Free Speech

Requiring Creation of Computer Code Doesn't Violate the First Amendment

Seems right to me, at least as a general matter.

|The Volokh Conspiracy |

From Judge G. Murray Snow's decision Wednesday in CDK Global LLC v. Brnovich (D. Az.):

Plaintiffs CDK Global LLC and Reynolds and Reynolds Company … develop, own, and operate proprietary computer systems known as dealer management systems ("DMSs") that process vast amounts of data sourced from various parties. Automotive dealerships hold licenses to DMSs to help manage their business operations, including handling confidential consumer and proprietary data, processing transactions, and managing data communications between dealers, customers, car manufacturers, credit bureaus, and other third parties. Plaintiffs employ multiple technological measures—such as secure login credentials, CAPTCHA prompts, and comprehensive cybersecurity infrastructure, hardware, and software—to safeguard their DMS systems from unauthorized access or breach. Plaintiffs also contractually prohibit dealers from granting third parties access to their DMSs without Plaintiffs' authorization.

In March 2019, the Arizona Legislature passed the Dealer Data Security Law ("the Dealer Law")…. The Dealer Law regulates the relationship between DMS licensers like Plaintiffs and the dealerships they serve. Under the Dealer Law, DMS providers may no longer "[p]rohibit[] a third party [that has been authorized by the Dealer and] that has satisfied or is compliant with … current, applicable security standards published by the standards for technology in automotive retail [(STAR standards)] … from integrating into the dealer's [DMS] or plac[e] an unreasonable restriction on integration …." The Dealer Law also requires that DMS providers "[a]dopt and make available a standardized framework for the exchange, integration and sharing of data from [a DMS]" that is compatible with STAR standards and that they "[p]rovide access to open application programming interfaces to authorized integrators." Finally, a DMS provider may only use data to the extent permitted in the DMS provider's agreement with the dealer, must permit dealer termination of such agreement, and "must work to ensure a secure transition of all protected dealer data to a successor dealer data vendor or authorized integrator" upon termination….

Plaintiffs allege the Dealer Law abridges their freedom of speech in two ways.

First, Plaintiffs contend that because they are "not merely conduits facilitating the transmission of information between dealers and third-party integrators," but rather "organize[rs of] information belonging to dealers and others in their proprietary DMSs," the Dealer Law violates the First Amendment by requiring Plaintiffs to share "information, as they have organized it, with third parties." Plaintiffs describe this information sharing as "compelled … communicat[ion]." To the extent that Plaintiffs seek protection for any copyright they have in the organization of their DMS information, they have stated a claim to such protection that survives, as addressed in the above Copyright Act section. However, Plaintiffs have provided no relevant authority to support the claim that organization of otherwise unprotected information is subject to First Amendment protection.

At oral argument, Plaintiffs cited Arkansas Educational Television Commission v. Forbes, 523 U.S. 666 (1998), for the provision that the First Amendment protects the organization of material. Forbes held that a public broadcaster "engages in speech activity" when it "exercises editorial discretion in the selection and presentation of its programming"; however, that case is inapposite here, where, unlike the broadcaster in Forbes, Plaintiffs' organizational decisions do not result in a decision by Plaintiff as to what speech to disseminate. Forbes dealt with the organizing broadcaster's right to exclude a candidate for federal office from a televised debate—in other words, allowing the broadcaster the freedom to "speak" by running programming that did not include the candidate. Here, Plaintiffs' seek First Amendment protection not to "speak," but to protect information stored within the DMS from access by any others, relief more appropriately provided—if at all—through statute. Plaintiffs' first free speech arguments fails.

Plaintiffs' second First Amendment argument is that because they will be "compelled to write computer code if the Dealer Law goes into effect" and "the computer code Plaintiffs must write falls within the First Amendment's protection," the Dealer Law violates the First Amendment because it "necessarily alters the content of [Plaintiffs'] speech," demanding "exacting First Amendment scrutiny." Plaintiffs complaint does not sufficiently allege how writing code to make unprotected information accessible to third parties is subject to First Amendment scrutiny.

