                    FOR PUBLICATION

   UNITED STATES COURT OF APPEALS
        FOR THE NINTH CIRCUIT

 ORACLE AMERICA, INC., a Delaware                 No. 19-15506
 Corporation; ORACLE
 INTERNATIONAL CORPORATION, a                       D.C. No.
 California Corporation,                         4:16-cv-01393-
                Plaintiffs-Appellants,                JST

                     v.
                                                    OPINION
 HEWLETT PACKARD ENTERPRISE
 COMPANY, a Delaware Corporation,
               Defendant-Appellee.

        Appeal from the United States District Court
          for the Northern District of California
          Jon S. Tigar, District Judge, Presiding

             Argued and Submitted June 8, 2020
                 San Francisco, California

                     Filed August 20, 2020

   Before: MILAN D. SMITH, JR. and ANDREW D.
  HURWITZ, Circuit Judges, and C. ASHLEY ROYAL, *
                   District Judge.

            Opinion by Judge Milan D. Smith, Jr.

    *
      The Honorable C. Ashley Royal, United States District Judge for
the Middle District of Georgia, sitting by designation.
2     ORACLE AMERICA V. HEWLETT PACKARD ENTER.

                          SUMMARY **


                             Copyright

    The panel affirmed in part and reversed in part the
district court’s grant of summary judgment in favor of
Hewlett Packard Enterprise Co. in a copyright infringement
action brought by Oracle America, Inc., and Oracle
International Co.

    Oracle, owner of the proprietary Solaris software
operating system, granted customers a limited use license
and required customers to have a prepaid annual support
contract to access patches for a server. Oracle alleged that
HPE improperly accessed, downloaded, copied, and
installed Solaris patches on servers not under an Oracle
support contract. HPE provided support for all of its
customers’ servers, including servers running Solaris
software, and it subcontracted indirect support to Terix
Computer Co. Oracle asserted direct copyright infringement
claims concerning HPE’s direct support customers, and it
asserted indirect infringement claims concerning joint HPE-
Terix customers.

    The panel affirmed the district court’s partial summary
judgment for HPE on claims for copyright infringement and
intentional interference with prospective economic
advantage based upon the statute of limitations. Following
a prior suit by Oracle against Terix, Oracle and HPE entered
into an agreement, effective May 6, 2015, to toll the statute

    **
       This summary constitutes no part of the opinion of the court. It
has been prepared by court staff for the convenience of the reader.

of limitations for any claims that Oracle might assert against
HPE. The panel held that under the Copyright Act’s three-
year statute of limitations, Oracle’s copyright infringement
claims were barred for conduct before May 6, 2012. The
panel concluded that Oracle had constructive knowledge and
thus a duty to investigate but did not conduct a reasonable
investigation into the suspected infringement. The panel
held that under a California two-year statute of limitations,
the IIPEA claim was barred for conduct before May 6, 2013.

    As to remaining infringement claims, the panel affirmed
in part the district court’s summary judgment on indirect
infringement claims for patch installations by Terix. The
panel reversed the district court’s summary judgment on all
infringement claims for pre-installation conduct and on
direct infringement claims for unauthorized patch
installations by HPE. As to indirect infringement, the panel
held that in interpreting Oracle’s licenses, the district court
erred by failing to consider pre-installation conduct. As to
direct infringement, the panel held that for certain customers,
referred to as “non-Symantec customers,” Oracle possibly
could prove unauthorized installations by HPE. Summary
judgment for HPE on the direct infringement claims
concerning customer Symantec was also improper.

  The panel addressed other issues in a concurrently filed
memorandum disposition.


                         COUNSEL

Gregory G. Garre (argued), Elana Nightingale Dawson, and
Charles S. Dameron, Latham & Watkins LLP, Washington,
D.C.; Christopher S. Yates, Christopher B. Campbell, and
Brittany N. Lovejoy, Latham & Watkins LLP, San
Francisco, California; Dorian Estelle Daley and Deborah
Kay Miller, Oracle America Inc., Redwood City, California;
Jeffrey S. Ross, Oracle America Inc., Burlington, California;
Dale M. Cendali and Joshua L. Simmons, Kirkland & Ellis
LLP, New York, New York; for Plaintiffs-Appellants.

