In a case involving LinkedIn, a federal appeals court reaffirmed Monday that web scraping likely doesn’t violate the Computer Fraud and Abuse Act (CFAA).
The ruling by the US Court of Appeals for the Ninth Circuit drew a distinction between data that is password-protected and data that is publicly available. That means hiQ Labs—a data analytics company that uses automated technology to scrape information from public LinkedIn profiles—can continue accessing LinkedIn data, a three-judge panel at the appeals court ruled:
[I]t appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.
Judges warn against “information monopolies”
The judges said they “favor a narrow interpretation of the CFAA’s ‘without authorization’ provision so as not to turn a criminal hacking statute into a ‘sweeping Internet-policing mandate.'” They also found that the public interest favors allowing access to LinkedIn data.
“We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest,” the ruling said.
The overall case hasn’t been decided yet, but Monday’s ruling affirmed a preliminary injunction issued by the US District Court for the Northern District of California and remanded the case back to the district court. The injunction prevents Microsoft-owned LinkedIn from denying hiQ access to publicly available member profiles while litigation is pending.
LinkedIn sent hiQ a cease-and-desist letter in May 2017, claiming “that if hiQ accessed LinkedIn’s data in the future, it would be violating state and federal law, including the CFAA, the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass,” the appeals court noted. HiQ responded by suing LinkedIn and sought a declaratory judgment that LinkedIn could not invoke those laws against it.
Supreme Court limited what’s a crime under CFAA
The same panel of appeals court judges reached a similar decision upholding the preliminary injunction in September 2019. But the Supreme Court granted a LinkedIn petition for certiorari and remanded the case back to the appeals court for further consideration in light of the Supreme Court’s 2021 decision in Van Buren v. United States, another CFAA case that we’ve previously covered.
In Van Buren, the Supreme Court imposed a limit on what counts as a crime under the CFAA. Former Georgia police sergeant Nathan Van Buren used his own valid credentials to get information about a license plate number from a law enforcement database. The sergeant ran the search in exchange for money and for non-law enforcement purposes, violating a department policy.
Van Buren was charged with a felony under the CFAA, which says it’s a crime when someone “intentionally accesses a computer without authorization or exceeds authorized access.” He was convicted and sentenced to 18 months in prison, but the Supreme Court ruled in a 6-3 decision that Van Buren did not violate the CFAA. As we previously wrote, justices found that the cybersecurity statute does not make it a crime to obtain information from a computer when the person has authorized access to that machine, even if the person has “improper motives.”
LinkedIn argued that its petition “addresses the precise question left open by the Court in Van Buren. LinkedIn put gates around its servers by employing technical ‘code-based’ measures to prevent hiQ from scraping data (which hiQ circumvented via bots) and sending a cease-and-desist letter to hiQ, thereby expressly revoking any ‘authorization’ hiQ had to access LinkedIn’s computers. Van Buren expressly left open whether these methods of denying and revoking authorization, or any other methods of doing so, qualify as ‘gates-down’ under Section 1030(a)(2), thus rendering hiQ’s massive scraping of data ‘without authorization.'” LinkedIn said the technical barriers it uses include its robots.txt file and “several technological systems to detect suspicious activity and restrict automated scraping.”