The Ninth Circuit Court of Appeals has affirmed that the Computer Fraud and Abuse Act (a 1986 anti-hacking law passed after a moral panic over the movie Wargames) does not ban accessing public information from websites, even if you do so against the wishes of the website's operator.
The case involves Linkedin and Hiq, a company that does "employer analytics" and scrapes public Linkedin profiles to do so. Linkedin launched a competing service and threatened to sue Hiq under the CFAA; and Hiq responded by seeking a declaratory judgment that the CFAA did not reach to accessing publicly accessible information.
The CFAA defines hacking broadly: "exceeding authorization" on someone else's computer is banned under the plain language of the act. But, as the appeals court found, the CFAA was trying to capture "computer intrusions," not terms-of-service violations on services you were permitted to use.
The appeals court also ordered Linkedin not to interfere with Hiq's scraping, as doing so would put Hiq out of business before the case could be litigated. It remains to be seen whether Linkedin will continue to sue Hiq under other legal theories, or seek other courses of action that might allow it to block Hiq's scrapers.
"None of the computers to which the CFAA initially applied were accessible to the general public," the court writes. "Affirmative authorization of some kind was presumptively required."
When the law was extended to more computers in 1996, a Senate report said its goal was to "increase protection for the privacy and confidentiality of computer information." As a result, the 9th Circuit reasons "the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort."
In contrast, hiQ is only scraping information from public LinkedIn profiles. By definition, any member of the public has authorization to access this information. LinkedIn argued that it could selectively revoke that authorization using a cease-and-desist letter. But the 9th Circuit found this unpersuasive. Ignoring a cease-and-desist letter isn't analogous to hacking into a private computer system.
Web scraping doesn't violate anti-hacking law, appeals court rules [Timothy B Lee/Ars Technica]