Monday, September 30, 2019

Legal Geek No. 188: Is "Scraping" Data illegal under U.S. Law?

Hi, and welcome back to Legal Geek.  This week, we cover a California federal case decided this week on whether "scraping" of publicly-available data on websites is illegal when against the terms of service of the website provider.

Last December we covered an interesting web scraping case where Alan Ross Manufacturing tried to craft intellectual property causes of action to stop web scraping and content copying of another company.  If you don't recall that segment, "scraping" is the process of extracting data from the HTML of a webpage in a similar manner as a person viewing the website on a browser, generally for the purposes of data collection and manipulation.

This case stems from a small company called hiQ, which scrapes data from publicly-available portions of LinkedIn and sells reports to employers about which of their employees may be looking for new jobs.  LinkedIn sent a cease and desist letter to hiQ, indicating that such practice was against their terms and also illegal under the Computer Fraud and Abuse Act, the 1986 anti-hacking law still in effect today in the U.S..

We've also covered the CFAA before, and it makes it a crime to access a computer without authorization or exceed authorized access.  This law is broadly written because it predates modern web technologies, but the law is still in force and is continually being interpreted for how it works in the modern context.  LinkedIn argued for an interpretation of the CFAA that would make any affirmative action of an owner, including a cease and desist letter, prohibitions in terms of service, and technical measures like IP-based blocking be sufficient to show that the offending access was unauthorized and effectively illegal hacking under the law.

The California district judge declined such an interpretation of the CFAA.  He noted that when you publish a publicly-available website, it is like having open store hours in that you implicitly give members of the public permission to access that data.  The judge argued that such a broad reading could enable website owners to block access for any reason, including improper reasons like gender discrimination, with the backing of a threat of federal law supporting such blocking.  In short, the potential outcomes from interpreting the CFAA to cover hiQ's conduct in this case would be very problematic for future cases.

The judge further drew a line between public and private portions of websites generally being distinguished by password authentication or the like.  If a page is available to the public without a password, it's presumptively public and any download of data from that should not be considered a violation of the CFAA.  That may also be a key element of whether this decision gets overturned if it is appealed to the 9th Circuit Court of Appeals.

A prior 9th Circuit decision was issued in 2016 regarding scraping of Facebook data from another company, and in that case, the scraping was deemed illegal under CFAA based on a cease and desist letter sent by Facebook to the scraping company.  However, one distinction there is that the data scraped was behind password protection, albeit with the permission of the password owner.  That will certainly be what hiQ argues is a critical distinguishing factor should this get appealed and LinkedIn tries to make that 2016 precedent case apply again here.  We will monitor for such an appeal, as it will help define an important new frontier of how the federal anti-hacking law will be applied moving forward.

The Bottom Line is: no matter how this case linking web scraping and anti-hacking laws comes out, it seems likely that there will be a push in the coming years for Congress to supplement the CFAA with updated new laws better defining the limits of modern web practices with regard to criminality.  If that does not occur, there will continue to be many cases where old, broad language gets interpreted based largely on societal norms like this California case or litigants coming up with unique claims to avoid being locked into the CFAA, as done on other cases we've covered.  Once again, the law struggles sometimes to keep up with the tech.

----------------------------------
Do you have a question? Send it in!

Thanks for reading. Please provide feedback and legal-themed questions as segment suggestions to me on Twitter @BuckeyeFitzy

No comments:

Post a Comment