Reiterating its prior common-sense opinion, the Ninth Circuit Court of Appeals ruled in hiQ v. LinkedIn that the Computer Fraud and Abuse Act likely does not bar scraping data from a public website against the wishes of the website owner. Last year, after the Supreme Court decided its first CFAA case, Van Buren v. United States, it vacated the Ninth Circuit’s original ruling in hiQ and sent it back to court of appeals for reconsideration. According to the Ninth Circuit, Van Buren only “reinforces” the court’s earlier determination that access to a public website cannot be “without authorization” under the meaning of the CFAA, as EFF argued in our most recent amicus brief. The hiQ decision is good news for all those who collect, aggregate, and index publicly available information, as well as the work of journalists, researchers, and watchdog organizations, who use automated tools to find security flaws, news stories and investigate discrimination in public websites.
Why Has LinkedIn Gotten So Many Tries at Playing CFAA Gatekeeper on the Open Web?
The long-running dispute in hiQ concerns LinkedIn’s attempts to stop hiQ from scraping public information from LinkedIn user profiles as part of hiQ’s data analytics services. LinkedIn tried to block hiQ’s access and threatened to sue for violation of the CFAA, on the theory that hiQ’s access violated the website’s terms of service and LinkedIn’s explicit wishes. But hiQ sued first and obtained a preliminary injunction to preserve its access.
The key question for the Ninth Circuit on appeal was whether access to a public website can ever be “without authorization” under the CFAA. According to an earlier Ninth Circuit precedent, Facebook v. Power, merely violating a website’s terms of service is not enough to be a violation of the CFAA, but individualized notice in the form of a cease-and-desist letter can revoke a user’s prior authorization. However, the court noted that the phrase “access without authorization” implies that there is a baseline requirement of authorization, and public websites like the LinkedIn profiles at issue do not require any permission to begin with. As a result, the court held that access to public information online likely cannot be a violation of the CFAA. (Because it was considering an appeal from a preliminary injunction, the holding was discussed in terms of the “likely” outcome of a final ruling.)
Then, in Van Buren, the Supreme Court answered a different question interpreting a different term in the CFAA, holding that a police officer did not “exceed authorized access” by using a law enforcement database for an unofficial purpose that violated the department’s written rules and procedures. The Court held that the CFAA does not encompass “violations of circumstance-based access restrictions on employers’ computers.” Rather, it adopted what it called a “gates-up-or-down approach,” writing that violations of the “exceeds authorized access” provision are limited to someone who “accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”
Although there was nothing in that opinion that obviously called the Ninth Circuit’s hiQ ruling into question, the Supreme Court nevertheless sent hiQ back to the court of appeals for reconsideration in light of Van Buren.
Unsurprisingly then, the Ninth Circuit found that Van Buren merely reinforced its earlier conclusion: no authorization is required to access a public website, so scraping that website likely cannot be access without authorization, no matter what the website owner thinks about it. The court explained that the Supreme Court’s “gates up-or-down inquiry” applies when a website requires authorization such as a username and password, writing that “if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down.” But “applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.”
The CFAA is Fixed Now, Right? Right?
Both the new ruling in hiQ and Van Buren are victories that place important limits on the scope of the CFAA, but unfortunately it remains a vague law that gives prosecutors and private parties significant discretion to attack security researchers, journalists, and follow-on innovators.
Most importantly, both decisions scrupulously avoid defining the contours of what counts as “authorization” in the CFAA. Congress passed the CFAA to address computer “break-ins”—malicious hacking—and EFF has long argued that violations of the law should involve circumvention of effective technical barriers. Whether you call the requirement of a technical authorization “gates down” or something else, computer owners should not get to invoke power of the CFAA based merely on a written agreement or a cease-and-desist letter.
Also, despite the Ninth Circuit’s clear-eyed approach to public websites, the hiQ opinion includes a disappointing reference to the possibility of a “trespass to chattels” claim against scrapers. As EFF helped establish in the California Supreme Court’s Intel v. Hamidi ruling, that ancient common law tort at the minimum cannot apply to situations where there is no harm to a computer or any proprietary right in data. Here, LinkedIn does not even claim to own its users’ data, so it’s difficult to see how it could win a trespass to chattels argument.
Despite the narrowness of these opinions, though, there’s reason to be hopeful that courts will continue to cut back at the CFAA’s overbreadth. EFF will continue to fight as well, through our work on the Coders Rights Project, our attempts to reduce barriers to innovation and interoperability, and our support for online investigative journalism.