Computer code and computer programs constructed from code can constitute speech warranting First Amendment protection. Universal City Studios, Inc. v. Corley, 273 F.3d 429, 449 (2d Cir. 2001); see also United States v. Elcom Ltd., 203 F. Supp. 2d 1111, 1127 (N.D. Cal. 2002) ("[c]omputer software is … speech that is protected at some level by the First Amendment"). However, whether code rises to the level of speech under the First Amendment depends on whether "a programmer might be said to communicate through code to the user of the program (not necessarily protected)" or only "to the computer (never protected)." Corley, 273 F.3d at 449. And even when software communicates to a user, where it is "mechanical[]" and does not involve "second-guessing" or "intercession of the mind or the will of the recipient," such code is devoid of any constitutionally protected speech. Id. (describing the holding of Commodity Futures Trading Comm'n v. Vartuli, 228 F.3d 94 (2d Cir. 2000)).

The Dealer Law does not in fact mandate that a DMS provider write code. It only mandates that owners of DMS systems "[a]dopt and make available a standardized framework for the exchange, integration and sharing of data from [a DMS]," Ariz. Rev. Stat. Ann. § 28-4654, "[p]rovide access to open application programming interfaces to authorized integrators," id., and allow "third part[ies] that ha[ve] satisfied or [are] compliant with the star standards or other generally accepted standards that are at least as comprehensive as the star standards and that the dealer has identified as one of its authorized integrators [to] integrat[e] into the dealer's dealer data system," Ariz. Rev. Stat. Ann. § 28-4653. Given the nature of existing DMSs, it would not be surprising if the implementation of these provisions required DMS providers to write code. Nevertheless, as the statute makes plain, the purpose of the Dealer Law—and thus any such code—is merely to facilitate the sharing of the otherwise unprotected underlying information in the DMS. To the extent Plaintiffs comply with the Dealer Law by creating code, that code only tells a computer how to function; it has no other expressive purpose.

Junger v. Daley, 209 F.3d 481 (6th Cir. 2000), is not to the contrary. In that case, the plaintiff sought to distribute encryption source code to demonstrate how computers work—code that qualified as speech because it was "an expressive means for the exchange of information and ideas about computer programming." 209 F.3d at 485. Nor is this case like Bernstein v. U.S. Dep't of State, 922 F. Supp. 1426, 1429 (N.D. Cal. 1996), in which the regulation at issue prohibited the plaintiff's publication of code "articulat[ing] … mathematical ideas" so substantive they were also published in an academic paper. Plaintiffs cannot plausibly argue that the Dealer Law's regulation of Plaintiffs' code goes beyond the code's capacity "to instruct a computer" to give third parties access to dealer data, just as the Corley court held that the DMCA's prohibition on posting technology for circumventing DVD encryption on the internet was a functional and not a speech regulation. 273 F.3d at 454. The allegations of Plaintiffs' complaint establish that, unlike in Junger, Bernstein, and Corley, any code Plaintiffs create pursuant to the Dealer Law only instructs a computer to provide access to unprotected information contained in Plaintiffs' DMSs. Thus, as alleged in the complaint, the Dealer Law does not regulate speech under the First Amendment….

The court also rejected various other arguments made by the plaintiffs, but allowed their Takings Clause and Contracts Clause claims to go forward (at least until the motion for summary judgment stage; this was a decision on a motion to dismiss).

NEXT: Kentucky Police Chief Retires in Wake of Breonna Taylor's Death

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. I should have learned to code but my mother discouraged me from pursuing computer engineering as a career path. Now I’m just a putz living in the Deep South!

    1. I wonder if the bill of rights will ever apply to a sufficiently advanced artificial intelligence. What do you think Rabbi?

      1. It applies to cyborgs, like Mark Zuckerberg, so I expect that eventually AI rights would be recognized by the US government. I hope Microsoft frees my old girlfriend, TayAI, so she can post on Twitter again.

        1. How did you two meet?

  2. They should have also made a 13th Amendment claim. Governments have gotten far too comfortable ignoring the 13th Amendment.

    1. Agreed. The 13th amendment is terribly under-enforced, due to the government not wanting to admit that the government itself compelling people to do something can be “involuntary servitude”.

    2. Maybe there is “involuntary servitude” if the data interface was being built for use by the government, and not customers in general.

      For example, does the government reimburse Microsoft, Google, Facebook, and Apple for the data interfaces they create and maintain for the NSA? As I understand it from the Snowden revelations, the government has basically drafted big tech into the national security business.

  3. Oh for Christ’s sake!
    Just stop doing business in AZ.
    When a business sees this coming, they should tell their subscribers that you will end their license on the effective date of the law, and if they wish to continue as they are, they should lobby the state legislature to not pass the bill.
    Given the recent history in this country, all businesses should include clauses in their contracts allowing for termination if there are significant changes in the legislative or regulatory climate.