Mark A. Perry (argued), Gibson Dunn & Crutcher LLP,
Washington, D.C.; Samuel G. Liverside, Joseph A. Gorman,
and Ilissa S. Samplin, Gibson Dunn & Crutcher LLP, Los
Angeles, California; Jeffrey T. Thomas and Blaine H.
Evanson, Gibson Dunn & Crutcher LLP, Irvine, California;
Vaishali Udupa, Hewlett Packard Enterprise Company,
Reston, Virginia; Deanna L. Kwong, Hewlett Packard
Enterprise Company, San Jose, California; for Defendant-
Appellee.

William A. Isaacson and Samuel S. Ungar, Boies Schiller
Flexner LLP, Washington, D.C.; Keith Kupferschmid and
Terry Hart, Copyright Alliance, Washington, D.C.; for
Amicus Curiae Copyright Alliance.

Mark E. Ferguson, Bartlit Beck LLP, Chicago, Illinois;
Abigail M. Hinchcliff, Bartlit Beck LLP, Denver, Colorado;
for Amici Curiae Repair Association and Electronic Frontier
Foundation.


                        OPINION

M. SMITH, Circuit Judge:

    Oracle America, Inc. and Oracle International
Corporation (together, Oracle) own the proprietary Solaris
software operating system. Oracle periodically releases
patches for this software to address functionality, improve
performance, and resolve security issues. As is relevant
here, Oracle restricts use of the Solaris software, including
software patches. It grants a customer a limited use license,
and it requires a customer to have a prepaid annual support
contract to access patches for a server.

    Oracle brought copyright infringement claims,
California state law intentional interference claims, and a
California Unfair Competition Law (UCL) claim against
Hewlett Packard Enterprise Company (HPE), alleging that
HPE and nonparty Terix Computer Company, Inc. (Terix)
improperly accessed, downloaded, copied, and installed
Solaris patches on servers not under an Oracle support
contract. On cross motions, the district court granted
summary judgment for HPE. We affirm the district court’s
partial summary judgment for HPE on the infringement and
intentional interference claims based upon the statute of
limitations. We affirm in part and reverse in part the
summary judgment on what remains of the infringement
claims. We address all other issues in a concurrently filed
memorandum disposition.

  FACTUAL AND PROCEDURAL BACKGROUND

I. The Solaris Software

    Oracle has owned federally registered copyrights for the
Solaris software since it purchased Sun Microsystems (Sun)
in January 2010. Various Solaris patches also have code
registered with the United States Copyright Office. Oracle
licenses use of the Solaris software to a customer when the
customer purchases a server with preinstalled software. The
Solaris versions at issue here are Solaris 8, 9, 10 and 11. The
Binary Code License Agreement applies to Solaris 8 and 9.
The Software License Agreement (SLA) applies to Solaris
10. 1

    Customers with a prepaid annual Oracle support contract
can access Solaris patches through the password protected
My Oracle Support (MOS) website. 2 A customer must place
every server for which it desires support on an active support
contract. A support contract is subject to policies that also
define a customer’s right to access patches. With an active
support contract, a customer can create an MOS username
and password. Upon accessing the MOS, the customer must
agree to additional terms of use concerning the software on
the site.

II. Third-Party Support of Solaris Software by HPE and
    Terix

    As is relevant here, HPE has a multi-vendor support
business that serves as a “one-stop-shop” to support all
servers an HPE customer has, including servers running
Solaris software. HPE provides such support directly and
indirectly. HPE subcontracted indirect support to Terix, a
company which specialized in supporting Oracle software.
For joint HPE-Terix customers, Terix arranged for a server
to have Oracle support in the customer’s name with a prepaid
Terix-supplied credit card and created an MOS credential for
the single-server Oracle support contract. Terix also
provided customers with a form email to send to Oracle.
Terix downloaded patches using the credentials to make
copies for use on off-contract servers as part of the so-called
    1
      A customer-specific entitlement accompanies the SLA. Solaris 11
is governed by a license similar to the SLA.
    2
      Oracle ceased Sun’s gratis release of security-related patches,
firmware updates, and new Solaris operating system versions.

“one-to-many” scheme. When a customer was not yet
supported, Terix created credentials by using fictitious
names, email addresses, and credit cards.

    Oracle sued Terix in July 2013, alleging copyright
infringement concerning the Solaris patches, among other
claims. Oracle Am., Inc. v. Terix Comp. Co., Inc., No. 4:13-
cv-3385-JST, Dkt No. 1 (N.D. Cal. July 19, 2013).
Following summary judgment for Oracle on Terix’s license
affirmative defense there, Oracle Am., Inc. v. Terix Comp.
Co., 2015 WL 2090191 (N.D. Cal. May 5, 2015), Terix
stipulated to a judgment for Oracle on the infringement and
fraud claims without admitting liability. Thereafter, Oracle
and HPE entered into an agreement, effective May 6, 2015,
to toll the statute of limitations for any claims that Oracle
might assert against HPE.

