that only a human can
10
progress through Ticketmaster’s pages and ultimately purchase a ticket. Each of these
11
pages is a unique page, tailored specifically to the customer and what that customer is
12
trying to accomplish. The process is familiar to anyone who has shopped online. For
13
example, the purchase confirmation page of an online store will contain an
14
individualized presentation of details, including the purchaser’s shipping and billing
15
information, information about the product or service purchased, and a purchase
16
confirmation number.
17
constitutes dynamic non-literal content which is subject to copyright protection.
18
Moreover, the source code used to generate the purchase confirmation page is literal
19
content which is also subject to copyright protection. Thus, when Defendants used bots
20
to progress through Ticketmaster’s security measures and ultimately gain access to
21
ticket confirmation pages and data, they circumvented a technological measure that
22
Ticketmaster had put in place to control access to Ticketmaster’s copyrighted ticket
23
confirmation pages and data. These pages and data are dynamic non-literal content and
24
literal content, respectively, both of which, as discussed above, are protected by
25
Ticketmaster’s copyrights. Defendants’ activities therefore satisfy the textual elements
26
of the DMCA, 17 U.S.C. § 1201(a)(1).
This unique, individualized presentation of information
27
The Court’s finding falls in line with the growing number of courts that have
28
concluded that circumvention of CAPTCHA and similar measures designed to
23
1
distinguish between humans and non-humans violates the DMCA. In Ticketmaster
2
L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096 (C.D. Cal. 2007), the court
3
considered Ticketmaster’s CAPTCHA feature, observing that it “controls access to a
4
protected work because a user cannot proceed to copyright[-]protected webpages
5
without solving CAPTCHA.” RMG, 507 F. Supp. 2d at 1112; see also Craigslist, Inc.
6
v. Kerbel, No. C–11–3309 EMC, 2012 WL 3166798, at *10 (N.D. Cal. Aug. 2, 2012)
7
(denying dismissal of DMCA claim where defendant marketed auto-posting services
8
that enabled users to circumvent Craigslist’s CAPTCHA, and collecting other Craigslist
9
cases making the same finding.
Plaintiffs have stated a claim for relief under the DMCA. The Court therefore
10
11
DENIES Defendants’ motion to dismiss Ticketmaster’s Fifth Claim for Relief.
12
D.
CFAA
13
Defendants move to dismiss Ticketmaster’s Eleventh Claim for Relief for
14
violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. The CFAA
15
prohibits computer trespass by those who are not authorized users or who exceed
16
authorized use. Facebook, Inc. v. Power Ventures, 844 F.3d 1058, 1065–66 (9th Cir.
17
2016) (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA is primarily a criminal-law
18
statute, but a civil action is available for “[a]ny person who suffers damage or loss by
19
reason of a violation” of the CFAA. The CFAA lists thirteen categories of offense that
20
constitute a violation, and includes a conspiracy clause. 18 U.S.C. § 1030 (a)–(b).
21
Ticketmaster alleges that Defendants “knowingly and intentionally accessed
22
Ticketmaster’s computers without authorization or in excess of authorization” and that
23
by so doing, they “obtained valuable, unauthorized information from Ticketmaster’s
24
ticketing systems.” (FAC ¶¶ 162–63.)3 These allegations signal a potential violation
25
26
27
28
3
Defendants maintain that this Court’s prior order, which dismissed Ticketmaster’s CFAA claim,
constitutes law of the case that requires dismissal of Ticketmaster’s CFAA claim on this Motion as
well. (Mot. 13.) Ticketmaster’s First Amended Complaint identifies specific ways that Defendants
accessed the Ticketmaster website without authorization or in excess of authorization that were not
identified in the original Complaint. (See, e.g., FAC ¶ 163.) In light of Ticketmaster’s new factual
allegations, the Court finds it appropriate to consider Ticketmaster’s CFAA claim anew.
24
1
under two of the CFAA’s thirteen categories of offense. The first category prohibits
2
“intentionally accessing a computer without authorization or exceeding authorized
3
access, and thereby obtaining . . . information from any protected computer.” 18 U.S.C.
4
§ 1030(a)(2)(C). The second category provides punishment for those who “knowingly
5
and with intent to defraud, access[] a protected computer without authorization, or
6
exceed[] authorized access, and by means of such conduct further[] the intended fraud
7
and obtain[] anything of value.” 18 U.S.C. § 1030(a)(4).
