By Rohan Parekh
Streaming music revenues now account for sixty-five percent of the revenue share in the music industry thanks to streaming services like Spotify, YouTube, Apple Music, and Tidal. Despite an increase in listeners and subscribers to these services, the industry is being undermined by instances of streaming fraud, which involves using a bot or human to repeatedly click on a song to rack up royalty payments or payments that artists receive for every time a song is streamed, at the expense of other artists, rather than listening to the underlying content. The streaming service Tidal has recently been accused of faking streams for artists like Kanye West and Beyoncé, and the Norwegian rights holder group TONO has filed an official police complaint in Norway for law enforcement to look into the streaming manipulation. Just last year, a scamming operation in Bulgaria involved the creation of fake user accounts and automation of plays for 500 thirty-second songs, resulting in a large payout to the scammers. Spotify removed the playlists after the scam was detected.
While no lawsuit has been filed yet regarding fake streaming, litigators might be able to rely on section (a)(4) of the Computer Fraud and Abuse Act (CFAA) to go after streaming fraud perpetrators. It is a crime under section (a)(4) to knowingly, and with the intent to defraud, access a protected computer without authorization, or exceed authorized access, and obtain anything of value. The phrase “obtain anything of value” includes obtaining customers or subscribers, and courts would likely find increased plays, which result in royalty payments, to be something of value.
Courts that interpret authorization in the broadest sense allow plaintiffs to recover royalties paid to scammers, artists, or even streaming services committing click fraud. Furthermore, as streaming technologies continue to develop, and popular social media websites like Facebook enter into music licensing deals, the CFAA must be interpreted to give plaintiffs the broadest resources and remedies possible to combat fraud so that artists and listeners using legitimate methods of streaming have confidence in the music services that stream their music and stream their favorite artists, respectively.
 See Joshua P. Friedlander, News and Notes on 2017 RIAA Revenue Statistics (RIAA, Washington, D.C.), 2018, at 1 (stating that streaming accounts for $5.7 billion in total music industry revenue).
 See Tim Ingham, Forget About Fake Artists – It’s Time to Talk About Fake Streams, Music Bus. Worldwide (July 20, 2017), https://www.musicbusinessworldwide.com/forget-about-fake-artists-its-time-to-talk-about-fake-streams/(describing that websites allegedly offer increased streams for money).
 See Tim Ingham, Tidal Accused of Deliberately Faking Kanye West and Beyoncé Streaming Numbers, Music Bus. Worldwide (May 9, 2018), https://www.musicbusinessworldwide.com/did-tidal-falsify-streams-to-bulk-up-kanye-west-and-beyonce-numbers/ (explaining that a Norwegian University of Science and Technology Center for Cyber and Information Security study found that Tidal likely accessed genuine user accounts to increase artist play-counts).
 See Amy Wang, A Bulgarian Scheme Scammed Spotify for $1-Million Without Breaking A Single Law, Quartz (Feb. 22, 2018), https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-for-1-million-without-breaking-a-single-law/ (stating that until Spotify comes up with a solution, cheating music streaming will result in thousands to millions of misappropriated dollars).
 See id. (noting that a takedown approach is different from initiating litigation because a takedown removes the songs but does not recover the paid out royalties).
 See generally Artin Gholian and Brian S. Kabateck, Feature: Click Here: The Computer Fraud and Abuse Act May Become the Best Tool for Fighting Internet Advertising Click Fraud 33 L.A. Law. 22 (2010) (stating that the CFAA has been used in advertising fraud litigation).
 See generally 18 U.S.C. § 1030(a)(4) (2017) (asserting that prosecutors must allege certain conduct to file charges under the CFAA).
 See In re AOL, Inc. Version 5.0 Software Litig., 168 F. Supp. 2d 1359, 1379-81 (S.D. Fla. 2001) (holding that although the typical item of value in CFAA litigation is usually data, customers have been found to be a thing of value).
 See 18 U.S.C.§ 1030(e)(6) (2017) (defining the term “exceeds authorized access,” but still leaving interpretation of the term “authorized” up to court interpretation).
 See EF Cultural Travel BV, 274 F.3d at 583 (holding that the defendant went beyond the authorized use of plaintiff’s website by using proprietary information to learn about the plaintiff’s technical abilities and gain a competitive advantage).
 See Nosal, 676 F.3d at 863 (holding that “exceeding authorized access” occurs when initial access is permitted and the access of certain information is not allowed, but that “exceeding authorized access” does not place limits on the use of such information).
 See Spotify Terms and Conditions of Use, Spotify (July 6, 2017), https://www.spotify.com/us/legal/end-user-agreement/#s10 (prohibiting users from “artificially increasing play count or otherwise manipulating the services by using a script or other automated process”).
 See William Bedell, I Built a Botnet that Could Destroy Spotify with Fake Listens, Motherboard, Oct. 16, 2015, https://motherboard.vice.com/enus/article/gv5xbx/i-built-a-botnet-that-could-destroy-spotify-with-fake-listens (describing that robots were used to create valid user accounts with minimal barriers to entry and did not set off Spotify’s fraud algorithms).
 See United States v. John, 597 F.3d 263, 269 (5th Cir. 2010) (finding that “authorized access” or “authorization” encompasses limits placed on the use of information obtained through permitted access to a computer system and data available on that system).
 See S. Rep. No. 104-357, at 11 (1996) (discussing how the CFAA amendments reflect the importance of the new ways hackers manipulate technology).
 See America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d. 444, 450 (E.D. Va. 1998) (concluding a violation of the CFAA occurred when a website member obtained and altered information).
 See generally Complaint, Microsoft Corp. v. Lam, No. C09-0815 (W.D. Wash. June 15, 2009) (stating that the alleged fraudulent behavior violated Microsoft’s provision of “generating automated or fraudulent impressions or clicks on sponsored sites on the Microsoft networks”).
 See Bedell, supra note 14 (stating bots were given “access” to user accounts and streamed music like human users without detection).
 See Stuart Dredge, Facebook Signs Universal Music Licensing Deal for Music, Video, and More, MusicAlly (Dec. 21, 2017), https://musically.com/2017/12/21/facebook-universal-music-licensing-deal/ (stating that Facebook has entered into the music licensing landscape, but that it is unclear if the royalty model will resemble other music streaming services); Tim Ingham, In Wake of Bulgarian Scam, Spotify Unleashes Its Own Anti-Fraud SquadMusic Bus. Worldwide (Mar.8, 2018), https://www.musicbusinessworldwide.com/in-wake-of-bulgarian-scam-spotify-unleashes-its-own-anti-fraud-squad/(noting that Spotify has increased efforts to stamp down on fraudulent activity).