III.    This Litigation

    Oracle brought this suit against HPE in March 2016 for
copyright infringement pursuant to 17 U.S.C. §§ 101, et seq.,
intentional interference with contractual relations (IICR),
intentional interference with prospective economic
advantage (IIPEA), and violations of the UCL, Cal. Bus. &
Prof. Code § 17200. Among other affirmative defenses,
HPE asserted express and implied license. Following
discovery, Oracle moved for partial summary judgment on
the infringement claims and some affirmative defenses,
including the license defense. HPE cross moved on all
claims. The district court granted summary judgment for
HPE. Oracle timely appealed.

   JURISDICTION AND STANDARD OF REVIEW

    We have jurisdiction pursuant to 28 U.S.C. § 1291. We
review a grant of summary judgment de novo. Shelley v.
Geren, 666 F.3d 599, 604 (9th Cir. 2012). “We must
determine, viewing the evidence in the light most favorable
to the nonmoving party, whether there are any genuine issues
of material fact and whether the district court correctly
applied the substantive law.” Zabriskie v. Fed. Nat’l Mortg.
Ass’n, 940 F.3d 1022, 1026 (9th Cir. 2019) (citation and
quotations omitted).

                            ANALYSIS

I. The Statute of Limitations

    It is undisputed that the May 6, 2015 effective date of the
parties’ tolling agreement applies in this case. Thus, we
consider whether the copyright infringement claims are
barred for conduct before May 6, 2012 and the IIPEA claim
is barred for conduct before May 6, 2013. 3

    A. The Copyright Infringement Claims

    A copyright infringement claim is subject to a three-year
statute of limitations, which runs separately for each
violation. 17 U.S.C. § 507(b); Petrella v. Metro-Goldwyn-
Mayer, Inc., 572 U.S. 663, 671 (2014). “[A] copyright
infringement claim accrues—and the statute of limitations
begins to run—when a party discovers, or reasonably should
have discovered, the alleged infringement.” Media Rights

    3
      Oracle raised limitations arguments in its opening brief for only
copyright infringement and IIPEA claims. Oracle has waived the IICR
claim limitations argument it raised for the first time in reply. U.S. v.
Alcan Elec. & Eng’g, Inc., 197 F.3d 1014, 1020 (9th Cir. 1999). In any
event, our analysis on the IIPEA claim here would apply equally to the
IICR claim. HPE has also waived its perfunctory argument that the UCL
claims are time-barred. See Cal. Pac. Bank v. Fed. Deposit Ins. Corp.,
885 F.3d 560, 570 (9th Cir. 2018).

Techs., Inc. v. Microsoft Corp., 922 F.3d 1014, 1022 (9th
Cir. 2019). 4

    Although Oracle repeatedly argues that it lacked actual
knowledge of all the wrongdoing by HPE and Terix,
constructive knowledge triggers the statute of limitations.
“The plaintiff is deemed to have had constructive knowledge
if it had enough information to warrant an investigation
which, if reasonably diligent, would have led to discovery of
the [claim].” Pincay v. Andrews, 238 F.3d 1106, 1110 (9th
Cir. 2001) (citation omitted). We have previously explained
that “suspicion” of copyright infringement “place[s] upon
[the plaintiff] a duty to investigate further into possible
infringements of [its] copyrights.” Wood v. Santa Barbara
Chamber of Commerce, Inc., 705 F.2d 1515, 1521 (9th Cir.
1983). 5 Even if the plaintiff “may not actually have
conducted this further investigation, equity will impute to
[the plaintiff] knowledge of facts that would have been
revealed by reasonably required further investigation.” Id.;

    4
      Oracle waived its argument in reply about the district court’s
treatment of the indirect infringement claims as accruing when Oracle
discovered or could have reasonably discovered direct infringement.
Alcan Elec. & Eng’g, 197 F.3d at 1020.
    5
       Relying on O’Connor v. Boeing North American, Inc., 311 F.3d
1139 (9th Cir. 2002), Oracle argues that “suspicion alone” is not
sufficient to trigger the limitations period. O’Connor concerned whether
the discovery rule applied to 42 U.S.C. § 9658 preempted the California
discovery rule in the context of personal injury claims for exposure to
hazardous substances. Id. at 1146–49. We rejected “an interpretation of
the federal discovery rule that would commence limitations periods upon
mere suspicion of the elements of a claim” to “forestall” the filing of
unnecessary and preventive claims. Id. at 1148. We did not, however,
discuss Wood. As Oracle recognizes, Wood provides that suspicion of
infringement triggers a duty to investigate. 705 F.2d at 1521. We apply
that standard here.

