Delaware District Court Jury Makes Landmark Decision based on "Screen Scraping"
Ryanair recently prevailed in a jury trial in Delaware Federal District Court when the jury determined that Booking.Com B.V. violated the U.S. Computer Fraud and Abuse Act (CFAA) by engaging in "screen scraping" of data belonging to Ryanair. Click the link to view the Verdict Form used by the jury to enter its verdict: Ryanair Verdict Form. While the damages award was small ($5000), the importance of the verdict was more for its relevance to the overall development of law under the CFAA, which as a statute allowing civil lawsuits for violation of the Act, has struggled to gain a foothold due to everchanging technology and the evolution through numerous amendments of the statute in trying to keep up with that technology. The jury found sufficient evidence to prove that Ryanair had suffered at least $5000 in Loss during a one year period. See verdict form.
Ryanair initially brought 5 claims under the Computer Fraud and Abuse Act (FCAA) 18 U.S.C. § 1030 against several defendants including Booking Holdings, Inc. and Booking.Com B.V. The complaint was filed on September 4, 2020 in the USDC for the District of Delaware at 20-cv-01191. Booking Holdings owns travel companies Booking.com, Priceline, Agoda and KAYAK that allow customers to purchase plane flights, hotel reservations, rental cars and other travel related services on the NET. Booking.Com allegedly performs the claimed bad acts through various agent companies including one called Etraveli group. According to an Opinion in 2022 filed by Judge William C. Bryson (see it by clicking here), which in large part denied a Motion to Dismiss filed by the Defendants, he wrote:
"Ryanair sells flight reservations to the public on its website. In order to book a flight on the Ryanair website, a user must create an account by selecting a username and password. After creating an account, a user may view and purchase flights in the “myRyanair” section of the Ryanair website. Ryanair alleges that the myRyanair section of the website is not public, and that there are various contractual and technical mechanisms in place to ensure that unauthorized users are not able to access the myRyanair section of the Ryanair website or make unauthorized use of materials found in that section of the website."
Ryanair's Complaint was found to be "plausible" (Iqbal and Twombly standard) in all but one Count and their claims proceeded eventually to a jury trial which ended on July 18, 2024 with a verdict in favor of Ryanair. Again, per the initial MTD opinion of Judge Bryson"
"The key allegation underlying Ryanair’s claims is that the defendants or their agents (referred to as 'aggregators') engage in 'screen scraping,' i.e., automatically collecting data from the myRyanair section of the Ryanair website. Ryanair alleges that the defendants then use the data they obtain to allow users to book Ryanair flights on the defendants’ websites, often at higher fares than those flights are priced on the Ryanair website. Ryanair further alleges that such conduct violates the terms of use for the Ryanair website and that in conducting their screen scraping activities the defendants circumvent technology that Ryanair employs to prevent unauthorized users from accessing the myRyanair portion of the website."
Indirect or Vicarious Liability per the CFAA
Important in this case was the early ruling by Judge Bryson that upheld most of the Ryanair claims against Motions to Dismiss the complaint filed by the defendants. The court upheld the claim by Ryanair that Booking.com induced its agency partners (the "aggregators") to commit the offenses proscribed by the CFAA and Booking.com challenged this indirect theory of violation. Defendants had argued that Ryanair could not proceed on a theory of indirect or vicarious liability against Booking.com. In arguing the "plausibility" of their complaint, Ryanair argued that it only needed to get over the Iqbal standard and then discover some of the details of how the "aggregators" work through discovery. Judge Bryson agreed and wrote in denying the MTD:
"In sum, to the extent the defendants argue that the complaint was insufficient because it
failed to allege the existence of a formal agency relationship between the defendants and the
aggregators, the short answer is that the existence of an agency (or master-servant) relationship is
not a necessary predicate for liability on a “direct, encourage, or induce” theory. As indicated in
the cases cited above, even if the aggregators are independent contractors and not agents of the defendants, the defendants can be held liable simply based on evidence that the defendants induced
the aggregators to commit violations of the CFAA."
At trial Ryanair apparently proved to the jury's satisfaction that "Etraveli was an extension of Booking.com" and that they had been induced to violate the CFAA. See verdict form wherein the jury found by a preponderence of the evidence that Booking.com had induced Etraveli to "access the Ryanair portion of the Ryanair website without authorization."
Damage or Loss per the CFAA
A very tough burden under the CFAA is to prove actionable harm - loss - damages that meet the definition under the CFAA. The CFAA requires not only proof of access to a computer without authorization, but also losses that are "technological" in nature and that amount to more than $5000 in a year. Damage is defined under the CFAA as "any impairment to the integrity or availability of data, a program, a system, or information.” Likewise, the CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Judge Bryson agreed to a broad reading of "loss" that could include the cost to investigate the intrusion.
These damages and losses provisions in the CFAA are the subject of much dispute in the growing law of the CFAA. Judge Bryson cited the Supreme Court in Van Buren v. United States "As the Supreme Court has observed, those terms [loss and damage] “focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” Van Buren v. United States, 141 S. Ct. 1648, 1660 (2021)." He found the allegations by Ryanair sufficient to demonstrate plausible technological harm in that they alleged, inter alia, "that the actions of the defendants greatly increase the quantities of queries on the Ryanair website and...they impair the availability and usability of the Ryanair website". Ryanair argued that the "myRyanair" part of their website is for registered customers only and is password protected and guarded by a program called "Shield." The Court and the jury found that Booking.com had somehow gotten around these barriers to entry to the allegedly private part of the myRyanair website and that this violated the CFAA.
Knowingly and With Intent To Defraud Standard in the CFAA
Ryanair overcame a motion to dismiss on the grounds that its complaint did not meet the "intent" burden under CFAA 18 U.S.C. § 1030(a)(4) and that it particulary failed in meeting the heightened pleading standard for fraud under Federal Rule of Civil Procedure 9(b). Judge Bryson deemed the law in this area "a mess." In denying the MTD he wrote:
"As noted, Rule 9(b) requires that Ryanair establish the “who, what, where, when, and how” of the fraudulent conduct Ryanair is alleging. See UPMC, 946 F.3d at 176. Ryanair has alleged the “who” (the defendants and/or the aggregators), the “what” (misrepresenting themselves), the “where” (on the Ryanair website), the “when” (when attempting to access the myRyanair section of the Ryanair website), and the “how” (using false email addresses or IP addresses)".
The jury found "by a preponderance of the evidence that Booking.com knowingly and with intent to defraud, directed, encouraged, or induced a third party to accesss the myRyanair portion of the Ryanair website without authorization..." See verdict form.
Without Authorization and Exceeds Authorized Access Elements of the CFAA
In citing various cases, Judge Bryson denied the motion to dismiss which argued that the Ryanair website is a public website and that therefore, there was no access which violated the CFAA. He found that the site was protected enough, at least according to the complaint, that it had sufficient technological barriers to entry to meet the standard set in Van Buren by the Supreme Court. He again quoted Van Buren:
"in Van Buren v. United States, the Supreme Court held that an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” 141 S. Ct. at 1662...the Court’s ultimate holding—that a police officer did not violate the CFAA when he accessed police records for an improper purpose—strongly suggests that the operative question is whether a technological or code-based limitation exists to prevent access to a computer by those who do not have proper authorization. See id. at 1658–59 & n.8, 1662.
Judge Bryson also found that there were sufficient allegation of conspiracy to meet the threshold pleading burden for that claim and he cited to many other courts which recognize such a claim under the CFAA. The jury found that the actions of Booking.com were Without Authorization and that their acts furthered the intended fraud. Both sides have stated that they will appeal all or parts of the verdict.
