The United States Supreme Court has agreed to hear the LinkedIn case against a data analysis company for retrieving data from profiles of public users of LinkedIn, allegedly in violation of the Computer Fraud and Abuse Act (CFAA ). In its order, the court overturned the September 2019 Ninth Circuit ruling in the case and returned it to the appeals court for reconsideration in light of another recent Supreme Court opinion interpreting the scope of the law.
The practice of using automated tools to “extract” data from websites has been controversial, and the law surrounding the practice has been somewhat inconsistent. The intervention of the Supreme Court may provide much needed clarification on at least some of the issues associated with this practice.
Legal issues with “screen scraping”
Many companies use bots or other software to obtain data and other content from websites. This practice, also known as “screen scraping”, can raise a number of legal issues. These issues may include copyright infringement (for example, if the scraped-off content includes images or other creative content), violation of terms of service, electronic intrusion, DMCA violations (for example, if the scraper circumvents technical measures on the site) and claims related to computer fraud.
the LinkedIn The dispute arose out of hiQ’s use of automated bots to extract huge amounts of information from publicly available LinkedIn user profiles. So far, lower courts have sided with hiQ on the grounds that certain information on the site is publicly available and can be viewed by the public without entering a password.
In its request for review, LinkedIn urged the High Court to overturn the Ninth Circuit opinion on several grounds, including that it violated CFAA policy and left public website operators like itself without means. to protect user data against unauthorized attacks. scrapers, such as hiQ.
Link with the decision of Van Buren CFAA
In another recent decision, Van Buren v. United States, the Supreme Court overturned and returned the criminal conviction of a former police officer for a criminal offense to the CFAA. In this case, Van Buren, a former police sergeant, performed a license plate search on a law enforcement computer database in exchange for money. Van Buren’s conduct clearly violated his department’s policy, which allowed access to the database only for law enforcement purposes. Van Buren has been charged with a criminal offense under the CFAA, which places criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”
The term “exceeds authorized access” is defined to mean “to access a computer with an authorization and use that access to obtain or modify information on the computer that the user is not authorized to obtain or modify” .
On appeal, Van Buren argued that the CFAA’s “exceeds authorized access” clause only applies to those who obtain information to which their computer access does not extend, and not to those who abuse it. access they have otherwise.
The Supreme Court defined the issue as if Van Buren had violated the CFAA, making it illegal to access a computer with permission and to use such access to obtain or modify information in the computer that the user does not have the right to “get” or modify. . The court concluded that he had not done so. He considered that this provision covers those who obtain information from particular areas of the computer, such as files, folders or databases, to which their computer access does not extend. It does not cover those who, like Van Buren, have inappropriate motives for obtaining information that is otherwise available to them.
One of the interesting questions based on the LinkedIn case is what constitutes “authorized access”. A LinkedIn user who has successfully logged into their account manually is “authorized” to access public information on this site. However, LinkedIn’s terms of service specifically prohibit data scraping.
The interpretation of the “in order to obtain” clause is also a problem. The language “to obtain” probably refers to “access”. If so, how the user accesses the data may be relevant. Given the ban on using data scraping to access LinkedIn data, this form of access was likely not allowed.
This poses an interesting question about what is meant by “authorized access”. On the one hand, a user is authorized to access LinkedIn data. On the other hand, a user agrees not to do so using scratch technology.
Hopefully the Supreme Court’s review of LinkedIn will provide additional insight into how to resolve these and other data scraping issues.
This column does not necessarily reflect the opinion of the Bureau of National Affairs, Inc. or its owners.
Write for us: Guidelines for authors
James G. Gatto is a partner in Sheppard Mullin’s intellectual property firm in the Washington, DC office.
Pouneh Almasi is a partner in the intellectual property practice of Sheppard Mullin.