Man vs. Machine: Court Examines Bot's Data Scraping as Improper Means of Appropriating Trade Secrets
In Compulife Software Inc. v. Newman, 959 F.3d 1288 (11th Cir. 2020), the United States Court of Appeals for the Eleventh Circuit examined the intersection between technology and improper use or acquisition of trade secrets. At issue was whether using a bot to access a tremendous amount of free, publically available information could be considered "improper means" of acquiring a trade secret.
In the case, Compulife sued a competitor for misappropriating proprietary information from its database of life insurance quotes. Compulife sold insurers access to the database to help them create cost estimates based on up-to-date comparisons of insurers' premium rates. The database was based on publically available information but relied on Compulife's secret methodology and formula. The company sold two different kinds of access: a "PC quoter" license, allowing licensees to install the quoter on their personal devices, and a more expensive "internet-engine" license, which permitted licensees to integrate the database with their own servers and features. Apart from the paid products, Compulife also provided free access to quotes through a website, which earned revenue through insurance referrals. The defendants offered similar services as Compulife after copying some of the code from the paid services (which they obtained through false representations) and employing a hacker to "scrape" data from Compulife's free service.
Of particular note are the allegations of data acquisition through scraping. The defendants' hacker created a bot that submitted millions of automated requests for quotes to Compulife's free service in order to partially recreate the database. The bot did not obtain any information that would not be available to a human user, but it compiled over 43 million quotes in just four days, a feat that would take thousands of hours for a human to replicate.
After a magistrate judge ruled that the defendants had not misappropriated Compulife's trade secrets, the Eleventh Circuit reversed and remanded. (Id. at 1318.) On appeal, the relevant question was whether the defendants had utilized improper means through their "acquisition" and "use" of the secrets. (Id. at 1311.) Misappropriation through acquisition occurs when a party acquires a trade secret and "knows or has reason to know that the trade secret was acquired by improper means." (Id.)Misappropriation through use requires the defendant to use the trade secret without consent and either 1) acquire it through improper means, 2) know that it was acquired through improper means or in violation of a duty of secrecy, or 3) know that it was acquired through an accident or mistake. (Id.)
In applying these principles, the Eleventh Circuit analyzed what constitutes "improper means." Under the applicable statute, Florida's Uniform Trade Secrets Act, the term includes "theft, bribery, misrepresentation, breach, or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." (See id. at 1311–12 (citing Fla. Stat. § 688.002(1))). Improper acts do not have to be independently unlawful. (Id. at 1312.) The court distinguished access to "as many quotes as is humanly possible" from the enormous amount of quotes a bot could access. (Id. at 1314.)
Even though each of the individual quotes obtained in the scraping attack were not entitled to protection, the court held that the database as a whole may be protectable, comparing it to trade secret protection for "compilations." (Id.) The court then remanded the case for consideration of whether 1) the amount of data taken by the defendants was large enough to constitute appropriation of the entire database itself, and 2) whether defendants' use of an automated bot to scrape the database amounted to improper means of acquiring or using a trade secret. (Id. at 1315.)
The Eleventh Circuit's decision suggests that, within the realm of modern technology, "improper means" of accessing a trade secret may go beyond obvious methods like dishonesty or theft. The "hacker" hired by the defendants did not steal a password or obtain direct access to the source code. Instead, she used a bot to obtain a portion of the database in a way a human could not. The opinion acknowledged that "independent invention, accidental disclosure, or . . . reverse engineering" cannot constitute improper means. (Id. at 312.) Nonetheless, it appears the court, at least on the facts of this case, believed that the use of technology that goes beyond human capabilities required a second look.