Anti-hacking law does not bar data scraping from public websites

REUTERS/Florence Lo/Illustration

(Reuters) – Public websites are fair game for data scrapers and others — including journalists and academics — who want to access information without worrying about potential criminal exposure.

That’s the upshot of a ruling Monday by the 9th U.S. Circuit Court of Appeals in hiQ Labs Inc v. LinkedIn Corp. The appeals court concluded that the Computer Fraud and Abuse Act, a federal anti-hacking law that bars unauthorized access to computer systems, likely does not apply to websites that are open to the public.

The ruling upheld a preliminary injunction forbidding LinkedIn, the professional networking site, from denying hiQ, a data analytics company, access to LinkedIn’s publicly available member profiles.

“It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA,” wrote Judge Marsha Berzon for a panel that also included Judge Clifford Wallace and U.S. District Judge Terrence Berg of Detroit, sitting by designation. “The concept of ‘without authorization’ does not apply to public websites,” the court said.

The 9th Circuit previously upheld the preliminary injunction against LinkedIn back in 2019. That decision was vacated and remanded by the U.S. Supreme Court in 2021, after the justices ruled in Van Buren v. United States that the CFAA does not apply to computer users who act with improper motives to obtain information they are authorized to access. (In Van Buren, the Supreme Court overturned the CFAA conviction of a police officer who used his patrol car computer to run a license-plate search in exchange for money.)

On remand, the 9th Circuit asked LinkedIn and hiQ to submit supplemental briefs addressing the Supreme Court’s Van Buren decision. hiQ’s lawyers at Quinn Emanuel Urquhart & Sullivan argued the justices had confirmed that the anti-hacking law cannot be used to penalize users for accessing information they are authorized to obtain. The Supreme Court in Van Buren used the analogy of gates to information being up or down, depending on protections such as passwords. The justices said CFAA does not apply unless a user breaches a closed gate to obtain unauthorized information. Under Van Buren, hiQ said, “CFAA liability cannot be based on access to public information.”

LinkedIn, represented by Munger Tolles & Olson, relied on the Supreme Court’s closed-gate analogy in its supplemental brief to the 9th Circuit. The company argued that it lowered the gates of access for hiQ, first when it sent the data scraping company a cease-and-desist letter ordering hiQ to stop harvesting data from LinkedIn member profiles, and then when LinkedIn erected a technical barricade to block hiQ from accessing its servers. Under the Supreme Court’s Van Buren reasoning, LinkedIn said, hiQ was subject to the CFAA if it continued to access LinkedIn data after the networking site revoked authorization to access its public data.

LinkedIn also argued that the public’s interest in restricting data scrapers has become more acute in the years since the 9th Circuit’s original affirmance of the preliminary injunction, thanks to increased awareness of privacy abuses. “The interests in preventing the mass-scraping of user data for use in facial recognition, phishing attacks and other damaging exploits weigh strongly against affirming the district court’s preliminary injunction — which gives a green light to such activities,” LinkedIn said.

The 9th Circuit sided with hiQ, concluding, as it did in 2019, that public websites are outside the scope of the anti-hacking law. The Supreme Court, Berzon noted, talked in Van Buren about raising and lowering gates to authorize access to computer data. But “a computer hosting publicly available webpages,” she wrote, “has erected no gates to lift or lower in the first place.”

The Van Buren decision, the 9th Circuit said, “therefore reinforces our conclusion that the concept of ‘without authorization’ does not apply to public websites.”

The appeals court acknowledged LinkedIn’s public policy argument, but said hiQ offered the countervailing view that scraping data from public sites has become a common tool for search engines, journalists, academic researchers and others without malicious intentions. The 9th Circuit agreed that the public interest would be ill served by allowing “outsized control” to companies like LinkedIn, which have amassed vast stores of information that technically belongs to their users.

LinkedIn counsel Donald Verrilli and Jonathan Blavin of Munger Tolles didn’t respond to my email query about the 9th Circuit ruling. Renita Sharma of Quinn Emanuel, who argued for hiQ at the 9th Circuit last October, said she’s pleased the appeals court agreed that the Supreme Court’s Van Buren precedent means “the CFAA’s concept of access ‘without authorization’ does not apply to public websites.”

The Reporters Committee for Freedom of the Press and dozens of news organizations filed an amicus brief echoing hiQ’s concern that data amassers like LinkedIn could use the CFAA to restrict legitimate information gathering. RCFP lawyer Grayson Clary said via email that Monday’s ruling “is an important recognition that scraping information a website chooses to make public isn’t illegal.”

Interestingly, hiQ’s business was not saved by the preliminary injunction it obtained against LinkedIn more than four years ago. Last September, LinkedIn filed a motion to dissolve the injunction in San Francisco federal district court, where the underlying case is being litigated. Its lawyers at Orrick, Herrington & Sutcliffe argued that despite LinkedIn’s compliance with the injunction, hiQ ceased operations more than two years ago. “Accordingly, hiQ is incapable of suffering the irreparable harm required to sustain injunctive relief,” LinkedIn said.

HiQ, which blames LinkedIn for its lost contracts with large employers, responded that it nevertheless remains an intact business and has been approached by prospective partners interested in its data scraping technology. U.S. District Judge Edward Chen of San Francisco deferred a ruling on LinkedIn’s motion to dissolve the injunction until resolution of the 9th Circuit appeal.

HiQ counsel Sharma said her client is looking forward to continuing to litigate its claims.

Read more:

U.S. Supreme Court revives LinkedIn bid to shield personal data

Our Standards: The Thomson Reuters Trust Principles.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias.