ORACLE AMERICA, INC., a Delaware Corporation; ORACLE INTERNATIONAL CORPORATION, a California Corporation, Plaintiffs-Appellants, v. HEWLETT PACKARD ENTERPRISE COMPANY, a Delaware Corporation, Defendant-Appellee.
No. 19-15506
United States Court of Appeals for the Ninth Circuit
August 20, 2020
D.C. No. 4:16-cv-01393-JST; Argued and Submitted June 8, 2020 San Francisco, California
Opinion by Judge Milan D. Smith, Jr.
FOR PUBLICATION
UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT
Appeal from the United States District Court for the Northern District of California Jon S. Tigar, District Judge, Presiding
Filed August 20, 2020
Before: MILAN D. SMITH, JR. and ANDREW D. HURWITZ, Circuit Judges, and C. ASHLEY ROYAL,* District Judge.
Opinion by Judge Milan D. Smith, Jr.
SUMMARY**
Copyright
The panel affirmed in part and reversed in part the district court‘s grant of summary judgment in favor of Hewlett Packard Enterprise Co. in a copyright infringement action brought by
Oracle, owner of the proprietary Solaris software operating system, granted customers a limited use license and required customers to have a prepaid annual support contract to access patches for a server. Oracle alleged that HPE improperly accessed, downloaded, copied, and installed Solaris patches on servers not under an Oracle support contract. HPE provided support for all of its customers’ servers, including servers running Solaris software, and it subcontracted indirect support to Terix Computer Co. Oracle asserted direct copyright infringement claims concerning HPE‘s direct support customers, and it asserted indirect infringement claims concerning joint HPE-Terix customers.
The panel affirmed the district court‘s partial summary judgment for HPE on claims for copyright infringement and intentional interference with prospective economic advantage based upon the statute of limitations. Following a prior suit by Oracle against Terix, Oracle and HPE entered into an agreement, effective May 6, 2015, to toll the statute of limitations for any claims that Oracle might assert against HPE. The panel held that under the Copyright Act‘s three-year statute of limitations, Oracle‘s copyright infringement claims were barred for conduct before May 6, 2012. The panel concluded that Oracle had constructive knowledge and thus a duty to investigate but did not conduct a reasonable investigation into the suspected infringement. The panel held that under a California two-year statute of limitations, the IIPEA claim was barred for conduct before May 6, 2013.
As to remaining infringement claims, the panel affirmed in part the district court‘s summary judgment on indirect infringement claims for patch installations by Terix. The panel reversed the district court‘s summary judgment on all infringement claims for pre-installation conduct and on direct infringement claims for unauthorized patch installations by HPE. As to indirect infringement, the panel held that in interpreting Oracle‘s licenses, the district court erred by failing to consider pre-installation conduct. As to direct infringement, the panel held that for certain customers, referred to as “non-Symantec customers,” Oracle possibly could provide unauthorized installations by HPE. Summary judgment for HPE on the direct infringement claims concerning customer Symantec was also improper.
The panel addressed other issues in a concurrently filed memorandum disposition.
COUNSEL
Gregory G. Garre (argued), Elana Nightingale Dawson, and Charles S. Dameron, Latham & Watkins LLP, Washington, D.C.; Christopher S. Yates, Christopher B. Campbell, and Brittany N. Lovejoy, Latham & Watkins LLP, San Francisco, California; Dorian Estelle Daley and Deborah Kay Miller, Oracle America Inc., Redwood City, California; Jeffrey S. Ross, Oracle America Inc., Burlington, California; Dale M. Cendali and Joshua L. Simmons, Kirkland & Ellis LLP, New York, New York; for Plaintiffs-Appellants.
Mark A. Perry (argued), Gibson Dunn & Crutcher LLP, Washington, D.C.; Samuel G. Liverside, Joseph A. Gorman, and Ilissa S. Samplin, Gibson Dunn & Crutcher LLP, Los Angeles, California; Jeffrey T. Thomas and Blaine H. Evanson, Gibson Dunn & Crutcher LLP, Irvine, California; Vaishali Udupa, Hewlett Packard Enterprise Company, Reston, Virginia; Deanna L. Kwong, Hewlett Packard Enterprise Company, San Jose, California; for Defendant-Appellee.
