Ninth Circuit Finds (Again) that Automated Web Scraping of Public Sites Is Legal

The Ninth Circuit Court of Appeals recently ruled in HiQ Labs, Inc. v. LinkedIn that automated web scraping of publicly accessible websites does not violate the Computer Fraud and Abuse Act (CFAA), even if the website owner objects to the scraping. This marks the second time in this case where the Ninth Circuit found that scraping public websites is not the type of “breaking and entering” into computers that the CFAA prohibits.

For background, the CFAA is, at its core, a cybersecurity bill, which prohibits unauthorized access to computers and computer systems. It creates a civil claim for anyone who suffers damages or loss from a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” which effectively means any computer or server connected to the internet.

The HiQ case deals with the issue of what constitutes “unauthorized” access of data stored on a publicly accessible website. HiQ’s business involves providing data analytics services using information it gathers from public LinkedIn profiles. To gather that information, HiQ uses automated web-scraping software—a practice prohibited by LinkedIn’s terms of use. Upon discovering this, LinkedIn sent HiQ a cease-and-desist letter threatening to sue for violations of the CFAA and to block HiQ’s access to LinkedIn. In response, HiQ filed suit, seeking an order that its practice was not unlawful.

The District Court agreed with HiQ that automated web scraping of public websites is not an actionable violation of the CFAA, which the Ninth Circuit affirmed in 2019. However, when the U.S. Supreme Court issued its decision in Van Buren v. U.S.—the Court’s first case interpreting the CFAA—it vacated the Ninth Circuit’s ruling in HiQ to reevaluate the issue considering the pronouncements in Van Buren.

The pivotal CFAA question is whether HiQ’s actions of continuing to scrape LinkedIn’s user data after receiving a cease-and-desist letter was “without authorization” under the CFAA. The Ninth Circuit considered various sources, including a 1984 House Report on the CFAA, which explained that the intent of the statute to prohibit activity “analogous to that of ‘breaking and entering.’” From this, the Court opined that the CFAA “is best understood as an anti-intrusion statute and not as a “misappropriation statute.’”

Just like in 2019, the Ninth Circuit concluded that the CFAA does not prohibit the automated scaping of data on public websites. It cited the Supreme Court’s recent decision in Van Buren, which held that a police officer who accessed a criminal database for an improper purpose unrelated to his work did not violate the CFAA because he did, in fact, have credentials to access that database for other purposes. Relevant to the HiQ case—where LinkedIn’s cease-and-desist letter alleged violations of the CFAA based on HiQ’s failure to abide by LinkedIn’s terms of use—the Supreme Court showed concern that interpreting the CFAA to criminalize violations of computer-use policies would make millions of otherwise law-abiding citizens criminals for ordinary computing activities. The Court provided two examples in dicta:

Employers commonly state that computers and electronic devices can be used only for business purposes. So, on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.

Referencing what it called the Supreme Court’s “gates-up-or-gates-down inquiry,” the Ninth Circuit held that access to a public website cannot be “without authorization” under the meaning of the CFAA, explaining:

[T]he CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.

In other words, a CFAA claim requires something more than merely copying publicly available data a website owner does not want copied. There must be some intrusion into a protected computer.

To be clear, there are decisions in other Circuit Courts of Appeal that leave the door open to what the Ninth Circuit called a “contract-based” interpretation of the CFAA. See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contract restraints could give rise to a CFAA claim); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases). Still, the decision, coupled with the Supreme Court’s statements in Van Buren, seems to signal a more restrictive, intrusion-based view of CFAA claims going forward, where something more than merely ignoring a terms of service or cease-and-desist letter will be required to bring a CFAA claim.


Web Scraping Watch: Cases Set to Clarify Application of the Computer Fraud and Abuse Act

Does the CFAA Apply to Website Scraping? The Ninth Circuit Says “Not So Fast”