The District court of Northern California recently rendered a decision, hiQ Labs, Inc. v. LinkedIn, regarding the scope of the Computer Fraud and Abuse Act (CFAA). In the case at hand, a new question was brought before the court regarding whether continuing to access publicly available data even after the data processor has explicitly revoked his or her permission to do so is a violation of the CFAA. In other words, can such conduct be considered as accessing a computer without authorization?

The question is new in the sense that the courts have only ruled on private (not publicly available) data.

However, it must be underlined that the California Court did not directly address the merits of the case. The plaintiff had requested a preliminary injunction. Thus, the scope of the ruling is limited. Nonetheless, the Court’s ruling provides guidance on further legal trends.

Mathias Avocats analyses the case.

The CFAA: an appropriate framework?

The CFAA explicitly prohibits any person from “intentionally

[accessing] a computer without authorization or [exceeding] authorized access, and thereby [obtaining] information from a protected computer” (18 U.S.C. § 1030 (a) (2) (C)). The person’s conduct may be subject to civil and criminal liability.

In Musachio v. United States, the Supreme Court explained that the statute provides “two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly”.

However, the statute does not define the terms “authorization” and “without authorization”. The lack of definition may not have been an issue in 1986 when the CFAA was enacted but it has become a hurdle. Indeed, Internet has become a leading communication vector. As such, the interpretation of the terms “authorization” and “without authorization” becomes crucial. Without a clear definition of these terms, how can one know if his or her conduct is criminal? How can an abusive use of the statute be curtailed?

It must be underlined that the CFAA was intended to deal with hacking or trespass onto private, often password protected computers. It appears that Congress had no intention of legislating on publicly available data.

The CFAA is a broad framework aiming at protecting private protected computers but it has loopholes. This namely explains the importance of judicial decisions regarding the interpretation of what constitutes “unauthorized access to a protected computer” and the reason for which hiQ Labs v. LinkedIn may have a significant impact.

What are the facts of the case?

HiQ Labs’ business involves providing information to businesses about their workforces based on statistical analysis of publicly available data. HiQ Labs namely analyses data from publicly available LinkedIn profiles and sells the information to its client businesses.

LinkedIn had tolerated hiQ Labs’ activities for several years before sending a cease and desist letter and demanding that hiQ Labs immediately cease to collect data from LinkedIn’s public profiles. LinkedIn argued that hiQ Labs’ activities were against LinkedIn’s User Agreement and the CFAA seeing as it had implemented technical measures to prevent hiQ Labs from accessing its website. HiQ Labs seized the District court of Northern California and requested a preliminary injunction allowing it to access public LinkedIn profiles pending resolution of the dispute.

The Court granted the injunction namely on the grounds that it “is doubtful that the Computer Fraud and Abuse Act may be invoked by LinkedIn to punish hiQ for accessing publicly available data; the broad interpretation of the CFAA advocated by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago”. Therefore, hiQ Labs can continue to aggregate information from public LinkedIn profiles.

This case is a small step towards circumventing the broad interpretations of the Act by the Ninth Circuit. Two decisions rendered by the court must be considered:

  • In Facebook, Inc. v. Power Ventures, Inc, the Ninth Circuit held that “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly”. The facts are similar to hiQ Labs. Power Ventures operated a site extracting and aggregating Facebook users’ social networking information. Facebook sent a cease and desist letter to Power Ventures. The Ninth Circuit found that Power Ventures had violated the CFAA by circumventing IP barriers and continuing to access Facebook servers. Such conduct was “without authorization”.
  • In United-States v. Nosal (Nosal II), Mr. Nosal, a former employee, persuaded current employees of the company to use their login credentials to access and collect confidential information. Mr. Nosal’s computer access credentials had been revoked. The Ninth Circuit held that Mr. Nosal acted without authorization and thus violated the CFAA.

Therefore, in both cases the defendant was found in violation of the statute. The Ninth Circuit broadly interprets “without authorization” to mean any conduct going against the company’s website policy. Both decisions have been criticized namely as going against Congress’s intent.

The crucial difference is that in hiQ Labs the data was publicly available. If a good or piece of information is publicly available, does one need authorization to access it? It appears not.

What are the next steps?

HiQ Labs, Inc. v. LinkedIn seems to illustrate a slight evolution in the legal trend. It remains to be seen whether other courts will follow the District court’s reasoning.

The case also aims at impeding the abuse of cease and desist letters from large corporations or groups. Once again, only time will tell what impacts hiQ Labs, Inc. v. LinkedIn will have.

Let us note that the Supreme Court will decide this fall whether it will take up the Nosal case. Mathias avocats will be sure to keep you informed.