Taking Cue from the Supreme Court’s Van Buren Decision, Ninth Circuit Releases New Opinion Holding Scraping of Publicly Available Website Data Falls Outside of CFAA

On remand from the U.S. Supreme Court, the Ninth Circuit earlier this week again affirmed the lower court’s order preliminarily enjoining LinkedIn Corp. (“LinkedIn”) from blocking data analytics company hiQ Labs, Inc.’s (“hiQ”) access to publicly available LinkedIn member profiles. (hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9^th Cir. Apr. 18, 2022)) (“hiQ II”). In what might be considered an emphatic, pro-scraping decision (even more so than its first, now-vacated 2019 decision), the appeals court found that hiQ “raised at least serious questions” that its scraping of public LinkedIn member profile data, even after having had its access revoked and blocked by LinkedIn, is lawful under the federal Computer Fraud and Abuse Act (CFAA).

The panel concluded that the reasoning of last year’s Supreme Court decision in Van Buren v. U.S., which interpreted the “exceeds authorized access” provision of the CFAA, reinforced the Ninth Circuit’s interpretation that the concept of “without authorization” under the CFAA does not apply to public websites. Thus, while the law relating to screen scraping remains unclear in many respects – particularly as scraping technology and the applied uses of public website data continue to evolve – this important new decision by the Ninth Circuit carries the reasoning forward from Van Buren and limits the applicability of the CFAA as a tool against the scraping of publicly available website data.

Last June, following Van Buren and the Supreme Court’s separate ruling vacating and remanding the Ninth Circuit’s prior decision in the hiQ case, we had a few questions about how the appeals court would interpret the CFAA’s “without authorization” provision on remand in light of the so-called “gates up or down” approach to the CFAA espoused by the Supreme Court in Van Buren. In particular, we were waiting to see whether the appeals court would consider a website owner’s technical measures to selectively block a specific entity’s access to public website data as effectively bringing crashing down the “gates” of authorized access (and, with it, potential CFAA liability). The long wait is over and the Ninth Circuit has answered these questions with its pro-scraping, open web interpretation of the CFAA (with respect to public websites). While some additional legal questions remain unanswered in this case, it appears the CFAA “without authorization” issue has been firmly resolved, at least as far as the Ninth Circuit is concerned.

However, though one issue may has been resolved, others remain. As stated in our 2017 Client Alert about the lower court’s hiQ decision, entities engaged in scraping should still tread carefully. As the Ninth Circuit itself says in hiQ II: “Entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply.”

Also, of course, this litigation does not involve the also-controversial practice of scraping mobile applications. Because the methodology involved in that type of scraping is significantly different, it is possible that a court could come to a different conclusion with respect to the CFAA in that circumstance. Continue Reading

Tags: CFAA, CFAA authorization, data scraping, hiQ case, PUBLIC SOCIAL MEDIA DATA, publicly available website data, screen scraping, unauthrorized access, Van Buren decision

President Biden Signs Executive Order Detailing National Policy Objectives for Digital Assets

By Jeffrey Neuburger on March 10, 2022 Posted in Blockchain, Digital Currency, Regulatory

On March 9, 2022, the President issued an Executive Order (the “E.O.”) that articulates a high-level, wide-ranging national strategy for regulating and fostering innovation in the burgeoning digital assets space. The strategy is intended to encourage innovation yet still provide adequate oversight to control systemic risks and the attendant investor, business, consumer and environmental concerns.

The E.O. is very broad in scope. It focuses on the myriad of issues associated with “digital assets,” a term defined in a way to capture a wide variety of existing and emerging “crypto” implementations. Specifically, the E.O. defines digital assets to include “all central bank digital currencies (CBDCs), regardless of the technology used, and to other representations of value, financial assets and instruments, or claims that are used to make payments or investments, or to transmit or exchange funds or the equivalent thereof, that are issued or represented in digital form through the use of distributed ledger technology.” Significantly, the E.O. does not make an attempt at defining the regulatory status of digital assets and notes a digital asset “may be, among other things, a security, a commodity, a derivative, or other financial product.”

While the E.O. itself doesn’t really set forth any new requirements, it puts into motion a process that may yield specific regulatory approaches to digital assets.

Read the full post on our Blockchain and the Law blog.

Tags: cryptocurrency regulation, digital assets, executive order, federal policy

In the Coming ‘Metaverse’, There May Be Excitement but There Certainly Will Be Legal Issues

By Jeffrey Neuburger and Jonathan Mollod on December 3, 2021 Posted in Blockchain, Contracts, Digital Currency, Internet, Mobile, Online Commerce, Privacy, Quantum Computing, Social Media, Technology

The concept of the “metaverse” has garnered much press coverage of late, addressing such topics as the new appetite for metaverse investment opportunities, a recent virtual land boom, or just the promise of it all, where “crypto, gaming and capitalism collide.” The term “metaverse,” which comes from Neal Stephenson’s 1992 science fiction novel “Snow Crash,” is generally used to refer to the development of virtual reality (VR) and augmented reality (AR) technologies, featuring a mashup of massive multiplayer gaming, virtual worlds, virtual workspaces, and remote education to create a decentralized wonderland and collaborative space. The grand concept is that the metaverse will be the next iteration of the mobile internet and a major part of both digital and real life.