8
In addition to showing a violation of one of the provisions of section 1030(a)(1)–
9
(7), a private plaintiff bringing suit under the CFAA must show that the violation
10
involved one of the five factors listed in subsection 1030(c)(4)(A)(i). See Custom
11
Packaging Supply Inc. v. Phillips, Case No. 2:15-cv-04584-ODW-AGR, 2016 WL
12
1532220, at *4 (C.D. Cal. April 15, 2016). Ticketmaster alleges that Defendants’
13
violations of the CFAA cost Ticketmaster “a loss of over $5000 in a one-year period.”
14
(FAC ¶ 164.) With this allegation, Ticketmaster seeks to avail itself of the first of the
15
five factors, which allows for a civil action “if the offense caused . . . loss to 1 or more
16
persons during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C.
17
§ 1030(c)(4)(A)(i)(I). Ticketmaster does not allege any facts that suggest that any of
18
the factors in subsections (II)–(V) are involved.
19
To start with, Defendants do not maintain that their access was unintentional or
20
unknowing, or that the computers in question were not protected computers. See 18
21
U.S.C. § 1030(e)(2) (“‘[P]rotected computer’ means a computer . . . which is used in or
22
affecting interstate or foreign commerce or communication . . . .”). Thus, the issues
23
common to both putative violations are (1) whether Defendants accessed Ticketmaster’s
24
computers without authorization or in a manner that exceeded authorized access, and
25
(2) whether such access caused Ticketmaster an aggregate ‘loss’ of $5,000 in any one-
26
year period. 18 U.S.C. §§ 1030(a)(2)(C), (a)(4). If Ticketmaster has successfully pled
27
both of these allegations, it need only further plead that Defendants obtained
28
25
1
“information,” thus violating section 1030(a)(2)(C), or that Defendants obtained
2
“anything of value,” thus violating section 1030(a)(4).4
3
1. Accessing Without Authorization or Exceeding Authorized Access
4
The CFAA “provides two ways of committing the crime of improperly accessing
5
a protected computer: (1) obtaining access without authorization; and (2) obtaining
6
access with authorization but then using that access improperly.” Musacchio v. United
7
States, 136 S. Ct. 709, 713 (2016). The parties in this case characterize the CFAA as
8
an anti-hacking statute, and argue vigorously that hacking has not or has occurred.
9
(Mot. 13; Opp’n 12 n.9.) Defendants understand hacking to mean accessing a non-
10
public part of a website without authorization, and repeatedly assert that no Defendant
11
has accessed anything other than the public Ticketmaster website. (Mot. 14, 15.)
12
While it is true that “Congress enacted the CFAA in 1984 primarily to address
13
the growing problem of computer hacking,” United States v. Nosal, 676 F.3d 854, 858
14
(9th Cir. 2012), the word “hack” does not appear anywhere in the statute’s text. See
15
generally 18 U.S.C. § 1030. In fact, courts in the Ninth Circuit have repeatedly
16
recognized violations of the CFAA without characterizing the violations as hacking.
17
For example, the defendant in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058
18
(9th Cir. 2016) was a provider of an online dashboard that allowed the user to log in
19
and manage several of the user’s social media accounts at once. Id. at 1062. The
20
defendant initiated a promotional campaign that made combined use of the defendant’s
21
own platform and Facebook’s email system to promote the defendant’s service. Id. at
22
1063. Facebook sent the defendant a cease-and-desist letter, instructing the defendant
23
to end the campaign. Id. Defendants continued their campaign, and in doing so, they
24
accessed Facebook’s computers in a way that exceeded their authorization, because the
25
cease-and-desist letter had specifically revoked that authorization. Id. at 1067. The
26
27
28
4
Section 1030(a)(4) further specifies that a defendant who obtained only “the use of the computer,”
where the value of that use was not more than $5,000 in any one-year period, has not violated the
CFAA. Since Defendants here allegedly did more than use Ticketmaster’s computers, this exception
does not apply.
26
1
court found a valid CFAA claim without needing to find that the defendants had hacked
2
into anything. Id. at 1069; see also United States v. Nosal, 930 F. Supp. 2d 1051, 1060
3
(N.D. Cal. 2013) (clarifying that the Ninth Circuit “did not . . . explicitly hold that the
4
CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute.
