Does ‘Scraping’ Data Violate the Computer Fraud and Abuse Act?

“The Court should grant LinkedIn’s writ of certiorari, which LinkedIn has stated that it will file, and provide guidance on how the Computer Fraud and Abuse Act should be interpreted. The failure to do so will create further uncertainty for businesses and for the general public.”

We live in a world where data has become an increasingly valuable asset and huge companies are built on the collection and analysis of publicly available data. Yet there is no federal statute that directly protects this type of information or even directly addresses how this information should be treated. Instead, to protect this valuable asset or commodity, businesses are often forced to rely on the Computer Fraud and Abuse Act (CFAA), which originally provided only criminal sanctions and was enacted to address computer hacking. Most recently, the Ninth Circuit in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), addressed under what circumstances a company may legally “scrape” data from another company’s website. There, the court determined on hiQ’s motion for preliminary injunction that “scraping” publicly available information from LinkedIn likely is not a violation of the CFAA because the LinkedIn computers are publicly accessible and hiQ thus did not access the computers “without authorization” as required by the CFAA. Under these circumstances, the court determined that it did not matter that LinkedIn had sent a cease and desist letter to hiQ prohibiting such access.

This is a potentially very important decision for companies on both sides of this issue and for the general public, at least in the Ninth Circuit. In addition, it deepens the circuit split on the issue. The Supreme Court has previously denied certiorari in a number of cases involving the CFAA. However, the Court should grant LinkedIn’s writ of certiorari, which LinkedIn has stated that it will file, and provide guidance on how the CFAA should be interpreted, settle the circuit split and perhaps address the fundamental question of what entity has the right to control the use of Internet data. The failure to do so will create further uncertainty for businesses and for the general public, since it is unlikely that Congress will address amending the CFAA to bring it into the 21st century, even though it was originally enacted in 1986.

Defining the Problem

“Scraping” refers to automatically accessing and extracting information from a website for a variety of purposes. According to the Ninth Circuit, LinkedIn prohibits search engine crawlers and other web robots from access to LinkedIn servers “via automated bots, except that certain entities, like the Google search engine, have express permission from LinkedIn for bot access. . . In total, LinkedIn blocks approximately 95 million automated attempts to scrape data every day and has restricted over 11 million accounts suspected of violating its User Agreement, including through scraping.” Id. at 991-92 (footnote omitted).

The hiQ decision turns on what it means under the CFAA to access a computer “without authorization” or in “excess of authorization,” which is often the crux in determining whether a defendant has violated the CFAA. The CFAA defines the term “exceed authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” 18 U.S.C. § 1030(e)(6). However, the term “without authorization” is not defined. And as Judge Kozinski in the Seventh Circuit noted, in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006), the difference between “without authorization” and “exceeding authorized access” is “paper thin.” Further, while the distinction may be “paper thin,” it is not academic. The CFAA targets “without authorization” in seven separate offenses, only three of which also reach persons “exceeding authorized access.”

hiQ Labs scraped LinkedIn profiles and sold analytics to employers that, for example, identified employees at risk of being poached by competitors or summarized employees’ skills in the aggregate. LinkedIn sent a letter demanding that hiQ cease this activity. In response, hiQ filed a declaratory relief action seeking, among other forms of relief, a preliminary injunction and a declaration that hiQ’s conduct did not violate the CFAA. The district court granted hiQ’s request for a preliminary injunction, and LinkedIn appealed to the Ninth Circuit.

On appeal, the Ninth Circuit applied the standard four-part test to determine if the district court’s decision to grant hiQ a preliminary injunction should be upheld. A plaintiff seeking a preliminary injunction must establish that: (1) plaintiff is likely to succeed on the merits; (2) plaintiff is likely to suffer irreparable harm in the absence of preliminary relief; (3) the balance of equities tips in plaintiff’s favor; and (4) an injunction is in the public interest. See, e.g., Winter v. Nat. Res. Def. Council, Inc., 55 U.S. 7, 20, 129 S.Ct. 365, 172 L.Ed.2d 249 (2008). With regard to the CFAA claim, the court determined, based on the CFAA’s legislative history and prior Ninth Circuit case law, that the CFAA is focused on prohibiting hacking, which the court analogized to breaking and entering in physical space, and “that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.” Id.

