On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether their scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the court’s opinion suggests that the panel’s position is that scraping publicly accessible data likely does not violate the Computer Fraud and Abuse Act (“CFAA”).
The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA has been a topic of debate in recent cases. Last year, in Van Buren v. United States (previously discussed here and here), the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.
Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Night Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.
While the Ninth Circuit opinion stated that the CFAA likely does not apply to the scraping of otherwise public data, the court left open the possibility that the CFAA may prohibit scraping where the data accessed is not public, such as when it is stored behind a login prompt. It also expressly stated that “victims of data scraping are not without resort” and could assert various other causes of action to potentially block access. Companies seeking to scrape website data should, therefore, carefully evaluate technical, legal, and other barriers to their access before proceeding to scrape data, particularly where their activities could cause website outages or other harm.
Background on HiQ v LinkedIn
The plaintiff, hiQ Labs, is a data analytics company that uses algorithm-based machine learning to help employers identify employees who are at risk of being recruited to other companies. To collect data for its algorithms, hiQ harvested publicly available user profiles posted on LinkedIn’s websites. LinkedIn sent cease and desist letters to hiQ demanding that it stop harvesting such data. LinkedIn also disabled access to IP addresses that hiQ used to scrape data. In its cease and desist letters, LinkedIn accused hiQ of violating the CFAA, the Digital Millennium Copyright Act (“DMCA”), the California Comprehensive Computer Data Access and Fraud Act (“CDAFA” – California’s state law analogue of the CFAA), and the California common law of trespass.
In response, hiQ filed a complaint against LinkedIn in the District Court for the Northern District of California seeking declaratory judgment that its continued access to LinkedIn data would not entitle LinkedIn to assert any of the theories it had invoked. The complaint also argued that that LinkedIn had committed tortious interference with its contracts and unfair competition practices under California common law by rendering it impossible for hiQ to provide its services to existing clients. HiQ requested that the court enjoin LinkedIn from restricting hiQ’s access going forward. HiQ alleged that LinkedIn sought to block hiQ’s access not because of its stated concerns about protecting user privacy but instead because LinkedIn was developing a competing service.
LinkedIn responded that the CFAA, as a federal law, preempted all of hiQ’s common law claims. As relevant here, the CFAA prohibits obtaining information from a protected computer “without authorization,” or in excess of “authorized access.” LinkedIn argued that hiQ’s scraping of data from its website, in defiance of LinkedIn’s cease and desist letter, constituted access “without authorization.” The district court, however, granted hiQ’s request for a preliminary injunction, finding that hiQ had demonstrated it was likely to prevail on its claim for tortious interference and that LinkedIn was unlikely to succeed on its affirmative defense that hiQ’s scraping activities violated the CFAA.
LinkedIn appealed the court’s holding on CFAA preemption, but in September 2019 the Ninth Circuit affirmed the district court decision. After the Ninth Circuit’s 2019 opinion was issued, LinkedIn appealed further, petitioning the Supreme Court to decide whether hiQ’s continued scraping of LinkedIn’s publicly facing data after receiving LinkedIn’s cease and desist letters constituted access “without authorization” under the CFAA. LinkedIn’s petition was pending before the Supreme Court for more than a year before, on June 14, 2021, the Court granted the petition, only to issue a summary disposition vacating the Ninth Circuit’s decision and remanding the case for further consideration in light of Van Buren.
The Ninth Circuit Reaffirms Its Holding That Scraping Publicly Available Data Likely Does Not Violate the CFAA
The key question for this case is similar to the key question the Court faced in Van Buren: what are the bounds of the CFAA’s prohibition on accessing information “without authorization” or in excess of “authorized access”? In Van Buren, the Supreme Court held that a police sergeant who used a law enforcement computer for unpermitted purposes (e.g., in violation of applicable employee policies) did not “exceed authorized access” under the CFAA. While Van Buren turned on whether the sergeant’s actions “exceed[ed] authorized access,” the Court’s reasoning in Van Buren extended to the “without authorization” language in CFAA: “The ‘without authorization’ clause . . . protects computers themselves by targeting so-called outside hackers—those who ‘acces[s] a computer without any permission at all.’” In trying to distinguish this case from Van Buren, LinkedIn asserted that hiQ’s data scraping of public websites was “without authorization” rather than “exceed[ing] authorized access” (the CFAA prong addressed in Van Buren). Regardless of that argument, the Ninth Circuit concluded that Van Buren’s reasoning supported its determination that hiQ’s scraping of public data was not “without authorization” under the CFAA.
The Ninth Circuit identified the “pivotal CFAA question” as “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute.” Consistent with Van Buren, the Ninth Circuit framed the CFAA as an “anti-intrusion” statute rather than a “misappropriation statute.” It explained that the term “authorization” assumes a “baseline in which access is not generally available” and is restricted to a select group. “[U]nauthorized access” requires conduct akin to breaking and entering into a system rather than improperly using a system that one is otherwise permitted to access.” Where “access is open to the general public and permission is not required,” the court explained that the concept of acting “without authorization” should not apply because authorization is given to “anyone with an Internet connection” and no hacking or “breaking and entering” is required. Thus, LinkedIn’s cease and desist letter claiming to prohibit hiQ from accessing its public websites would not revoke any permissions or authorization that would implicate the “without authorization” prong of the CFAA.
The Ninth Circuit likewise interpreted the Supreme Court’s “gates-up-or-down-inquiry” in Van Buren as consistent with its analysis. Under that theory, where users are able to “proceed past a computer’s access gate,” the conduct is authorized under the CFAA. By contrast, the Ninth Circuit explained, publicly accessible data is automatically “authorized” because a computer hosting a publicly accessible website “has erected no gates to lift or lower in the first place.” As part of this analysis, the Ninth Circuit described three classifications of computer systems: (1) computers for which access is open to the general public and permission is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given. The Ninth Circuit determined that the sections of LinkedIn’s website that contain public profiles falls into the first category because these sections of the website lack limitations on access generally.
The Ninth Court’s reasoning leaves open the possibility that violations of the “without authorization” clause are still possible in the context of password protected websites (or segments of websites behind a password or paywall) under the second and third categories. For example, data scraping activity after a previously authorized user is sent a cease and desist letter and loses such authorization could be considered access “without authorization” of the second category of computer systems. See Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016). As another example, use of fraudulent credentials—whether stolen, forged, or otherwise obtained dishonestly—to data scrape from a password protected website could be considered access “without authorization” of the third category of computers.
Alternative Legal Data Scraping Theories Still Available
HiQ and Van Buren have raised the bar for claims asserting that the CFAA prohibits data scraping. Nevertheless, the Ninth Circuit did not disavow prior caselaw suggesting that abusing login credentials or circumventing other technical measures could potentially lead to a CFAA violation. Likewise, the Ninth Circuit agreed that website owners may still assert other causes of action to curb data scraping. For example, an aggrieved party may bring various state law claims such as trespass to chattels, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, as well as federal law claims including copyright infringement. The Ninth Circuit did not opine on the potential merits of such claims except to state that LinkedIn’s claim of trespass to chattel raised in its cease and desist letters could be potentially actionable if LinkedIn could demonstrate harm arising from the trespass. It is also worth noting that the Ninth Circuit’s holding, while persuasive, is not binding in other circuits, which could still reach differing conclusions.
Ropes & Gray will continue to monitor and report on developments under the CFAA and laws related to data scraping. Subscribe to RopesDataphiles.com for further updates.