The Ninth Circuit Court of Appeals recently ruled in HiQ Labs, Inc. v. LinkedIn that automated web scraping of publicly accessible websites does not violate the Computer Fraud and Abuse Act (CFAA), even if the website owner objects to the scraping. This marks the second time in this case that the Ninth Circuit has found that scraping public websites is not the type of “breaking and entering” into computers that the CFAA prohibits.
For background, the CFAA is, at its core, a cybersecurity bill, which prohibits unauthorized access to computers and computer systems. It creates a civil claim for anyone who suffers damages or loss from a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” which effectively means any computer or server connected to the internet.
The District Court agreed with HiQ that automated web scraping of public websites is not an actionable violation of the CFAA, which the Ninth Circuit affirmed in 2019. However, when the U.S. Supreme Court issued its decision in Van Buren v. U.S.—the Court’s first case interpreting the CFAA—it vacated the Ninth Circuit’s ruling in HiQ so that the issue could be reevaluated in light of the pronouncements in Van Buren.
The pivotal CFAA question is whether HiQ’s continued scraping of LinkedIn’s user data after receiving a cease-and-desist letter was “without authorization” under the CFAA. The Ninth Circuit considered various sources, including a 1984 House Report on the CFAA, which explained that the intent of the statute was to prohibit activity “analogous to that of ‘breaking and entering.’” From this, the Court opined that the CFAA “is best understood as an anti-intrusion statute and not as a ‘misappropriation statute.’”
Employers commonly state that computers and electronic devices can be used only for business purposes. So, on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.
Referencing what it called the Supreme Court’s “gates-up-or-gates-down inquiry,” the Ninth Circuit held that access to a public website cannot be “without authorization” under the meaning of the CFAA, explaining:
[T]he CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.
In other words, a CFAA claim requires something more than merely copying publicly available data a website owner does not want copied. There must be some intrusion into a protected computer.
To be clear, there are decisions in other Circuit Courts of Appeals that leave the door open to what the Ninth Circuit called a “contract-based” interpretation of the CFAA. See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contract restraints could give rise to a CFAA claim); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases). Still, the decision, coupled with the Supreme Court’s statements in Van Buren, seems to signal a more restrictive, intrusion-based view of CFAA claims going forward, where something more than merely ignoring terms of service or a cease-and-desist letter will be required to bring a CFAA claim.