Web Scraping Not Hacking- 9th Circuit Court of Appeals Rules Automated Gathering of public data not a violation of the Computer Fraud and Abuse Act.

By Bryan Rizza

As previously described in a blog entry, hiQ technologies brought a suit against LinkedIn for anticompetitive practices and won an injunction at the trial level. LinkedIn appealed, and on September 9th, the 9th Circuit Court of appeals issued an opinion in HiQ Labs, Inc. v. LinkedIn Corp, affirming the lower courts injunction against LinkedIn in favor of hiQ. HiQ filed an injunction against LinkedIn for anticompetitive practices as a preemptive measure to a demand letter issued to them by LinkedIn. LinkedIn, an online social media platform that hosts user data for professional and employment-related purposes claimed that hiQ, an analytics company with uses automated scripts to gather data from public sites like LinkedIn in order to provide various products, violated the Computer Fraud and Abuse Act by scaping their data against their terms of service.

The Computer Fraud and Abuse Act, or CFAA, is a 1986 statute that was written to prevent computer hacking. It requires that the access to another’s computer system “without authorization.” In order to meet this criterion, LinkedIn attempted to claim that even though the information gathered was publicly available, their terms of service stating that automated and scripted “web scraping” isn’t allowed are the same as “without authorization.”

Part of the analysis that LinkedIn relied upon was based on two precedential cases to guide its analysis on what constitutes “without authorization.” The first is United States v. Nosal (Nosal II), in which the court determined that unauthorized access to computer systems isn’t necessarily only accomplished by having locked credentials but can instead be the circumvention of access using credentials that would otherwise be valid. In that case, the court determined that unauthorized use of valid credentials is “without authorization” for the purposes of the statute.

The second case is Facebook v. Power Ventures, in which the court found that a data analytics company similar to hiQ accessed the data “without authorization” even though they were initially allowed to because they did so after their internet protocol address was blocked and they were sent a cease and desist letter

Nevertheless, the court held that terms of service or policies against web scraping are not unauthorized for the purposes of the CFAA. The term “unauthorized” is understood under the context of the statute, which is to prevent hacking, and with regard to a locked door metaphor rather than in the terms of the policy that LinkedIn claimed was violated. This significantly strengthened the legality of such “scraping” automated information gathering tech on public information.

However, the court kept the door open for other arguments or legal avenues to challenge web scraping, including state law claims like trespass, breach of contract, or unjust enrichment. One area that was not discussed was whether copyright laws may preclude this data from being appropriated this way.

The court additionally looked at the factual basis behind why LinkedIn chose now to demand hiQ to desist in their behavior. LinkedIn knew of the behavior for years before issuing their demand letter, and it was only after LinkedIn began entering into competition with hiQ with plans to perform similar analytics on their data. The court agreed that LinkedIn sent representatives to several tradeshows where hiQ presented their automation and data leveraging and that LinkedIn knew the extent of their operations well before the demand. This placed an element of bad faith into the analysis for bringing the claim against hiQ in the first place.

The elephant in the room that is only tangentially mentioned at the very end of the opinion is that the data both companies are attempting to leverage and use in their business endeavors is information provided by and for LinkedIn’s userbase. This begs the question about the data privacy concerns that users of the LinkedIn social networking platform, as well as similar platforms that other data analytics companies are using to leverage user data for profit. At the end of the day, LinkedIn wasn’t able to enforce a quasi-monopoly on the monetization of the public data its users provide, but to what extent this could be done through other mechanisms, particularly copyright, remains to be seen.

 

Student Bio: Bryan Rizza is a second-year law student at Suffolk University Law School and a staff writer for the Journal of High Technology Law. He is also a U.S. Army National Guard field artillery officer and graduated from the University of Massachusetts with a degree in Political Science a minor Computer Science.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 

 

Print Friendly, PDF & Email