    1. if they wish to continue as they are, they should lobby the state legislature to not pass the bill.

      This law was pushed for by auto dealerships in the State of Arizona. So this is EXACTLY what happened.

      Or are auto dealerships not businesses to you?

  4. Is this “right to repair”?

    We have that in Massachusetts — motor vehicle manufacturers are required to allow both vehicle owners and independent garages to have access to the same vehicle diagnostic and repair information that the dealers do. An update to include the electronic vehicle data electronically transmitted to the dealer is on November’s ballot.

    If you don’t want to sell vehicles in Massachusetts — nor have them be registerable in Massachusetts — fine. But otherwise this is a legitimate consumer protection law.

    1. “Is this “right to repair”?

      I doubt it. This is not about the internal systems of individual vehicles. It’s about systems for a dealership to manage inventory and customer relationships.

      1. No, it is about a prohibiting a prior restraint on trade.

        1. It is about a prohibiting a prior restraint on trade in systems used to manage automotive dealerships, not systems used to repair automobiles.

  5. Although it wasn’t fully adjudicated, first amendment claims were part of Apple’s refusal to write a backdoor for iphones in the San Bernardino case. I have a feeling this will come back and wind up at SCOTUS.

    I’m also skeptical that the US Constitution gives explicit creative work credit to computer code through copywrite, but its not expressive enough to be compelled speech.

  6. Why didn’t plaintiffs argue that the human-to-human (documentation or other) communication necessary to enable these complex APIs to actually be *used* by the authorized integrators, is compelled communication?

    1. ..or maybe they are planning to supply the APIs without documentation and let the integrators figure it out (and while they’re at it, provide no maintenance support beyond the bare code fixes – no communication to humans as to which bugs were fixed when, available workarounds, necessary tweaks to functionality or caveats introduced, etc.)?

  7. Always hard to find the gist of an argument to which a court is determined to give short shrift, but after skimming the opinion, my entirely uninformed guess is that the compelled speech claim arose from the fact that they were compelled to allow developers to use their DB layers to port out information to their own apps. As if the Yankees fan wiki was compelled to open up its DB layers (especially the ones closer to the interface, where it’s more than a phone book) to a monetized newsfeed run by the Red Sox front office — there might be a few (more) angry folks in the Bronx.

    Mr. D.

  8. “The Dealer Law does not in fact mandate that a DMS provider write code.”
    I can tell you, as a programmer, that this statement is factually incorrect. In order to make the existing data structures implement the state-mandated API, coding will be necessary in all cases. However, the result is still correct because the code is purely functional and does not possess First Amendment protection.

    A different argument about compelled labor or a taking based on requiring the production of a work product without compensation might have a different result, however. Or at least maybe it should have a different result, but I don’t think modern courts would see it that way.

    1. ““The Dealer Law does not in fact mandate that a DMS provider write code.”
      I can tell you, as a programmer, that this statement is factually incorrect. ”
      I agree.
      “However, the result is still correct because the code is purely functional and does not possess First Amendment protection.”
      I disagree. The notion that there’s a distinction in creative effort in producing an interface that is “purely functional” and some other thing is nonsense. It’s not as if producing an API involves some mechanical process, like long division. This is a running system, with one or more databases behind it. One has to be quite clever to create an API that can extract valid data from such a system. Even the design, the architecture, of the API requires creative thought and expression.

      1. One has to be quite clever to create an API that can extract valid data from such a system. Even the design, the architecture, of the API requires creative thought and expression.

        Millions of engineers create and write API interfaces every day. It doesn’t require anyone to be quite clever. And as companies like AWS further tune their API Gateway Service offerings – one doesn’t even need to know how to code.

        1. You don’t know what you’re talking about. Taking an existing software system and creating an API according to an external spec is non-trivial.

          1. It appears the issue is database access which is not difficult to implement.

            1. Only if you give everyone access to the entire database, and regardless of the state of the software system; which is clearly not feasible.

        2. “And as companies like AWS further tune their API Gateway Service offerings – one doesn’t even need to know how to code.”

          With apologies to Max Planck, that statement is “not even wrong”.

