Wednesday, December 18, 2024

Celebration on Rimini Street as it achieves significant (c)/Lanham Act victories in 9th Circuit

Oracle Int’l Corp. v. Rimini Street, Inc., --- F.4th ----, No. 23-16038, 2024 WL 5114449 (9th Cir. Dec. 16, 2024)

Rimini Street gets a reasonably substantial victory in its long-running battle with Oracle in this appeal.

Prior rulings held that Rimini’s processes for serving clients who use Oracle’s software programs infringed on Oracle’s copyrights. Rimini therefore developed new processes for servicing its Oracle-using clients. After a bench trial, the district court ruled that many of these new processes still infringed Oracle’s copyrights and found that certain security-related statements violated the Lanham Act. The court of appeals vacated in part, reversed in part, and remanded.

Oracle’s programs include PeopleSoft, which can be customized to manage all sorts of business processes, including HR processes such as timekeeping, benefits administration, and recruitment and financial processes such as expense tracking and payroll. Oracle also provides optional software support for PeopleSoft, including updates to reflect changes to tax laws and other regulations. Customers can also modify and customize the software themselves or through third-party providers.

“Rimini Street is a third-party provider and direct competitor with Oracle in the support-services market.” Its services include troubleshooting support and software updates, including creating files that only work with Oracle’s products. After the first Oracle lawsuit in 2010, the court found that Rimini infringed Oracle’s copyrights by engaging in “cross-use” and creating copies of Oracle’s materials on Rimini’s computer systems. The court of appeals largely affirmed the district court’s permanent injunction. The district court later found that Rimini violated the injunction and held it in contempt on five issues, four of which the court of appeals upheld. Rimini changed aspects of its business model and sought declaratory judgment that its revised process, “Process 2.0,” did not infringe. Oracle counterclaimed for copyright infringement and violations of the Lanham Act. The district court held that Rimini had, in fact, infringed by engaging in cross-use prohibited by PeopleSoft license agreements and that an update created for the City of Eugene’s PeopleSoft software environment was a “derivative work.” After Oracle abandoned claims for monetary relief, the district court held a bench trial and additionally found that Rimini (1) created infringing derivative works, (2) violated Oracle’s PeopleSoft and Database licensing agreements, and (3) made several statements violating the Lanham Act.

Derivative works: The court says several useful things, in line with Pam Samuelson’s exposition of the derivative works right. (I note amicus support from, among others, EFF, Glynn Lunney, and Betsy Rosenblatt.) The district court held that Rimini’s Process 2.0 files and updates were infringing derivative works because they “only interact[ ] and [are] useable with” Oracle software. But this was the wrong test.  

The Copyright Act defines a “derivative work” as:

a work based upon one or more preexisting works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which a work may be recast, transformed, or adapted.

This “broad” language nonetheless has limits. The text starts with examples. Although “such as” means the list isn’t exhaustive, it still indicates the “kind” of works covered. Thus, “based upon” requires “copying of the kind exhibited in translations, movie adaptations, and reproductions. Mere interoperability isn’t enough.” I would have thought that this was the canon of noscitur a sociis, which means we define a term by “the company it keeps,” but the court treats that as a second principle: “[t]he examples of derivative works provided by the Act all physically incorporate the underlying work or works.” Thus, a derivative work “must be in the subset of works substantially incorporating the preexisting work.” That substantiality can be literal or nonliteral, in total concept and feel.

Here, though there were several examples of literal copying, Rimini challenged only the ruling that Rimini’s programs were derivative works “even if the work[s] do[ ] not contain any of [Oracle’s] copyrighted code … because they interact only with PeopleSoft,” “are extensions to and modifications of Oracle’s copyrighted software” and they “cannot be used with any software programs other than PeopleSoft.” But without more, “derivative status does not turn on interoperability, even exclusive interoperability, if the work doesn’t substantially incorporate the preexisting work’s copyrighted material.” Because the district court applied the wrong legal standard, the court remanded and didn’t reach Rimini’s alternative argument that Oracle’s licensing agreements nonetheless authorize any derivative work or analyze whether Rimini’s programs incorporated protectable nonliteral elements of Oracle’s programs.

In addition, the district court applied the wrong legal standard on Rimini’s § 117(a) defense, which provides that it’s not infringing when an “owner of a copy of a computer program ... mak[es] ... another copy or adaptation of that computer program” for certain purposes, such as when it’s an “essential step” in using the program. At the pleading stage, the district court struck this affirmative defense because it found that “Oracle’s customers only license, rather than buy, Oracle’s copyrighted software.”

In the Ninth Circuit, courts look for “sufficient incidents of ownership” to distinguish a license to a copy from ownership of the copy. Mere labeling of an arrangement as a license, while relevant, is not itself dispositive. Courts also consider whether the parties’ arrangement “significantly restricts the user’s ability to transfer the software” and whether the agreement “imposes notable use restrictions.” Because the concern is ownership of the copy of the computer program, not of the copyright itself, use restrictions that only protect against the infringement of the copyrighted material are less relevant. Instead, courts should attend to use restrictions that affect using the copy of the computer program, such as limiting the user to “one working and one back up copy of the software,” forbidding the “examination, disclosure, copying, modification, adaptation, and visual display of the software,” and permitting the “software use on [a] single computer, [while] prohibit[ing] multicomputer and multi-user arrangements, and permitt[ing] transfer to another computer no more than once every thirty days.” Other “incidents of ownership” may be considered, including whether the user paid “significant consideration to develop the programs for [the user’s] sole benefit” and whether the user could use the “programs ‘forever,’ regardless of whether the parties’ relationship terminated.”

The district court seemed to rely only on the labeling of the agreements between Oracle and its customers as a “license,” and that wasn’t enough. Remand again, both on ownership and on the other elements of the § 117 “essential step” defense.