5
. . . Hacking was only a shorthand term used as common parlance by the court to
6
describe the general purpose of the CFAA . . . .”).
7
Thus, Ticketmaster’s successful pleading of a CFAA violation doesn’t depend on
8
whether any Defendant hacked anything. The proper inquiry is whether Ticketmaster
9
has sufficiently pled that Defendants accessed Ticketmaster’s computers, either without
10
any authorization, or in excess of the authorization they did have. Ticketmaster argues
11
that each use of a bot to purchase a ticket was a use in excess of authorization because
12
an individualized cease-and-desist Letter sent to Prestige on May 7, 2015 explicitly
13
prohibited Prestige and the other Defendants from using bots to access Ticketmaster’s
14
website. (FAC, Ex. E; Opp’n 17.) Defendants argue that they did no more than violate
15
Ticketmaster’s Terms of Use, and that under relevant Ninth Circuit jurisprudence a
16
violation of a Terms of Use cannot provide the basis for CFAA liability. (Reply 8.)
17
Ticketmaster and Defendants both argue that United States v. Nosal (“Nosal”),
18
676 F.3d 854 (9th Cir. 2012) supports their respective positions. In that case, the court
19
recognized that the terms of use that website owners impose upon visitors are often
20
“vague and generally unknown,” and that “website owners retain the right to change the
21
terms at any time and without notice.” Id. at 863. Many terms-of-use agreements,
22
including Ticketmaster’s, expressly condition their permission to use the website on
23
compliance with the Terms of Use, such that the moment a user violates a single
24
provision, that user no longer has permission to access the site. See id. at 858. The
25
result is that each visit to the site constitutes access of the site without authorization, in
26
violation of the CFAA. Id. at 859.
27
28
27
1
Such reasoning, the court explained, creates federal crimes out of ordinary, run-
2
of-the-mill Terms of Use violations, an unacceptable result. Id. at 860. As the court
3
further explained:
4
[C]onsider the numerous dating websites whose terms of use
5
prohibit inaccurate or misleading information. Or eBay and
6
Craigslist, where it’s a violation of the terms of use to post items
7
in an inappropriate category. Under the government’s proposed
8
interpretation of the CFAA, . . . describing yourself as “tall, dark,
9
and handsome,” when you’re actually short and homely, will
10
earn you a handsome orange jumpsuit.
11
Id. at 861–62 (citations omitted). The court went on to hold that “‘exceeds authorized
12
access’ in the CFAA does not extend to violations of use restrictions.” Id. at 864.
13
Nosal was about an employee who violated his employer’s information use
14
policies, not a web surfer who violated a website’s terms of use.
Id. at 856.
15
Nevertheless, courts in the Ninth Circuit have applied the Nosal holding to ordinary
16
computer users visiting websites or using software governed by terms-of-use
17
agreements. These courts have held that violation of a website’s (or software’s) Terms
18
of Use, without more, cannot constitute a violation of the CFAA. See Synopsis, Inc. v.
19
ATopTech, Inc., No. C 13–cv–02965 SC, 2013 WL 5770542, at *9 (N.D. Cal Oct. 24,
20
2013) (dismissing a CFAA claim brought on the basis of a software license agreement
21
violation); Matot v. CH, 975 F. Supp. 2d 1191, 1194 (D. Or. 2013) (dismissing a CFAA
22
claim brought on the basis of a website’s Terms of Use violation).
23
Defendants insist that Ticketmaster’s CFAA claim is based “entirely” on a
24
violation of its Terms of Use, and that the holding of Nosal therefore requires dismissal
25
of Ticketmaster’s CFAA claim. (Mot. 13.) However, this case is distinguishable from
26
Nosal in two ways. First, here, Ticketmaster sent an individualized Letter to Defendants
27
instructing them to cease their activities, whereas the defendant in Nosal received no
28
individualized notice, and merely violated his employer’s pre-existing confidentiality
28
1
policies. Nosal, 676 F.3d at 856. Second, the Nosal defendant was an ex-employee
2
who convinced current employees to steal confidential company files. Id. at 856. When
3
those current employees accessed their employer’s database to download the files, they
4
had authorization to do so as employees of the company. Id. The Ninth Circuit would
5
not find that the defendant exceeded authorized access when the only agreement the
6
current employees broke was their employer’s confidentiality agreement. Id. at 863.