The court also recognized that this understanding is directly contrary to that reached by the First Circuit in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001), and the Eleventh Circuit in United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010). The hiQ court also distinguished the previous Ninth Circuit decisions in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016) and United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016) (“Nosal II”), in which the Ninth Circuit found that the defendant had violated the CFAA on the ground those “control situations in which authorization generally is required and has either never been given or has been revoked.” Id. at 1003. By contrast, according to the court, hiQ concerns “information is presumptively open to all comers.” Id. Thus, the Ninth Circuit concluded:

“[T]he CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.” Id. at 1003-04.

Finding the Balance

The hiQ decision has generated strong reactions from both sides of the issue. For example, those who applaud the decision note that the web is a critical resource for journalists, academics, businesses, and ordinary people who use it daily. They argue that meaningful access may require scraping. As law professor Orin Kerr has explained, posting information on the web and then telling someone that they are not authorized to access it is “like publishing a newspaper but then forbidding someone to read it.” On the other hand, the hiQ court seemed to accept LinkedIn’s argument that to permit scraping is against the public interest because “LinkedIn and other companies with public websites will be forced to choose between leaving their servers open to such attacks or protecting their websites with passwords, thereby cutting them off from public view.” Id. at 1004. On balance, while the Ninth Circuit found that “there are significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ’s position.” Id.

The hiQ decision should be viewed as a green light for those entities that obtain information from public websites. However, as the hiQ court recognized, “entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply,” such as “trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy. …” Id. In addition, such entities may determine that on balance, it is in their interest to make the information less public so as to bring their conduct closer to the Power Ventures ambit than to hiQ.

Although not directly addressed, the hiQ court also left open the possibility that a different conclusion may be warranted if the scraped data belonged to LinkedIn and not to the users. Further, it brings into focus the important and fundamental issue regarding who owns user data that is posted on the Internet. The court found that because the LinkedIn users chose to make their profiles public, they no longer have a privacy interest in such information, which evidences that “the users quite evidently intend them to be accessed by others, including for commercial purposes ….” This does not mean, however, that the users have surrendered their property interest in their data. Indeed, the court stated that “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.” Id. at 995. In other words, it is an open question whether it would have made a difference to the court if the users had assigned their ownership interest in the scraped data to LinkedIn or that users, as part of the LinkedIn terms of service, agree that LinkedIn has authorization to prohibit access to the user’s data by an automated process. While this may present other issues, this option may provide a solution to entities that want to prevent scraping.

Time for Change

Regardless of whether one agrees with the Ninth Circuit, it is clear that the CFAA, which was originally drafted in 1986, is outdated. To put this in context, in 1986, Ronald Reagan was in his second term as president of the United States; President Obama was in his second year of law school; the World Wide Web didn’t even exist; and there were only approximately 2,000 computers connected to the Internet. Either Congress needs to amend the CFAA so it better reflects the 21st century, which seems unlikely given the present state of politics, or the Supreme Court should grant certiorari to address this very important issue.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com.

Join the Discussion

2 comments so far.

  • Ari Feinstein
    December 21, 2019 07:54 am

    “And as Judge Kozinski in the Seventh Circuit noted” –> Judge Posner

  • William Morriss
    December 18, 2019 09:20 am

    This quote made me wince:

    “Either Congress needs to amend the CFAA so it better reflects the 21st century, which seems unlikely given the present state of politics, or the Supreme Court should grant certiorari to address this very important issue.”

    After seeing what the Supreme Court did in Alice, I worry that they would “address this very important issue” by declaring computers illegal.