April 20, 2022

Ninth Circuit Limits CFAA to Digital "Breaking and Entering," Finds LinkedIn Likely Has No CFAA Claim Against Web Scraper

On remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit reaffirmed a California district court’s order preliminarily enjoining LinkedIn from denying hiQ Labs, a data analytics company, access to LinkedIn’s publicly available member profiles. The Ninth Circuit’s decision reaffirms its previous decision, after the Supreme Court remanded the case for further consideration in light of Van Buren v. United States, 141 S. Ct. 1648 (2021). 

Likelihood of Success on CFAA Claim. The “pivotal” question for the Ninth Circuit was whether hiQ’s continued scraping and use of LinkedIn’s data, after a cease-and-desist letter, was “without authorization” within the meaning of the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit found that a plain reading of the CFAA language forbidding “access without authorization” implies a baseline in which permission to access is ordinarily required and distinguished this from the LinkedIn scenario, in which the default is free access without authorization “to anyone with a web browser.” 

The Ninth Circuit relied on the legislative history of the CFAA to confirm its plain reading of the statute. Specifically, the court cited the 1984 House Report’s comparison of section 1030 of the CFAA to criminal “breaking and entering,” an analogy the court found had no application to websites that are publicly accessible on the internet. 

The Ninth Circuit found support in the Supreme Court’s Van Buren opinion, in which the Court decided that a police sergeant did not violate the CFAA when he ran a license plate search in a law enforcement computer database in exchange for money. The Supreme Court held that the CFAA’s “exceeds authorized access” clause applies only to those who obtain information from areas in the computer to which they do not properly have access, and not to those, like Sergeant Van Buren, who have improper motives for obtaining information that is otherwise available to them.

The Ninth Circuit interpreted Van Buren’s “gates-up-or-down” distinction between computer users who can or cannot access a computer system as suggesting a “baseline” in which there are “limitations on access” that prevent some users from accessing the system without permission. Those users have either obtained permission (the gates are up) or they have not (the gates are down). But, the Ninth Circuit found, where there is no “gate,” as is the case for public websites, the CFAA’s “without authorization” concept simply doesn’t apply.

While this opinion is likely to have a wide-ranging effect on web-scraping claims, the Ninth Circuit did note that even if the CFAA does not apply, companies that are victims of web scraping may have another avenue — state law trespass to chattels claims. However, as reflected in the Ninth Circuit’s opinion, circuits appear to have conflicting views on whether such a claim is applicable to web scraping. 

A summary of the remaining factors addressed by the Ninth Circuit in affirming the granting of a preliminary injunction are below. 

Likelihood of hiQ’s Success on its Claims. The Ninth Circuit further found that hiQ had shown a sufficient likelihood of establishing the elements of its intentional interference with contractual relations claims. LinkedIn did not challenge hiQ’s ability to establish the elements, but rather maintained it had a legitimate business purpose defense. On the record before it, the Ninth Circuit found that LinkedIn may not be able to establish a legitimate business defense and therefore concluded hiQ had raised serious questions going to the merits of the tortious interference with contract claim. As for hiQ’s claim of unfair competition, the Ninth Circuit agreed with the district court that hiQ had raised serious questions about whether LinkedIn’s ban of hiQ’s bots was strategically done to further LinkedIn’s plans to introduce a competing professional data analytics tool. 

Irreparable Harm & Balancing of the Equities. The Ninth Circuit found there was no abuse of discretion in the district court’s determination that both the irreparable harm and balance of the equities factors fell in hiQ’s favor. As to irreparable harm, hiQ had demonstrated a likelihood of irreparable harm by establishing that using LinkedIn public profile data was the only viable way for it to stay in business, and that hiQ’s potential harm — going out of business — outweighed LinkedIn’s asserted harm of loss of consumer goodwill. The Ninth Circuit found little evidence in the record to support LinkedIn’s assertions that: (1) its users who choose to make their profiles public actually maintain an expectation of privacy and (2) that the “Do Not Broadcast” option is often selected by a user to prevent the user’s employer from being alerted to profile changes in anticipation of a job search. Moreover, the court found that LinkedIn’s own actions contradicted its assertions as its “Recruiter” product allows recruiters to access public profiles to obtain information to reach out to prospects.

Public Interest. Finally, the Ninth Circuit agreed with the district court that, despite significant and valid public interest arguments raised by both sides, “giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data . . . risks the possible creation of information monopolies that would disserve the public interest.”