Big News: Appeals Court Says CFAA Can't Be Used To Stop Web Scraping
from the this-is-good dept
Two years after a lower court correctly decided that LinkedIn couldn't use the CFAA to stop third parties from scraping their site, the 9th Circuit appeals court has upheld that decision in a very important decision for the future of an open web. For a long time we've talked about how various internet companies -- especially the large ones -- have abused the CFAA to stop competition and interoperability. If you're unaware, the CFAA is basically the US's "anti-hacking" law, which was designed to make it a crime (and a civil infraction) to "break into" someone else's computer. But for years it's been interpreted way too broadly (to the point that it's referred to as "the law that sticks" when trying to get someone for "doing something bad on a computer."
While we have tremendous concerns about criminal CFAA prosecutions, the use of CFAA in civil contexts by companies trying to block competition is perhaps just as troubling. We've called out Craigslist and, especially, Facebook for abusing the CFAA to stop companies from building on what they've built and providing a better service. To this day, we remain troubled by the 9th Circuit siding with Facebook in declaring the CFAA an okay tool to block a third party from building a better service for Facebook users and believe (somewhat strongly) that this particular decision and abuse is part of why Facebook is in the position its in today and that there are no significant competitors it faces. In that decision, the 9th Circuit ruled that because Facebook had sent a cease-and-desist letter to Power, any access after that was now "without authorization" and thus violated the CFAA.
And that's part of what makes this new HiQ v. Linkedin decision, done by the very same court, so fascinating. It seems to go the other way. While Facebook was allowed to use the CFAA to stop Power users from scraping content from Facebook (with permission from the account holder), here, the 9th Circuit has ruled that LinkedIn can't (at this stage) use the CFAA to stop HiQ from scraping its site.
The fact that the results in HiQ and Power came out differently deserves some exploration -- and we can highlight ways in which both decisions are weird and troubling. But from a pure policy standpoint, saying that scraping a site does not violate the law is an undeniably good thing and we should be happy with the overall outcome. Though, the it's now set up a weird system where the 9th Circuit itself seems to disagree with itself and there's a wider circuit split -- meaning it's possible that the Supreme Court could take up this issue at some point.
In discussing the CFAA, this 9th Circuit panel seems to fully understand the intention of the CFAA: to stop hacking. Not to stop companies from blocking people/companies they dislike:
The 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry: “It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering’ . . . .’” H.R. Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing the problem of “‘hackers’ who have been able to access (trespass into) both private and public computer systems”). Senator Jeremiah Denton similarly characterized the CFAA as a statute designed to prevent unlawful intrusion into otherwise inaccessible computers, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.”11 132 Cong. Rec. 27639 (1986) (emphasis added). And when considering amendments to the CFAA two years later, the House again linked computer intrusion to breaking and entering. See H.R. Rep. No. 99-612, at 5–6 (1986) (describing “the expanding group of electronic trespassers,” who trespass “just as much as if they broke a window and crawled into a home while the occupants were away”).
In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA’s “without authorization” provision adopted by some of our sister circuits.
That's all good -- and because of that, the court finds that LinkedIn can't claim that scraping their site is a CFAA violation, even after a cease-and-desist. But, it tries to differentiate from the Facebook v. Power decision by saying that one involves a password, and the other does not. So it's the fact that the information being scraped on LinkedIn is public information that changes the calculus here.
We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to computer information for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer information: (1) information for which access is open to the general public and permission is not required, (2) information for which authorization is required and has been given, and (3) information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to such information, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt.
Neither of the cases LinkedIn principally relies upon is to the contrary. LinkedIn first cites Nosal II, 844 F.3d 1024 (9th Cir. 2016). As we have already stated, Nosal II held that a former employee who used current employees’ login credentials to access company computers and collect confidential information had acted “‘without authorization’ in violation of the CFAA.” Nosal II, 844 F.3d at 1038. The computer information the defendant accessed in Nosal II was thus plainly one which no one could access without authorization.