see also Bibeau v. Pac. Nw. Res. Found. Inc., 188 F.3d 1105,
1108 (9th Cir. 1999) (citation omitted), as amended,
208 F.3d 831 (9th Cir. 2000) (explaining that the “twist” of
the discovery rule is that it requires “[t]he plaintiff [to] be
diligent in discovering the critical facts,” i.e., “that he has
been hurt and who has inflicted the injury” (citation
omitted)).

    Oracle concedes that it “had concerns” in November
2010 that Terix might purchase support for one system and
reuse the patches for all other systems. Oracle also had
suspicions about HPE as early as 2010 and certainly by
October 2011. Critically, Oracle concedes that “it made
inquiries of Terix and HPE after receiving reports of
potential infringement.” In relevant part, Oracle relies on
inquiries that occurred in 2008 and September 2011. Oracle,
thus, had a duty to conduct a reasonable investigation.
Bibeau, 188 F.3d at 1108; Wood, 705 F.2d at 1521.

    The doctrine of fraudulent concealment does not help
Oracle in this case. A plaintiff relying on this doctrine to toll
the limitations period must show “both that the defendant
used fraudulent means to keep the plaintiff unaware of his
cause of action, and also that the plaintiff was, in fact,
ignorant of the existence of his cause of action.” Wood,
705 F.2d at 1521. The doctrine does not apply if the plaintiff
had actual or constructive knowledge of the facts giving rise
to the claim. Hexcel Corp. v. Ineos Polymers, Inc., 681 F.3d
1055, 1060 (9th Cir. 2012). “The plaintiff is deemed to have
had constructive knowledge if it had enough information to
warrant an investigation which, if reasonably diligent, would
have led to the discovery of the fraud.” Id. (citation omitted).
Although Oracle singularly focuses on the means of the
purported concealment, it is not accurate that Oracle “had no
reason to suspect” infringement and thus no duty to inquire.
Taylor v. Meirick, 712 F.2d 1112, 1118 (7th Cir. 1983).
Oracle concededly suspected infringement of its patches by
Terix and HPE well before May 6, 2012.

    The remaining issue is whether Oracle conducted a
reasonable investigation into the suspected infringement.
Although “summary judgment is generally an inappropriate
way to decide questions of reasonableness,” it “is
appropriate ‘when only one conclusion about the conduct’s
reasonableness is possible.’” Gorman v. Wolpoff &
Abramson, LLP, 584 F.3d 1147, 1157 (9th Cir. 2009)
(quoting In re Software Toolworks, Inc., 50 F.3d 615, 622
(9th Cir. 1994)). Oracle’s only evidence of any investigation
concerns Terix. 6 In April 2012—a month before the three-
year lookback from the effective date of the tolling
agreement—an Oracle employee searched the MOS for a
“terix.com” email address to determine whether Terix
downloaded Solaris patches or purchased support contracts.
That search yielded no results.

    The district court determined that this investigation was
unreasonable because Oracle failed to use its contractual
right to audit customers, despite knowing that Oracle
customers were working with Terix. The court did not err in
focusing on this issue. Oracle had already identified
customer audits as a tool to protect its intellectual property.
Critically, only a customer with an active support contract
can access the MOS in the first instance. Furthermore,
Oracle requires that its customers ensure that third party
agents comply with the terms of use for the Solaris software.

    Oracle does not dispute that it had the right to audit its
customers. It asserts, however, that requiring it to have

   6
       Oracle does not argue that it investigated HPE.

exercised that right would be “unprecedented,” “dilute the
value of copyright ownership by increasing the costs of
policing for infringement,” and “subject its clients to a
hostile inquiry for the sake of tolling the statute of
limitations.” Oracle cites no evidence or authority
supporting these assertions, which are insufficient to
preclude summary judgment. S. A. Empresa de Viacao
Aerea Rio Grandense (Varig Airlines) v. Walter Kidde &
Co., Inc., 690 F.2d 1235, 1238 (9th Cir. 1982) (“[A] party
cannot manufacture a genuine issue of material fact merely
by making assertions in its legal memoranda”). Because
Oracle did not raise a triable issue about its investigation,
HPE was entitled to summary judgment on the infringement
claims for pre-May 6, 2012 conduct.

