Blog Data, Privacy + Cybersecurity Insights April 22, 2022

Ninth Circuit: Web Scraping Does Not Violate CFAA

In a decision that is certain to reverberate through the big data community, the U.S. Court of Appeals for the Ninth Circuit ruled that the primary legal tool that companies tried to use to limit scraping of their websites – the criminal statute Computer Fraud and Abuse Act (“CFAA”) – does not in fact prohibit companies from scraping publicly available information on the web.

How we got here

In its decision in hiQ Labs vs. LinkedIn Corporation, the Ninth Circuit reaffirmed that hiQ Labs, a data analytics company, could continue to scrape publicly available information from LinkedIn because the scraping did not violate the CFAA. The court affirmed the District Court’s order preliminarily enjoining LinkedIn from denying hiQ Labs access to LinkedIn’s publicly available member profiles. The Ninth Circuit reviewed the case on remand from the U.S. Supreme Court for further consideration in light of Van Buren v. United States, 141 S. Ct. 1648 (2021). In affirming the injunction against LinkedIn, the Ninth Circuit concluded that hiQ had raised a serious question as to whether the scope of the CFAA’s prohibition was limited to computers that required access permission by default and therefore did not apply to hiQ’s actions in scraping information that was public.

Key issue: “without authorization” means “breaking and entering”

The crucial question for the Ninth Circuit was whether hiQ’s continued scraping and use of LinkedIn’s data, after a cease-and-desist letter, was “without authorization” within the meaning of the CFAA. The Ninth Circuit found that one cannot “access without authorization” a website for which no authorization is required in the first place. The court concluded that a plain reading of the CFAA language forbidding “access without authorization” implied a baseline in which permission to access is ordinarily required to access a resource. The court described the conduct that the CFAA prohibited as “without authorization” as analogous to “breaking and entering.” It distinguished that conduct from the LinkedIn scenario, in which the default is free access without authorization to “anyone with a web browser.”

The Ninth Circuit found that the reasoning in Van Buren reinforced its interpretation that the “without authorization” concept does not apply to public websites. In Van Buren, the Supreme Court ruled that a police sergeant did not violate the CFAA when he ran an unauthorized license plate search in a law enforcement computer database in exchange for money. The Supreme Court held that the CFAA’s “exceeds authorized access” clause applied only to those who obtained information from areas in the computer that they did not have access to, and not to those, like Van Buren, who had improper motives for accessing information otherwise available to them.

Van Buren’s distinction between users who technically can or cannot access a computer system implies a baseline in which there are limitations that prevent users from accessing the entire system, the court stated. These limitations do not exist with publicly accessible websites.

What comes next

The Ninth Circuit decision is another in a line of cases rejecting the claim that web scraping in violation of a website’s terms of use constitutes a violation of the CFAA – a criminal statute. While legal risks for scrapers remain, concerns around the criminalization of terms of use are relaxed, at least until the next round in this battle.

While this opinion is likely to have a wide-ranging effect on web scraping claims, the Ninth Circuit did note that even if the CFAA does not apply, companies that try to prevent web scraping of their website may have another legal avenue – state law trespass to chattels claims. However, as reflected in the Ninth Circuit’s opinion, circuits appear to have conflicting views on whether such claims are applicable to web scraping.

Broader impact: privacy v. business v. competition

In considering the procedural elements of the relief – which in this case was an injunction – the court keenly observed that the public interest favors hiQ’s position. Despite significant public interests on both sides, the Ninth Circuit found that “giving companies such as LinkedIn free rein to decide, on any basis, who can collect and use data . . . risks the possible creation of information monopolies that would disserve the public interest.”

For another perspective on the ruling, including how it illuminates the differences between U.S. and European approaches to privacy protections, see an insightful article by our partner Omer Tene on IAPP.

The post Ninth Circuit: Web Scraping Does Not Violate CFAA appeared first on Data + Privacy + Cybersecurity Insights.