So too with regard to the system at issue in Power Ventures, 844 F.3d 1058 (9th Cir. 2016), the other precedent upon which LinkedIn relies. In that case, Facebook sued Power Ventures, a social networking website that aggregated social networking information from multiple platforms, for accessing Facebook users’ data and using that data to send mass messages as part of a promotional campaign. Id. at 1062–63. After Facebook sent a cease-and-desist letter, Power Ventures continued to circumvent IP barriers and gain access to password-protected Facebook member profiles. Id. at 1063. We held that after receiving an individualized cease-and-desist letter, Power Ventures had accessed Facebook computers “without authorization” and was therefore liable under the CFAA. Id. at 1067–68. But we specifically recognized that “Facebook has tried to limit and control access to its website” as to the purposes for which Power Ventures sought to use it. Id. at 1063. Indeed, Facebook requires its users to register with a unique username and password, and Power Ventures required that Facebook users provide their Facebook username and password to access their Facebook data on Power Ventures’ platform. Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1028 (N.D. Cal. 2012). While Power Ventures was gathering user data that was protected by Facebook’s username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.
That last bit... confuses me. Yes, the information that was at stake in the Power case was locked up with password protection, but (and this is the important part), it was the user whose password it was that gave permission to Power to access the data in Facebook on their behalf. So I have trouble seeing how it's really that different than this HiQ case. This ruling seems to suggest that there's some magical property to a password that doesn't seem supported by the law. In the Power case, the access is still very much "authorized" because the holder of the password is giving it out. But the court tries to dance around this by pretending that the authorization question is different. I don't see how that makes any sense -- even if I'm happy that at least scraping of public info is considered fair game. Still, the panel leans in hard on the password question to distinguish these two cases:
For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.
Orin Kerr -- who probably knows more about the CFAA than anyone else -- has done a deep dive on this ruling as well, which is worth reading. As he notes, part of the weirdness in this case is procedural. HiQ is focused on getting a preliminary injunction stopping LinkedIn from using the CFAA to stop them from scraping the LinkedIn site. That sets the standards a bit lower than might otherwise be, and means that the ruling is not necessarily the final world on the CFAA in this situation. He also notes that this should be seen as a big win for the open internet, and (in many ways) isolates the Power decision as "an outlier."
I also think this decision renders Power Ventures an outlier. I may be biased, as I thought Power Ventures was wrong. As regular readers may remember, I represented Power Ventures on the petition for rehearing to try to get the panel decision overturned. But Power Ventures seemed to give cease-and-desist letters magical powers given their clarity and notice. It was possible to read Power Ventures broadly as saying that as long as the computer owner sends the cease-and-desist letter, the computer owner's written directive controls the CFAA question—the recipient is sent into Brekka-land where their access rights were withdrawn.
HiQ Labs now places a critical limit on Power Ventures. Under HiQ Labs, the cease-and-desist letter only controls access rights to non-public data. That seems to reduce Power Ventures to a limited application of Nosal II. Under both Nosal II and Power Ventures-as-construed-in-HiQ, once a computer owner tells you to go away, you can't then rely on a current legitimate user's permission to let you back in.
Putting the cases together, the Ninth Circuit law right now seems to go like this. You can scrape a public website, and you can violate terms of service, without violating the CFAA. However, you can only access non-public areas of a computer if you haven't had your access rights canceled before, either through a cease-and-desist letter or through the relationship ending that had granted you access rights.
As Kerr and the 9th Circuit itself note, however, there remains a circuit split between the 9th's hodge podge interpretations of the CFAA and other appeals courts. That certainly suggests that this could end up before the Supreme Court at some point.
One other note: I've seen a few lawyers, including those I respect, worry that this decision could actually lead to restrictions on the tools that sites themselves use to block more malicious parties. As Eric Goldman noted in his analysis:
Meanwhile, if server operators can’t restrict who can access their servers, then it will embolden data scavengers–including trolls, malefactors, and governments–who intend to weaponize the data against users.