     B. The IIPEA Claim

    An IIPEA claim is subject to a two-year statute of
limitations. See Cal. Civ. Proc. Code § 339(1). A cause of
action does not accrue under California law “until the
plaintiff discovers, or has to discover, the cause of action.”
Fox v. Ethicon Endo-Surgery, Inc., 110 P.3d 914, 920 (Cal.
2005). A “potential plaintiff who suspects that an injury has
been wrongfully caused must conduct a reasonable
investigation of all potential causes of that injury.” Id. at
921. A defendant’s fraudulent concealment will toll the
statute of limitations “for that period during which the claim
is undiscovered by a plaintiff or until such time as plaintiff,
by the exercise of reasonable diligence, should have
discovered it.” Bernson v. Browning-Ferris Indus., 873 P.2d
613, 615 (Cal. 1994) (citation omitted).

    In concluding that Oracle’s pre-May 6, 2013 IIPEA
claims were time-barred, the district court analyzed evidence
concerning Comcast, one of Oracle’s support customers, and
determined that Oracle constructively knew of HPE’s
interference with the Comcast relationship as early as 2011.
Oracle has not challenged that finding here, and thus has
waived that issue. Paladin Assocs., Inc. v. Mont. Power Co.,
328 F.3d 1145, 1164 (9th Cir. 2003). Oracle nonetheless
argues that it could not have known about the “broader one-
to-many scheme to interfere with Oracle’s relationships.”
Relying on El Pollo Loco, Inc. v. Hashim, 316 F.3d 1032,
1040 (9th Cir. 2003), Oracle further argues that it could rely
on the truth of HPE’s and Terix’s assurances that “they were
not engaged in misconduct” even if an investigation would
have disclosed the falsity of those assurances.

     Although fraudulent concealment tolls a statute of
limitations for the time that a plaintiff cannot discover its
claim, Bernson, 873 P.2d at 615, 619, Oracle was aware, at
a minimum, of enough facts well before May 6, 2013 to
discover its IIPEA claim against HPE. Oracle identified
HPE and Terix in 2010, among others, as third-party
maintainers of Solaris software who sought to attract
customers from Oracle in the manner challenged here. And,
in 2011, Comcast indicated that it would leave Oracle for
HPE and Terix after HPE and Terix had made purported
assurances to Oracle. In short, Oracle was not “ignorant” of
its IIPEA claim against HPE before May 6, 2013. Weatherly
v. Universal Music Publ’g Grp., 23 Cal. Rptr. 3d 157, 161–
62 (Ct. App. 2004). Thus, the claim is time-barred for pre-
May 6, 2013 conduct.

II. The Copyright Infringement Claims

    Oracle asserted direct infringement claims concerning
HPE’s direct support customers, and indirect infringement
claims concerning joint HPE-Terix customers. The claimed
infringing acts were unauthorized downloading, copying,
and delivery of patches, and patch installations. We consider
separately the indirect and direct infringement claims,
mindful that “[t]he test for summary judgment in a copyright
case must comport with the standard applied to all civil
actions.” Shaw v. Lindheim, 919 F.2d 1353, 1358–59 (9th
Cir. 1990), overruled in part on other grounds by, Skidmore
v. Led Zeppelin, 952 F.3d 1051, 1066 (9th Cir. 2020) (en
banc).

     A. Indirect Infringement Claims

    A defendant may be held vicariously and contributorily
liable for copyright infringement carried out by another.
Luvdarts, LLC v. AT & T Mobility, LLC, 710 F.3d 1068,
1071 (9th Cir. 2013). But a plaintiff must show “[a]s a
threshold matter . . . that there has been direct infringement
by third parties.” Perfect 10, Inc. v. Amazon.com, Inc.,
508 F.3d 1146, 1169 (9th Cir. 2007). The district court
concluded that Oracle could not prove direct infringement
by Terix in the form of unauthorized patch installations. 7
Oracle challenges the court’s failure to consider evidence of
Terix’s pre-installation conduct. We briefly address that
evidence and then discuss the deficiencies in the district
court’s analysis.