William A. Isaacson and Samuel S. Ungar, Boies Schiller Flexner LLP, Washington, D.C.; Keith Kupferschmid and Terry Hart, Copyright Alliance, Washington, D.C.; for Amicus Curiae Copyright Alliance.
Mark E. Ferguson, Bartlit Beck LLP, Chicago, Illinois; Abigail M. Hinchcliff, Bartlit Beck LLP, Denver, Colorado; for Amici Curiae Repair Association and Electronic Frontier Foundation.
OPINION
M. SMITH, Circuit Judge:
Oracle America, Inc. and Oracle International Corporation (together, Oracle) own the proprietary Solaris software operating system. Oracle periodically releases patches for this software to address functionality, improve performance, and resolve security issues. As is relevant here, Oracle restricts use of the Solaris software, including software patches. It grants a customer a limited use license, and it requires a customer to have a prepaid annual support contract to access patches for a server.
Oracle brought copyright infringement claims, California state law intentional interference claims, and a California Unfair Competition Law (UCL) claim against Hewlett Packard Enterprise Company (HPE), alleging that HPE and nonparty Terix Computer Company, Inc. (Terix) improperly accessed, downloaded, copied, and installed Solaris patches on servers
FACTUAL AND PROCEDURAL BACKGROUND
I. The Solaris Software
Oracle has owned federally registered copyrights for the Solaris software since it purchased Sun Microsystems (Sun) in January 2010. Various Solaris patches also have code registered with the United States Copyright Office. Oracle licenses use of the Solaris software to a customer when the customer purchases a server with preinstalled software. The Solaris versions at issue here are Solaris 8, 9, 10 and 11. The Binary Code License Agreement applies to Solaris 8 and 9. The Software License Agreement (SLA) applies to Solaris 10.1
Customers with a prepaid annual Oracle support contract can access Solaris patches through the password protected My Oracle Support (MOS) website.2 A customer must place every server for which it desires support on an active support contract. A support contract is subject to policies that also define a customer‘s right to access patches. With an active support contract, a customer can create an MOS username and password. Upon accessing the MOS, the customer must agree to additional terms of use concerning the software on the site.
II. Third-Party Support of Solaris Software by HPE and Terix
As is relevant here, HPE has a multi-vendor support business that serves as a “one-stop-shop” to support all servers an HPE customer has, including servers running Solaris software. HPE provides such support directly and indirectly. HPE subcontracted indirect support to Terix, a company which specialized in supporting Oracle software. For joint HPE-Terix customers, Terix arranged for a server to have Oracle support in the customer‘s name with a prepaid Terix-supplied credit card and created an MOS credential for the single-server Oracle support contract. Terix also provided customers with a form email to send to Oracle. Terix downloaded patches using the credentials to make copies for use on off-contract servers as part of the so-called “one-to-many” scheme. When a customer was not yet supported, Terix created credentials by using fictitious names, emails addresses, and credit cards.
Oracle sued Terix in July 2013, alleging copyright infringement concerning the Solaris patches, among other claims. Oracle Am., Inc. v. Terix Comp. Co., Inc., No. 4:13-cv-3385-JST, Dkt No. 1 (N.D. Cal. July 19, 2013). Following summary judgment for Oracle on Terix‘s license affirmative defense there, Oracle Am., Inc. v. Terix Comp. Co., 2015 WL 2090191 (N.D. Cal. May 5, 2015), Terix stipulated to a judgment for Oracle on the infringement and fraud claims without admitting liability. Thereafter, Oracle and HPE entered into an agreement, effective
III. This Litigation
Oracle brought this suit against HPE in March 2016 for copyright infringement pursuant to
JURISDICTION AND STANDARD OF REVIEW
We have jurisdiction pursuant to
ANALYSIS
I. The Statute of Limitations
It is undisputed that the May 6, 2015 effective date of the parties’ tolling agreement applies in this case. Thus, we consider whether the copyright infringement claims are barred for conduct before May 6, 2012 and the IIPEA claim is barred for conduct before May 6, 2013.3
A. The Copyright Infringement Claims
A copyright infringement claim is subject to a three-year statute of limitations, which runs separately for each violation.
