Oracle Int’l Corp. v. Rimini Street, Inc., --- F.4th ----, No.
23-16038, 2024 WL 5114449 (9th Cir. Dec. 16, 2024)
Rimini Street gets a reasonably substantial victory in its
long-running battle with Oracle in this appeal.
Prior rulings held that Rimini’s processes for serving
clients who use Oracle’s software programs infringed on Oracle’s copyrights.
Rimini therefore developed new processes for servicing its Oracle-using
clients. After a bench trial, the district court ruled that many of these new
processes still infringed Oracle’s copyrights and found that certain
security-related statements violated the Lanham Act. The court of appeals
vacated in part, reversed in part, and remanded.
Oracle’s programs include PeopleSoft, which can be
customized to manage all sorts of business processes, including HR processes
such as timekeeping, benefits administration, and recruitment and financial
processes such as expense tracking and payroll. Oracle also provides optional
software support for PeopleSoft, including updates to reflect changes to tax
laws and other regulations. Customers can also modify and customize the
software themselves or through third-party providers.
“Rimini Street is a third-party provider and direct
competitor with Oracle in the support-services market.” Its services include
troubleshooting support and software updates, including creating files that
only work with Oracle’s products. After the first Oracle lawsuit in 2010, the
court found that Rimini infringed Oracle’s copyrights by engaging in
“cross-use” and creating copies of Oracle’s materials on Rimini’s computer
systems. The court of appeals largely affirmed the district court’s permanent
injunction. The district court later found that Rimini violated the injunction
and held it in contempt on five issues, four of which the court of appeals
upheld. Rimini changed aspects of its business model and sought declaratory
judgment that its revised process, “Process 2.0,” did not infringe. Oracle
counterclaimed for copyright infringement and violations of the Lanham Act. The
district court held that Rimini had, in fact, infringed by engaging in
cross-use prohibited by PeopleSoft license agreements and that an update
created for the City of Eugene’s PeopleSoft software environment was a
“derivative work.” After Oracle abandoned claims for monetary relief, the
district court held a bench trial and additionally found that Rimini (1)
created infringing derivative works, (2) violated Oracle’s PeopleSoft and
Database licensing agreements, and (3) made several statements violating the
Lanham Act.
Derivative works: The court says several useful things, in
line with Pam
Samuelson’s exposition of the derivative works right. (I note amicus
support from, among others, EFF, Glynn Lunney, and Betsy Rosenblatt.) The
district court held that Rimini’s Process 2.0 files and updates were infringing
derivative works because they “only interact[ ] and [are] useable with” Oracle
software. But this was the wrong test.
The Copyright Act defines a “derivative work” as:
a work based upon one or more
preexisting works, such as a translation, musical arrangement, dramatization,
fictionalization, motion picture version, sound recording, art reproduction,
abridgment, condensation, or any other form in which a work may be recast,
transformed, or adapted.
This “broad” language nonetheless has limits. The text
starts with examples. Although “such as” means the list isn’t exhaustive, it
still indicates the “kind” of works covered. Thus, “based upon” requires “copying
of the kind exhibited in translations, movie adaptations, and
reproductions. Mere interoperability isn’t enough.” I would have thought that
this was the canon of noscitur a sociis, which means we define a term by
“the company it keeps,” but the court treats that as a second principle: “[t]he
examples of derivative works provided by the Act all physically incorporate the
underlying work or works.” Thus, a derivative work “must be in the subset of
works substantially incorporating the preexisting work.” That substantiality
can be literal or nonliteral, in total concept and feel.
Here, though there were several examples of literal copying,
Rimini challenged only the ruling that Rimini’s programs were derivative works
“even if the work[s] do[ ] not contain any of [Oracle’s] copyrighted code … because
they interact only with PeopleSoft,” “are extensions to and modifications of
Oracle’s copyrighted software” and they “cannot be used with any software
programs other than PeopleSoft.” But without more, “derivative status does not
turn on interoperability, even exclusive interoperability, if the work doesn’t
substantially incorporate the preexisting work’s copyrighted material.” Because
the district court applied the wrong legal standard, the court remanded and
didn’t reach Rimini’s alternative argument that Oracle’s licensing agreements
nonetheless authorize any derivative work or analyze whether Rimini’s programs
incorporated protectable nonliteral elements of Oracle’s programs.