    Direct infringement requires: “(1) ownership of a valid
copyright, and (2) copying of constituent elements of the
work that are original.” Seven Arts Filmed Entm’t Ltd. v.
Content Media Corp. PLC, 733 F.3d 1251, 1254 (9th Cir.
2013) (citation omitted). On the second element, we have
made clear that “[b]oth uploading and downloading
copyrighted material are infringing acts.” Columbia
Pictures Indus. v. Fung, 710 F.3d 1020, 1034 (9th Cir.

     7
      Oracle does not challenge the district court’s ruling concerning
patch installations by Terix. Thus, we affirm the partial summary
judgment for HPE on the indirect infringement claims as to that issue.

2012). Oracle provided evidence of Terix’s downloading
and copying of patches for joint HPE-Terix customers.
Terix downloaded some 11,500 copies of Solaris patches,
including thousands of copies of registered protectable code
by using customers’ MOS credentials. Terix employees
copied patches to internal Terix repositories as well as to
Terix-provided laptops so that it could provide patches on
demand to joint customers. Terix reproduced and distributed
patches on its servers so that customers could access patch
copies.

    Although this evidence appears to show direct
infringement, the district court did not consider it because
the court read “Oracle’s support contracts to grant an Oracle
customer, or an agent of the customer, a license to download,
deliver, and install Solaris patches.” Reasoning that Terix
was an agent of a customer with a license, the court thought
that only patch installations could constitute infringing
conduct.

    An applicable license may be dispositive of an
infringement claim. “Anyone who is authorized by the
copyright owner to use the copyrighted work in a way
specified in [the Copyright Act] . . . is not an infringer of the
copyright with respect to such use.” Sony Corp. of Am. v.
Universal City Studios, Inc., 464 U.S. 417, 433 (1984).
Thus, an infringement claim “fails if the challenged use of
the work falls within the scope of a valid license.” Great
Minds v. Office Depot, Inc., 945 F.3d 1106, 1110 (9th Cir.
2019). And “[t]he existence of a license creates an
affirmative defense to” an infringement claim. Worldwide
Church of God v. Phila. Church of God, Inc., 227 F.3d 1110,
1114 (9th Cir. 2000). But “[w]hen a licensee exceeds the
scope of the license granted by the copyright holder, the
licensee is liable for infringement.” LGS Architects, Inc. v.
Concordia Homes of Nev., 434 F.3d 1150, 1156 (9th Cir.
2006).

    A court must construe the license to evaluate its effect on
a claim of copyright infringement. “A copyright license
‘must be construed in accordance with the purposes
underlying federal copyright law.’” Great Minds, 945 F.3d
at 1110 (quoting S.O.S., Inc. v. Payday, Inc., 886 F.2d 1081,
1088 (9th Cir. 1989)); see also Cohen v. Paramount Pictures
Corp., 845 F.2d 851, 854 (9th Cir. 1988) (same). “Chief
among these purposes is the protection of the author’s
rights.” S.O.S., 886 F.2d at 1088. “Federal courts ‘rely on
state law to provide the canons of contractual construction to
interpret a license, but only to the extent such rules do not
interfere with federal copyright law or policy.’” Great
Minds, 945 F.3d at 1110 (quoting S.O.S., 886 F.2d at 1088).

    The district court here, however, opined on Oracle’s
licenses without applying these principles, and it never
identified a license provision that authorized the challenged
pre-installation conduct. 8 That was error. At summary
judgment, “[t]he district court must not only properly
consider the record . . . but must consider that record in light
of the ‘governing law.’” Zetwick v. County of Yolo, 850 F.3d
     8
       HPE avers that the district court “held” HPE to its burden to
identify a license provision authorizing the pre-installation conduct,
pointing to an order in Oracle’s case against Terix. Oracle, 2015 WL
2090191, at *1. But, in that order, the magistrate judge granted summary
judgment for Oracle on the affirmative license defense, reasoning that
Terix “violated the terms of the relevant licenses by using a customer’s
credential’s to . . . download patches for any number of that customer’s
machines, whether covered by the license terms or not” because “[t]his
type of use is clearly not contemplated on the face of the license
agreements.” Id. at *6. And unlike the district court here, the magistrate
judge there applied the relevant principles to construe the licenses for
Solaris versions 7, 8, 9 and 10. Id. at *1, 7–9.

