Victory! Ruling in hiQ v. Linkedin protects scraping of public data

In a long-awaited decision in hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit Court of Appeals ruled that automated scraping of publicly accessible data likely does not violate the Computer Fraud and Abuse Act (CFAA). This is an important clarification of the CFAA’s scope, which should provide some relief to the wide variety of researchers, journalists, and companies who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to. It’s a major win for research and innovation, which will hopefully pave the way for courts and Congress to further curb abuse of the CFAA.

The Trouble with the CFAA

Passed in 1986, the CFAA is the federal anti-hacking law, which imposes both criminal and civil liability on anyone who accesses a computer connected to the Internet “without authorization” or “exceeds authorized access.” Because the statute does not define “without authorization,” interpreting its meaning in the context of modern Internet usages has been notoriously difficult for courts around the country. The hiQ case is just the latest in a series of high-profile Ninth Circuit decisions about the CFAA, in which the appeals court has too often vacillated between limiting the CFAA to its original purpose and adopting more expansive interpretations that risk criminalizing widespread, innocuous online-behavior.

A key question in many early cases was whether companies and websites could enforce their computer use policies, like terms of service or corporate computer policies, through the CFAA’s concept of unauthorized access. In 2012, the Ninth Circuit issued a strong ruling in United States v. Nosal (Nosal I)  explaining that it refused to turn the CFAA “into a sweeping Internet-policing mandate.” The court instead chose to “maintain[] the CFAA’s focus on hacking,” holding that violating a company’s or website’s terms of use cannot give rise to liability. Otherwise, nearly anyone who used the Internet would face potential of criminal liability, for example by violating a social media site’s terms of service that prohibited even lying on a user profile.

Unfortunately, the Ninth Circuit muddied its own clear rule in two subsequent decisions, a second decision in the Nosal case (Nosal II) and Facebook v. Power Ventures, both involving password sharing. In Nosal II, the court found that “without authorization” is not limited to the circumvention of technical access mechanisms, like password barriers, and concluded that using someone else’s valid login credentials may violate the statute. Then, in Power Ventures, the court found that a data aggregator that had consent to access Facebook users’ accounts using their passwords nevertheless violated the CFAA by continuing to scrape data after Facebook sent a cease and desist letter and blocked one of Power Ventures’ IP addresses.

The dispute between hiQ and LinkedIn

EFF warned that the Ninth Circuit’s misguided decisions in Nosal II and Power Ventures would enable further abuse of the CFAA, and LinkedIn provided an example of why just weeks later.

HiQ Labs’ business model involves scraping publicly available LinkedIn data to create corporate analytics tools that could determine when employees might leave for another company, or what trainings companies should invest in for their employees. Perhaps because it intended to develop its own products that would compete with hiQ, LinkedIn served a cease and desist letter, stating it would implement technical measures to stop hiQ from accessing the website at all and relying on the Power Ventures case to argue that any further access to this public information would violate the CFAA. Rather than waiting to be sued, hiQ itself filed suit, obtaining a preliminary injunction in the district court, which found that hiQ was “likely to succeed” on its claims and holding that automated access to public information is likely not a violation of the CFAA. (The court used conditional “likely” language because preliminary injunctions are assessed on the chance a party will succeed after a full determination of the merits.)

On appeal, EFF