7
Here, by contrast, Defendants have been told by Ticketmaster that the only kind of
8
access that they, Defendants, are authorized to make is access that conforms to
9
Ticketmaster’s Terms of Use. (FAC, Ex. E at 71–72.) Ticketmaster’s cease-and-desist
10
Letter was of far greater practical and legal significance than a generally applicable “use
11
restriction,” see Nosal, 676 F.3d at 864. The Letter was, in effect, an individualized
12
access policy that revoked authorization upon breach of the policy.
13
These distinctions render Nosal’s bright-line rule about use restrictions
14
inapplicable to this case. Far more applicable is the reasoning and holding of the Ninth
15
Circuit in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016). Both
16
this case and Facebook involve a commercial defendant whose business model is built
17
on unauthorized use of the plaintiff’s website. The Facebook court found that after
18
receipt of an individualized cease-and-desist letter, the defendant “knew that it no longer
19
had authorization to access Facebook’s computers, but continued to do so anyway.” Id.
20
at 1067. Unlike the Nosal opinion, the Facebook opinion contains no discussion of the
21
risk of turning Terms of Use violators into copyright infringers, because after receipt of
22
an individualized cease-and-desist letter, the defendant’s use—as here—is no longer a
23
mere Terms of Use violation and is instead a violation of a set of permissions and
24
prohibitions directly and individually imposed upon the defendant.
25
Ticketmaster’s Letter has the same effect as the letter in Facebook.
26
Ticketmaster’s Letter explicitly reminded Defendants that “use of the [Ticketmaster]
27
website is conditioned on an agreement that the user will not . . . use any automated . . .
28
29
1
computer system to . . . buy . . . tickets,” and instructed Defendants to “cease and desist
2
from any further violations of Ticketmaster’s rights.” (FAC, Ex. E at 71–72.)
3
To be clear, it is the violation of the terms of the Letter, not of Ticketmaster’s
4
Terms of Use, on which the Court bases its finding of a well-pled CFAA claim. The
5
Facebook court required something “more” than mere violation of a website owner’s
6
terms of use to impose liability under the CFAA, and the Letter satisfies that
7
requirement. Facebook, 844 F.3d at 1067. Ticketmaster’s Letter accuses Defendants
8
of particular unauthorized purchases of particular quantities of tickets on particular
9
dates and times and contains a list of 47 fake email addresses that Defendants allegedly
10
used to buy tickets. (FAC, Ex. E at 69–70.) The Letter, with its detailed factual
11
allegations, is a “far cry from the permission skirmishes that ordinary Internet users
12
face.” See Facebook, 844 F.3d at 1069. Finding an individualized letter to be a basis
13
for unauthorized use under the CFAA is fully consistent with the holding of the Nosal
14
court, which was concerned specifically about violations arising from Terms of Use
15
agreements imposed uniformly and adhesively upon a large number of end users.
16
Nor are Defendants “ordinary Internet users.” Facebook, 844 F.3d at 1069. It is
17
true that the Ninth Circuit will not use the CFAA to “transform[] otherwise innocuous
18
behavior into federal crimes simply because a computer is involved,” preferring to
19
“prevent criminal liability for computer users who might be unaware that they were
20
committing a crime.” Id. But Defendants in this case are a sophisticated multi-entity
21
business operation, not an employee on his way out the company, much less an
22
overconfident eHarmony user or an innocuous eBay merchant struggling to determine
23
the proper category in which to sell a trinket. See Nosal, 676 F.3d at 861–62.
24
Defendants are anything but innocuous. They know that their entire business model is
25
built on a scheme to evade Ticketmaster’s policies for profit. (See ¶¶ 58, 122 (alleging
26
9,047 instances of fraud for each account Defendants created and 313,528 instances of
27
fraud for each ticket order Defendants executed).)