In addition, the district court applied the wrong legal
standard on Rimini’s § 117(a) defense, which provides that it’s not infringing
when an “owner of a copy of a computer program ... mak[es] ... another copy or
adaptation of that computer program” for certain purposes, such as when it’s an
“essential step” in using the program. At the pleading stage, the district
court struck this affirmative defense because it found that “Oracle’s customers
only license, rather than buy, Oracle’s copyrighted software.”
In the Ninth Circuit, courts look for “sufficient incidents
of ownership” to distinguish a license to a copy from ownership of the copy.
Mere labeling of an arrangement as a license, while relevant, is not itself
dispositive. Courts also consider whether the parties’ arrangement
“significantly restricts the user’s ability to transfer the software” and
whether the agreement “imposes notable use restrictions.” Because the concern
is ownership of the copy of the copyright, not of the copyright itself, use
restrictions that only protect against the infringement of the copyrighted
material are less relevant. Instead, courts should attend to use restrictions
that affect using the copy of the computer program, such as limiting the
user to “one working and one back up copy of the software,” forbidding the
“examination, disclosure, copying, modification, adaptation, and visual display
of the software,” and permitting the “software use on [a] single computer,
[while] prohibit[ing] multicomputer and multi-user arrangements, and
permitt[ing] transfer to another computer no more than once every thirty days.”
Other “incidents of ownership” may be considered, including whether the user
paid “significant consideration to develop the programs for [the user’s] sole
benefit” and whether the user could use the “programs ‘forever,’ regardless of
whether the parties’ relationship terminated.”
The district court seemed to rely only on the labeling of
the agreements between Oracle and its customers as a “license,” and that wasn’t
enough. Remand again, both on ownership and on the other elements of the §117
“required step” defense.
The court of appeals also found that the Oracle Database
licensing agreement did not prohibit third-party support providers, like
Rimini, from possessing a copy of Oracle’s software to further a client’s
“internal business operations,” requiring reversal of the district court’s
conclusion that it infringed Oracle’s copyright in Database.
A similar ruling about Rimini’s delivery of PeopleSoft
updates to clients was intertwined with the derivative works ruling above and
needed further sorting out.
Lanham Act: The district court found that Rimini engaged in
false advertising; Rimini challenged whether 12 statements about its security
services could be found to be misleading.
Oracle provides periodic security patches, aka “Critical
Patch Updates,” to customers who buy Oracle software support. Rimini offers its
own security service using a technology called “virtual patching.” Unlike
Oracle’s patches, virtual patching does not modify source code. Instead, it
acts as a firewall for software programs, attempting to intercept and block any
exploits. Rimini’s statements covered: (1) statements about the relative
security of the parites’ services; (2) statements that Rimini offers “holistic”
security; and (3) statements about the need for software patching.
(1) “Relative
security” statements
• “Security professionals have found that traditional vendor
security patching models are outdated and provide ineffective security
protection.”
• Oracle’s [Critical Patch Updates] are unnecessary to be
secure.
• It is not risky to switch to Rimini and forgo receiving
[Critical Patch Updates] from Oracle.
• Virtual patching can serve as a replacement for [Oracle]
patching.
• “Virtual patching can be more comprehensive, more
effective, faster, safer, and easier to apply than traditional [Oracle]
patching.”
• “Rimini Security Support Services helps clients
proactively maintain a more secure application compared to [Oracle’s] support
program which offers only software package-centric fixes.”
• Rimini provides more security as compared to Oracle.
• Rimini’s [Global Security Services] can “pinpoint and
circumvent vulnerabilities months and even years before they are discovered and
addressed by the software vendor.”
These statements were puffery.
