Ninth Circuit Rules that Scraping a Public Website is Likely Not a CFAA Violation
In the highly-anticipated decision in the hiQ Labs v. LinkedIn case, the Ninth Circuit upheld the preliminary injunction against LinkedIn, prohibiting it from barring hiQ’s scraping of public profiles from its site. In so doing, the court held that the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”) is likely not violated by the scraping of publicly available data even after receipt of a cease-and-desist letter. Notwithstanding that this decision is not a full adjudication of the case – but rather a determination of whether hiQ has a likelihood of success on the merits and if the injunction is necessary to prevent irreparable harm – the court’s analysis of the CFAA claims significantly extends a body of CFAA-related caselaw suggesting that the CFAA cannot be used to prevent webscraping of public content.
The Ninth Circuit did not decide the entire case on its merits. Rather, it only analyzed whether the preliminary injunction issued against LinkedIn should be affirmed. In so doing, it found that the balance of hardships tipped in hiQ’s favor—under the applicable legal standard, hiQ only had to demonstrate that it had raised “serious questions going to the merits” of the legal issues in the case. Thus, the opinion is not a final ruling on any of the described claims, and its treatment of the issues could still be revisited by the court after summary judgment or a trial on the merits if the case proceeds.
Analysis of Decision
The district court entered the injunction against LinkedIn after analyzing the four preliminary injunction factors. As part of this analysis, the district court found that hiQ was likely to have success on the merits of its state law claims that LinkedIn had tortiously interfered with hiQ’s contracts by seeking to block it from accessing public profiles on the LinkedIn website. Such blocking was alleged to be a death knell to hiQ’s business, preventing the company from collecting the data that fuels its operations and thus, causing it to violate its customer contracts. After finding that the district court had correctly concluded that LinkedIn likely knew of these contracts as well as hiQ’s business expectations and may not have been within the realm of fair competition, the Ninth Circuit needed to determine if hiQ’s conduct amounted to a CFAA violation. If it was, the CFAA would preempt all of hiQ’s claims against LinkedIn and justify LinkedIn’s steps to block hiQ’s traffic. But, as described below, the Ninth Circuit found that the CFAA is unlikely to cover hiQ’s scraping activities as applied to LinkedIn public profiles.
The court identified the pivotal CFAA question as “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA.” The court focused its analysis on the statute’s original legislative purpose, stating the CFAA is “best understood as an anti-intrusion statute” and “therefore we look to whether the conduct at issue is analogous to ‘breaking and entering’.” The court explained that the CFAA is “premised on a distinction between information presumptively accessible to the public and information for which authorization is generally required….” Therefore, the court suggested that publicly available information does not require authorization to access in the first place and similarly cannot have such authorization revoked. The court also analogized to the concept of “without authorization” as used in the Stored Communications Act, where computer communication systems are generally divided into sites “accessible to the general public,” and sites that are “not visible to the public,” i.e. restricted or private. Restricted systems – like Facebook – require passwords or other credentials to access them.
Accordingly, the court articulated three categories of computer information for purposes of the CFAA analysis:
- Information for which access is open to the general public and permission is not required;
- Information for which authorization is required and has been given; and
- Information for which authorization is required and has not been given (or not given for the part of the system accessed).
In the court’s view, LinkedIn’s public profiles fall into the first category, (whereas the court suggested, in dicta, that Facebook’s private profiles, which require the creation of username and passwords to access, would fall into the second or third category as the case may be). Computer information in the first category needs no authorization by the site owner to access, and therefore attempts to deny access under the CFAA through Terms of Service and/or cease-and-desist letters are ineffective. As such, “[i]t is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.”
How do you tell a site in the first category from one in the second or third? According to the court, a non-public site has “generally applicable rules regarding access permissions, such as username and password requirements,” which “demarcate” the information “as private using such an authorization system.” In sum, there has to be an authentication gateway of some sort – using technical measures, not mere words – for a site to be able to establish that the information on the site is not public.
Other Claims Against Webscrapers
In addition to the CFAA claim, LinkedIn had alleged a number of other claims against hiQ. Because the court only considered the claims and defenses the parties pressed on appeal, the court did not address these other claims. That said, the court recognized that LinkedIn or other sites seeking to discourage webscraping may still pursue other claims against scrapers, such as trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract or privacy claims.