28
30
1
Defendants attempt to distinguish this case from Facebook by pointing out that
2
this Court previously found that Ticketmaster’s Letter did not completely revoke access
3
authority. (See Order 13 (“Ticketmaster’s cease-and-desist letter appears to imply that
4
Defendants could continue to use Ticketmaster’s website so long as they abide by the
5
TOU.”)) In Facebook, by contrast, the cease-and-desist letter sent by Facebook to the
6
defendants appears to have revoked all authorization for defendants to use Facebook’s
7
website. 844 F.3d at 1067. Defendants make a distinction without a difference, because
8
the CFAA penalizes both access without authorization and situations where a defendant
9
possesses some authorization, but acts excess of that authorization. 18 U.S.C. § 1030
10
(a)(2)(c), (a)(4). Therefore, the fact that the Letter may have allowed Defendants to
11
continue using Ticketmaster’s website in a limited way does not allow Defendants to
12
escape CFAA liability. After receipt of the Letter, each time Defendants purchased
13
tickets with a bot, they accessed the Ticketmaster website in a manner explicitly
14
forbidden to them, thus exceeding their authorization to use the Ticketmaster website.
15
Defendants exceeded authorized access to Ticketmaster’s computers when they
16
received Ticketmaster’s letter and nevertheless continued to use bots to purchase
17
Ticketmaster tickets.
18
2. Loss
19
To sufficiently state its CFAA claim, Ticketmaster must plead facts that show
20
that Defendants’ conduct caused “loss to 1 or more persons during any 1-year period .
21
. . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA
22
defines “loss” as “any reasonable cost to any victim,” and lists as examples “the cost of
23
responding to an offense, conducting a damage assessment, and restoring the data,
24
program, system, or information to its condition prior to the offense, and any revenue
25
lost, cost incurred, or other consequential damages incurred because of interruption of
26
service.”
27
Ticketmaster to plead facts that show “interruption of service or impairment of data”
28
and losses that flow directly therefrom. (Reply 11.) The Court disagrees with this
18 U.S.C. § 1030(e)(11).
Defendants insist that the CFAA requires
31
1
reading of the statute’s definition of “loss” for two reasons. First, the placement of the
2
commas in the definition of “loss” indicates that “the cost of responding to an offense”
3
does not have to be caused by “interruption of service.” See 18 U.S.C. 1030(e)(11).
4
These two clauses are separated by seven commas, and a strained reading is required to
5
conclude that the last clause controls the first. The cost of “responding to an offense,”
6
on its own, qualifies as loss under the CFAA, without any need to connect it to an
7
interruption of service.
8
The Court is mindful of a split among the circuits over what constitutes “loss”
9
under the CFAA. Namely, some district courts have held that “loss” under the CFAA
10
must “relate to the investigation or repair of a computer system following a violation
11
that caused impairment or unavailability of data.” Cassetica Software, Inc. v. Computer
12
Scis. Corp., No. 09 C 0003, 2009 WL 1703015, at *4 (N.D. Ill. June 18, 2009); see also
13
Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd., 387 F. Supp. 2d 378, 381 (S.D.N.Y.
14
2005) (synthesizing cases and determining that “‘losses’ under the CFAA are
15
compensable only when they result from damage to, or the inoperability of, the accessed
16
computer system”). This narrow definition of loss under the CFAA permits recovery
17
of costs related to damage assessment or recovery only “when the costs are related to
18
an interruption of service.” Cassetica Software, 2009 WL 1703015, at*4.
19
Courts in the Ninth Circuit, on the other hand, do not read “loss” so narrowly.
20
The defendant in SuccessFactors v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal.
21
2008) was a departing employee who stole proprietary company information from a
22
company computer and used the information to attempt to tarnish the reputation of his
23
former employer. Id. at 977–78. The SuccessFactors court examined some of the cases
24
that applied the narrower definition of “loss,” but found them inapposite, because in
25
cases like the one before it, “where the offense involves unauthorized access and the
26
use of protected information, the reasonable “cost of responding to [the] offense,” 18
27
U.S.C. § 1030[(e)(11)], will be different from such cost in a case where the primary
28
concern is the damage to the plaintiff’s computer system itself.” Id. at 981. The court
32
1
further reasoned that “where the offender has . . . accessed protected information,
2
discovering who has that information and what information he or she has is essential to
3
remedying the harm,” and concluded that the plaintiff was likely to prevail on its CFAA
4
claim. Id.
