Ninth Circuit: Computer Fraud and Abuse Act Doesn’t Block Public Profile Data Scraping

The case involved an assessment of the scope of the Computer Fraud and Abuse Act, a statute that was initially enacted to prevent hacking of government computers, but now covers unauthorized access of any computer connected to the internet. A key question at issue in the case was whether or not the CFAA can be used to bar hiQ from using automated bots to scrape data from publicly available LinkedIn profile pages. The Ninth Circuit agreed with the lower court and found that the CFAA likely cannot be used to bar hiQ’s conduct, even though LinkedIn objected.

The case has received significant attention, with famed law professor Laurence Tribe representing hiQ, and President Obama’s former Solicitor General Donald Verrilli representing LinkedIn.

In the decision, the Ninth Circuit affirmed the lower court’s grant of a preliminary injunction in favor of hiQ. The upheld injunction ordered LinkedIn to withdraw its cease and desist letter denying authorization and access to its servers and to disable the technological measures it had then-recently put in place to block hiQ’s IP address and bots from accessing the LinkedIn servers until the merits of the case were decided.

The Ninth Circuit’s decision rested on a combination of statutory construction, review of legislative history, analysis of prior cases, and consideration of policy issues. Among other things, the court distinguished its holding in a 2016 case Facebook, Inc. v. Power Ventures, Inc. which found that Facebook’s data fell under the CFAA’s ambit because, in part, it was password protected and not publicly available unlike LinkedIn’s profile data. Adopting a distinction between public and private data on the internet based on a password-style authorization threshold, it concluded that the CFAA “is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.” The court then assessed whether or not hiQ’s access to the data on LinkedIn’s servers was analogous to “breaking and entering” and thus improper under the CFAA. In doing so, it agreed that the CFAA likely does not govern the public profile data on LinkedIn’s servers because it lacks a password authorization or permission requirement and thus is “publicly available.”

Policy arguments also played a role in the court’s decision. Amicus briefs were filed in support on both sides. Some amici argued for affirmance on the basis that web scraping should not be outlawed because it a common practice that supports academic research and other important public benefits. Others argued for reversal, for reasons including that companies like LinkedIn deserve to be rewarded for their efforts and incentivized to keep data publicly available, and further that consumers are still entitled to privacy and some control over the data that they have authorized LinkedIn to publicly publish on their behalf. While the Ninth Circuit acknowledged that “there are significant public interests on both sides,” it concluded that “the public interest favors hiQ’s position . . . [because] giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.” hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783, 2019 WL 4251889, at *15 (9th Cir. Sept. 9, 2019).

This decision signals the Ninth Circuit’s return to limiting the scope and applicability of the CFAA (a position it has taken in the past in contrast to some other circuits). But it is important to note that this decision was made in the context of a preliminary injunction. The question of the legality of data scraping under the CFAA is further complicated by the fact that the statute is the subject of numerous circuits splits. Indeed, other circuits, including the First, Fifth, Seventh, and Eleventh Circuits, have construed portions of the CFAA more broadly than the Second and Ninth Circuits. Thus, some CFAA cases will continue to be jurisdiction-determinative, until, or unless, the Supreme Court weighs in to resolve those disagreements or Congress again amends the statute. Before filing suit under a CFAA claim, litigants should carefully consider the facts on hand and the laws of the courts with jurisdiction over the claim. While the Ninth Circuit’s decision in Facebook, Inc. v. Power Ventures, Inc. requires a cease and desist letter (at least in the case of access to “publicly available” data) for data scraping to be deemed “without authorization” and fall under the CFAA, that same letter may provide a basis for the recipient to pre-emptively file a declaratory judgment action in a circuit that construes the CFAA more in its favor.

Either way, companies that use automated bots to scrape and collect publicly available data should not take this decision as a per se blessing for their business models. First, courts in other districts can and have ruled differently and found that scraping publicly available data violates the CFAA. And, the CFAA is not the only statute that can be invoked against data scraping activities. As the Ninth Circuit noted in a measured closing to its opinion, “entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply: state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.” hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783, 2019 WL 4251889, at *14 (9th Cir. Sept. 9, 2019).[1] LinkedIn filed an extension on the deadline to request en banc review to the Ninth Circuit.

Background on the Computer Fraud and Abuse Act

The CFAA is a federal statute that provides civil and criminal liability for “access[ing] a computer without authorization or exceeding authorized access.” 18 U.S.C. § 1030(a). Initially passed in 1986 with the purpose of halting hacking of government computer systems, the statute was later amended to more broadly impose liability for improper access of any computer that “is used in or affecting interstate or foreign commerce or communication” (which, for practical purposes includes all computers—including servers, computers that manage network resources, etc.—that are connected to the internet). 18 U.S.C. § 1030(e)(2)(B). The statute “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Musacchio v. United States, ––– U.S. ––––, 136 S.Ct. 709, 713 (2016); 18 U.S.C. § 1030(a)(2)(C). It also authorizes civil suits by a party able to show, inter alia, a loss of at least $5,000 during any one year period as a result of the unauthorized access. See 18 U.S.C. § 1030(a)(4)(A)(i), (g).

In recent years, criminal defense lawyers and open internet advocates have criticized the CFAA for having harsh penalty schemes and malleable provisions.[2] However, proponents of the CFAA, including some of those who filed amicus briefs in LinkedIn’s favor before the Ninth Circuit, [3] argue that the CFAA is an important tool to combat bad internet actors and to protect consumers’ data. They also argue that less stringent CFAA liability will have adverse consequences for an open internet, either by forcing publicly available web content to move behind protected layers of paywalls or password authorizations, or disincentivizing companies and entrepreneurs from investing in the creation of publicly available databases and websites in the first place.