The court of appeals also found that the Oracle Database licensing agreement did not prohibit third-party support providers, like Rimini, from possessing a copy of Oracle’s software to further a client’s “internal business operations,” requiring reversal of the district court’s conclusion that it infringed Oracle’s copyright in Database.

A similar ruling about Rimini’s delivery of PeopleSoft updates to clients was intertwined with the derivative works ruling above and needed further sorting out.

Lanham Act: The district court found that Rimini engaged in false advertising; Rimini challenged whether 12 statements about its security services could be found to be misleading.

Oracle provides periodic security patches, aka “Critical Patch Updates,” to customers who buy Oracle software support. Rimini offers its own security service using a technology called “virtual patching.” Unlike Oracle’s patches, virtual patching does not modify source code. Instead, it acts as a firewall for software programs, attempting to intercept and block any exploits. Rimini’s statements covered: (1) statements about the relative security of the parties’ services; (2) statements that Rimini offers “holistic” security; and (3) statements about the need for software patching.

(1) “Relative security” statements:

• “Security professionals have found that traditional vendor security patching models are outdated and provide ineffective security protection.”

• Oracle’s [Critical Patch Updates] are unnecessary to be secure.

• It is not risky to switch to Rimini and forgo receiving [Critical Patch Updates] from Oracle.

• Virtual patching can serve as a replacement for [Oracle] patching.

• “Virtual patching can be more comprehensive, more effective, faster, safer, and easier to apply than traditional [Oracle] patching.”

• “Rimini Security Support Services helps clients proactively maintain a more secure application compared to [Oracle’s] support program which offers only software package-centric fixes.”

• Rimini provides more security as compared to Oracle.

• Rimini’s [Global Security Services] can “pinpoint and circumvent vulnerabilities months and even years before they are discovered and addressed by the software vendor.”

These statements were puffery.

Comparative assertions about effectiveness, riskiness, and security are the kinds of generalized statements of product superiority that we have routinely found to be nonactionable. Here, neither Oracle nor the district court provided any objective, quantifiable metric to measure software’s security, risk to vulnerabilities, or security protocols’ effectiveness to prove the falsity of Rimini’s statements. Indeed, the possibility of exploitation by hackers always exists. No product can offer complete “security” or eliminate all “risk.” Without an objective measure of the difference between perfect security and the security programs offered by Rimini’s and Oracle’s products, any statement about comparative security is necessarily tinged with subjectivity. As Oracle’s security expert acknowledged, “security experts can reasonably disagree on what constitutes adequate security.”

The district court held that Rimini’s statement that its security services could “pinpoint” future vulnerabilities “before they even exist” was literally false because such technology is “not technically feasible.” But “Rimini never claimed clairvoyance in spotting vulnerabilities; instead, it was merely claiming that its products can spot problems before they are ‘discovered and addressed by the software vendor.’” That was “a comparative statement of superiority—not a statement of psychic ability. Indeed, Rimini presented evidence that it had identified and addressed specific vulnerabilities before Oracle released a patch to address them.” Reversed.

(2) Rimini's “holistic security” claim:

The district court found that “holistic security” is a term of art within the world of software security that refers to “a comprehensive approach to security at all layers of a system, and includes security patching at the software level.” Because “industry standards can provide objective meaning to otherwise subjective or ambiguous terms in particular contexts,” the statement was actionable.

If “holistic security” means “multi-layered security protection including at the source-code level” that’s a “binary determination” with “falsifiable criteria.” The district court found that Rimini doesn’t offer multi-level security, so the court of appeals affirmed.

(3) Rimini's “No need for software patching” statements:

• Oracle’s [Critical Patch Updates] provide little to no value to customers and are no longer relevant.

• Once an Oracle ERP platform is stable, there is no real need for additional patches from Oracle.

• If you are operating a stable version of an Oracle application platform, especially with customizations, you probably cannot apply or do not even need the latest patches.

The district court held that these statements were misleading because the “security community recognizes that software-level patching is one of the most important aspects of any modern IT security strategy.” These too were puffery.

The record showed that Oracle’s customers are “some of the most sophisticated companies in the world” and “take the security of their systems seriously.” Whether to deploy or skip software patching is a matter of subjective discretion. One Oracle customer testified that it made the decision not to apply Oracle’s Critical Patching Updates because it focused on its firewall security and believed that the patches could introduce new problems—all before it considered signing up with Rimini. Thus, it is doubtful that any of Oracle’s customers would be fooled about its own security needs merely based on Rimini’s fanciful but vague statements. Indeed, Oracle could not identify “any customers that left Oracle and went to Rimini because of a statement about security.” Nor did Oracle present any evidence of a security breach suffered by a Rimini client. So while these statements border on falsehood, we cannot say that they are so specific and measurable to become actionable under the Lanham Act. We thus reverse.

All this also required the district court to reconsider the scope of the injunction.

Judge Bybee dissented in part, and would have found that the statement “Oracle’s [Critical Patch Updates] provide little or no value to customers and are no longer relevant” was not puffery.  “Little or no value” and “no longer relevant” were “absolute characteristics” that could be “falsified”—Oracle’s product was either valueless and irrelevant or not, even if using software patching is a discretionary decision, and even if Oracle’s “sophisticated” customers would not be “fooled” by this statement. Rimini “internally acknowledges that patching ... is necessary,” and has said that “no one is thinking of not applying patches at all.” Most of Rimini’s statements were puffery because they used qualifiers like “probably,” “can,” and “more”—and made generalized statements. [FWIW, the “qualifiers” justification doesn’t persuade me—most studies I’ve seen show that consumers don’t distinguish in that way.]

