Computer Fraud and Abuse Act (CFAA)

On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether their scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the court’s opinion suggests that the panel’s position is that scraping publicly accessible data likely does not violate the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA has been a topic of debate in recent cases. Last year, in Van Buren v. United States (previously discussed here and here), the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Night Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.Continue Reading Ninth Circuit Affirms Preliminary Injunction in HiQ Labs, Inc. v. LinkedIn Corporation, Reasoning that CFAA Is Unlikely to Bar Access to Public LinkedIn Data

On June 3, 2021, in a 6-3 decision that created a diverse majority—uniting the most recent conservative additions—Justices Barrett, Kavanaugh, and Gorsuch—with the more liberal Justices Breyer, Sotomayor, and Kagan, the Supreme Court resolved a split among the Circuit courts regarding the Computer Fraud and Abuse Act (the CFAA), The language of the CFAA creates

remote workOn November 30, 2020, the Supreme Court held oral argument in Van Buren v. United States to determine the scope of criminal liability under the Federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030.  The court’s decision may resolve a circuit split and have far-reaching implications for the scope of civil and criminal liability under the CFAA.  The key point of dispute under the CFAA is whether a person “exceeds authorized access” of a computer (1) only by accessing the computer as an unauthorized person, or (2) more broadly by using the computer for unpermitted uses, even when otherwise permitted to access the computer.  The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted “exceeds authorized access” to cover access that takes place for an improper purpose, whereas the Second, Fourth, and Ninth Circuits have narrowly interpreted unauthorized access to require a lack of any authorization.  For example, under the broad interpretation at dispute before the Supreme Court, an employee who is authorized to access a work computer to carry out certain tasks for employment may still be liable under the CFAA if the employee uses the office computer to download confidential information for non-employment purposes.
Continue Reading Supreme Court Hears Oral Argument to Address Circuit Split under the CFAA