Scraping data from a public website does not violate the US Computer Fraud and Abuse Act (CFAA), the US Ninth Circuit Court of Appeals ruled Monday.
decision [PDF] echoes the 2019 appeals court ruling, which upheld a 2017 lower court ruling in HiQ vs. LinkedIn that web scraping is not considered unauthorized access to a protected computer.
The case began in California in 2017 when HiQ, an employment analytics company, filed a lawsuit challenging LinkedIn’s legal and technical efforts to stop HiQ from copying LinkedIn users’ public profile data. .
The district judge hearing the case granted a preliminary injunction to HiQ restraining LinkedIn from interfering with the scraping of HiQ’s data while the case progressed. He decided it made no sense to apply the CFAA – a law that criminalizes accessing a protected computer “without authorization” or in a manner that “exceeds authorized access” – to data collection. public from the LinkedIn website.
LinkedIn appealed nonetheless, and two years later the Ninth Circuit sided with HiQ and referred the case to the Northern District of California for resolution.
Undeterred, LinkedIn appealed to the US Supreme Court. In March 2020, he asked the Supreme Court to review the Ninth Circuit’s decision. The company argued that implementing technical barriers to web scraping in conjunction with sending a cease and desist letter should be considered a permission mechanism. Indeed, the Microsoft-owned social media site wants the competitive advantages of secure access without the consequences – the invisibility of search engine traffic.
“Under the Ninth Circuit rule, every business whose public portion of its website is integral to the operation of its business — from online retailers like Ticketmaster and Amazon to social media platforms like Twitter — will be exposed to bots. invasive measures deployed by free-unless they place these websites entirely behind password barricades,” LinkedIn’s attorneys wrote in the company’s petition. [PDF] be heard by the Supreme Court.
“But if that happens, those websites will no longer be indexable by search engines, making the information less discoverable through the primary means by which people get information on the Internet.”
On June 3, 2021, the Supreme Court in a related case, Van Buren v. United Statesrestricted the CFAA, which had been criticized for years for not defining “unauthorized” and “exceeds authorized access”.
The High Court of Van Buren stated that failure to comply with the terms of service alone does not constitute “exceeding authorized access” under the CFAA. Yet this left some ambiguity as to whether credential-based triggering is the only way to determine if access was “unauthorized”.
Then, two weeks later, the Supreme Court sent HiQ vs. LinkedIn back to the Ninth Circuit for reconsideration in light of how Van Buren had reshaped the accountability of the CFAA. Today the Court of Appeal reconsidered its earlier decision and came to the same conclusion as two years ago, albeit reinforced by the Van Buren Case.
“[A] defining characteristic of public websites is that their publicly accessible sections are not restricted in terms of access; instead, these sections are open to anyone with a web browser,” the Ninth Circuit ruling [PDF] said.
“In other words, applying the analogy of ‘doors’ to a computer hosting publicly accessible web pages, that computer erected no doors to raise or lower in the first place. Van Buren therefore reinforces our conclusion that the concept of ‘permissionless’ does not apply to public websites.”
However, the decision does not resolve the dispute between HiQ and LinkedIn. It simply prevents LinkedIn from blocking HiQ’s collection of public data and from suing the analytics industry under the CFAA. Issues related to unfair competition, privacy, and state law have yet to be resolved.
In a statement emailed to The registera LinkedIn spokesperson said the company intends to continue fighting in court.
“We are disappointed, but this was a preliminary ruling and the case is far from over,” a company spokesperson said. “We will continue to fight to protect our members’ ability to control the information they make available on LinkedIn.” ®