5
The Facebook court disposed of the issue in two sentences, finding “loss” under
6
the CFAA in light of the fact that the plaintiff’s “employees spent many hours, totaling
7
more than $5,000 in costs, analyzing, investigating, and responding” to the defendant’s
8
actions. Facebook, 844 F.3d at 1066. The Facebook court did not require the plaintiff’s
9
losses to flow either from “impairment of service” or from actual loss or unavailability
10
of data. 18 U.S.C. § 1030(e)(11). To the Facebook court, costs spent analyzing,
11
investigating, and responding to a defendant’s unauthorized access, even when that
12
access led to no actual loss or unavailability of data, qualify as “the cost of responding
13
to an offense” and therefore provide the basis for a civil action under the CFAA. 844
14
F.3d at 1066.
15
A careful reading of the statute supports the reasoning of the SuccessFactors and
16
Facebook courts. Under the CFAA, loss is “any reasonable cost to any victim.” 18
17
U.S.C. § 1030(e)(1). This definition is followed by a list of costs that qualify as loss,
18
but the word “including” indicates that this list is not exhaustive. Id. The nine types of
19
loss in the statutory definition are provided merely as examples, not as limitations on
20
what qualifies as “loss” under the CFAA.
21
Ticketmaster’s allegations are sufficient in the Ninth Circuit to show “loss” under
22
the CFAA. Under federal notice pleading standards, it is enough if Ticketmaster’s
23
allegations allow the Court to plausibly infer that Ticketmaster’s “loss” exceeds $5,000.
24
See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Ticketmaster need not, as Defendants
25
contend, allege with detail “which Defendant allegedly did what and when and how and
26
what it was that [Ticketmaster] allegedly did in response that caused it to incur any
27
loss.”
28
Defendants’ unauthorized access, including the costs of identifying Defendants (FAC
(Mot. 18.)
Ticketmaster has alleged a panoply of costs necessitated by
33
1
¶ 58), expanding security to identify and block bots (FAC ¶¶ 54–55, 60), and hiring
2
third-party consultants to implement additional bot mitigation measures (FAC ¶ 54).
3
Defendants maintain that Custom Packaging Supply, Inc. v. Phillips, No. 2:15-
4
cv-04584-ODW-AGR, 2016 WL 1532220, at *1 (C.D. Cal. Apr. 15, 2016) requires the
5
opposite result. (Mot. 18.) The Phillips defendants were employees who stole their
6
employer’s proprietary company information in order “to compile an illegal library that
7
they then passed on” to a competitor. 2016 WL 1532220, at *1. The plaintiff claimed
8
that its “loss” arose from the fact that its employees had to spend several days taking
9
action in wake of the theft of information. Id. at *5. However, in that case, the
10
defendant’s violation was a one-time act, and the money spent by the plaintiff in
11
response was spent to diminish any consequential damages that might arise as a result
12
of a single violation by a known violator. Id. Ticketmaster’s money, by contrast, was
13
spent identifying Defendants and trying to put a stop to their fraudulent enterprise.
14
These are direct losses flowing from an unknown defendant’s continued breach, as
15
opposed to consequential losses flowing from a known defendant’s one-time breach, as
16
were present in Phillips. Accord Doyle v. Taylor, No. CV-09-158-RHW, 2010 WL
17
2163521, at *1 (E.D. Wash. May 24, 2010), aff’d sub nom. Doyle v. Chase, 434 F.
18
App’x 656 (9th Cir. 2011) (observing that “loss” under the CFAA must flow from
19
“something more: the costs associated with assessing a hacked system for damage,
20
upgrading a system’s defenses to prevent future unauthorized access, or the lost revenue
21
caused by the misappropriation of trade secrets.”). The loss alleged by the Custom
22
Packaging Supply plaintiff was of a different species than the loss alleged here by
23
Ticketmaster. The direct costs Ticketmaster incurred putting a stop to an ongoing
24
offense qualify as “loss” under the CFAA. Moreover, Ticketmaster alleges that these
25
direct costs far exceeded $5,000, as required by the CFAA, and provides sufficient
26
support for that allegation with facts about the heightened security measures it put in
27
place. 18 U.S.C. § 1030(c)(4)(A)(i)(I).
28
34
1
3. Obtaining Information and Obtaining Anything of Value
2
Ticketmaster’s claim for relief under 18 U.S.C. § 1030(a)(2)(c) is complete if it
3
can show that Defendants “obtained information” by accessing Ticketmaster’s
4
computers without authorization. By using their bots, Defendants obtained tickets to
5
events. (FAC ¶ 5.) These tickets are “information” in two senses: (1) the tickets contain
6
information on the face of the ticket that grants the bearer entrance to a particular event;
7
and (2) the tickets themselves are transmitted through the internet in the form of
8
computer code, which is itself information. Thus, Ticketmaster has stated a claim for
9
relief under 18 U.S.C. § 1030(a)(2)(C).
