Open Internet Advocates Rejoice: Ninth Circuit Finds Web Scraping of Publicly Accessible Data Likely Does Not Violate CFAA

Oct 29, 2019

By Linda Henry

See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

The Ninth Circuit Court of Appeals recently handed open internet advocates a big win by upholding the right of a data analytics startup to use automated bots to scrape publicly available data (hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019)). Although the Ninth Circuit did not definitively resolve the legal dispute between hiQ and LinkedIn, the court affirmed the district court’s preliminary injunction against LinkedIn, and found that hiQ’s automated scraping of publicly accessible data likely does not violate the Computer Fraud and Abuse Act (“CFAA”).

The dispute between LinkedIn and hiQ began in May 2017, when LinkedIn delivered a cease-and-desist letter to hiQ, warning hiQ that it was violating LinkedIn’s terms of use as both a user and an advertiser by using bots to scrape data from LinkedIn users’ public profiles. LinkedIn threatened to bring an action against hiQ under a variety statutes, including the CFAA, and also advised that LinkedIn would be implementing technical measures to block hiQ’s bots from scraping data on LinkedIn’s site.

hiQ responded by filing suit against LinkedIn, seeking injunctive relief and a declaratory judgement that LinkedIn could not lawfully invoke the CFAA, among other state, federal and common law claims threatened by LinkedIn.

The CFAA is one statute frequently used by companies who seek to stop third-parties from harvesting data, and imposes liability on anyone who “intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains … information from any protected computer.” The Supreme Court has held that the CFAA “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Musacchio v. United States, 136 S. Ct. 709, 713 (2016).

The CFAA’s applicability to data scraping is not clear though, as it was originally intended as an anti-hacking statue, and scraping typically involves accessing publicly available data on a public website. In order to meet the CFAA’s requirement that a third party engage in unauthorized or improper access of a website, companies often argue that use of a website in violation of the applicable terms of use (e.g., by harvesting data), constitutes unauthorized access in violation of the CFAA.

With respect to LinkedIn’s threatened CFAA claim, the district court found, in part, that because authorization is not necessary to access publicly available profile pages, LinkedIn was not likely to prevail on its CFAA claim even if hiQ had violated the terms of use. The district court did note that LinkedIn’s construction of the CFAA was not without basis, because “visiting a website accesses the host computer in one literal sense, and where authorization has been revoked by the website host, that “access” can be said to be “without authorization. However, whether access to a publicly viewable site may be deemed “without authorization” under the CFAA where the website host purports to revoke permission is not free from ambiguity.”

The district court also found that LinkedIn’s interpretation of the CFAA would allow a company to revoke authorization to a publicly available website at any time and for any reason, and then invoke the CFAA for enforcement, exposing an individual to both criminal and civil liability. The district court characterized the possibility of criminalizing the act of viewing a public website in violation of an order from a private entity as “effectuating the digital equivalence of Medusa.”

On September 9, 2019, the Ninth Circuit affirmed the district court’s finding that hiQ had established the elements required for a preliminary injunction against LinkedIn.

In its opinion, the Ninth Circuit stated that the pivotal CFAA question was whether hiQ’s scraping activities and use of LinkedIn’s data after receiving the cease-and-desist letter was “without authorization” under the CFAA. The court noted that it had previously found that “without authorization” is a “non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” In addition, the court found that the statute’s legislative history provided support for the court’s interpretation of “without authorization” because the “CFAA was enacted to prevent intentional intrusion onto someone else’s computer—specifically, computer hacking,” and noted that the CFAA is an anti-intrusion statute and not a misappropriation statute.

The Ninth Circuit also found that the CFAA’s legislative history is clear that “the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.” The court noted that LinkedIn’s claim that its users have an expectation of privacy in their public profiles was undercut by several features that LinkedIn makes available on its platform, including LinkedIn’s “Recruiter” feature, which allows recruiters to follow prospects and receive alerts when prospects change their profiles, all without the prospect’s knowledge.

The Ninth Circuit’s finding that a person has not accessed a computer “without authorization” in violation of the CFAA if a platform generally permits public access to data is a significant win for web scrapers and others that may access publicly available information in a manner objectionable to online publishers. However, because other federal circuit courts have conflicting interpretations of the CFAA’s scope, and the Ninth Circuit left open the possibility that online publishers may have other causes of action against web scrapers, the law applicable to data scraping is far from settled.


DHS Cybersecurity Arm Directs Executive Agencies to Develop Vulnerability Disclosure Policies

On November 27, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) released for public comment a draft of Binding Operational Directive 20-01, Develop and Publish a Vulnerability Disclosure Policy (the “Directive”).

Open Internet Advocates Rejoice: Ninth Circuit Finds Web Scraping of Publicly Accessible Data Likely Does Not Violate CFAA

The Ninth Circuit Court of Appeals recently handed open internet advocates a big win by upholding the right of a data analytics startup to use automated bots to scrape publicly available data.

The ABA Speaks on AI

By Jennifer Thompson | Earlier this week, the American Bar Association (“ABA”) House of Delegates, charged with developing policy for the ABA, approved Resolution 112 which urges lawyers and courts to reflect on their use (or non-use) of artificial intelligence (“AI”) in the practice of law, and to address the attendant ethical issues related to AI.

Is Anonymized Data Truly Safe From Re-Identification? Maybe not.

By Linda Henry | Across all industries, data collection is ubiquitous. One recent study estimates that over 2.5 quintillion bytes of data are created every day, and over 90% of the data in the world was generated over the last two years.

FTC Settlement Reminds IoT Companies to Employ Prudent Software Development Practices

By Linda Henry | Smart home products manufacturer D-Link Systems Inc. (D-Link) has reached a proposed settlement with the Federal Trade Commission after several years of litigation over D-Link’s security practices.

Beyond GDPR: How Brexit Affects Other Data Laws

By Dawn Ingley | Since the United Kingdom (UK) voted in June, 2016, to exit the European Union (i.e., “Brexit”), the question in many minds has been, “Whither GDPR?” After all, the UK was a substantial contributor to this legislation. The UK has offered assurances that that it intends to, in large part, harmonize its data protection laws with GDPR.

San Francisco Says The Eyes Don’t Have It: Setting Limits on Facial Recognition Technology

By Jennifer Thompson | On May 14, 2019, the San Francisco Board of Supervisors voted 8-1 to approve a proposal that will ban all city agencies, including law enforcement entities, from using facial recognition technologies in the performance of their duties.

NYC’s Task Force to Tackle Algorithmic Bias: A Study in Inertia

By Linda Henry | In December, 2017 the New York City Council passed Local Law 49, the first law in the country designed to address algorithmic bias and discrimination occurring as a result of algorithms used by City agencies.

U.S. Lawmakers Want Companies to Check their Bias

By Linda Henry | Although algorithms are often presumed to be objective and unbiased, technology companies are under increased scrutiny for alleged discriminatory practices related to their use of artificial intelligence.

The Weight of “GDPR Lite”

By Dawn Ingley | In June, 2018, California’s legislature took the first steps to ensure that the state’s approach to data privacy was trending more closely to the European Union’s General Data Protection Regulation (GDPR), the de facto global industry standard for data protection. Though legislators have acknowledged that further refinements to the California Consumer Privacy Act (CCPA) will be necessary in the coming months, its salient requirements are known.