Ninth Circuit Rejects Claim That Web Scraping Violates CFAA
On September 9, 2019, the U.S. Court of Appeals for the Ninth Circuit issued a highly-anticipated opinion in hiQ Labs, Inc. v. LinkedIn Corporation, No. 17-16783 (9th Cir. Sept. 9, 2019). At issue was whether businesses can invoke the Computer Fraud and Abuse Act (“CFAA”), the federal anti-hacking law, to prevent competitors from scraping publicly available data from a company’s website. In its decision, the court declined to interpret the scope of CFAA to prohibit hiQ’s data scraping activity.
The defendant in this case, LinkedIn, is a professional networking website with over 500 million members. According to its User Agreement, the user retains ownership of their content and information, and the user grants LinkedIn a non-exclusive license to use their information.
The plaintiff, hiQ Labs, Inc., is a data analytics company that specializes in “people analytics.” It developed a proprietary predictive algorithm to analyze vast datasets available online. Relying on a data collection method that has come into increasingly wide use by companies across industries, hiQ acquires its data through the use of automated software programs, called bots, to scrape information contained online. For purposes of hiQ’s business model, some of that automated collection includes scraping information from LinkedIn users’ public profiles. It then uses the LinkedIn data and its own proprietary predictive algorithm to sell “people analytics” products to businesses, including two products that assist employers with retaining their workforce and identify skill gaps in their workforce.
In May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting that hiQ’s data collection was in violation of the LinkedIn User Agreement, and that it violated the CFAA, along with other state and federal laws. HiQ responded by filing suit for tortious interference with contracts, along with other state law claims. Additionally, hiQ sought both a preliminary injunction to prevent LinkedIn from denying hiQ’s bots access to LinkedIn’s information, and a declaratory judgment that hiQ’s data collection practices did not violate the CFAA or other federal and state laws. The District Court granted hiQ’s request for a preliminary injunction, which LinkedIn appealed.
Broadly speaking, the CFAA makes it a crime for a person or organization to access someone else’s computers without appropriate authorization. The statute also creates a private right of action, allowing computer owners to sue other persons or entities for damages they sustain as a result of falling victim to the unauthorized access. The key CFAA provision at issue in this case was whether or not hiQ’s scraping activity is a type of activity included within the scope of the law’s prohibition against knowingly accessing a computer “without authorization” or in a manner that “exceeds authorized access.”
LinkedIn argued that a user who scrapes data from the public profiles on LinkedIn’s website after receiving a cease-and-desist letter does so in violation of the User Agreement, and that these actions meet the definition which constitutes access “without authorization” in violation of the CFAA. The law does not offer a precise definition or test for accessing a computer “without authorization,” and as a result, this provision has been the subject of significant litigation over the past decade, including in the Ninth Circuit, where the court has previously ruled that CFAA ought not be turned “into a sweeping Internet-policing mandate.” Because the technique of scraping data is so widely used – by search engines and academic research purposes as well as for commercial aims – a number of advocacy groups filed amicus briefs in this litigation.
The Ninth Circuit rejected LinkedIn’s claim. In reviewing CFAA’s legislative history, the court noted that CFAA was enacted to prohibit hacking, the deliberate intrusion onto someone else’s computer, and it is therefore “best understood as an anti-intrusion statute and not a misappropriation statute.” The court noted that, throughout the legislative record, the concept of access “without authorization” was analogized to breaking and entering, something that the court analogized to circumventing password authentication or a similar access authorization system. Although bypassing login credential requirements such as username and password does appear to violate CFAA, the court noted that, in this case, hi-Q was accessing publicly available information that was not protected by passwords or similar login requirements.
Further, because hiQ was accessing publicly available information from LinkedIn users’ public profiles and because LinkedIn users retain ownership over their information, LinkedIn did not have a protected property interest in this information. The Ninth Circuit recognized that access to publicly available information does not constitute access “without authorization” under the CFAA, and sending a cease-and-desist letter does not make that access “without authorization” under the CFAA.
The court also reviewed a number of other claims that are relevant for future cases litigating the propriety of data scraping. Specifically, the Ninth Circuit rejected LinkedIn’s contract-based interpretation of the CFAA’s prohibition of access “without authorization” provision, while acknowledging other circuits have adopted this interpretation.
The Ninth Circuit affirmed the District Court’s decision to grant a preliminary injunction that prevented LinkedIn from blocking hi-Q’s bots from accessing publicly available information on LinkedIn’s site.
While this opinion indicates the Ninth Circuit may interpret the scope of CFAA narrowly, the Ninth Circuit reassures us that “victims of data scraping are not without resort” and identifies other avenues, including pursuing state law trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy claims.
One important caveat to this opinion is that because of the procedural posture of the case, the Ninth Circuit only addressed whether hiQ “raised serious questions” about whether LinkedIn could appropriately invoke CFAA to block hi-Q’s data collection. The Ninth Circuit has not definitively resolved the legal dispute between hiQ and LinkedIn, and the litigation is far from over. In addition, given how closely watched this litigation has been, and the perennial discussion about whether and when CFAA should be amended, the issue of CFAA’s applicability to scraping of publicly available information is likely to surface again in future cases and legislative proposals.
Saul Ewing Arnstein & Lehr’s lawyers are available to assist with any questions you may have regarding issues raised in this Alert. For further information, please contact the authors of this alert, the Saul Ewing Arnstein & Lehr lawyer with whom you usually work or any of the leaders of the firm’s Cybersecurity and Privacy practice group.