Once again, hiQ wins the day in the continuous data scraping saga. In the most recent ruling, the U.S. Ninth Circuit Court of Appeals reaffirmed its original finding that scraping data that is publicly available on the internet is not a violation of the CFAA (Computer Fraud and Abuse Act), which governs certain types of computer hacking.
The Ninth Circuit’s ruling constitutes the latest decision in a long-running legal battle between the parties around hiQ’s data scraping of LinkedIn profiles. Although the district court originally sided with hiQ, LinkedIn’s appeals attempted to get some traction around its CFAA claims. Initially the Ninth Circuit affirmed the lower court’s decision, reasoning that LinkedIn could not invoke the CFAA as a defense to ban hiQ from scraping public data from the social networking site. But the Supreme Court later vacated that decision and remanded the case for further consideration in light of its decision in the Van Buren case, which resolved a circuit split regarding the scope of the CFAA, holding that the “exceeding authorized access” prohibition of the statute does not require misuse of a computer system that a user otherwise has the authority to access.
In the current decision, the Ninth Circuit analyzed whether or not hiQ’s continued scraping and use of LinkedIn member data following receipt of a cease-and-desist letter constituted unauthorized access under the CFAA, in light of Van Buren. The decision found Van Buren consistent with the Ninth Circuit’s categorization of computer systems for which data is generally accessible to the public as a class of systems for which authorization cannot be withdrawn. The extension of the Ninth Circuit’s categorical approach could preclude a CFAA violation even if LinkedIn enacted technical measures to specifically block hiQ’s access, and hiQ circumvented them, a result which may not have been intended by the Supreme Court in Van Buren. By distinguishing its prior decision in Power Ventures based on the fact that Facebook requires users to provide a username and password, the Ninth Circuit left open the notion that authorization for CFAA purposes can still be withdrawn by a cease-and-desist letter, but some generally applicable restriction on access may be necessary.
The Ninth Circuit’s ruling certainly affords shelter to automated scraping and analytics businesses from criminal liability under the CFAA. However, while the decision provides some additional clarity on how the CFAA should be applied, the issue is far from being settled. Questions still linger within the civil field and around the application of the CFAA to the different web scraping scenarios. It seems likely that we will have more to report on this as this case continues.