Applying broader interpretations of the Computer Fraud and Abuse Act could help curb fraudulent plays on music streaming platforms

By Rohan Parekh

Streaming music revenues now account for sixty-five percent of the revenue share in the music industry thanks to streaming services like Spotify, YouTube, Apple Music, and Tidal.[1]  Despite an increase in listeners and subscribers to these services, the industry is being undermined by instances of streaming fraud, which involves using a bot or human to repeatedly click on a song to rack up royalty payments or payments that artists receive for every time a song is streamed, at the expense of other artists, rather than listening to the underlying content.[2] The streaming service Tidal has recently been accused of faking streams for artists like Kanye West and Beyoncé, and the Norwegian rights holder group TONO has filed an official police complaint in Norway for law enforcement to look into the streaming manipulation.[3] Just last year, a scamming operation in Bulgaria involved the creation of fake user accounts and automation of plays for 500 thirty-second songs, resulting in a large payout to the scammers.[4] Spotify removed the playlists after the scam was detected.[5]

While no lawsuit has been filed yet regarding fake streaming, litigators might be able to rely on section (a)(4) of the Computer Fraud and Abuse Act (CFAA) to go after streaming fraud perpetrators.[6] It is a crime under section (a)(4) to knowingly, and with the intent to defraud, access a protected computer without authorization, or exceed authorized access, and obtain anything of value.[7] The phrase “obtain anything of value” includes obtaining customers or subscribers, and courts would likely find increased plays, which result in royalty payments, to be something of value.[8]

The CFAA defines “exceeds authorized access” as accessing a computer with authorization and using such access to obtain or alter information in the computer the user is not entitled to obtain or alter.[9] However, courts are split on their interpretations of what constitutes authorization, with circuits differing on whether violating terms of use regulating access to information, in addition to use of information on a website, can establish a claim for unauthorized access.[10] In EF Cultural Travel BV v. Explorica, the First Circuit found that the defendant’s access to the plaintiff’s website by using a robot was a breach of the terms between the parties and exceeded authorization.[11] In contrast, the Ninth Circuit held in United States v. Nosal that criminal prosecution under the CFAA’s “exceeding authorized access” provisions could not be based on violating contractual “use” restrictions, but must be linked to contractual or technological “access” restrictions.[12] For example, Spotify’s Terms of Service, which is a contract between a website user and the service, prohibits users from engaging in fraudulent streaming behavior.[13] In the music streaming context, a user might have “access” to, or generate a valid account for, a music streaming service, but then continue to use a robot or manually click songs repeatedly to rack up royalty payments.[14] Although that might be a violation of the terms of use, it might not inherently be a violation of any contractual “access” restriction.

Utilizing the Ninth Circuit’s logic in Nosal and other cases, hackers who “access” songs on streaming services while violating the terms of use would fall under the “exceeded authorized access” prong of the CFAA, but this interpretation does not go far enough for hackers who subsequently “use” the access for fraudulent purposes like click fraud.[15] Instead, courts should uniformly adopt the First and Fifth Circuits’ broader interpretation of the CFAA and allow terms of use to control the scope of authorization.[16] Even the CFAA’s legislative history has clarified that the law should be responsive to changes in technology and sophisticated hackers.[17] Otherwise, terms of service and online agreements would have little value for websites looking to discourage activity once hackers are given “access.”[18] Litigators may still be able to rely on other causes of action, such as tortious interference of business relationships, fraudulent misrepresentation, unjust enrichment, and breaching the implied covenant of good faith and fair dealing to go after streaming fraud perpetrators, but prosecution under the CFAA could impose criminal liability and be a stronger deterrent to scamming activity.[19]

Courts that interpret authorization in the broadest sense allow plaintiffs to recover royalties paid to scammers, artists, or even streaming services committing click fraud.[20] Furthermore, as streaming technologies continue to develop, and popular social media websites like Facebook enter into music licensing deals, the CFAA must be interpreted to give plaintiffs the broadest resources and remedies possible to combat fraud so that artists and listeners using legitimate methods of streaming have confidence in the music services that stream their music and stream their favorite artists, respectively.[21]

[1] See Joshua P. Friedlander, News and Notes on 2017 RIAA Revenue Statistics (RIAA, Washington, D.C.), 2018, at 1 (stating that streaming accounts for $5.7 billion in total music industry revenue).

[2] See Tim Ingham, Forget About Fake Artists – It’s Time to Talk About Fake Streams, Music Bus. Worldwide (July 20, 2017), https://www.musicbusinessworldwide.com/forget-about-fake-artists-its-time-to-talk-about-fake-streams/(describing that websites allegedly offer increased streams for money).

[3] See Tim Ingham, Tidal Accused of Deliberately Faking Kanye West and Beyoncé Streaming Numbers, Music Bus. Worldwide (May 9, 2018), https://www.musicbusinessworldwide.com/did-tidal-falsify-streams-to-bulk-up-kanye-west-and-beyonce-numbers/ (explaining that a Norwegian University of Science and Technology Center for Cyber and Information Security study found that Tidal likely accessed genuine user accounts to increase artist play-counts).