Although Oracle repeatedly argues that it lacked actual knowledge of all the wrongdoing by HPE and Terix, constructive knowledge triggers the statute of limitations. “The plaintiff is deemed to have had constructive knowledge if it had enough information to warrant an investigation which, if reasonably diligent, would have led to discovery of the [claim].” Pincay v. Andrews, 238 F.3d 1106, 1110 (9th Cir. 2001) (citation omitted). We have previously
see also Bibeau v. Pac. Nw. Res. Found. Inc., 188 F.3d 1105, 1108 (9th Cir. 1999) (citation omitted), as amended, 208 F.3d 831 (9th Cir. 2000) (explaining that the “twist” of the discovery rule is that it requires “[t]he plaintiff [to] be diligent in discovering the critical facts,” i.e., “that he has been hurt and who has inflicted the injury” (citation omitted)).
Oracle concedes that it “had concerns” in November 2010 that Terix might purchase support for one system and reuse the patches for all other systems. Oracle also had suspicions about HPE as early as 2010 and certainly by October 2011. Critically, Oracle concedes that “it made inquiries of Terix and HPE after receiving reports of potential infringement.” In relevant part, Oracle relies on inquiries that occurred in 2008 and September 2011. Oracle, thus, had a duty to conduct a reasonable investigation. Bibeau, 188 F.3d at 1108; Wood, 705 F.2d at 1521.
The doctrine of fraudulent concealment does not help Oracle in this case. A plaintiff relying on this doctrine to toll the limitations period must show “both that the defendant used fraudulent means to keep the plaintiff unaware of his cause of action, and also that the plaintiff was, in fact, ignorant of the existence of his cause of action.” Wood, 705 F.2d at 1521. The doctrine does not apply if the plaintiff had actual or constructive knowledge of the facts giving rise to the claim. Hexcel Corp. v. Ineos Polymers, Inc., 681 F.3d 1055, 1060 (9th Cir. 2012). “The plaintiff is deemed to have had constructive knowledge if it had enough information to warrant an investigation which, if reasonably diligent, would have led to the discovery of the fraud.” Id. (citation omitted). Although Oracle singularly focuses on the means of the purported concealment, it is not accurate that Oracle “had no reason to suspect” infringement and thus no duty to inquire. Taylor v. Meirick, 712 F.2d 1112, 1118 (7th Cir. 1983). Oracle concededly suspected infringement of its patches by Terix and HPE well before May 6, 2012.
The remaining issue is whether Oracle conducted a reasonable investigation into the suspected infringement. Although “summary judgment is generally an inappropriate way to decide questions of reasonableness,” it “is appropriate ‘when only one conclusion about the conduct‘s reasonableness is possible.‘” Gorman v. Wolpoff & Abramson, LLP, 584 F.3d 1147, 1157 (9th Cir. 2009) (quoting In re Software Toolworks, Inc., 50 F.3d 615, 622 (9th Cir. 1994)). Oracle‘s only evidence of any investigation concerns Terix.6 In April 2012—a
The district court determined that this investigation was unreasonable because Oracle failed to use its contractual right to audit customers, despite knowing that Oracle customers were working with Terix. The court did not err in focusing on this issue. Oracle had already identified customer audits as a tool to protect its intellectual property. Critically, only a customer with an active support contract can access the MOS in the first instance. Furthermore, Oracle requires that its customers ensure that third party agents comply with the terms of use for the Solaris software.
Oracle does not dispute that it had the right to audit its customers. It asserts, however, that requiring it to have
exercised that right would be “unprecedented,” “dilute the value of copyright ownership by increasing the costs of policing for infringement,” and “subject its clients to a hostile inquiry for the sake of tolling the statute of limitations.” Oracle cites no evidence or authority supporting these assertions, which are insufficient to preclude summary judgment. S. A. Empresa de Viacao Aerea Rio Grandense (Varig Airlines) v. Walter Kidde & Co., Inc., 690 F.2d 1235, 1238 (9th Cir. 1982) (“[A] party cannot manufacture a genuine issue of material fact merely by making assertions in its legal memoranda“). Because Oracle did not raise a triable issue about its investigation, HPE was entitled to summary judgment on the infringement claims for pre-May 6, 2012 conduct.