Don’t feel like going out tonight in the real world? Why not stay “in” and catch a show or meet people/avatars/smart bots in the metaverse?

As currently conceived, the metaverse, “Web 3.0,” would feature a synchronous environment giving users a seamless experience across different realms, even if such discrete areas of the virtual world are operated by different developers. It would boast its own economy where users and their avatars interact socially and use digital assets based in both virtual and actual reality, a place where commerce would presumably be heavily based in decentralized finance, DeFi. No single company or platform would operate the metaverse, but rather, it would be administered by many entities in a decentralized manner (presumably on some open source metaverse OS) and work across multiple computing platforms. At the outset, the metaverse would look like a virtual world featuring enhanced experiences interfaced via VR headsets, mobile devices, gaming consoles and haptic gear that makes you “feel” virtual things. Later, the contours of the metaverse would be shaped by user preferences, monetary opportunities and incremental innovations by developers building on what came before.

In short, the vision is that multiple companies, developers and creators will come together to create one metaverse (as opposed to proprietary, closed platforms) and have it evolve into an embodied mobile internet, one that is open and interoperable and would include many facets of life (i.e., work, social interactions, entertainment) in one hybrid space.

In order for the metaverse to become a reality – that is, successfully link current gaming and communications platforms with other new technologies into a massive new online destination – many obstacles will have to be overcome, even beyond the hardware, software and integration issues. The legal issues stand out, front and center. Indeed, the concept of the metaverse presents a law school final exam’s worth of legal questions to sort out. Meanwhile, we are still trying to resolve the myriad of legal issues presented by “Web 2.0,” the Internet we know it today. Adding the metaverse to the picture will certainly make things even more complicated. Continue Reading

Tags: blockchain-based payment systems, DeFi, legal issues, metaverse, metaverse agreements, metaverse digital assets, metaverse economy, metaverse IP issues, metaverse legal challenges, metaverse privacy, smart contracts, web 3.0

GPL Open Source Litigation Could Open the Door to Other Suits

By Jeffrey Neuburger on October 26, 2021 Posted in Contracts, Licensing, Open Source, Software

In today’s digital age, the question isn’t whether there is open source software being used in a company’s products, but how it is being used and what license governs its use. Open source is ubiquitous. Despite its widespread use over the past decade, the provisions of open source licenses have been interpreted by only a handful of U.S. and foreign courts. Open source-related disputes do not usually reach court as open source advocacy groups that enforce open source license provisions often work out a resolution between the parties without litigation.

However, one recent open source dispute has reached the courthouse. As discussed below, a new case filed in California state court could test the enforcement of one of the most common family of open source licenses, the GNU General Public Licenses or “GPL.” If the plaintiff is successful, the case could have the effect of expanding enforcement of GPL licenses under the rubric of consumer protection and allow a broad range of parties to bring claims under the GPL as third party beneficiaries of those licenses.

Last week, the Software Freedom Conservancy, Inc. (“SFC”) filed a complaint against smart-TV manufacturer Vizio, Inc. (“Vizio”) alleging a failure to comply with the GNU General Public License Version 2 (“GPLv2”) and GNU Lesser General Public License Version 2.1 (“LGPL v2.1”) (collectively, the “GPL Licenses”). SFC alleges that, over the last four years, Vizio distributed smart TVs that included executable versions of Vizio’s “SmartCast code. The SmartCast code, it alleged, contained modifications to the Linux kernel and other code obtained by Vizio pursuant to the GPL Licenses. SFC asserts that Vizio did not release the corresponding modified source code (as enhanced, modified or otherwise altered by Vizio) or accompany their smart TVs with a written offer to supply such code upon demand, as is required under the GPL Licenses. (Software Freedom Conservancy, Inc. v. Vizio, Inc., No. 30-2021-01226723 (Cal. Super. Orange Cty Filed Oct. 19, 2021)). Continue Reading

Tags: breach of contract, GPL, GPL compliance, GPL open source license, open source litigation, open source software, smart TV platform, source code

English High Court Clarifies Appropriate Causes of Action in Data Claim Where Defendant Was a Victim of Third-Party Cyber-Attack

By Steven Baker, Vishnu V. Shankar and Julia Bihary on October 5, 2021 Posted in Data Security, Privacy

In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals for compensation for distress relating to a cyber-security breach where the proposed defendant was itself a victim of a third-party cyber-attack. The decision has made it harder to bring free standing/non-statutory cyber-security breach claims in England and Wales where the proposed defendant has not positively caused the breach, and has also brought into question how such claims may be funded going forward (particularly, via “After-the-Event insurance”).

