In a much-anticipated ruling this week addressing the confluence of website scraping and computer hacking law, the U.S. Court of Appeals for the Ninth Circuit became the latest federal court to limit the reach of the Computer Fraud and Abuse Act (CFAA). In hiQ Labs v. LinkedIn, the Ninth Circuit held, for a second time, that the automated capture of data from the publicly accessible pages of websites (that do not require the creation of an account for access) does not violate the CFAA’s prohibition on accessing a computer “without authorization.” The circuit court’s decision closely tracks the U.S. Supreme Court’s landmark ruling in Van Buren v. United States (2021), which narrowly interpreted the correlated “exceeds authorized access” provision of the CFAA.
HiQ, like Van Buren before it, reads the CFAA to create a bright-line “gates-up-or-down inquiry.” Liability turns on whether there was an intrusion into a protected system, not whether data access amounted to a technical violation of the data holder’s terms of service. The decision creates breathing room for companies that mine public data for commercial use, just as state and federal regulators are ramping up data privacy protections.
A Long and Twisting Road
HiQ is a data analytics company that uses automated bots to extract or “scrape” employment data from public websites for use in its commercial “talent management” AI products. HiQ scraped LinkedIn users’ career profiles from pages that are viewable to all visitors to LinkedIn’s website, but did not scrape profiles visible only after one logs into a LinkedIn account. In May 2017, LinkedIn sent hiQ a cease-and-desist letter asserting that hiQ violated state law, the CFAA and the LinkedIn User Agreement by harvesting its users’ data, and further demanded that hiQ stop accessing and copying LinkedIn data. LinkedIn also implemented technical guards to restrict hiQ from further acquiring data from its website.
In response, hiQ sued LinkedIn in the Northern District of California, seeking injunctive relief to prevent LinkedIn from blocking its access to public member profiles and declaratory relief on the state and federal law claims. The district court granted hiQ’s motion, holding that LinkedIn was unlikely to prevail on its CFAA claim, and that it might be in violation of California’s Unfair Competition Law.
In 2019, on appeal, the Ninth Circuit upheld the injunction against LinkedIn, finding that hiQ raised serious questions on the merits of the factual and legal issues. The Supreme Court granted LinkedIn’s petition for writ of certiorari, but then vacated the judgment and remanded for further consideration based on its June 2021 decision in Van Buren. That case involved a police sergeant charged with violating the CFAA’s “exceeds authorized access” prohibition in Section 1030(a)(2) by running license plate searches, in exchange for money, on a database that he was authorized to use. In a 6-3 ruling, the Supreme Court held that the sergeant’s improper use of the license plate database did not “exceed” his authorized access because he did not access areas of his employer’s computer systems, such as files, folders or databases, to which his authorized access did not extend. While Van Buren addressed the meaning of the “exceeds authorized access” clause and not the “without authorization” clause at issue in hiQ, the Supreme Court did observe that the “‘without authorization’ clause ... protects computers themselves by targeting so-called outside hackers—those who ‘acces[s] a computer without any permission at all.’”
On April 18, 2022, in its latest ruling on remand, the Ninth Circuit again upheld the injunctive relief.
HiQ Revisited in Light of Van Buren
HiQ marked the Ninth Circuit’s first opportunity to apply the limiting principles in Van Buren to a common set of facts: Did hiQ access data “without authorization” in violation of the CFAA after it received LinkedIn’s cease-and-desist letter advising hiQ that it breached LinkedIn’s User Agreement? The Ninth Circuit conducted several layers of analysis:
- The circuit court considered the CFAA’s legislative history, noting that the statute “was enacted to prevent intentional intrusion onto someone else’s computer—specifically, computer hacking.” As the CFAA was an “anti-intrusion” statute rather than a “misappropriation statute,” trespass principles logically applied.
- The Ninth Circuit found that Van Buren’s liability analysis under a “gates-up-or-down inquiry” was not applicable to information available to the public. According to the court, a computer hosting publicly available webpages “has erected no gates to lift or lower in the first place.”
- The Ninth Circuit also reconciled its ruling with two prior opinions interpreting the CFAA, which some had interpreted as broadly recognizing that the owner of a computer could revoke access to the computer by sending a cease-and-desist letter or otherwise informing a person that he or she was no longer authorized to access the computer. In Facebook v. Power Ventures, the Ninth Circuit held that Power Ventures’ continued access to non-public, password-protected Facebook user data through Power Ventures’ Facebook account was sufficient to state a claim under the CFAA for unauthorized access. In United States v. Nosal (Nosal II), the circuit court held that an individual’s access to a former employer’s computers using current employees’ login credentials was unauthorized. In hiQ, the Ninth Circuit clarified that the publicly accessible LinkedIn profiles were accessible to all by default because no limitations on access had ever been imposed on them. Because Facebook and Nosal’s employer had “gated” access to the data at issue to registered account holders in Facebook’s case, and current employees in Nosal’s case, Power Ventures and Nosal lacked authorization to access it. But because there had never been any restrictions on access to the public profiles on LinkedIn, the circuit court held that LinkedIn could not revoke access merely by sending a letter and attempting to block a user from accessing the site.
- The circuit court applied the rule of lenity to make a “narrow interpretation of the ‘without authorization’ provision of the CFAA.” Because the prohibition on unauthorized access applies to both civil actions and criminal prosecutions, the Ninth Circuit favored a narrow interpretation “so as to not turn a criminal hacking statute into a sweeping Internet-policing mandate.”
Free-for-All on Public Scraping? What the hiQ Decision Means
The Ninth Circuit’s decision illuminates what the future may hold for data analytics companies and websites with data accessible to the public, at least within the Ninth Circuit.
The decision comes as a win for data aggregators, archivists, academics, researchers and journalists who use tools to mass collect (or “scrape”) information that is publicly accessible on the internet and not otherwise protected behind a user login.
However, it should not be seen as a green light on all data harvesting activities. Mass copying of copyrightable content, such as photos or other protectable expression, may give rise to copyright infringement liability, and automated data collection practices that overwhelm and bog down servers can raise exposure for common law claims such as trespass to chattels. Additionally, if a scraper agrees to a website operator’s terms of service that prohibit automated scraping, as many do, the scraped site may enforce its contract to stop the scraping.
Thus, while the Ninth Circuit’s decision adds some clarity around risk for violating the CFAA, automated data collection programs should be conducted thoughtfully to navigate the legal minefield of scraping.