In September 2019, the Ninth Circuit held that hiQ Labs, Inc.’s (“hiQ”) collection and use of information that LinkedIn users shared on their public profiles did not violate the Computer Fraud and Abuse Act (“CFAA”) because the data was publicly available and therefore did not fall within the scope of the CFAA. Following the Ninth Circuit’s order, the Supreme Court issued a decision in Van Buren v. United States, wherein the Supreme Court held, in a 6-3 ruling, that a former Georgia police officer did not “exceed authorized access” within the meaning of the CFAA by accessing a state law enforcement computer database containing license plate information to determine whether an individual was an undercover officer. The Supreme Court concluded that an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of that computer—such as files, folders, or databases—that are off-limits to him.
Meanwhile, LinkedIn petitioned for certiorari to the Supreme Court, which vacated and remanded the Ninth Circuit’s judgment for further consideration in light of the Supreme Court’s ruling in Van Buren. On remand, the Ninth Circuit again affirmed the trial court’s preliminary injunction, concluding that Van Buren reinforced its earlier determination that hiQ had raised serious questions about whether LinkedIn may invoke the CFAA under the circumstances.
The CFAA provides that “[w]hoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished” by fine or imprisonment. While the Ninth Circuit again concluded that LinkedIn’s computer servers were a “protected computer,” the court held that hiQ at least raised a serious question as to whether it accessed LinkedIn’s servers “without authorization.” Pointing to the CFAA’s legislative history, the Ninth Circuit noted that the CFAA was enacted to prevent computer hacking, analogous to “breaking and entering.” The Ninth Circuit cited to a prominent treatise, which suggested that “an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web.”
Viewing hiQ’s conduct through that lens, the Ninth Circuit concluded that the CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission is not required; (2) computers for which authorization is required and has been given; and (3) computers for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Because public LinkedIn profiles are available to anyone with an Internet connection, they fall within the first category and the “breaking and entering” analogue is therefore inapt. Moreover, Van Buren’s illustration of a computer having “gates up or down” applies to the latter two categories of computers: if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down. Applying the “gates” analogy to a computer hosting publicly available webpages (like LinkedIn), that computer has erected no gates to lift or lower in the first place.
In sum, the Ninth Circuit held that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. When a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The Ninth Circuit noted, however, that entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply, as other causes of action, such as trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy may also present viable claims.