Scraping of Public Data Likely Does Not Violate CFAA

The plaintiff sued, seeking, among other things, declaratory relief preventing LinkedIn from invoking the CFAA. It also filed a motion for preliminary injunction against LinkedIn requiring it to allow the plaintiff to access LinkedIn’s public pages. The plaintiff argued that the survival of its business was threatened, because its entire business depended on its ability to access public LinkedIn profiles.

The U.S. District Court for the Northern District of California granted the plaintiff’s motion. It ordered LinkedIn to withdraw its cease-and-desist letter, to remove any existing technical barriers to the plaintiff’s access to public profiles, and to refrain from using legal or technical measures to block the plaintiff’s access to public profiles.

Appellate Court Narrowly Interprets CFAA

The Ninth Circuit affirmed the district court’s order. It determined that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s rules, such as password requirements, to gain access to a computer. Such a violation does not occur when a user accesses publicly available data on a computer network like LinkedIn’s. In so ruling, the court rejected the First and Eleventh Circuit’s broader interpretations of the CFAA.

The Ninth Circuit also considered public policy implications. It agreed with the district court that giving companies like LinkedIn “free rein” to decide who can collect and use public data could result in “information monopolies that would disserve the public interest.” “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles,” the court observed.

The Ninth Circuit rejected LinkedIn’s assertion that the injunction threatened its members’ privacy and could put at risk the goodwill it had developed with its members, noting it was doubtful LinkedIn members maintained an expectation of privacy with respect to information they posted publicly on the Internet. Even if some LinkedIn users retained some privacy interests in their public profile information, those interests did not outweigh the plaintiff’s interest in continuing its business.

The Ninth Circuit cautioned that its opinion was issued at the preliminary injunction stage and it did not “resolve the companies’ legal dispute definitely,” nor did it “address all the claims and defenses they have pleaded in the district court.”

Implications for Businesses and Individuals

Section of Litigation leaders note the competing public interests at issue in the case. “On the one hand, we want to reward companies like LinkedIn that built a completely new platform, but on the other hand LinkedIn may not have used the data to its full value and Hi-Q brought something new to the table,” says Marcus R. Chatterton, Birmingham, AL, cochair of the Social Media subcommittee of the Section’s Intellectual Property Litigation Committee. “In the balancing of public interests, the ruling was clearly favoring the open innovation interest, encouraging innovation by making public data available,” he explains.

The court’s opinion will affect handling of publicly available data, Section Leaders say. “We are going to see new efforts to hold data close or at least make sure creators are compensated for releasing data,” Chatterton comments. “If more data is put behind a privacy screen to make it harder to scrape, it could change scrapers’ business models,” he adds.

The court’s ruling has consequences for the public as well. “While much of the case focuses on what constitutes access to LinkedIn’s servers without authorization under the CFAA, it assumes an individual waives any privacy rights by posting personal information, on certain sites, for specific purposes,” says Robert W. Wilkins, West Palm Beach, FL, cochair of the Data Breach and Internet subcommittee of the Section’s Commercial & Business Litigation Committee. “Under this ruling, arguably anyone scraping personal information from public facing sites has the unfettered right to use that information for any purpose,” he warns.

Whether a company controls data or wants access, it should remain careful. “If my client is a company trying to protect data, I am going to encourage it to be consistent and not just target certain companies or individuals it doesn’t want to have the data,” advises Chatterton. “If companies continue making it hard to access data and my client is an analytics company, I am going to encourage it to find creative ways to distinguish itself and pitch services without having its hands on big hordes of data,” he concludes.

Catherine M. Chiccine is a team editor for Litigation News.

Hashtags: #internet, #dataprivacy, #bigdata, #socialmedia, #misappropriation, #CFAA

Related Resources

• Peter J.G. Toren, “Computer Fraud and Abuse Act,” Landslide (May/June 2017).
• Aaron M. Danzig & Matthew A.S. Esworthy, “Glitches within CFAA’s ‘Exceeds Authorized Access’ Language,” Criminal Litigation (Oct. 9, 2013).
• Jonathan H. Blavin, “Friends or Frenemies? The Increasingly Important Legal Battle over Social Data Extraction Tools,” Landslide (May/June 2012).

_{Copyright © 2020, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).}