When Data Scraping and the Computer Fraud and Abuse Act Collide
As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use and monetization. Data scraping has come a long way since its early days, which involved manually copying data visible on a website. Today, data scraping is a thriving industry, and high-performance web scraping tools are fueling the big data revolution. As with many technological advances, though, the law has not kept up with the technology that enables scraping. As a result, the state of the law on data scraping remains in flux.
The federal Computer Fraud and Abuse Act (CFAA) is one statute frequently used by companies that seek to stop third parties from harvesting data. The CFAA imposes liability on anyone who “intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains … information from any protected computer.” The Supreme Court has held that the CFAA “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” (Musacchio v. United States).
Judge Chen reasoned that LinkedIn’s interpretation of the CFAA would allow a company to revoke authorization to a publicly available website at any time and for any reason, and then invoke the CFAA for enforcement, exposing an individual to both criminal and civil liability. He characterized the possibility of criminalizing the act of viewing a public website in violation of an order from a private entity as “effectuating the digital equivalence of Medusa.”
While LinkedIn waits for the Ninth Circuit to hear oral arguments in hiQ, yet another company (3taps Inc.) has filed a similar suit against LinkedIn, seeking a declaratory judgment that 3taps is not violating the CFAA and thus should be permitted to continue to extract data on public LinkedIn profile pages. (3taps Inc. v. LinkedIn Corp.). In addition, because 3taps successfully argued that the court should deem the 3taps and hiQ matters related and have them heard by the same judge, on February 22, 2018, Judge Chen ordered the reassignment of the 3taps case from the Northern District of California’s San Jose court to Judge Chen’s court in San Francisco.