We live in a world where data has become an increasingly valuable asset and huge companies are built on the collection and analysis of publicly available data. Yet, there is no federal statute that directly protects this type of information or even directly addresses how this information should be treated. Instead, businesses are often forced to rely on the Computer Fraud and Abuse Act (“CFAA) in order to seek to protect this valuable asset or commodity which originally only provided criminal sanctions and was originally enacted to address computer hacking. Most recently, the Ninth Circuit in hiQ Labs, Inc. v. Linkedin Corp., 938 F.3d 985 (9th Cir. 2019), addressed under what circumstances a company may legally “scrape” data from another company’s website. There, the court determined on a hiQ’s motion for preliminary injunction that “scraping” publicly available information from LinkedIn likely is not a violation of CFAA because the LinkedIn computers are publicly accessible and, thus, hiQ did not access the computers “without authorization” as required by the CFAA. Under these circumstances, the court determined that it did not matter that LinkedIn had sent a cease and desist letter to hiQ expressing prohibiting such access.
This potentially is very important decision for companies on both sides of this issue and for the general public, at least in the Ninth Circuit. In addition, this deepens the circuit split on this issue. The Supreme Court has previously denied certiorari from a number of cases involving the CFAA, however, the Court should grant LinkedIn’s writ of certiorari, which LinkedIn has stated that it will file, and provide guidance on how the CFAA should be interpreted, settle the circuit split and perhaps address the fundamental question of what entity has the right to control the use of Internet data. The failure to do will create further uncertainty for businesses and for the general public since it is unlikely that Congress will address amending the CFAA to bring it into the 21st century, even though it was originally enacted in 1986.
“Scraping” refers to automatically accessing and extracting information from a website for a variety of purposes. According to the Ninth Circuit, LinkedIn prohibits search engine crawlers and other web robots from access to LinkedIn servers “via automated bots, except that certain entities, like the Google search engine, have express permission form LinkedIn for bot access. . . In total, LinkedIn blocks approximately 95 million automated attempts to scrape data every day and has restricted over 11 million accounts suspected of violating its User Agreement, including through scraping.” Id. at 991-92 (footnote omitted).
The hiQ decision turns on what it means under the CFAA to access a computer “without authorization” or in “excess of authorization,” and which is often the crux to determine whether a defendant has violated CFFA. The CFAA defines the term “exceed authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). However, the term “without authorization” is not defined. And as Judge Kozinski in the Seventh Circuit noted, in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006), the difference between “without authorization” and “exceeding authorized access” is “paper thin.”. Further, while the distinction may be “paper thin,” it is not academic. The CFAA targets “without authorization” in seven separate offenses, while only three of which also reach persons “exceeding authorized access,” subsections
hiQ Labs scraped LinkdIn profiles and sold analytics to employers that, for example, identified employees at risk of being poached by competitors or which summarized employees’ skills in the aggregate. LinkedIn sent a letter demanding that hiQ cease this activity. In response hiQ filed a declaratory relief action seeking among other form of relief a preliminary injunction and a declaration that hiQ’s conduct did not violate the CFAA. The district court granted hiQ’s request for a preliminary injunction, and LinkedIn appealed to the Ninth Circuit.
On appeal, the Ninth Circuit applied the standard four-part test to determine if the district court’s decision to grant hiQ preliminary injunction should be upheld.[1] With regard to the CFAA claim, the court determined, based on the CFAA’s legislative history and prior Ninth Circuit case law, that the CFAA is focused on prohibiting hacking, which the court analogized to breaking and entering in physical space and “that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.” Id.
The court also recognized that this understanding is directly contrary to that reached by the First Circuit in EF Cultural Travel BV v. Explorica, Inc.,, 274 F.3d 577, 583-84 (1st Cir. 2001), and the Eleventh Circuit in United States v. Rodriquez, 628 F.3d 1258, 1263 (11th Cir. 2010). The hiQ court also distinguished the previous Ninth Circuit decisions in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016) and United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016) (“Nosal II”), in which the Ninth Circuit found that defendant had violated the CFAA, on the ground those “control situations in which authorization generally is required and has either never been given or has been revoked.” Id. at 1003. By contrast, according to the court, hiQ concerns “information is presumptively open to all comers.” Id. Thus, the Ninth Circuit concluded “that the CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.” Id. at 1003-04.
The response to the hiQ decision has generated strong reactions from both sides of the issue. For example, those who applaud the decision note that the web is a critical resource for journalists, academics, businesses, and ordinary people who use it daily. They argue meaningful access may require scraping. As law professor Orin Kerr has explained, posting information on the web and then telling someone that are not authorized to access it is “like publishing a newspaper but then forbidding someone to read it.” On the other hand, the hiQ court seemed to accept LinkIn’s argument that to permit scraping is against the public interest because “LinkedIn and other companies with public websites will be forced to choose between leaving their servers open to such attacks or protecting their websites with passwords, thereby cutting them off from public view.” Id. at 1004. On balance, while the Ninth Circuit found that “there significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ’s position.” Id.
The hiQ decision should be viewed as green light for those entities that obtain information from public websites. However, as the hiQ court recognized, “entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply,” such as “trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy. …” Id. In addition, such entities may determine that on balance, it is in their interest to make the information less public so as to bring their conduct closer to the Power Ventures ambit than to hiQ.
Although not directly addressed, the hiQ court also left open the possibility that a different conclusion may be warranted if the scraped data belonged to LinkedIn and not to the users. Further, it brings into focus the important and fundamental issue regarding who owns user data that is posted on the Internet. The court found that because the LinkedIn users chose to make their profiles public, they no longer have a privacy interest in such information which evidences that “the users quite evidently intend them to be accessed by others, including for commercial purposes ….” This does not mean, however, that the users have surrendered their property interest in their data. Indeed, the court stated that “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.” Id. at 995. In other words, it is an open question whether it would have made a difference to the court if the users had assigned their ownership interest in the scraped data to LinkedIn or that users, as part of the LinkedIn terms of service, agree that LinkedIn has authorization to prohibit access to the user’s data by an automated process. While this may present other issues, this option may provide a solution to entities that want to prevent scraping.
Regardless of whether one agrees with the Ninth Circuit, it is clear that the CFAA which was originally drafted in 1986, is outdated. To put this in context, in 1986, Ronald Reagan was in his second term as president of the United States. “Out of Africa” won the Academy Award for best picture. The space shuttle Challenger exploded just after launch from Cape Canaveral killing all eight on board, including teacher-astronaut Christina McAuliffe. The New York Mets beat the Red Sox in the World Series in seven games extending to 86 years the last time the Red Sox had won the World Series, President Obama was in his second year of law school and the World Wide Web didn’t even exist and there were only approximately 2,000 computers connected to the Internet. Either Congress needs to amend the CFAA so it better reflects the 21st century, which seems unlikely given the state of politics, or the Supreme Court should grant certiorari to address this very important issue.
[1] A plaintiff seeking a preliminary injunction must establish that: (1) plaintiff is likely to succeed on the merits; (2) that plaintiff is likely to suffer irreparable harm in the absence of preliminary relief; (3) the balance of equities tips in plaintiff’s favor, and (4) that an injunction is in the public interest. See e.g., Winter v. Nat. Res. Def. Council, Inc., 55 U.S. 7, 20, 129 S.Ct. 365, 172 L.Ed.2d 249 (2008).