The Ninth Circuit Court of Appeals recently ruled in HiQ Labs, Inc. v. LinkedIn that automated web scraping of publicly accessible websites does not violate the Computer Fraud and Abuse Act (CFAA), even if the website owner objects to the scraping. This marks the second time in this case where the Ninth Circuit found that scraping public websites is not the type of “breaking and entering” into computers that the CFAA prohibits.
For background, the CFAA is, at its core, a cybersecurity bill, which prohibits unauthorized access to computers and computer systems. It creates a civil claim for anyone who suffers damages or loss from a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” which effectively means any computer or server connected to the internet.
The District Court agreed with HiQ that automated web scraping of public websites is not an actionable violation of the CFAA, which the Ninth Circuit approved in 2019. However, when the US Supreme Court issued its decision in Van Buren v. US—the Court’s first case interpreting the CFAA—it vacated the Ninth Circuit’s ruling in HiQ to reevaluate the issue consider the pronouncements in Van Buren.
The pivotal CFAA question is whether HiQ’s actions of continuing to scrape LinkedIn’s user data after receiving a cease-and-desist letter was “without authorization” under the CFAA. The Ninth Circuit considered various sources, including a 1984 House Report on the CFAA, which explains that the intent of the statute to prohibit activity “analogous to that of ‘breaking and entering.’” From this, the Court opined that the CFAA “is best understood as an anti-intrusion statute and not as a “misappropriation statute.’”
Employers commonly state that computers and electronic devices can be used only for business purposes. So, on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the violations “exceeds authorized access” clause why it would violates context-based access restrictions on employers’ computers is difficult to see.
Referencing what it called the Supreme Court’s “gates-up-or-gates-down inquiry,” the Ninth Circuit that access to a public website cannot be “without authorization” under the meaning of the CFAA, explaining:
[T]he CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s access that publicly available data will not constitute access without authorization under the CFAA.
In other words, a CFAA claim requires something more than merely copying publicly available data a website owner does not want copied. There must be some intrusion into a protected computer.
To be clear, there are decisions in other Circuit Courts of Appeal that leave the door open to what the Ninth Circuit called a “contract-based” interpretation of the CFAA. See, eg, EF Cultural Travel BV v. Explorica, Inc.274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contract restraints could give rise to a CFAA claim); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases). Still, the decision, coupled with the Supreme Court’s statements in Van Burenseems to signal a more restrictive, intrusion-based view of CFAA claims going forward, where something more than merely ignoring a terms of service or cease-and-desist letter will be required to bring a CFAA claim.