Comparative assertions about
effectiveness, riskiness, and security are the kinds of generalized statements
of product superiority that we have routinely found to be nonactionable. Here,
neither Oracle nor the district court provided any objective, quantifiable metric
to measure software’s security, risk to vulnerabilities, or security protocols’
effectiveness to prove the falsity of Rimini’s statements. Indeed, the
possibility of exploitation by hackers always exists. No product can offer
complete “security” or eliminate all “risk.” Without an objective measure of
the difference between perfect security and the security programs offered by
Rimini’s and Oracle’s products, any statement about comparative security is
necessarily tinged with subjectivity. As Oracle’s security expert acknowledged,
“security experts can reasonably disagree on what constitutes adequate
security.”
The district court held that Rimini’s statement that its
security services could “pinpoint” future vulnerabilities “before they even
exist” was literally false because such technology is “not technically
feasible.” But “Rimini never claimed clairvoyance in spotting vulnerabilities;
instead, it was merely claiming that its products can spot problems before they
are ‘discovered and addressed by the software vendor.’” That was “a comparative
statement of superiority—not a statement of psychic ability. Indeed, Rimini
presented evidence that it had identified and addressed specific
vulnerabilities before Oracle released a patch to address them.” Reversed.
(2) The
claim that Rimini offers “holistic security” solutions for Oracle software for
enterprises
The district court found that “holistic security” is a term
of art within the world of software security that refers to “a comprehensive
approach to security at all layers of a system, and includes security patching
at the software level.” Because “industry standards can provide objective
meaning to otherwise subjective or ambiguous terms in particular contexts,” the
statement was actionable.
If “holistic security” means “multi-layered security
protection including at the source-code level” that’s a “binary determination”
with “falsifiable criteria.” The district court found that Rimini doesn’t offer
multi-level security, so the court of appeals affirmed.
(3) “No
need for software patching” statements
• Oracle’s [Critical Patch Updates] provide little to no
value to customers and are no longer relevant.
• Once an Oracle ERP platform is stable, there is no real
need for additional patches from Oracle.
• If you are operating a stable version of an Oracle
application platform, especially with customizations, you probably cannot apply
or do not even need the latest patches.
The district court held that these statements were
misleading because the “security community recognizes that software-level
patching is one of the most important aspects of any modern IT security
strategy.” These too were puffery.
The record showed that Oracle’s
customers are “some of the most sophisticated companies in the world” and “take
the security of their systems seriously.” Whether to deploy or skip software
patching is a matter of subjective discretion. One Oracle customer testified
that it made the decision not to apply Oracle’s Critical Patching Updates
because it focused on its firewall security and believed that the patches could
introduce new problems—all before it considered signing up with Rimini. Thus,
it is doubtful that any of Oracle’s customers would be fooled about its own
security needs merely based on Rimini’s fanciful but vague statements. Indeed,
Oracle could not identify “any customers that left Oracle and went to Rimini
because of a statement about security.” Nor did Oracle present any evidence of
a security breach suffered by a Rimini client. So while these statements border
on falsehood, we cannot say that they are so specific and measurable to become
actionable under the Lanham Act. We thus reverse.
All this also required the district court to reconsider the
scope of the injunction.
Judge Bybee dissented in part, and would have found that the
statement “Oracle’s [Critical Patch Updates] provide little or no value to
customers and are no longer relevant” was not puffery. “Little or no value” and “no longer relevant”
were “absolute characteristics” that could be “falsified”—Oracle’s product was
either valueless and irrelevant or not, even if using software patching is a
discretionary decision, and even if Oracle’s “sophisticated” customers would
not be “fooled” by this statement. Rimini “internally acknowledges that
patching ... is necessary,” and has said that “no one is thinking of not
applying patches at all.” Most of Rimini’s statements were puffery because they
used qualifiers like “probably,” “can,” and “more”—and made generalized
statements. [FWIW, the “qualifiers” justification doesn’t persuade me—most
studies I’ve seen show that consumers don’t distinguish in that way.]
Posts
No comments:
Post a Comment