B. The IIPEA Claim
An IIPEA claim is subject to a two-year statute of limitations. See
In concluding that Oracle‘s pre-May 6, 2013 IIPEA claims were time-barred, the district court analyzed evidence concerning Comcast, one of Oracle‘s support customers, and determined that Oracle constructively knew of HPE‘s interference with the Comcast relationship as early as 2011. Oracle has not challenged that finding here, and thus has waived that issue. Paladin Assocs., Inc. v. Mont. Power Co., 328 F.3d 1145, 1164 (9th Cir. 2003). Oracle nonetheless argues that it could not have known about the “broader one-to-many scheme to interfere with Oracle‘s relationships.” Relying on El Pollo Loco, Inc. v. Hashim, 316 F.3d 1032, 1040 (9th Cir. 2003), Oracle further argues that it could rely on the truth of HPE‘s and Terix‘s assurances that “they were not engaged in misconduct” even if an investigation would have disclosed the falsity of those assurances.
Although fraudulent concealment tolls a statute of limitations for the time
II. The Copyright Infringement Claims
Oracle asserted direct infringement claims concerning HPE‘s direct support customers, and indirect infringement claims concerning joint HPE-Terix customers. The claimed infringing acts were unauthorized downloading, copying, and delivery of patches, and patch installations. We consider separately the indirect and direct infringement claims, mindful that “[t]he test for summary judgment in a copyright case must comport with the standard applied to all civil actions.” Shaw v. Lindheim, 919 F.2d 1353, 1358–59 (9th Cir. 1990), overruled in part on other grounds by, Skidmore v. Led Zeppelin, 952 F.3d 1051, 1066 (9th Cir. 2020) (en banc).
A. Indirect Infringement Claims
A defendant may be held vicariously and contributorily liable for copyright infringement carried out by another. Luvdarts, LLC v. AT & T Mobility, LLC, 710 F.3d 1068, 1071 (9th Cir. 2013). But a plaintiff must show “[a]s a threshold matter . . . that there has been direct infringement by third parties.” Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1169 (9th Cir. 2007). The district court concluded that Oracle could not prove direct infringement by Terix in the form of unauthorized patch installations.7 Oracle challenges the court‘s failure to consider evidence of Terix‘s pre-installation conduct. We briefly address that evidence and then discuss the deficiencies in the district court‘s analysis.
Direct infringement requires: “(1) ownership of a valid copyright, and (2) copying of constituent elements of the work that are original.” Seven Arts Filmed Entm‘t Ltd. v. Content Media Corp. PLC, 733 F.3d 1251, 1254 (9th Cir. 2013) (citation omitted). On the second element, we have made clear that “[b]oth uploading and downloading copyrighted material are infringing acts.” Columbia Pictures Indus. v. Fung, 710 F.3d 1020, 1034 (9th Cir. 2012).
Oracle provided evidence of Terix‘s downloading and copying of patches for joint HPE-Terix customers. Terix downloaded some 11,500 copies of Solaris patches, including thousands of copies of registered protectable code by using customers’ MOS credentials. Terix employees copied patches to internal Terix repositories as well as to Terix-provided laptops so that it could provide patches on demand to joint customers. Terix reproduced and distributed patches on its servers so that customers could access patch copies.
