Web Scraping and CFAA – A Big Step Toward Clarity

Clarification of a key term in computer fraud law advanced a step in September, when the Ninth Circuit Court of Appeals ruled that scraping publicly available website data doesn’t violate the relevant statute.

The decision was handed down in HiQ Labs v. LinkedIn. HiQ, a data analytics firm, brought the case after LinkedIn tried to keep it from scraping member profile data from the site. In a cease-and-desist letter, LinkedIn had asserted that HiQ was engaging in “unauthorized access” as defined under the Computer Fraud and Abuse Act of 1986 (CFAA).

By way of background: HiQ is in the business of packaging scraped information with additional data and selling it to other business firms. LinkedIn reportedly has plans for a similar enterprise using its members’ profile data.

Not waiting for a lawsuit from LinkedIn, HiQ filed its own suit in federal court seeking to stop LinkedIn from carrying out threatened legal action and asking the court to rule that HiQ’s activity was legal. The court granted a preliminary injunction and set an appeal hearing.

The arguments and ruling revolved around the CFAA term “unauthorized access.” Historically, court decisions under the CFAA have employed shifting definitions of this term, making it hard to apply that section of the law consistently. Of great importance in this case, the Ninth Circuit held that scraping the LinkedIn profile data didn’t constitute “unauthorized access,” since profile data is available to anyone on the Internet, even without a user ID and password.

Like the latest case, past cases have often hinged on whether sidestepping a website owner’s use policies was a violation of the CFAA’s “unauthorized access” provision. The consequences of a CFAA offense could be much more severe than those for breaching website terms of service. For example, what if you lied about your age in a social network profile? Should you be liable for a fine and a prison term, like a hacker – someone who stormed access barriers and caused material damage?

LinkedIn had argued that HiQ’s scraping activity was unauthorized access within the meaning of CFAA. But the court concluded that “unauthorized access” may pertain only to data access restricted by password requirements. UC Berkeley law professor Orrin S. Kerr points out, “The court ruled that LinkedIn couldn’t use anti-hacking rules to control how HiQ used the data.”

Similarly, in a 2012 case, the same Ninth Circuit rejected overuse of the CFAA rule, saying it amounted to “a sweeping Internet-policing mandate.” Instead, it held that “unauthorized access” meant “hacking,” a narrower interpretation from the 1980s.

On the other side of the question, also in 2012, Facebook stopped a data-analytics company from using bots to gather members’ posts, even with users’ permission. The company had access permission from Facebook members, but not from the owner of the website, Facebook itself.

The CFAA was initially designed to thwart cybercrime in the 1980s, when few obstacles stood against it. Also, the law was narrowly focused on invasion of federal computer systems, a threat to national security. But today web scraping for lawful purposes has become a widespread practice among data analytics companies.

Still, the Ninth Circuit ruling doesn’t guarantee a trouble-free future for web scraping. While the CFAA is the key federal law defining and governing cybercrime in the United States, the Ninth Circuit acknowledged that website owners have several alternatives for advancing their arguments, such as complaints of copyright infringement, though social media don’t really own their members’ information.

Also, the Ninth Circuit case had a highly limited scope – whether HiQ violated the CFAA, and whether enforcement of LinkedIn’s cease-and-desist letter would have interfered with HiQ’s legitimate business.

The Verge technology news site notes that the Ninth Circuit decision “is just a preliminary ruling on specific issues. But ruling out CFAA charges is a big deal, because the CFAA can be broadly weaponized against anybody who uses a computer in a way a company or government disagrees with. [Law professor Orrin] Kerr calls the ruling a ‘critical limit’ on the law’s interpretation.”

The definition of “unauthorized access” has been crucial to CFAA case law. With the latest Ninth Circuit decision, the definition has become clearer. It applies to cybercrime, not to the common practice of gathering publicly available information for legitimate business purposes.