Big News: Appeals Court Says CFAA Can't Be Used To Stop Web Scraping
from the this-is-good dept
Two years after a lower court correctly decided that LinkedIn couldn’t use the CFAA to stop third parties from scraping its site, the 9th Circuit appeals court has upheld that ruling in a decision that matters a great deal for the future of an open web. For a long time we’ve talked about how various internet companies — especially the large ones — have abused the CFAA to stop competition and interoperability. If you’re unaware, the CFAA is basically the US’s “anti-hacking” law, which was designed to make it a crime (and to create a civil cause of action) to “break into” someone else’s computer. But for years it’s been interpreted way too broadly (to the point that it’s referred to as “the law that sticks” when trying to get someone for “doing something bad on a computer”).
While we have tremendous concerns about criminal CFAA prosecutions, the use of the CFAA in civil contexts by companies trying to block competition is perhaps just as troubling. We’ve called out Craigslist and, especially, Facebook for abusing the CFAA to stop companies from building on what they’ve built and providing a better service. To this day, we remain troubled by the 9th Circuit siding with Facebook in declaring the CFAA an acceptable tool to block a third party from building a better service for Facebook users, and we believe (somewhat strongly) that this particular decision and abuse is part of why Facebook is in the position it’s in today, facing no significant competitors. In that decision, the 9th Circuit ruled that because Facebook had sent a cease-and-desist letter to Power, any access after that was “without authorization” and thus violated the CFAA.
And that’s part of what makes this new hiQ v. LinkedIn decision, issued by the very same court, so fascinating. It seems to go the other way. While Facebook was allowed to use the CFAA to stop Power from scraping content from Facebook on behalf of users who had given it permission, here the 9th Circuit has ruled that LinkedIn can’t (at this stage) use the CFAA to stop HiQ from scraping its site.
The fact that the results in HiQ and Power came out differently deserves some exploration — and we can highlight ways in which both decisions are weird and troubling. But from a pure policy standpoint, saying that scraping a public site does not violate the law is an undeniably good thing, and we should be happy with the overall outcome. Though it has now set up a weird system in which the 9th Circuit seems to disagree with itself, on top of a wider circuit split — meaning it’s possible that the Supreme Court could take up this issue at some point.
In discussing the CFAA, this 9th Circuit panel seems to fully understand the intention of the CFAA: to stop hacking, not to let companies block people or companies they dislike:
The 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry: “It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering’ . . . .” H.R. Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing the problem of “‘hackers’ who have been able to access (trespass into) both private and public computer systems”). Senator Jeremiah Denton similarly characterized the CFAA as a statute designed to prevent unlawful intrusion into otherwise inaccessible computers, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.” 132 Cong. Rec. 27639 (1986) (emphasis added). And when considering amendments to the CFAA two years later, the House again linked computer intrusion to breaking and entering. See H.R. Rep. No. 99-612, at 5–6 (1986) (describing “the expanding group of electronic trespassers,” who trespass “just as much as if they broke a window and crawled into a home while the occupants were away”).
In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA’s “without authorization” provision adopted by some of our sister circuits.
That’s all good — and because of that, the court finds that LinkedIn can’t claim that scraping its site is a CFAA violation, even after a cease-and-desist letter. But it tries to distinguish the Facebook v. Power decision by saying that one case involves a password and the other does not. So it’s the fact that the information being scraped from LinkedIn is public that changes the calculus here.
We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to computer information for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer information: (1) information for which access is open to the general public and permission is not required, (2) information for which authorization is required and has been given, and (3) information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to such information, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt.
Neither of the cases LinkedIn principally relies upon is to the contrary. LinkedIn first cites Nosal II, 844 F.3d 1024 (9th Cir. 2016). As we have already stated, Nosal II held that a former employee who used current employees’ login credentials to access company computers and collect confidential information had acted “‘without authorization’ in violation of the CFAA.” Nosal II, 844 F.3d at 1038. The computer information the defendant accessed in Nosal II was thus plainly one which no one could access without authorization.
So too with regard to the system at issue in Power Ventures, 844 F.3d 1058 (9th Cir. 2016), the other precedent upon which LinkedIn relies. In that case, Facebook sued Power Ventures, a social networking website that aggregated social networking information from multiple platforms, for accessing Facebook users’ data and using that data to send mass messages as part of a promotional campaign. Id. at 1062–63. After Facebook sent a cease-and-desist letter, Power Ventures continued to circumvent IP barriers and gain access to password-protected Facebook member profiles. Id. at 1063. We held that after receiving an individualized cease-and-desist letter, Power Ventures had accessed Facebook computers “without authorization” and was therefore liable under the CFAA. Id. at 1067–68. But we specifically recognized that “Facebook has tried to limit and control access to its website” as to the purposes for which Power Ventures sought to use it. Id. at 1063. Indeed, Facebook requires its users to register with a unique username and password, and Power Ventures required that Facebook users provide their Facebook username and password to access their Facebook data on Power Ventures’ platform. Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1028 (N.D. Cal. 2012). While Power Ventures was gathering user data that was protected by Facebook’s username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.