[4] See Amy Wang, A Bulgarian Scheme Scammed Spotify for $1-Million Without Breaking A Single Law, Quartz (Feb. 22, 2018), https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-for-1-million-without-breaking-a-single-law/ (stating that until Spotify comes up with a solution, cheating music streaming will result in thousands to millions of misappropriated dollars).

[5] See id. (noting that a takedown approach is different from initiating litigation because a takedown removes the songs but does not recover the paid out royalties).

[6] See generally Artin Gholian and Brian S. Kabateck, Feature: Click Here: The Computer Fraud and Abuse Act May Become the Best Tool for Fighting Internet Advertising Click Fraud 33 L.A. Law. 22 (2010) (stating that the CFAA has been used in advertising fraud litigation).

[7] See generally 18 U.S.C. § 1030(a)(4) (2017) (asserting that prosecutors must allege certain conduct to file charges under the CFAA).

[8] See In re AOL, Inc. Version 5.0 Software Litig., 168 F. Supp. 2d 1359, 1379-81 (S.D. Fla. 2001) (holding that although the typical item of value in CFAA litigation is usually data, customers have been found to be a thing of value).

[9] See 18 U.S.C.§ 1030(e)(6) (2017) (defining the term “exceeds authorized access,” but still leaving interpretation of the term “authorized” up to court interpretation).

[10] See EF Cultural Travel BV v. Explorica, 274 F.3d 577, 582 (1st Cir. 2001) (holding terms of use and access restrictions control the scope of “authorization”). But see United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (finding that public policy concerns such as overcriminalization outweigh defining “authorization” based on breach of contract terms).

[11] See EF Cultural Travel BV, 274 F.3d at 583 (holding that the defendant went beyond the authorized use of plaintiff’s website by using proprietary information to learn about the plaintiff’s technical abilities and gain a competitive advantage).

[12] See Nosal, 676 F.3d at 863 (holding that “exceeding authorized access” occurs when initial access is permitted and the access of certain information is not allowed, but that “exceeding authorized access” does not place limits on the use of such information).

[13] See Spotify Terms and Conditions of Use, Spotify (July 6, 2017), https://www.spotify.com/us/legal/end-user-agreement/#s10 (prohibiting users from “artificially increasing play count or otherwise manipulating the services by using a script or other automated process”).

[14] See William Bedell, I Built a Botnet that Could Destroy Spotify with Fake Listens, Motherboard, Oct. 16, 2015, https://motherboard.vice.com/enus/article/gv5xbx/i-built-a-botnet-that-could-destroy-spotify-with-fake-listens (describing that robots were used to create valid user accounts with minimal barriers to entry and did not set off Spotify’s fraud algorithms).

[15] See Nosal, 676 F.3d at 858 (explaining that the CFAA is a hacking statute and should not criminalize the unauthorized obtaining or use of information); see also United States v. Drew, 2009 U.S. Dist. LEXIS 85780, at *1, *60 (C.D. Cal. Aug. 28, 2009) (stating that terms of use on Internet sites prohibit a broad range of conduct, and prosecutors would be emboldened to go after any breach of terms).

[16] See United States v. John, 597 F.3d 263, 269 (5th Cir. 2010) (finding that “authorized access” or “authorization” encompasses limits placed on the use of information obtained through permitted access to a computer system and data available on that system).

[17] See S. Rep. No. 104-357, at 11 (1996) (discussing how the CFAA amendments reflect the importance of the new ways hackers manipulate technology).

[18] See America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d. 444, 450 (E.D. Va. 1998) (concluding a violation of the CFAA occurred when a website member obtained and altered information).

[19] See generally Complaint, Microsoft Corp. v. Lam, No. C09-0815 (W.D. Wash. June 15, 2009) (stating that the alleged fraudulent behavior violated Microsoft’s provision of “generating automated or fraudulent impressions or clicks on sponsored sites on the Microsoft networks”).

[20] See Bedell, supra note 14 (stating bots were given “access” to user accounts and streamed music like human users without detection).

[21] See Stuart Dredge, Facebook Signs Universal Music Licensing Deal for Music, Video, and More, MusicAlly (Dec. 21, 2017), http://musically.com/2017/12/21/facebook-universal-music-licensing-deal/ (stating that Facebook has entered into the music licensing landscape, but that it is unclear if the royalty model will resemble other music streaming services); Tim Ingham, In Wake of Bulgarian Scam, Spotify Unleashes Its Own Anti-Fraud SquadMusic Bus. Worldwide (Mar.8, 2018), https://www.musicbusinessworldwide.com/in-wake-of-bulgarian-scam-spotify-unleashes-its-own-anti-fraud-squad/(noting that Spotify has increased efforts to stamp down on fraudulent activity).