Ninth Circuit Finds (Again) that Automated Web Scraping of Public Sites Is Legal | Pillsbury – Internet & Social Media Law Blog

The Ninth Circuit Court of Appeals recently ruled in HiQ Labs, Inc. v. LinkedIn that automated web scraping of publicly accessible websites does not violate the Computer Fraud and Abuse Act (CFAA), even if the website owner objects to the scraping. This marks the second time in this case where the Ninth Circuit found that scraping public websites is not the type of “breaking and entering” into computers that the CFAA prohibits.

For background, the CFAA is, at its core, a cybersecurity bill, which prohibits unauthorized access to computers and computer systems. It creates a civil claim for anyone who suffers damages or loss from a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” which effectively means any computer or server connected to the internet.

The HiQ case deals with the issue of what “unauthorized” access of data stored on a publicly accessible website. HiQ’s business involves providing data analytics services using information it gathers from public LinkedIn profiles. To gather that information, HiQ uses automated web-scraping software—a practice prohibited by LinkedIn’s terms of use. Upon finding this, LinkedIn sent HiQ a cease-and-desist letter threatening to sue for violations of the CFAA and to block HiQ’s access to LinkedIn. In response, HiQ filed suit, seeking an order that its practice was not unlawful.

The District Court agreed with HiQ that automated web scraping of public websites is not an actionable violation of the CFAA, which the Ninth Circuit approved in 2019. However, when the US Supreme Court issued its decision in Van Buren v. US—the Court’s first case interpreting the CFAA—it vacated the Ninth Circuit’s ruling in HiQ to reevaluate the issue consider the pronouncements in Van Buren.

The pivotal CFAA question is whether HiQ’s actions of continuing to scrape LinkedIn’s user data after receiving a cease-and-desist letter was “without authorization” under the CFAA. The Ninth Circuit considered various sources, including a 1984 House Report on the CFAA, which explains that the intent of the statute to prohibit activity “analogous to that of ‘breaking and entering.’” From this, the Court opined that the CFAA “is best understood as an anti-intrusion statute and not as a “misappropriation statute.’”

Just like in 2019, the Ninth Circuit concluded that the CFAA does not prohibit the automated scaping of data on public websites. It cited the Supreme Court’s recent decision in Van Burenwhich held that a police officer who accessed a criminal database for an improper purpose unrelated to his work did not violate the CFAA because he did, in fact, have credentials to access that database for other purposes. Relevant to the HiQ case—where LinkedIn’s cease-and-desist letter meaningful violations of the CFAA based on HiQ’s failure to abide by LinkedIn’s terms of use—the Supreme Court showed concern that interpreting the CFAA to criminalize violations of computer-use policies would make millions of otherwise law -abiding citizens for ordinary computing activities. The Court provided two examples in dicta:

Employers commonly state that computers and electronic devices can be used only for business purposes. So, on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the violations “exceeds authorized access” clause why it would violates context-based access restrictions on employers’ computers is difficult to see.

Referencing what it called the Supreme Court’s “gates-up-or-gates-down inquiry,” the Ninth Circuit that access to a public website cannot be “without authorization” under the meaning of the CFAA, explaining:

[T]he CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s access that publicly available data will not constitute access without authorization under the CFAA.

In other words, a CFAA claim requires something more than merely copying publicly available data a website owner does not want copied. There must be some intrusion into a protected computer.

To be clear, there are decisions in other Circuit Courts of Appeal that leave the door open to what the Ninth Circuit called a “contract-based” interpretation of the CFAA. See, eg, EF Cultural Travel BV v. Explorica, Inc.274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contract restraints could give rise to a CFAA claim); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases). Still, the decision, coupled with the Supreme Court’s statements in Van Burenseems to signal a more restrictive, intrusion-based view of CFAA claims going forward, where something more than merely ignoring a terms of service or cease-and-desist letter will be required to bring a CFAA claim.

[View source.]

Leave a Comment