That last bit… confuses me. Yes, the information at stake in the Power case was locked behind password protection, but (and this is the important part) it was the user whose password it was who gave Power permission to access their Facebook data on their behalf. So I have trouble seeing how it’s really that different from this HiQ case. This ruling seems to suggest that there’s some magical property to a password that doesn’t seem supported by the law. In the Power case, the access is still very much “authorized,” because the holder of the password is handing it over. But the court tries to dance around this by pretending that the authorization question is different. I don’t see how that makes any sense — even if I’m happy that at least scraping of public info is considered fair game. Still, the panel leans hard on the password question to distinguish the two cases:
For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.
Orin Kerr — who probably knows more about the CFAA than anyone else — has done a deep dive on this ruling as well, which is worth reading. As he notes, part of the weirdness in this case is procedural. HiQ is seeking a preliminary injunction stopping LinkedIn from using the CFAA to stop it from scraping the LinkedIn site. That sets the standard a bit lower than it otherwise would be, and means that the ruling is not necessarily the final word on the CFAA in this situation. He also notes that this should be seen as a big win for the open internet, and (in many ways) isolates the Power decision as “an outlier.”
I also think this decision renders Power Ventures an outlier. I may be biased, as I thought Power Ventures was wrong. As regular readers may remember, I represented Power Ventures on the petition for rehearing to try to get the panel decision overturned. But Power Ventures seemed to give cease-and-desist letters magical powers given their clarity and notice. It was possible to read Power Ventures broadly as saying that as long as the computer owner sends the cease-and-desist letter, the computer owner’s written directive controls the CFAA question—the recipient is sent into Brekka-land where their access rights were withdrawn.
HiQ Labs now places a critical limit on Power Ventures. Under HiQ Labs, the cease-and-desist letter only controls access rights to non-public data. That seems to reduce Power Ventures to a limited application of Nosal II. Under both Nosal II and Power Ventures-as-construed-in-HiQ, once a computer owner tells you to go away, you can’t then rely on a current legitimate user’s permission to let you back in.
Putting the cases together, the Ninth Circuit law right now seems to go like this. You can scrape a public website, and you can violate terms of service, without violating the CFAA. However, you can only access non-public areas of a computer if you haven’t had your access rights canceled before, either through a cease-and-desist letter or through the relationship ending that had granted you access rights.
As Kerr and the 9th Circuit itself note, however, there remains a circuit split between the 9th Circuit’s hodgepodge interpretations of the CFAA and those of other appeals courts. That certainly suggests that this could end up before the Supreme Court at some point.
One other note: I’ve seen a few lawyers, including some I respect, worry that this decision could actually lead to restrictions on the tools that sites themselves use to block more malicious parties. As Eric Goldman noted in his analysis:
Meanwhile, if server operators can’t restrict who can access their servers, then it will embolden data scavengers—including trolls, malefactors, and governments—who intend to weaponize the data against users.
This is one of the rare cases where I disagree with Goldman’s analysis. I don’t see how the ruling would lead to such a result. The ruling does suggest that it’s tortious interference (this is separate from the CFAA analysis) for LinkedIn to block HiQ, since doing so undermines HiQ’s entire business. But I don’t see how that same analysis would apply to “trolls, malefactors, and governments.” I do find the tortious interference discussion a bit confusing in its own right. While I don’t think LinkedIn should be able to use the law to stop HiQ from scraping its site, it seems silly (and of questionable legality) to argue that it can’t even use technical measures to block HiQ. But that’s what the ruling appears to say:
LinkedIn’s threats to invoke the CFAA and implementation of technical measures selectively to ban hiQ bots could well constitute “intentional acts designed to induce a breach or disruption” of hiQ’s contractual relationships with third parties.
I agree on the use of the CFAA, but disagree on the point about “technical measures.” One involves using the power of the government to block perfectly reasonable activity; the other is a purely technical question. And I don’t see how or why the law should block any site from implementing technical measures to prevent access, even if overall public policy should encourage such access.
All in all this seems like a mostly good decision, apart from this oddity and the tap dance needed to distinguish it from other rulings. Add in the big circuit splits and you can rest assured that this is nowhere near the last word on this matter.