As we have previously discussed, claims under the Computer Fraud and Abuses Act (CFAA) are commonly asserted as a means of protecting online data from unwanted scraping activity. The scope and application of the CFAA, however, have been subject to significant, and sometimes conflicting, judicial consideration. Last week's highly anticipated decision of the United States Court of Appeals for the Ninth Circuit in hiQ Labs, Inc. v. LinkedIn Corp. 1 marks the latest decision in this evolving judicial narrative. In affirming the District Court for the Northern District of California's award of a preliminary injunction preventing LinkedIn Corp. (LinkedIn) from denying hiQ Labs, Inc. (hiQ) access to the public profiles of LinkedIn's members,2 the Ninth Circuit found, inter alia, that hiQ raised serious questions as to the applicability of the CFAA to hiQ's conduct. This article focuses on the examination of the CFAA in this recent decision and the implications for data scrapers and aggregators and those who want to protect their public data from unwanted scraping activity.
For those that are not familiar with the hiQ proceedings, hiQ is a data analytics company that, using automated means, scrapes data from public LinkedIn profiles and uses such data, along with a proprietary predictive algorithm, to develop analytic products. In May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting, inter alia, that hiQ was in violation of LinkedIn's User Agreement, demanding that hiQ stop accessing and copying LinkedIn data and alleging that hiQ would be violating the CFAA if hiQ did not. hiQ subsequently filed suit seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not, among other things, lawfully invoke the CFAA against hiQ. The district court granted hiQ's motion and ordered LinkedIn to withdraw its cease-and-desist letter, and to refrain from putting in place any legal or technical measures with the effect of blocking hiQ's access to public LinkedIn profiles. LinkedIn appealed.
The appeal: Applicability of the CFAA to hiQ's conduct
The interlocutory appeal was focused on whether the district court below abused its discretion in granting hiQ a preliminary injunction. A party seeking a preliminary injunction must establish that it is likely to succeed on the merits, that it is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of the equities tips in its favor, and that an injunction is in the public interest. When the balance of hardships tips sharply in the plaintiff's favor, the plaintiff need only demonstrate serious questions going to the merits.
The CFAA was examined in the context of whether hiQ could show a likelihood of success on any of its state law causes of action, as LinkedIn argued that such state law causes of action were preempted by the CFAA. The pivotal question was "whether, once hiQ received LinkedIn's cease-and-desist letter, any further scraping and use of LinkedIn's data was ‘without authorization' within the meaning of the CFAA and thus a violation of the statute." This was important because, if the CFAA was likely to apply, "hiQ could have no legal right of access to LinkedIn's data and so could not succeed on any of its state law claims, including the tortious interference with contract claim [the Ninth Circuit] held otherwise sufficient for preliminary injunction purposes."
The CFAA states that "[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished. . ." 3 Further, "[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief."4
In considering the meaning of "without authorization," the Ninth Circuit examined both the language of the statute (including the meaning of the word "authorization") as well as the legislative histories of both the CFAA and the Stored Communications Act 18 U.S.C. § 2701 (that contains a similar "without authorization" provision).
- The language of the statute: The Ninth Circuit found that the wording "‘access . . . without authorization' . . . suggests a baseline in which access is not generally available and so permission is ordinarily required." The Ninth Circuit added that "‘[a]uthorization' is an affirmative notion, indicating that access is restricted to those specially recognized . . . Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not a lack of ‘authorization.'"
- Legislative history: In noting that the CFAA was "enacted to prevent intentional intrusion onto someone else's computer —specifically, computer hacking," the Ninth Circuit recounted that the 1984 House Report on the CFAA explicitly "analogized the conduct prohibited by section 1030 to forced entry" and thus the conduct prohibited is akin to that of "breaking and entering." The Ninth Circuit concluded that the "legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort."
Accordingly, the Ninth Circuit held:
"[i]t is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA," and that the "without authorization" provision under the CFAA is violated "when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer."
In reaching the holding above, the Ninth Circuit laid out the three categories computer information contemplated by the CFAA:5
- Information for which access is open to the general public and permission is not required
- Information for which authorization is required and has been given and
- Information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed)
The Ninth Circuit concluded that the public LinkedIn profiles at issue "fall into the first category" and the concept of "without authorization" is inapplicable in this case as hiQ's scraping is not analogous to the "breaking and entering" invoked frequently during congressional consideration of the CFAA. The data was publicly available to all and the users knew this about their data. The Ninth Circuit noted that the data hiQ sought to access "is not owned by LinkedIn" and "has not been demarcated by LinkedIn as private using such an authorization system" like username and password.
The Ninth Circuit distinguished the two cases6 LinkedIn principally relied upon to establish the application of the CFAA to hiQ's conduct. The Ninth Court concluded that the two cases "control situations in which authorization generally is required and has either never been given or has been revoked" and fall into the third category above. Further, noting that "the CFAA is best understood as an anti-intrusion statute and not as a ‘misappropriation statute,'" the Ninth Circuit also expressly rejected the contract-based interpretation of the CFAA's "without authorization" provision adopted by some of the other circuits. See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contractual restraints could give rise to a claim for unauthorized access under the CFAA); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant "exceeds authorized access" when violating policies governing authorized use of databases).
Other factors were also highly relevant to the Ninth Circuit's decision to affirm the district court's decision to grant hiQ's motion, namely:
- Irreparable harm: That hiQ had demonstrated a likelihood of irreparable harm absent a preliminary injunction because the record provided "ample support" for finding that "hiQ currently has no viable way to remain in business other than using LinkedIn public profile data" for its services. The Ninth Circuit noted that hiQ would likely be forced to breach its existing contracts with its clients, hiQ's financing round stalled upon receiving LinkedIn's cease-and-desist letter, and several employees left the company.
- Public interest: That "giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest" and thus the public interest "favors hiQ's position." The Ninth Circuit denied the possibility of the injunction opening the door to malicious activities (e.g., denial-of-service attacks and identity thefts) because such injunction does not preclude LinkedIn from continuing to engage in "technological self-help."8
Is this a green light for data scraping?
While data vendors, aggregators and proponents of open internet data will welcome this decision, it is important to note that in affirming the district court's conclusion that hiQ raised serious questions as to the applicability of the CFAA to hiQ's conduct and its decision to affirm the preliminary injunction, the Ninth Circuit suggested that inapplicability of the CFAA is not the end for data scraping victims. The Ninth Circuit noted that other causes of action, including state law trespass to chattels claims, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract or breach of privacy may still apply. In particular, the Ninth Circuit hinted that, albeit dicta, "web scraping exceeding the scope of the website owner's consent" may give rise to "a common law tort claim for trespass to chattels, at least when it causes demonstrable harm." We have explored many of these causes of action in the past on our Technology Newsflash blog.
The Ninth Circuit also emphasized that the LinkedIn profile data was not "owned" by or proprietary to LinkedIn and that LinkedIn only had a non-exclusive license to such data (a position regularly taken by social media platforms). One wonders, however, if the data were not contributed by third parties, would the Ninth Court's analysis have differed.
It is also important to note that the decision only affirms the district court's decision to award hiQ a preliminary injunction and does not "resolve the companies' legal disputes definitively, nor . . . address all the claims and defenses they have pleaded in the district court." Indeed, the matter has been remanded to the district court for further proceedings.
The decision, however, does illustrate that whether data has been accessed from behind a password authentication system is relevant to a CFAA analysis, at least in the Ninth Circuit for now. Whether this leads to a more free and open internet or whether this encourages those wanting to protect publicly available website data from unwanted scraping activity to locate more data behind logins or other access controls in an attempt to gain CFAA protections remains to be seen.