436, 441 (9th Cir. 2017) (quoting Anderson v. Liberty Lobby,
Inc., 477 U.S. 242, 248 (1986)). “[W]here application of
incorrect legal standards may have influenced the district
court’s conclusion, remand is appropriate.” Id. at 442. By
applying no legal standard to interpret the licenses, the
district court failed to apply the correct one. In doing so, the
court excluded pre-installation conduct from its analysis.
Thus, we remand for the court to properly analyze the
licenses. The court must reconsider all infringement claims
for pre-installation conduct, including the direct
infringement claims for which the court also limited its focus
to unauthorized installations. 9

    B. The Direct Infringement Claims

    As is relevant here, direct infringement requires copying
of a protected work by the defendant. Seven Arts, 733 F.3d
at 1254. It is undisputed that HPE’s installation of patches
on unsupported servers would constitute infringement. But
the parties dispute whether Oracle’s evidence showed that
HPE performed such installations for its direct customers.
We address separately the non-Symantec customers and
Symantec and conclude that triable issues remain.

         1. Non-Symantec Customers

    The district court reasoned that, to survive summary
judgment on the direct infringement claims for non-
Symantec customers, Oracle had to provide: “(1) evidence
that HPE installed a patch on a server that was not supported
by an Oracle support contract, and (2) evidence that the
    9
      We decline to resolve in the first instance whether Oracle produced
sufficient evidence on the additional elements of secondary liability
because the district court never considered those issues. Shirk v. U.S. ex
rel. Dep’t of Interior, 773 F.3d 999, 1007 (9th Cir. 2014).

patch was released and downloaded while that server was
not on contract.” Oracle does not challenge this application
of the copying element, and thus, it guides us here.

    Oracle relied on an analysis by its expert, Christian
Hicks, of HPE-produced spreadsheet data for 35 HPE direct
customers to show that HPE performed unauthorized patch
installations. The spreadsheets had an “Installed on Date”
column and a column identifying the hardware serial
number. Hicks treated the “Installed on Date” column as
showing actual installation dates. He found 210 instances of
patching where “the ‘Installed on Date’ in HPE’s data
occurred after Oracle support for that server had ended.” He
found that for 188 of those instances, Oracle had not released
the patches until after Oracle support for the server expired.
Crediting HPE’s arguments, the district court concluded that
Oracle could not prove with this data (a) unauthorized
installations (b) by HPE. We disagree.

               a. Unauthorized Patch Installations

    The district court found an insurmountable “ambiguity”
about whether the “Installed on Date” column reflected
actual patch installations. The “ambiguity” stemmed from
testimony by David Jensen, HPE’s Rule 30(b)(6) witness
and a former HPE employee. In considering this testimony,
the court failed to draw all reasonable inferences in Oracle’s
favor.

    Jensen testified that the “Installed on Date” column had
three possible meanings. It could mean the date that: (1) a
kernel patch was installed, (2) a patch was released from the
vendor, or (3) a file was updated on the system, such as a
deletion, modification, or change to the file. Although
Jensen testified that one could not know which meaning
applied, he explained that the field prioritized the first
meaning. Only if actual installation data was unavailable
would the entry reflect another meaning. This testimony
supported the actual installation date meaning that Hicks
attributed to “Installed on Date,” and it showed that that
meaning was prioritized. 10 In light of this evidence, the
district court could not properly assume in HPE’s favor that
no entries reflected an actual installation.

    The court also reasoned that even if all entries reflected
installations, “Oracle could not identify any particular non-
supported server on which a protected patch was improperly
installed.” That conclusion stemmed from what the court
viewed as a concession by Oracle during the summary
judgment hearing. Oracle, however, effectively explained
that it would prove unauthorized installations
circumstantially. “Proof of copyright infringement is often
highly circumstantial,” Loomis v. Cornish, 836 F.3d 991,
994 (9th Cir. 2016) (citation omitted), “[b]ecause direct
evidence of copying is rarely available,” Baxter v. MCA,
Inc., 812 F.2d 421, 423 (9th Cir. 1987). Here, Oracle could
identify protected patches and the spreadsheets showed
installations that post-dated the release of a given patch.
Drawing all reasonable inferences in Oracle’s favor, a jury
could find that at least one entry reflected an actual patch
installation.




