Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Welcome
Go
Free Newsletter Sign Up

Supreme Court Scraps LinkedIn Data-Scraping Decision

July 6, 2021, 8:00 AM

The U.S. Supreme Court agreed to hear LinkedIn’s case against a data analytics company for scraping data from public LinkedIn user profiles allegedly in violation of the Computer Fraud and Abuse Act (CFAA). In its order, the court vacated the Ninth Circuit’s September 2019 ruling in the case and remanded it back to the appeals court for reconsideration in light of another recent Supreme Court opinion interpreting the statute’s scope.

The practice of using automated tools to “scrape” data from websites has been controversial and the law surrounding this practice has been somewhat inconsistent. Perhaps, the Supreme Court’s intervention will provide some much needed clarity to at least some of the questions associated with this practice.

Legal Issues With ‘Screen Scraping’

Many companies use bots or other software to obtain data and other content from websites. This practice, also known as “screen scraping” can raise a number of legal issues. These issues can include copyright infringement (e.g., if the content being scraped includes pictures or other creative content), breach of terms of use, electronic trespass, DMCA violations (e.g., if the scraper circumvents technical measures on the site) and claims related to computer fraud.

The LinkedIn dispute arose out of hiQ’s use of automated bots to scrape massive amounts of information from publicly available LinkedIn user profiles. Thus far, lower courts have sided with hiQ on grounds that certain information on the site is publicly available and could be accessed by the public without entering a password.

In its petition for review, LinkedIn urged the high court to overturn the Ninth Circuit’s opinion on several grounds, including that it was in contravention of CFAA policy and has left operators of public-facing websites like itself without a means of protecting user data from unauthorized scrapers, such as hiQ.

Tie in With Van Buren CFAA Decision

In another recent decision, Van Buren v. United States, the Supreme Court reversed and remanded a criminal conviction of a former police officer for a felony violation of the CFAA. In that case, Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct clearly violated his department’s policy, which authorized database access only for law enforcement purposes. Van Buren was charged with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized acces.”

The term “exceeds authorized access” is defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

On appeal, Van Buren argued that the “exceeds authorized access” clause of the CFAA applies only to those who obtain information to which their computer access does not extend, not to those who misuse access that they otherwise have.

The Supreme Court framed the issue as whether Van Buren violated the CFAA, which makes it illegal to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled “so to obtain” or alter. The court found that he did not. It reasoned that this provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.

One of the interesting questions based on the LinkedIn case is what constitutes “authorized access.” A LinkedIn user who has properly logged into their account manually is “authorized” to access public information on that site. However, the LinkedIn terms of service specifically preclude data scraping.

The interpretation of the clause “so to obtain” is also an issue. The “so to obtain” language arguably refers back to the “access.” If that is the case, then how the user accesses the data may be relevant. Given the prohibition on using data scraping for accessing LinkedIn data, that form of access likely was not authorized.

This sets up an interesting issue of what is meant by “authorized access.” On the one hand, a user is authorized to access the LinkedIn data. On the other hand, a user agrees not to do so by using scraping technology.

Hopefully, the Supreme Court’s review of LinkedIn will provide further clarification on resolution of these and other data scraping issues.

This column does not necessarily reflect the opinion of The Bureau of National Affairs,Inc. or its owners.

Write for Us: Author Guidelines

Author Information

James G. Gatto is a partner in Sheppard Mullin’s Intellectual Property practice in the Washington, D.C., office.

Pouneh Almasi is an associate in Sheppard Mullin’s Intellectual Property practice.