burden is on Ds to show unprotectability of what they copied

Compulife Software Inc. v. Newman, 2020 WL 2549505, No. 18-12004, No. 18-12007 (11th Cir. May 20, 2020)

The opinion sums up:

The very short story: Compulife Software, Inc., which has developed and markets a computerized mechanism for calculating, organizing, and comparing life-insurance quotes, alleges that one of its competitors lied and hacked its way into Compulife’s system and stole its proprietary data. The question for us is whether the defendants crossed any legal lines—and, in particular, whether they infringed Compulife’s copyright or misappropriated its trade secrets, engaged in false advertising, or violated an anti-hacking statute.

The court of appeals reversed the magistrate judge (which held a bench trial on consent) on copyright infringement and trade secret misappropriation, though it upheld the finding of no false advertising.

Compulife sells access to a database of insurance-premium information, the “Transformative Database,” which contains up-to-date information on many life insurers’ premium-rate tables and thus allows for simultaneous comparison of rates from dozens of providers. “Although the Transformative Database is based on publicly available information—namely, individual insurers’ rate tables—it can’t be replicated without a specialized method and formula known only within Compulife.” Insurance agent clients can input demographic information and get insurance rate estimates from the database; Compulife also licenses a “web quoter” that allows the licensee to offer quotes directly to prospective purchasers who enter their own demographic information on the licensee’s site. And Compulife sells a more expensive license that allows licensees to create addons and sell access to other Compulife licensees. It also gives consumers direct access to life-insurance quotes on its own website, referring prospective life-insurance purchasers to agents who pay Compulife for the referrals.

The defendants are also in the business of generating life-insurance quotes at naaip.org. “NAAIP” stands for National Association of Accredited Insurance Professionals, but as the court below found, “NAAIP is not a real entity, charity, not-for-profit, or trade association, and is not incorporated anywhere.” The defendants offer a service similar to—and at least partially copied from—Compulife’s web quoter, which they call a “Life Insurance Quote Engine,” and any agent can sign up for a post-domain path on the site. If a visitor to an NAAIP site uses its link to buy insurance, the defendants receive money for the referral. Defendants also operate beyondquotes.com, which generates quotes and then generates revenue by selling referrals to affiliated insurance agents.

I have to admit that the process by which Compulife creates its database sounds either useless or actively harmful to truthful comparison to me, though I don’t have all the details. To create the database, Compulife’s CEO “draws on insurers’ publicly available rate information, but he also employs a proprietary calculation technique—in particular, a secure program to which only he has access and that only he knows how to use.” But if he inserts a proprietary calculation technique, why are his results predictive of rates that insurers would actually quote for given demographics?

Anyway, Compulife argued in one case that the defendants gained access to the Transformative Database under false pretenses by purporting to work for licensed Compulife customers. Defendants undoubtedly copied some of Compulife’s HTML source code. In the other case, Compulife alleged that defendants hired a hacker, Natal, to “scrape” data from its server via programming a bot to send automated requests, creating a partial copy of the database, in particular all the insurance-quote data for two zip codes—one in New York and another in Florida, for every possible combination of demographic data within those two zip codes. The total was more than 43 million quotes. “The HTML commands used in the scraping attack included variables and parameters—essentially words (or for that matter any string of characters) used to designate and store values—from Compulife’s copyrighted HTML code. For example, the parameter ‘BirthMonth’ in Compulife’s code stores a number between one and twelve, corresponding to a prospective purchaser’s birth month.)” [That … really sounds unprotectable by copyright.] Compulife alleged that defendants used the scraped data to generate quotes, though defendants claimed they didn’t know the source of the data, which was contested by other evidence.

Copyright infringement: the defendants had the burden to show that what they took wasn’t protectable, so the magistrate judge erred. The usual requirement is substantial similarity “between the allegedly offending program and the protectable, original elements of the copyrighted works.” The higher standard of virtual identicality was not the standard here; that standard is limited to “analyzing claims of compilation copyright infringement of nonliteral elements of a computer program.” Copying source and object code, “even nonliterally,” is subject to substantial similarity analysis.

Still, unprotectable elements have to be filtered out.  But the magistrate “improperly placed the burden on Compulife to prove, as part of the filtration analysis, that the elements the defendants copied were protectable; we hold that he should have required the defendants to prove that those elements were not protectable.” There’s lots of stuff that’s unprotectable, including “ideas, processes, facts, public domain information, merger material, scènes à faire material, and other unprotectable elements.”

The magistrate wrongly faulted Compulife for having “made no attempt to identify the protectable elements of the 2010 HTML Source Code.” But, the court of appeals held, “after an infringement plaintiff has demonstrated that he holds a valid copyright and that the defendant engaged in factual copying, the defendant bears the burden of proving—as part of the filtration analysis—that the elements he copied from a copyrighted work are unprotectable.” Nimmer says so, and it would be unfair to make the plaintiff prove a negative, since “[p]rotectability can’t practicably be demonstrated affirmatively but, rather, consists of the absence of the various species of unprotectability.” [I thought protectability was a function of creativity, not the absence of unprotectability.] A plaintiff couldn’t be expected to present the entire public domain to show that her work was new! Nor could she “reasonably introduce the entire corpus of relevant, industry-standard techniques” just to prove that none of the material copied was scènes à faire. Placing the burden on the defendant allows the plaintiff to just respond. [That seems to conflate the burdens of production and proof.]