This is one of the rare cases where I disagree with Goldman's analysis. I don't see how the ruling would lead to such a result. The ruling does suggest that it's tortious interference (this is separate from the CFAA analysis) for LinkedIn to block HiQ, since doing so undermine's HiQ's entire business. But I don't see how that same analysis would apply "trolls, malefactors, and governments." I do find the tortious interference discussion a bit confusing in its own right. While I don't think LinkedIn should be able to use the law to stop HiQ from scraping its site, it seems silly (and of questionable legality) to argue that it can't even use technical measures to block HiQ. But that's what the ruling appears to say:
LinkedIn’s threats to invoke the CFAA and implementation of technical measures selectively to ban hiQ bots could well constitute “intentional acts designed to induce a breach or disruption” of hiQ’s contractual relationships with third parties.
I agree on the use of the CFAA. But disagree on the point about "technical measures." One involves using the power of the government to block perfectly reasonable activity -- but the other is a purely technical question. And I don't see how or why the law should block any site from implementing technical measures to prevent access, even if overall public policy should encourage such access.
All in all this seems like a mostly good decision, with this oddity, combined with the tap dance to distinguish it from other rulings. Add in the big circuit splits and you can rest assured that this is nowhere near the last word on this matter.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 9th circuit, authorized access, cfaa, hacking, open access, scraping, tortious interference
Companies: facebook, hiq, linkedin, power ventures
Reader Comments
Subscribe: RSS
View by: Time | Thread
I agree with the "few lawyers" that you don't!
Note that I leave off your "more malicious users" because doesn't serve my intended focus.
Now, let's particularize it to Techdirt. -- Conditioned on that you and others agree it's bit of a mess, so therefore I can't be wrong, right? -- And you might note that in my previous comment I only wondered about bandwidth costs: those can be actual harm...
Anyhoo, right here -- likely SOON as clicks percolate through your alleged "hiding" system by "the community" which you tacitly claim that Techdirt / you / administrators and so on play NO part -- this decision suggests, like the Consumer Review Fairness Act, that ANY interference with the normally intended / offered /accustomed PUBLIC parts of a web-site is out of bounds.
Therefore, you'd better STOP the hiding of comments: that's tortious interference with The Public's First Amendment Rights. You in particular had better STOP lying as above and ADMIT that YOU control the hiding. -- As proven by that my comment in August 2017 was in the brief period when was suddenly turned OFF.
I may think of other corollaries...
[ link to this | view in chronology ]
The First Amendment guarantees you the right to speak your mind. It does not guarantee you either the use of a privately-owned third party platform or an audience. If you can show me the law, statute, or “common law” court ruling that says otherwise, you’ll have done the impossible.
[ link to this | view in chronology ]
Re:
Now Stone, don't talk back to a fine A1 citizen like that. He'll report you to the secret court of unwritten law!
[ link to this | view in chronology ]
Will he be reporting the individual or the citizen~?
[ link to this | view in chronology ]
Re:
Since you are Mike, and I am Tim, I'm not sure who is going to report to where for what.
Violation of Common Law - $100 fine, payable to the court of unwritten law!
[ link to this | view in chronology ]
Re: come at me bro
“Therefore, you'd better STOP the hiding of comments:”
In the extremely stupid word of cryin lyin Jhon Smith.
“Bring it on (you ignorant) morherfucer
[ link to this | view in chronology ]
Re: I agree with the "voices in my head” that you don’t!
“that's tortious interference with The Public's First Amendment Rights.”
You got a statute to cite there bro? After all torts ARE statutory law...
Y”You in particular had better STOP lying as above and ADMIT that YOU control the hiding”
Or what? Are you gonna find a way to somehow whine harder? See bro that’s the problem with going blue balls out. You have no way to threaten or negotiate with anyone because we’ve already seen the worst you can do and decided that you are either a minor annoyance or fun to fuck with.
[ link to this | view in chronology ]
Re: I agree with the "few lawyers" that you don't!
As the very white A1 Citizen being slandered here I order all the minions to stop mocking me and my unwritten laws.
[ link to this | view in chronology ]
Re: I agree with the "few lawyers" that you don't!
That's not what this decision says at all. All it says is that accessing a public website, even if you've been sent a cease-and-desist, doesn't violate the CFAA.