The Prior Ninth Circuit Cases on the Computer Fraud and Abuse Act

In a string of three recent prior cases, the Ninth Circuit opined on the CFAA’s scope to varying effects.

First, in 2012, in United States v. Nosal, 676 F.3d 854, 857-58 (9th Cir. 2012) (en banc) (“Nosal I”), the Ninth Circuit held that violation of company or website terms of use does not on its own provide a basis for liability under the CFAA. That decision rested on a determination that the phrase “exceeds authorized access” within the CFAA is limited to access restrictions, not use restrictions. The case involved criminal CFAA claims against a former employee who convinced still-current employees to use their log-in credentials in violation of the company’s use policies to download confidential company files for use in connection with starting a competitive business. In that opinion, the Ninth Circuit expressed concerns about the CFAA’s potentially all-encompassing scope, stating that it refused to “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute” and would construe the statute in line with its “focus on hacking rather than turning it into a sweeping Internet-policing mandate.” Id. at 857-58.

Several years later, in a follow-up appeal in United States v. Nosal, 844 F.3d 1024, 1028 (9th Cir. 2016), cert. denied, 138 S. Ct. 314 (2017) (“Nosal II”), the Ninth Circuit held that the unauthorized use of company log-ins and passwords after access to company computers was revoked constituted a violation of the CFAA. The court there explained that CFAA liability is not limited to complex circumvention of technical access mechanisms because the statutory term “‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Id. at 1028. Thus, because the former employee’s authorization to access the computers was revoked upon his departure from the company, his continued use of other employees’ passwords to access protected files on the company’s computers was access “without authorization” in violation of the CFAA. Nonetheless, despite that finding of liability, the court was again careful to explain that the CFAA has clear limits, stating that “we have held that authorization is not pegged to website terms and conditions. . . . This provision, coupled with the requirement that access be ‘knowingly and with intent to defraud,’ means that the statute will not sweep in innocent conduct, such as family password sharing.” Id. at 1028.

The very next day, in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067-68 (9th Cir. 2016) (en banc), cert. denied, 138 S. Ct. 313 (2017), the court found CFAA liability and reiterated that “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly.” Id. at 1067. In that case, the issue was whether a defendant data aggregator’s access to Facebook’s computers to collect profile data violated the CFAA when the individual users consented to the defendant’s use and collection, but Facebook objected via a cease and desist letter. The Ninth Circuit attempted to strike a balance, finding that before the cease and desist letter issued, there was no CFAA violation because the defendant “reasonably could have thought that consent from Facebook users to share the promotion was permission [] to access Facebook’s computers.” Id. at 1067. However, the court ruled that upon receipt of Facebook’s cease and desist letter and notice of its objection, the defendant’s continued accessing the Facebook computers to collect the data was “without authorization” and a violation of the CFAA.

The Computer Fraud and Abuse Act is Subject to a Number of Circuit Splits

The CFAA is subject to a number of circuit splits, making the viability of claims for data scraping or other computer access activities highly dependent on the factual nature of the data collected and means of collection, as well as where the suit is filed. Not all circuits agree with the Ninth Circuit that violation of terms of service or a website use policy alone cannot give rise to CFAA liability. While the Second and Fourth Circuits have indicated some agreement,[4] other, including the First, Third, and Eleventh Circuits have declined to decide the issue or reached contrary conclusions.[5] 

[1] Not surprisingly, the viability of each of those claims is highly dependent on the jurisdiction where the suit is filed and nature of the conduct at-hand and id therefore outside the scope of this alert.

[2] For example, the Electronic Frontier Foundation advocated for CFAA reforms after the death of Aaron Swartz, an internet activist who committed suicide while facing federal criminal prosecution for using a script to download scholarly research articles from JSTOR in violation of the terms of service. Computer Fraud And Abuse Act Reform, The Electronic Frontier Foundation, (last visited Sept. 15, 2019). The National Association of Criminal Defense Lawyers has likewise identified the CFAA as a statute “[w]ith harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and use against nearly every aspect of computer activity.” Stay Informed: Overcrimalization, NACDL, (last visited Sept. 15, 2019).

[3] Parties who filed amicus briefs in LinkedIn’s favor included: Craigslist, Inc., an online free classified advertisements website, see Brief of Amicus Curiae Craigslist, Inc. in Support of Defendant/Appellant Linkedin Corp., 2017 WL 4698991 (9th Circuit, Filed October 10, 2017); and CoStar Group, Inc., a company that provides an online real estate marketplace and accompanying information and analytics, see Brief of Amicus Curiae Costar Group, Inc., in Support of Appellant and Reversal, 2017 WL 4698990 (9th Circuit, Filed Oct. 10, 2017).

[4] See, e.g., United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015) (rejecting “the government’s interpretation of ‘exceeds authorized access’ [as unauthorized use because it would] make[] every violation of a private computer use policy a federal crime”); WEC Carolina Ener. Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) (noting that the unauthorized use construction of the CFAA “would impute liability to an employee who with commendable intentions disregards his employer’s policy against downloading information to a personal computer so that he can work at home”).

[5] See, e.g., EarthCam, Inc. v. OxBlue Corp., 703 Fed. Appx. 803, 808 & n.2 (11th Cir. 2017) (noting that circuit precedent suggests that “a person exceed[s] authorized access if he or she uses the access in a way that contravenes any policy or term of use governing the computer in question,” but acknowledging disagreement of this rule in other circuits); CollegeSource, Inc. v. AcademyOne, Inc., 597 Fed. Appx. 116, 130 (3d Cir. 2015) (suggesting that defendants could violate the CFAA by “breach[ing] any technological barrier or contractual term of use”); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62 (1st Cir. 2003) (stating that “[a] lack of authorization could be established by an explicit statement on the website restricting access”).