10
Alternatively, Ticketmaster can show that Defendants obtained “something of
11
value” to complete their claim for relief under 18 U.S.C. § 1030(a)(4). The tickets
12
Defendants purchased undeniably have value, or else Defendants would not be running
13
an ever-increasingly sophisticated business operation to obtain them. (FAC ¶¶ 6, 55.)
14
Subsection (a)(4) also requires a showing of intent to defraud, and Defendants argue
15
that Ticketmaster has not shown this intent under the heightened pleading standards of
16
Federal Rule of Civil Procedure 9(b). (Mot. 15 n.6.) This Court, in its prior Order,
17
explained that each of the 9,047 accounts created by Defendants, along with each of
18
Defendant’s 313,528 ticket purchases, was a particular instance of alleged fraud that
19
satisfied the pleading requirements of Rule 9(b). (Order 17–18.) Ticketmaster’s
20
allegations of fraud were sufficient to survive Defendants’ first motion to dismiss, and
21
they are sufficient to survive this Motion as well.
For these reasons, the court DENIES Defendants’ motion to dismiss
22
23
Ticketmaster’s Eleventh Claim for Relief.
24
E.
CDAFA
25
Defendants move to dismiss Ticketmaster’s Twelfth Claim for Relief for
26
violations of the California Computer Data Access and Fraud Act. (Mot. 1.) The Court
27
previously dismissed Ticketmaster’s CDAFA claim as pled in the original Complaint.
28
(Order 14.) The Court finds it appropriate to consider Ticketmaster’s CDAFA claim
35
1
anew, in light of Ticketmaster’s new allegations regarding the Bot Developers’
2
downloading and storing of Ticketmaster’s pages and code.
3
The CDAFA is California’s state-law analogue to the CFAA. The statute
4
provides thirteen categories of activity that constitute an offense. Cal. Penal Code
5
§ 502(c)(1)–(13).
6
committed acts that constitute violations under seven different subsections of the
7
CDAFA. (FAC ¶¶ 167–173.) The Court finds that Ticketmaster has stated a claim with
8
respect to three of these subsections.
Ticketmaster alleges that the Defendants have collectively
9
First, Ticketmaster has not stated a claim with respect to subsections (c)(1) and
10
(c)(4), because those subsections both require that the Defendants have altered,
11
damaged, deleted, or destroyed the data in some way.5 Id. § 502(c)(1), (4). Although
12
Ticketmaster does allege that the Defendants’ activities resulted in alteration, deletion,
13
and destruction of data on the system, the allegation merely tracks the language of the
14
statute itself, without providing facts to substantiate the claimed legal conclusions.
15
(FAC ¶ 77.) Defendants’ bots place a heavy load on Ticketmaster’s system, and they
16
cause Ticketmaster’s system to relinquish tickets to Defendants against Ticketmaster’s
17
wishes, but Defendants’ bots do not actually alter, damage, delete, or destroy data on
18
Ticketmaster’s systems. Precisely the opposite is true: the fact that Ticketmaster’s
19
systems continued to deliver tickets to Defendants’ bots shows that Ticketmaster’s
20
systems continued to function as intended, without damage or alteration, while the bots
21
operated. It is for this same reason that Ticketmaster has also failed to state a claim
22
with respect to subsection (c)(5) of the CDAFA, which requires a showing of
23
“disruption” or “denial” of computer services. Cal. Penal Code § 502(c)(5).
24
25
26
27
28
5
The Court will not read the phrase “or otherwise uses” in section 502(c)(1) as prohibiting anything
other than use that is similar to alteration, damage, deletion, or destruction. Under the doctrine of
eiusdem generis, when a list of two or more specific terms is followed by a more general term, the
otherwise wide meaning of the general term must be restricted to the same class of the specific terms
that precede it. See Circuit City Stores, Inc. v. Adams, 532 U.S. 105, 114–15 (2001). The Court
narrowly construes “otherwise uses” in section 502(c)(1) to refer to uses that involve data alteration,
damage, deletion, and destruction.
