A “defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser.” The U.S. Court of Appeals for the Ninth Circuit recently reiterated in a significant ruling in hiQ Labs v. LinkedIn [1] that the capture of data from the publicly accessible webpages of LinkedIn would not violate the Computer Fraud and Abuse Act’s (CFAA’s) [2] prohibition against accessing a computer “without authorization.” This ruling follows and applies the U.S. Supreme Court’s 2021 decision in Van Buren v. United States, [3] which reined in the scope of the “exceeds authorized access” provision of the CFAA. Many view hiQ as a win for analytics firms, academics, researchers, and other data aggregators. Companies seeking to protect publicly accessible online information should evaluate the applicability of the CFAA to their websites by determining, among other things, whether the data access in question involves intrusion into a protected system, rather than access to publicly available data that merely violates the company’s terms of service or use. If only a company’s terms of service or use are implicated, hiQ casts doubt on whether the CFAA offers any protection for companies’ publicly available data.

HiQ’s Data Collection Versus LinkedIn’s Data Protection

HiQ is a data analytics company that collects information from public profiles of LinkedIn users. In particular, hiQ uses automated bots that scrape LinkedIn user information, including name, job title, work history, and skills. HiQ then analyzes and sells this data to employers. In 2017, LinkedIn sent hiQ a cease-and-desist letter demanding that it stop scraping data from LinkedIn and accusing hiQ of violating, among other things, the CFAA and LinkedIn’s User Agreement by collecting users’ data. LinkedIn also implemented technical measures to block hiQ from scraping more data from its website.

HiQ responded by suing LinkedIn and asking a federal court to enjoin LinkedIn from blocking hiQ’s access. The court sided with hiQ and granted an injunction, ordering LinkedIn to stop blocking hiQ’s access to LinkedIn’s website. The Ninth Circuit affirmed. LinkedIn then sought review from the U.S. Supreme Court, which vacated the Ninth Circuit’s judgment and remanded the case for further consideration in view of the Supreme Court’s CFAA-related decision in Van Buren. There, the Supreme Court held that an accused police officer’s improper use of a license plate database did not “exceed” his authorized access for purposes of the CFAA’s “exceeds authorized access” provision because he did not access areas of his employer’s computer systems, such as files, folders, or databases to which his authorized access did not extend. Van Buren did not rule on the meaning of the CFAA’s “without authorization” provision of the CFAA, which was at issue in hiQ, but the Supreme Court did observe that the “‘without authorization’ clause…protects computers themselves by targeting so-called outside hackers—those who ‘acces[s] a computer without any permission at all.’”

On remand from the Supreme Court, the Ninth Circuit grappled with the issue of “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA.” LinkedIn argued that the letter, coupled with its User Agreement in which people visiting the website agree to not “[s]crape or copy profiles and information of others through any means…,” deprived hiQ of authorization to scrape data and thus made its actions unlawful. The Ninth Circuit, however, disagreed.

The Ninth Circuit’s Analysis of the CFAA as an “Anti-Intrusion,” and Not a “Misappropriation,” Statute

The Ninth Circuit highlighted the relevant portion of the CFAA that states, “Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished” by fine or imprisonment. [4] The court explained that the legislative history of the CFAA indicated that its purpose was “to prevent intentional intrusion onto someone else’s computer—specifically, computer hacking.” The CFAA was intended to be an “anti-intrusion” statute rather than a “misappropriation statute.” The Ninth Circuit stated that it “favor[ed] a narrow interpretation of the CFAA’s ’without authorization’ provision so as not to turn a criminal hacking statute into a ’sweeping Internet-policing mandate.’” The court cited to precedent holding that “[a] violation of the terms of use of a website—without more—cannot establish liability under the CFAA.” Instead, the Ninth Circuit found persuasive an interpretation that, to violate the CFAA’s “without authorization” provision, “an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web.” Public websites like LinkedIn generally have no such barriers. They, instead, provide anyone with a web browser the ability to search and view data posted on such public websites.

Concluding its assessment of the merits of LinkedIn’s CFAA violation accusation, the Ninth Circuit found the following:

It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system.

LinkedIn argued that permitting hiQ to scrape data from LinkedIn’s website would undermine LinkedIn’s ability to thwart denial-of-service attacks and LinkedIn’s ability to “block[] abusive users, identity thieves, and other ill-intentioned actors.” The court, however, appeared skeptical of LinkedIn’s argument and stated that the opinion against LinkedIn’s CFAA claim “does not preclude LinkedIn from continuing to engage in ‘technological self-help’ against bad actors—for example, by employing ‘anti-bot measures’ to prevent, e.g., harmful intrusions or attacks on its server.”

Regardless of whether your company is a data aggregator, an operator of a public social networking website, or otherwise allows public access to company data on the internet, the hiQ opinion suggests that a company seeking the protection of the CFAA should carefully analyze its data access policies and practices. In the wake of hiQ, companies may also wish to evaluate other possible legal mechanisms for protecting their publicly available data, including privacy torts and misappropriation laws.