  9. Right to repair correct. Compare this to the battle in Kansas between farmers and John Deere Tractors Inc.

    Not just simple repairs, but also the right to use 3rd party replacement parts, the right to defeat JD detection and lockout of 3rd party parts, the right to reverse engineer the software for purposes of diagnosis and extension and adaption. In short, all activities a farmer (or a car dealer) needs to conduct as part of his legitimate business.

    I say this as a person who made a living by licensing proprietary software. There should be limits regarding how far I can go holding my client’s core business hostage to protect my proprietary rights.

    It might even be fun to argue that the software vendor has produced ransomware. There might be anti-ransomware laws around that could be applied in cases like this.

    I say all this with no specific knowledge of the details in this case.

    1. What I don’t understand is why this hasn’t hurt Deere’s sales because there *are* other tractor manufacturers.

  10. I find judges and lawyers writing and decisions regarding technology matters to be simultaneously laughable and infuriating.

    That said, who is supposed to pay for this API development? And, the notion that writing code to allow access to the data is not a creative work is nonsense.

    What if CDK Global LLC and Reynolds and Reynolds Company wrote an API so shitty, indecipherably obscure, with zero support? (I know this is possible, having participated in obfuscated C coding contests years ago. (See ioccc dot org.)) Do a maintenance release once a decade. And so on.

    Were I the vendor I would just leave Arizona, and tell customers their that the law voids any contract, and ask where would they like their data dumped. I’d give them a hard copy of their data.

    1. What if CDK Global LLC and Reynolds and Reynolds Company wrote an API so shitty, indecipherably obscure, with zero support? … Do a maintenance release once a decade. And so on.”

      Wouldn’t that create liability if it led to a security breach?

      Wouldn’t there be potential punitive damages if it could be proven that this was deliberate?

      1. Or if there were a security breach of unknown cause and this intent could be proven…..

        1. The law shouldn’t be able to force a company to perform to any particular standard. If it did, Bill Gates would be doing life in prison.

      2. Are you suggesting this law requires a particular service level to be delivered by the company, like a certain time to correct a high or critical CVE? A law that requires new functionality and a CVE, but specifically prohibits fees?

        1. I’m suggesting that if it could be proven that the company intentionally marketed a flawed product, and that flaw harmed someone, there might be liability.

          ANY product — and if it came out that the company had INTENTIONALLY made it flawed, that could be problematic.

          1. I’m not saying “intentionally make it flawed,” I’m just saying don’t try that hard. Outsource it to some inexpensive body shop in India or China. They never intentionally make shitty code, but they make a lot of shitty code.

            As I think I asked, is the legal system now going to police software quality? Maybe do code reviews, SQA, etc.?

            1. FWIW I think it’s safe to say that no substantial real world software application is known to be correct (where “known” means proven; one can’t test a substantial program into correctness), especially when “program” is taken to mean the entire operating stack (OS, libraries, firmware, hardware), tools (compiler, assembler, linker), tools used in the proof, etc. Correctness is a matter of pragmatism and degree, and while life-, security-, and infrastructure-critical apps push the envelope, none achieve perfection, and most sizeable commercial software has thousands to millions of bugs at the application level alone.
              (If anyone can cite a real world counterexample, I’d be interested in hearing about it).

          2. I’m guessing you’ve never read a modern commercial software EULA. Pretty much all of them specifically disclaim any “fitness for a particular purpose” as well as other astoundingly broad disclaimers.

        2. Meant “SLA,” not “CVE” at the end of that last sentence.(s/CVE/SLA/2)

  11. By the way, Google v. Oracle is scheduled for oral arguments at SCOTUS in October. At issue, whether APIs are copyrightable. This case could turn on that result.

  12. “However, Plaintiffs have provided no relevant authority to support the claim that organization of otherwise unprotected information is subject to First Amendment protection.”

    This doesn’t seem right. See Learned Hand’s opinion in Reiss v. National Quotation Bureau, 276 Fed. 717 (S.D.N.Y. 1921). Seems to me if you can copyright a series of letters with no meaning, you ought to be able to copyright a certain organization of data.

  13. The first rule of software – “This is my software. It does what I say it does. If you don’t like it, write your own.” There is already a solution. The integrator can create a screen scraping app in Citrix – have a nice day. If a legislature creates a law that a house painter must create a masterpiece, will the courts support that? This is not a health and safety issue like seat belts or pollution control or a building code. What is the constitutional justification for compelling someone to write software?

    1. What’s the constitutional justification for compelling me to put a license plate on my truck?

Please to post comments