Ninth Circuit Reaffirms Key Ruling in CFAA Case
Government is pushing back against the steady increase in computer crime. Its task includes making sure its tools – laws against cybercrime – reflect present conditions. Current focus is on an important, long-established law, the Computer Fraud and Abuse Act (CFAA). Since its passage in 1986, the scope of that law has shifted away from preventing or punishing invasion of federal computer systems – a national security threat. CFAA now focuses on a range of cybercrimes against diverse targets – individuals, governments, and business enterprises.
In part because of its broadening application, critics complain that some provisions of CFAA are vague or too narrowly applicable. Especially problematic has been the definition of “unauthorized access.” Is that a serious offense meriting the harsh punishments prescribed by CFAA? Or can it be applied arbitrarily against a widespread business practice like copying a website’s publicly accessible member data? Two recent court cases that grappled with the meaning of “unauthorized access” may have special relevance to web scraping.
In hiQ vs. LinkedIn (2019), the Ninth Circuit Court of Appeals held that “unauthorized access” applies to cybercrime, not to the common practice of gathering publicly available information for legitimate business purposes. LinkedIn had complained that hiQ, a data analytics company, committed unauthorized access by scraping member profile data from the LinkedIn site. The Ninth Circuit held that hiQ’s access didn’t fit that definition. It noted that LinkedIn member data is accessible to everyone, even those not registered on the site.
The U.S. Supreme Court further clarified “unauthorized access” in a later case, Van Buren vs. United States (2021). The Court held that CFAA does not apply to defendants with authorized access using data for unsuitable purposes. The defendant was a police officer charged with selling personal information from a database he had permission to use. The Court said this use, while improper, did not constitute unauthorized access under the CFAA. Adding a crucial distinction, the court went on to say that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him.”
LinkedIn petitions the court
Then LinkedIn asserted that this ruling in Van Buren affected the definition of “unauthorized access” in hiQ vs. LinkedIn. The site petitioned the Supreme Court for a writ of certiorari, which would indicate the Supreme Court’s willingness to review. The Court granted the writ and vacated the Ninth Circuit’s 2019 opinion. It then remanded the case to the Ninth Circuit for further consideration in light of the Van Buren opinion. The Ninth Circuit heard arguments again in October 2021, after which it reaffirmed its earlier decision. LinkedIn would continue to be enjoined from preventing hiQ from scraping LinkedIn members’ public profile data under the CFAA.
As target sites have fought scraping, the meaning of “unauthorized access” has been crucial to CFAA case law. With the Ninth Circuit reaffirming its 2019 decision, that meaning has become clearer. It applies specifically to cybercrime, now better defined by the court.
Still, it’s important to remember that the Ninth Circuit case had a highly limited scope. Parties could still debate whether a scraper would begin to commit “unauthorized access” by ignoring a site’s cease-and-desist letter. And there’s the far broader question of data ownership.
Website owners could also push back in other ways, beyond the CFAA, against what they consider unauthorized, or undesirable, web scraping. For instance, they might claim misappropriation, or copyright infringement, even though they don’t own their subscribers’ data. Scrapers need to be aware of all the legal risks even if the courts narrow the applicability of the CFAA.
A final observation
The NYU Journal of Intellectual Property and Entertainment Law offered a final observation on the case. “As for data scraping, it’s essential to abide by the robots.txt rules and not to circumvent any technical measures implemented by the website owner for an ordered and peaceful Internet ecosystem.”
Core Topic: Everything You Need to Know about CFAA