    10
       The district court also stated that the data had a “false positive”
because Oracle identified a patch installation on an off-contract server
before Oracle had released that patch. Such an entry can be explained as
the date of a file update, consistent with Jensen’s third meaning of
“Installed on Date.” That “false positive” would not preclude that other
entries reflect actual installations.

           b. By HPE

    A “direct infringement claim turn[s] on ‘who made’ the
copies[.]” Fox Broad. Co. v. Dish Network L.L.C., 747 F.3d
1060, 1067 (9th Cir. 2014) (quoting Cartoon Network LP,
LLLP v. CSC Holdings, Inc., 536 F.3d 121, 130 (2d Cir.
2008)) (emphasis in original). Oracle must “show causation
(also referred to as ‘volitional conduct’) by the defendant.”
Perfect 10, Inc. v. Giganews, Inc., 847 F.3d 657, 666 (9th
Cir. 2017), cert. denied, 138 S. Ct. 504 (2017). This requires
conduct by the defendant “that can reasonably be described
as the direct cause of the infringement.” Id. (citation
omitted) (emphasis in original).

    Relying on Jensen’s testimony, HPE avers that some
entity other than it—Oracle, the customer, or some unknown
third party—could have installed patches for its direct
support customers. Jensen’s testimony, however, could not
foreclose that HPE installed patches. Indeed, he testified
that when the data indicated that a patch was applied to a
server, it “could mean” that a customer updated the patch, a
customer-hired third party did it, or—critically—that HPE
applied the patch if HPE had the responsibility to do so. HPE
evades and the district court failed to acknowledge this third
scenario, which plainly goes to causation by HPE. 11

     11
       We reject Oracle’s assertion that Jensen’s testimony suffices to
award summary judgment for it. Although Oracle cross moved for
summary judgment on its infringement claims, we must view the
evidence in the light most favorable to HPE. At the very least, the
testimony creates a dispute of material fact.

    HPE further contends that Oracle cannot prove causation
because Hicks did not know who performed any patch
installations. Hicks, however, relied on the fact that HPE
supported the servers identified in HPE’s data and that
customers specifically paid HPE to support their Solaris
software to conclude that HPE made installations. We see
no reason why a reasonable jury could not rely on these same
circumstances. Viewing the evidence in the light most
favorable to Oracle, a reasonable jury could find that HPE
performed patch installations for direct customers. Thus,
summary judgment was improper on the direct infringement
claims concerning non-Symantec customers.

          2. Symantec

    Summary judgment for HPE on the direct infringement
claims concerning Symantec was also improper. The
testimony from HPE’s employees permitted the reasonable
inference that HPE installed a patch on an unsupported
Symantec server. Indeed, the court acknowledged that
testimony from HPE employees showed that HPE “had a
practice of . . . installing patches downloaded from and
delivered through Terix for Symantec’s off-contract
servers.”    Because Oracle may prove infringement
circumstantially, Loomis, 836 F.3d at 994, Oracle did not
need to further show that a particular patch was installed on
a particular off-contract server to survive summary
judgment. 12

    12
       HPE argues that “many” Symantec servers ran older versions of
Solaris that are not at issue and that Symantec also asked HPE to install
patches received from Terix onto servers covered by Oracle support
contracts. This would not preclude the reasonable inference that HPE
performed an unauthorized patch installation.

    HPE also argues that the district court held that Oracle
did not show that any patch delivered to Symantec was
protectable. If true, Oracle could not press infringement
claims for such patches. Seven Arts, 733 F.3d at 1254
(observing that “ownership of a valid copyright” is a “basic
element” of infringement) (citation omitted). The district
court, however, does not appear to have granted summary
judgment for HPE on this basis, but instead to have merely
acknowledged HPE’s argument. Although we may affirm
on any ground supported by the record, Johnson v. Riverside
Healthcare Sys., LP, 534 F.3d 1116, 1121 (9th Cir. 2008),
the record supplied by the parties is insufficient for us to do so.
We have no obligation to mine the extensive district court
record, and we decline to do so here. See In re Oracle Corp.
Sec. Litig., 627 F.3d 376, 386 (9th Cir. 2010) (“It behooves
litigants, particularly in a case with a record of this
magnitude, to resist the temptation to treat judges as if they
were pigs sniffing for truffles.”). The district court may
revisit and clarify this issue on remand.

                      CONCLUSION

    We affirm the partial summary judgment for HPE on the
copyright infringement and IIPEA claims as time-barred.
We affirm in part summary judgment on the indirect
infringement claims for patch installations by Terix. We
reverse summary judgment on all infringement claims for
pre-installation conduct, and on the direct infringement
claims for unauthorized patch installations by HPE.

  AFFIRMED IN PART, REVERSED AND
VACATED IN PART, and REMANDED. EACH
PARTY SHALL BEAR ITS OWN COSTS.