There's nothing in this decision that indicates that it's now illegal to ban an IP address to prevent someone from accessing your servers. The closest it gets is the that it didn't explicitly throw out the tortious interference argument; which just means, at this stage, that the argument might have merit. However, the decision also suggests that LinkedIn could entirely remove its public access option, which would certainly destroy HiQ's business, and this wouldn't be interference.
I'm no lawyer, but I'm pretty sure that's not actually a thing. Besides, you obviously are still able to access the site, and are obviously able to leave a comment, and I'm obviously able to see that comment... so I'm not seeing the supposed "rights" violation.
[ link to this | view in chronology ]
Re: Re: I agree with the "few lawyers" that you don't!
"That's not what this decision says at all."
Very little of what he obsesses over says what he thinks it says.
[ link to this | view in chronology ]
Re: I agree with the "few lawyers" that you don't!
Are you like this in real life? I mean, do you go to stores and get refused service for being an asshole and whine about they have to serve you even though they've told you to leave? Or, are you only this whiny when people can't physically eject you?
"As proven by that my comment in August 2017 was in the brief period when was suddenly turned OFF"
I'm not sure what's sadder. The fact that you're so obsessed with what happens here that you remember the dates of certain comments. Or, the fact that you admit you've been acting like an asshole here for years yet think it's a conspiracy when everybody else tells you to GTFO.
[ link to this | view in chronology ]
Re: Re:
The fact that you're so obsessed with what happens here that you remember the dates of certain comments.
blue kinda has to, because the alternative would be to use a search engine. That's the equivalent of devil worship in RIAAstafarianism, that is!
[ link to this | view in chronology ]
Re:
There once was an out of the blue
Who hated the process of due
Each lawyer he'd paid
Was DMCAed
And said, "Wow, what an ignorant motherfucker!"
[ link to this | view in chronology ]
Re: I agree with the "few lawyers" that you don't!
Therefore, you'd better STOP the hiding of comments: that's tortious interference with The Public's First Amendment Rights.
See you in court, Blue.
[ link to this | view in chronology ]
Passwords -- I see where they are coming from
So, I would have to assume the 9th Circuit sees giving a password to a third party as 'unauthorized access'. This would be the same as if I gave my friend my Netflix password. There you gave lawful access to a knowing third party, but that doesn't mean that the company WANTS that type of access to be performed, thus the password in the first place. CFAA would be like a howitzer killing an ant in that instance, but the legal premise remains.
A second argument for Facebook in this instance is, additional automated calls that are not directly generated by a user can also cause additional costs should enough people be using services attached to their accounts. Bandwidth isn't free, nor is computing hardware to handle the requests. While a pesky little startup with big dreams isn't trouble now, even if it were to become 1% of Facebook's footprint, that would be a LOT of extra overhead in term of scraping calls that weren't turning eyeballs into dollars.
Threading that needle is a dicey one because sharing account info like that has a lot of LEGITIMATE uses as well. And painting everything with broad strokes does tend to stifle invention.
We will just have to see where it goes.
[ link to this | view in chronology ]
Re: Passwords -- I see where they are coming from
Yup, I was thinking along similar lines.
One other factor you didn't exactly mention though is the user agreement part of this. When you register a Facebook account, you agree to certain terms and conditions, and one of those is almost certainly about not sharing your password. The account holder is explicitly not authorized to share those credentials and there's no other way to get to the data.
Arguing that the use is authorized just because the user gave their password is like arguing that bribing the gate guard of a military base to let you in means that you are now legally considered "authorized personnel". That's not how that works.
Now, LinkedIn could post some garbage EULA claiming that "by viewing this page you agree to the terms and conditions..." and all of that, but such agreements often aren't legally binding since you don't actively agree and they can't prove you even saw it. It might be more enforceable though if it was a paywall style splash screen where you have to actually click 'Agree' to view the page...
[ link to this | view in chronology ]
Re: Passwords -- I see where they are coming from
"This would be the same as if I gave my friend my Netflix password. There you gave lawful access to a knowing third party, but that doesn't mean that the company WANTS that type of access to be performed, thus the password in the first place."
