Data has become a valuable commodity in our economy, with some analysts valuing it above crude oil. Billion-dollar businesses stake their existence on the collection and analysis of publicly available data. So naturally, control and access to vast and valuable data sources has become a passionate race, spurring legal disputes with potentially far-reaching consequences.
Congress enacted the Computer Fraud and Abuse Act (CFAA), originally referred to as the “anti-hacking” statute, to prevent malicious actors from accessing internet-connected computers without authorization. In today’s data-driven economy, however, the CFAA has been repurposed in some cases as a bludgeon against data miners in the data race.
Two years ago, hiQ Labs, a data analytics company that uses web scrapers to access data, secured a victory in the U.S. District Court for the Northern District of California. The court granted hiQ’s preliminary injunction motion prohibiting LinkedIn from using electronic blocking measures to prevent hiQ from downloading publicly available information on LinkedIn’s user profiles.
A Lifeline to Web-Scraping Companies?
LinkedIn appealed the preliminary order, and after nearly two years under review, the U.S. Court of Appeals for the Ninth Circuit recently affirmed the district court’s finding that hiQ’s activities did not violate the CFAA, providing a lifeline—at least temporarily—to hiQ and potentially other businesses engaged in web scraping.
LinkedIn was aware of hiQ’s business model since at least 2015. In 2017, LinkedIn began marketing its own products to compete with hiQ. LinkedIn sent hiQ a cease-and-desist letter and employed various technical measures to block hiQ’s access to LinkedIn’s publicly available user profile data.
hiQ believed that these measures posed an existential threat to hiQ’s business, which relies predominantly on LinkedIn users’ profile data. Accordingly, hiQ sued LinkedIn seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA.
Information Was Public
The Ninth Circuit, did not definitely resolve whether LinkedIn lawfully invoked the CFAA against hiQ. Rather, the court reviewed this case on interlocutory appeal at the preliminary injunction stage, and thus decided the district court’s findings regarding hiQ’s likelihood of success on the merits of its case, which specifically turned on whether hiQ raised serious questions about LinkedIn’s invocation of the CFAA, were correct.
The CFAA imposes civil and criminal liability on those accessing and obtaining information from a protected computer without authorization or exceeding authorized access. The central CFAA issue on appeal was whether any further scraping of LinkedIn’s user data by hiQ lacked authorization or exceeded authorized access within the meaning of the CFAA once hiQ received LinkedIn’s cease-and-desist letter.
The court interpreted the ordinary meaning of the CFAA’s authorization language to suggest a “baseline in which access is not generally available.” As such, the court reasoned that prohibitions of the CFAA are inapplicable to publicly available information, which does not require authorization in the first place.
Further, the court found support for its analysis in the legislative history of the CFAA where legislatures intended only to prohibit conduct akin to “breaking and entering” and viewed the statute as a prohibition on unauthorized access to private information obscured to the public by a password or other means.
Access to LinkedIn user profiles is open to the general public and web users do not require a password to access these public profiles. Hence, the court concluded that in the absence of any sort of credential requirement, such as a password, the prohibition on unauthorized access within the CFAA is not applicable to scraping LinkedIn users’ public profile data.
Although the decision was rendered in the context of a motion for preliminary injunction, the court nonetheless crystallized its interpretation of the CFAA’s unauthorized access prohibition, specifically in its application to publicly available data. Further, the court emphasized that its decision was consistent with previous cases interpreting the unauthorized access prohibition.
Notably Power Ventures and Nosal II were cases in which the Ninth Circuit determined a user violated the CFAA because the user accessed private data stored on a password protected computer or shielded from the user through IP address barriers. See Facebook Inc. v. Power Ventures Inc., 844 F.3d 1058 (9th Cir. 2016); see also United States v. Nosal (Nosal II), 844 F.3d 1024 (9th Cir. 2016).
Altogether, the Ninth Circuit has taken the position that the applicability of the CFAA turns on whether the accessed information was private or publicly available. With respect to publicly available data, the Ninth Circuit has signaled the retirement of the CFAA from the arsenal of website owners.
What’s Next for Website Owners?
The Ninth Circuit’s decision is undoubtedly favorable for web scrapers like hiQ with respect to the CFAA.
Website owners are not, however, left without recourse in the burgeoning data race. The court explicitly left intact other legal avenues for website owners to combat web scrapers, including trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy. The hiQ v. LinkedIn dispute will likely now turn to those claims as the litigation continues in district court.
Moreover, other website owners will focus on these causes of action to prevent web scrapers from absconding with their data.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Margaret A. Esquenet is a partner at Finnegan. Her practice focuses on contemporary issues in U.S. and global technology issues, including copyright, advertising, and trademark law.
Pejmon Pashai is an associate at Finnegan. His practice primarily focuses on client counseling, pre-trial investigations, and patent litigation. Pashai’s work spans various sectors including pharmaceuticals, consumer electronics, and data privacy.