Although this evidence appears to show direct infringement, the district court did not consider it because the court read “Oracle‘s support contracts to grant an Oracle customer, or an agent of the customer, a license to download, deliver, and install
An applicable license may be dispositive of an infringement claim. “Anyone who is authorized by the copyright owner to use the copyrighted work in a way specified in [the Copyright Act] . . . is not an infringer of the copyright with respect to such use.” Sony Corp. of Am. v. Universal City Studios, Inc., 464 U.S. 417, 433 (1984). Thus, an infringement claim “fails if the challenged use of the work falls within the scope of a valid license.” Great Minds v. Office Depot, Inc., 945 F.3d 1106, 1110 (9th Cir. 2019). And “[t]he existence of a license creates an affirmative defense to” an infringement claim. Worldwide Church of God v. Phila. Church of God, Inc., 227 F.3d 1110, 1114 (9th Cir. 2000). But “[w]hen a licensee exceeds the scope of the license granted by the copyright holder, the licensee is liable for infringement.” LGS Architects, Inc. v. Concordia Homes of Nev., 434 F.3d 1150, 1156 (9th Cir. 2006).
A court must construe the license to evaluate its effect on a claim of copyright infringement. “A copyright license ‘must be construed in accordance with the purposes underlying federal copyright law.‘” Great Minds, 945 F.3d at 1110 (quoting S.O.S., Inc. v. Payday, Inc., 886 F.2d 1081, 1088 (9th Cir. 1989)); see also Cohen v. Paramount Pictures Corp., 845 F.2d 851, 854 (9th Cir. 1988) (same). “Chief among these purposes is the protection of the author‘s rights.” S.O.S., 886 F.2d at 1088. “Federal courts ‘rely on state law to provide the canons of contractual construction to interpret a license, but only to the extent such rules do not interfere with federal copyright law or policy.‘” Great Minds, 945 F.3d at 1110 (quoting S.O.S., 886 F.2d at 1088).
The district court here, however, opined on Oracle‘s licenses without applying these principles, and it never identified a license provision that authorized the challenged pre-installation conduct.8 That was error. At summary judgment, “[t]he district court must not only properly consider the record . . . but must consider that record in light of the ‘governing law.‘” Zetwick v. County of Yolo, 850 F.3d 436, 441 (9th Cir. 2017)
(quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). “[W]here application of incorrect legal standards may have influenced the district court‘s conclusion, remand is appropriate.” Id. at 442. By applying no legal standard to interpret the licenses, the district court failed to apply the correct one. In doing so, the court excluded pre-installation conduct from its analysis. Thus, we remand for the court to properly analyze the licenses. The court must reconsider all infringement claims for pre-installation conduct, including the direct infringement claims for which the court also limited its focus to unauthorized installations.9
As is relevant here, direct infringement requires copying of a protected work by the defendant. Seven Arts, 733 F.3d at 1254. It is undisputed that HPE‘s installation of patches on unsupported servers would constitute infringement. But the parties dispute whether Oracle‘s evidence showed that HPE performed such installations for its direct customers. We address separately the non-Symantec customers and Symantec and conclude that triable issues remain.
1. Non-Symantec Customers
The district court reasoned that, to survive summary judgment on the direct infringement claims for non-Symantec customers, Oracle had to provide: “(1) evidence that HPE installed a patch on a server that was not supported by an Oracle support contract, and (2) evidence that the
patch was released and downloaded while that server was not on contract.” Oracle does not challenge this application of the copying element, and thus, it guides us here.
Oracle relied on an analysis by its expert, Christian Hicks, of HPE-produced spreadsheet data for 35 HPE direct customers to show that HPE performed unauthorized patch installations. The spreadsheets had an “Installed on Date” column and a column identifying the hardware serial number. Hicks treated the “Installed on Date” column as showing actual installation dates. He found 210 instances of patching where “the ‘Installed on Date’ in HPE‘s data occurred after Oracle support for that server had ended.” He found that for 188 of those instances, Oracle had not released the patches until after Oracle support for the server expired. Crediting HPE‘s arguments, the district court concluded that Oracle could not prove with this data (a) unauthorized installations (b) by HPE. We disagree.
a. Unauthorized Patch Installations
The district court found an insurmountable “ambiguity” about whether the “Installed on Date” column reflected actual patch installations. The “ambiguity” stemmed from testimony by David Jensen, HPE‘s Rule 30(b)(6) witness and a former HPE employee. In considering this testimony, the court failed to draw all reasonable inferences in Oracle‘s favor.