But, the correct remedy there would be for Netflix to control the access to their servers, not to hunt after the people who took part in a perfectly legal private transaction. The publishing industry would prefer if people didn't share books or sell secondhand, that doesn't mean they should be able to ban that or go after the people borrowing books.
"Bandwidth isn't free, nor is computing hardware to handle the requests"
If it becomes that much of a problem, the company either needs to redesign their systems so that this isn't so resource heavy, or they need to invest in staff competent enough to fend off an effective DDOS attack. The law can't fix bad design or administration.
"sharing account info like that has a lot of LEGITIMATE uses as well'
Therefore, it should be legal, end of story.
[ link to this | view in chronology ]
Re: Re: Passwords -- I see where they are coming from
"But, the correct remedy there would be for Netflix to control the access to their servers, not to hunt after the people who took part in a perfectly legal private transaction."
It's not a 'perfectly legal private transaction', it's a violation of the license agreement. Downloading content that you don't have a valid license for is copyright infringement, isn't it? If nothing else it's probably some form of trespassing or CFAA violation for accessing the service without permission. You enter into a contract when you sign up for Netflix, and sharing your login credentials violates that contract.
"The publishing industry would prefer if people didn't share books or sell secondhand, that doesn't mean they should be able to ban that or go after the people borrowing books."
The difference is that you aren't letting multiple people read the same book at the same time. the way you can (and plenty do) with shared Netflix passwords. You can probably give your credentials to someone else, but you cannot share your credentials with them.
[ link to this | view in chronology ]
Re: Re: Re: Passwords -- I see where they are coming from
"It's not a 'perfectly legal private transaction', it's a violation of the license agreement"
Is itin an actionable way? That would need to be tested in court. In the case of Netflix, the CEO has said he's fine with people doing that (although they're under some pressure to change). That seems to be the sensible approach.
Either way, which is likely to be more effective in reality? Netflix applying the restrictions in the contract via their own software, or taking their customers and their friends to court?
"The difference is that you aren't letting multiple people read the same book at the same time."
So, it's cool if I let a person watch Netflix while I'm at work the way I would let them read a book I'm not using?
Again, Netflix have limits on the number of devices being used on the account I pay for. If I'm paying for 2 devices to be streaming simultaneous, they should be enforcing that instead of the courts. They might even get more money in the long run as I pay for more devices or the friend I've been helping out gets their own. If they apply that limit, who cares if the 2 streaming devices are in my home or not, they get paid the same if my friend down the street or my girlfriend in the next room is the one watching.
It's a contract issue for sure, but thankfully Netflix go about it the right way, enforcing the account limits via their own network rather than suing for all the imaginary money they might have from their customers' friends.
[ link to this | view in chronology ]
Dumb-ass ruling.
I have seen dumb-ass rulings, and this seems like a another.
Courts have found that evading IP blocks are enforceable by the CFAA and California penal code 502 (the baby cfaa). I can't see how restricting the scraping of data from a private web site could be interference with a 3rd party contract.
However, this is at the preliminary injunction stage, not at a trial or summary judgment stage.
[ link to this | view in chronology ]
Re: Dumb-ass ruling.
The argument is that the data being scraped is public-facing, so it's not a "private website." The decision suggests that if LinkedIn required a login to view any of its data, HiQ might have no leg to stand on.
With regard to the interference argument, the way I read it is that if LinkedIn was somehow able to restrict all scraping by anyone, it wouldn't be interference. But if LinkedIn is specifically stopping only HiQ, then it's interference.
[ link to this | view in chronology ]
CFAA never contemplated...
That the owner of a computer system and the owner of the data on it are different parties.
Who has the right to grant access? Clearly the owner of the system would control any technical access protections. But does that give them the right to deny access to others' data?
The courts haven't even recognized a distinction - one likely to be continuously exacerbated by new non-federal privacy laws - between these owners.
It's just going to get worse until this distinction is resolved. Imagine that Intech uses Initrode's cloud storage. Intech contracts a third party, Inipower, to perform operations on said data in the cloud. Initrode doesn't like Inipower and cuts off access. Do they have the right to do so? The law is unclear.
[ link to this | view in chronology ]