- Computer and Systems Engineering
- Computer Science & Software
- Electrical Engineering & Electronics
Computer Fraud and Abuse Act “Scraping” public data probably doesn’t violate CFAA
The U.S. Court of Appeals for the Ninth Circuit has again determined that the automated “scraping” of an online networking platform’s publicly available data probably doesn’t violate the Computer Fraud and Abuse Act (CFAA). The U.S. Supreme Court had directed the appellate court to reconsider its earlier determination based on a subsequent high court ruling on the CFAA. But, in the end, the Ninth Circuit found that it was right all along.
Companies scrap over data
Scraping involves extracting data from a website and copying it into a structured format that facilitates data manipulation or analysis. The data analytics company hiQ Labs uses automated bots to scrape information from users’ public LinkedIn profiles; the information is available for viewing by anyone with Internet access. The company then applies a proprietary algorithm to the data to produce “people analytics,” which it sells to business clients.
In 2017, LinkedIn sent hiQ a cease-and-desist letter, claiming that the scraping violated the CFAA. It also notified hiQ that LinkedIn had instituted technical measures to block hiQ from its data. The response from hiQ was to file a lawsuit seeking injunctive relief and a declaratory judgment that LinkedIn couldn’t lawfully invoke the CFAA against it.
The trial court granted a preliminary injunction ordering LinkedIn to remove any barriers to hiQ’s access to public profiles and to refrain from putting any measures in place that would block such access. Not surprisingly, LinkedIn appealed.
Public access unplugs CFAA defense
The appellate court didn’t focus on resolving the legal dispute or addressing the various claims and defenses. Rather, it considered whether hiQ satisfied the requirements for a preliminary injunction by showing:
- It was likely to win the underlying lawsuit,
- It was likely to suffer irreparable harm in the absence of an injunction,
- The balance of equities tipped in its favor, and
- An injunction was in the public interest.
Courts take a “sliding scale” approach to these factors, meaning a stronger showing of one can offset a weaker showing of another.
In this case, the court devoted most of its review to the likelihood of success in the underlying lawsuit. Specifically, it reviewed whether LinkedIn’s CFAA-based defense was likely to defeat hiQ’s claim that LinkedIn intentionally and unlawfully interfered with hiQ’s contracts with third parties. It found the other three factors all tipped in hiQ’s favor.
LinkedIn contended that hiQ’s state law interference allegation was preempted by the CFAA, which LinkedIn claimed hiQ violated. The CFAA generally prohibits intentionally accessing a computer without authorization to obtain information from any computer connected to the Internet.
The “pivotal question,” the court said, was whether hiQ’s scraping of LinkedIn’s data after receiving the cease-and-desist letter was unauthorized. In making that determination, the court described the CFAA as anti-intrusion statute, rather than an anti-misappropriation statute. In light of this, it looked to whether the scraping was analogous to “breaking and entering.”
The Ninth Circuit concluded it wasn’t — because the data hiQ scraped was available to the general public without any permission requirement. According to the court, the CFAA is violated when someone circumvents a computer’s generally applicable rules regarding access permission (such as username and password requirements) to gain access to the computer. When a computer network generally permits public access to its data, as LinkedIn does, a user’s accessing of that data likely won’t qualify as unauthorized access under the CFAA.
Making the connection
The court’s ruling is a clear sign to companies with publicly available information on their websites that the CFAA probably won’t protect that data from third-party scraping. If they hope to invoke the protections of the CFAA, they’ll need to add some type of permission requirements.