Jensen testified that the “Installed on Date” column had three possible meanings. It could mean the date that: (1) a kernel patch was installed, (2) a patch was released from the vendor, or (3) a file was updated on the system, such as a deletion, modification, or change to the file. Although Jensen testified that one could not know which meaning applied, he explained that the field prioritized the first meaning. Only if actual installation data was unavailable would the entry reflect another meaning. This testimony supported the actual installation date meaning that Hicks attributed to “Installed on Date,” and it showed that that meaning was prioritized.10 In light of this evidence, the district court could not properly assume in HPE‘s favor that no entries reflected an actual installation.
The court also reasoned that even if all entries reflected installations, “Oracle
b. By HPE
A “direct infringement claim turn[s] on ‘who made’ the copies[.]” Fox Broad. Co. v. Dish Network L.L.C., 747 F.3d 1060, 1067 (9th Cir. 2014) (quoting Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121, 130 (2d Cir. 2008)) (emphasis in original). Oracle must “show causation (also referred to as ‘volitional conduct‘) by the defendant.” Perfect 10, Inc. v. Giganews, Inc., 847 F.3d 657, 666 (9th Cir. 2017), cert denied, 138 S. Ct. 504 (2017). This requires conduct by the defendant “that can reasonably be described as the direct cause of the infringement.” Id. (citation omitted) (emphasis in original).
Relying on Jensen‘s testimony, HPE avers that some entity other than it—Oracle, the customer, or some unknown third party could have installed patches for its direct support customers. Jensen‘s testimony, however, could not foreclose that HPE installed patches. Indeed, he testified that when the data indicated that a patch was applied to a server, it “could mean” that a customer updated the patch, a customer-hired third party did it, or critically—that HPE applied the patch if HPE had the responsibility to do so. HPE evades and the district court failed to acknowledge this third scenario, which plainly goes to causation by HPE.11
HPE further contends that Oracle cannot prove causation because Hicks did not know who performed any patch installations. Hicks, however, relied on the fact that HPE supported the servers identified in HPE‘s data and that
customers specifically paid HPE to support their Solaris software to conclude that HPE made installations. We see no reason why a reasonable jury could not rely on these same circumstances. Viewing the evidence in the light most favorable to Oracle, a reasonable jury could find that HPE performed patch installations for direct customers. Thus, summary judgment was improper on the direct infringement claims concerning non-Symantec customers.
2. Symantec
Summary judgment for HPE on the direct infringement claims concerning Symantec was also improper. The testimony from HPE‘s employees permitted the reasonable inference that HPE installed a patch on an unsupported Symantec server. Indeed, the court acknowledged that testimony from HPE employees showed that HPE “had a practice of . . . installing patches downloaded from and delivered through Terix for Symantec‘s off-contract
HPE also argues that the district court held that Oracle did not show that any patch delivered to Symantec was protectable. If true, Oracle could not press infringement claims for such patches. Seven Arts, 733 F.3d at 1254 (observing that “ownership of a valid copyright” is a “basic
element” of infringement) (citation omitted). The district court, however, does not appear to have granted summary judgment for HPE on this basis, but instead to have merely acknowledged HPE‘s argument. Although we may affirm on any ground supported by the record, Johnson v. Riverside Healthcare Sys., LP, 534 F.3d 1116, 1121 (9th Cir. 2008), the record supplied by the parties is insufficient for us do so. We have no obligation to mine the extensive district court record, and we decline to do so here. See In re Oracle Corp. Sec. Litig., 627 F.3d 376, 386 (9th Cir. 2010) (“It behooves litigants, particularly in a case with a record of this magnitude, to resist the temptation to treat judges as if they were pigs sniffing for truffles.“). The district court may revisit and clarify this issue on remand.
CONCLUSION
We affirm the partial summary judgment for HPE on the copyright infringement and IIPEA claims as time-barred. We affirm in part summary judgment on the indirect infringement claims for patch installations by Terix. We reverse summary judgment on all infringement claims for pre-installation conduct, and on the direct infringement claims for unauthorized patch installations by HPE.
AFFIRMED IN PART, REVERSED AND VACATED IN PART, and REMANDED. EACH PARTY SHALL BEAR ITS OWN COSTS.