36
1
Nor has Ticketmaster stated a claim with respect to subsection (c)(3) of the
2
CDAFA. Under this section, knowingly using or causing the use of computer services
3
without permission constitutes a violation. Id. § 502(c)(3). Under the CDAFA,
4
“‘[c]omputer services’ includes, but is not limited to, computer time, data processing or
5
storage functions, or other uses of a computer . . . .” Id. § 502(b)(4). The services
6
Ticketmaster’s computers provide all relate to the sale of tickets. The sale of tickets is
7
insufficiently similar to “computer time, data processing, or storage functions” to justify
8
construing the “other uses” provision of the statutory definition of “computer services”
9
to include ticket sale services. Id. Because Ticketmaster has not pled facts showing
10
that it offers computer services, section 502(b)(4) does not provide Ticketmaster a basis
11
for a CDAFA claim.
12
Ticketmaster’s allegations with respect to subsections (c)(2), (c)(6), and (c)(7) of
13
the CDAFA, on the other hand, are sufficient. The above-mentioned Facebook, Inc. v.
14
Power Ventures, Inc., 844 F.3d 1058, (9th Cir. 2016) controls the Court’s holding with
15
respect to subsection (c)(2). After sustaining the District Court’s finding that the
16
Facebook plaintiff stated a claim for a CFAA violation, the Ninth Circuit observed:
17
[D]espite differences in wording, the analysis under both [the
18
CFAA and the CDAFA] is similar in the present case. Because
19
[defendant] Power had implied authorization to access [plaintiff]
20
Facebook’s computers, it did not, at first, violate the statute. But
21
when Facebook sent the cease and desist letter, Power, as it
22
conceded, knew that it no longer had permission to access
23
Facebook’s computers at all. Power, therefore, knowingly
24
accessed and without permission took, copied, and made use of
25
Facebook’s data. Accordingly, we affirm in part the district
26
court’s holding that Power violated section 502.
27
Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1069 (9th Cir. 2016), cert.
28
denied, 138 S. Ct. 313 (2017).
37
1
In accordance with the reasoning of the Ninth Circuit, Ticketmaster has stated a
2
claim with respect to section 502(c)(2), which penalizes one who “[k]nowingly accesses
3
and without permission takes, copies, or makes use of any data from a computer . . . .”
4
Cal. Penal Code § 502(c)(2). Ticketmaster’s Letter informed Defendants that they no
5
longer had permission to use bots to purchase tickets from Ticketmaster. The fact that
6
the Letter allowed Defendants to continue to make normal human use of the
7
Ticketmaster website and app is of no consequence, because Defendants’ subsequent
8
ticket purchases constituted taking, copying, or making use of data, all done without
9
Ticketmaster’s permission by virtue of the fact that the purchases were powered by bots.
10
Next, subsection (c)(7) of the CDAFA prohibits knowing, unauthorized access
11
of a computer.
Id. § 502(c)(7).
Ticketmaster’s Letter revoked Defendants’
12
authorization to use bots to access the Ticketmaster website in the same way that it
13
revoked Defendants’ authorization to use bots to take and make use of Ticketmaster
14
tickets. For those reasons, supported by the Court’s prior reasoning with respect to
15
“exceeding authorized access” under the CFAA, Ticketmaster has stated a claim with
16
respect to subsection (c)(7). See supra, Section IV.D.1.
17
Finally, subsection (c)(6) prohibits knowingly providing a means of accessing a
18
computer system in violation of the CDAFA. Id. § 502(c)(6). The Bot Developers
19
provided Defendants with bots, which Defendants used to commit violations of at least
20
three other subsections of the CDAFA. Ticketmaster has therefore pled allegations
21
sufficient to show the Bot Developers’ violation of subsection (c)(6).
For these reasons, the Court DENIES Defendants’ motion to dismiss
22
23
Ticketmaster’s Twelfth Claim for Relief.
24
F.
Remaining Claims
25
Ticketmaster has stated claims for relief for violations of three different federal
26
laws: copyright infringement, 17 U.S.C. § 101 et seq., violation of the Digital
27
Millennium Copyright Act, 17 U.S.C. § 1201 et seq. and violation of the Computer
28
Fraud and Abuse Act, 18 U.S.C. § 1030. Because the Court has original jurisdiction
38
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?