Resulting approach:

Once the plaintiff has proven that he has a valid copyright and that the defendant engaged in factual copying, the defendant may seek to prove that some or all of the copied material is unprotectable. If the defendant carries this burden as to any portion of the copied material, that material should be filtered out of the analysis before comparing the two works. After filtration is complete, the burden shifts back to the plaintiff to prove substantial similarity between any remaining (i.e., unfiltered) protectable material and the allegedly infringing work…. [W]here the defendant’s evidence is insufficient to prove that a particular element is unprotectable, the court should simply assume that the element is protectable and include that element in the final substantial-similarity comparison between the works.

In a footnote, the court commented that the defendant wouldn’t always need to introduce evidence; argument alone might suffice. “For example, no evidence would be necessary to convince a court that alphabetization is an entirely unoriginal method of arranging data and thus unprotectable as a structural element of a work. But where evidence is required to determine whether some element is protectable, it is the defendant who must advance it or risk abandoning the issue.”

In addition (at least for software?), plaintiffs can concede unprotectability by providing a list of program features it believes to be protectable, which constitutes an implicit concession that elements not included on the list are unprotectable. [Perhaps the court is thinking that, for cases of alleged comprehensive nonliteral similarity, the plaintiff will have to provide a list, and the defendant may well be able to say--without providing further evidence--"those are just ideas," and the defendant will often be right. I still think "the burden is on the defendant" is a real overstatement given the variety of ways infringement claims are stated.]

On reassessment/retrial (the original magistrate retired), some filtration would be warranted; some unprotectable elements were so obvious that no proof was necessary, such as the need to collect a consumer’s state of residence, and alphabetization of the states/assignment of a corresponding number. “A closer question, however, is whether Compulife’s inclusion of the District of Columbia in the list of states and the bifurcation of New York into business and non-business categories are protectable elements of structure.” [Did the underlying insurance companies include the District of Columbia or divide NY into business and non-business? If they do, how could the decision to do so be protectable for Compulife? Also, as a DC native, this is pure discrimination: why isn’t the choice not to exclude the tinier Vermont and Wyoming just as choice-y? Does being able to vote for Senators and Representations make you more entitled to life insurance? Later, the court of appeals says the NY business/non-business decision was “obsolete” by the time that defendants copied it, but was it original to Compulife or based on past insurance company practice? Although based on this description, even if defendants copied the HTML, did they copy any underlying database structure?]

The court of appeals vacated & remanded to give the district court a chance to make the missing findings.

The magistrate also erred by evaluating “the significance of the defendants’ copying vis-à-vis their offending work, rather than Compulife’s copyrighted work” in assessing substantial similarity. After all, “adding new material to copied material doesn’t negate (or even ameliorate) the copying.” And finally, the magistrate didn’t provide sufficient factual analysis to allow meaningful appellate review. This would require the magistrate to indicate unprotectable elements in more detail; evaluate the importance of copied protectable elements as part of a substantial-similarity analysis; and identify, at the threshold, which elements of Compulife’s code the defendants had copied as a factual matter.

The court noted that the burden was still on Compulife to show either the quantitative or qualitative substantiality of the copying, but it provided at least some evidence of both: it provided the texts of both works, which allowed the quantitative significance to be evaluated, and qualitative significance “is often apparent on the face of the copied portion of a copyrighted work.” Moreover, a witness “testified that part of the code copied by the defendants includes variable names and parameters that must be formatted exactly for the web quoter to communicate with the Transformative Database at all. At a minimum, this testimony is some evidence of the qualitative significance of the copied portion of Compulife’s work.” [Or of merger/functionality, I suppose, though perhaps we’ll learn more about this after Google v. Oracle.]

Trade secret: that’s remanded too. Probably the most broadly applicable holding: the public availability of quotes on Compulife’s consumer-facing site didn’t preclude a finding that scraping those quotes constituted misappropriation. “[W]hile manually accessing quotes from Compulife’s database is unlikely ever to constitute improper means, using a bot to collect an otherwise infeasible amount of data may well be—in the same way that using aerial photography may be improper when a secret is exposed to view from above.” However, the court of appeals said it wasn’t expressing an opinion about whether enough of the database was taken to amount to acquisition of the trade secret, nor as to whether the means were improper; it’s just that public availability of quotes didn’t resolve that question.

False advertising: affirmed. Compulife didn’t identify any particular statement alleged to constitute false advertising. Compulife asserted that “[e]nticing ... users” with “quotes for term life insurance where the source of those quotes is infringing software and stolen trade secrets is ... unquestionably unfair competition and false advertising.” But hosting a website without disclosing that Compulife was the ultimate source of the quotes, “doesn’t imply the existence of any advertisement, let alone a false one.”  [Dastar!]

NAAIP may have advertised that its quote engine was a “key benefit,” but that had no capacity to deceive and wasn’t material to any purchasing decision. “[M]erely claiming to have a quote engine is unlikely to mislead anyone into assuming anything about the ultimate source of the software or the quotes that it generates.… Consumers have good reason to care about the quality of the quote engine, but not the identity of its author or the host of the server with which it communicates.”

The Florida Computer Abuse and Data Recovery Act states: “A person who knowingly and with intent to cause harm or loss ... [o]btains information from a protected computer without authorization ... [or] [c]auses the transmission of a program, code, or command to a protected computer without authorization ... caus[ing] harm or loss ... is liable to ... the owner of information stored in the protected computer.” A “protected computer” is one that “can be accessed only by employing a technological access barrier.” But Compulife didn’t attempt to argue that the defendants penetrated a “technological access barrier.”