Read the full post on Proskauer’s Privacy Law blog.

Tags: After-the-event insurance, ATE Insurance, BREACH OF CONFIDENCE, BREACH OF STATUTORY DUTY, COMMON LAW NEGLIGENCE, CYBER ATTACK, DATA BREACH, DATA BREACH LITIGATION, DATA PROTECTION ACT, ICO, INFORMATION COMMISSIONER'S OFFICE, MISUSE OF PRIVATE INFORMATION, THIRD-PARTY CYBER ATTACK

Southwest Airlines Wins Injunction Barring Travel Site from Scraping

By Jeffrey Neuburger on October 4, 2021 Posted in Contracts, Internet, Online Commerce, Screen Scraping

UPDATE: On December 23, 2021, the parties reached a settlement, as Southwest filed an unopposed motion for entry of final judgment and a permanent injunction containing the same restrictions as the temporary injunction issued in September. Under the proposed permanent injunction, Kiwi would be barred from scraping flight and fare information from Southwest’s site, publishing any Southwest flight or fare information on kiwi’s site or app (or selling any Southwest flights), or otherwise using Southwest’s site for any commercial purpose or in a manner that violates Southwest’s site terms.

UPDATE: On November 1, 2021, the parties filed a Joint Notice of Settlement indicating that they have reached a settlement agreement in principle. The terms of the settlement were not disclosed.

UPDATE: On October 28, 2021, the defendant Kiwi.com, Inc. filed a notice of appeal to the Fifth Circuit seeking review of the district court’s ruling granting Southwest Airlines Co.’s motion for a preliminary injunction.

On September 30, 2021, a Texas district court granted Southwest Airline Co.’s (“Southwest”) request for a preliminary injunction against online travel site Kiwi.com, Inc. (“Kiwi”), barring Kiwi from, among other things, scraping fare data from Southwest’s website and committing other acts that violate Southwest’s terms. (Southwest Airlines Co. v. Kiwi.com, Inc., No. 21-00098 (N.D. Tex. Sept. 30, 2021)). Southwest is no stranger in seeking and, in most cases, obtaining injunctive relief against businesses that have harvested its fare data without authorization – ranging as far back as the 2000s (See e.g., Southwest Airlines Co. v. BoardFirst, LLC, No. 06-0891 (N.D. Tex. Sept. 12, 2007) (a case cited in the current court opinion)), and as recently as two years ago, when we wrote about a 2019 settlement Southwest entered into with an online entity that scraped Southwest’s site and had offered a fare notification service, all contrary to Southwest’s terms.

In this case, the Texas court found that Southwest had established a likelihood of success on the merits of its breach of contract claim. Rejecting Kiwi’s arguments that it did not assent to Southwest’s terms, the court found that Kiwi had knowledge of and assented to the terms in multiple ways, including by agreeing to the terms when purchasing tickets on Southwest’s site. In all, the court found the existence of a valid contract and Kiwi’s likely breach of the terms, which prohibit scraping Southwest’s flight data and selling Southwest flights without authorization. The court also found that Southwest made a sufficient showing that Kiwi’s scraping and unauthorized sale of tickets, if not barred, would result in irreparable harm. In ultimately granting Southwest’s request for a preliminary injunction, the Texas court also found that Southwest also demonstrated the threatened injury if the injunction is denied outweighed any harm to Kiwi that will result if the injunction is granted and that the injunction would be in the public interest.

What made this result particularly notable is that the preliminary injunction is based on the likelihood of success on the merits of Southwest’s breach of contract claim and Kiwi’s alleged violation of Southwest’s site terms, as opposed to other recent scraping disputes which have centered around claims of unauthorized access under the federal Computer Fraud and Abuse Act (CFAA). Continue Reading

Tags: breach of contract, CFAA, fare information, preliminary injunction, public website data, screen scraping, violation of site terms, web scraping

SEC Brings First Enforcement Action Against Alternative Data Provider

By Robert Leonard, Jeffrey Neuburger, Joshua M. Newville and Samuel J. Waldon on September 16, 2021 Posted in Alternative Data, Mobile, Regulatory

On September 14, 2021, the Securities and Exchange Commission (“SEC”) filed a settled securities fraud action against App Annie Inc., one of the largest sellers of market data on how apps on mobile devices are performing, and its co-founder and former CEO and Chairman Bertrand Schmitt. The settlement is the first enforcement action brought by the SEC against an alternative data provider. As part of the settlement, App Annie agreed to pay a $10 million civil penalty and Schmitt agreed to pay a $300,000 penalty and to be barred from serving as an officer or director of a public company for three years.

For further discussion of this enforcement, please see our Client Alert posted on Proskauer’s website.

Tags: alternative data, alternative data vendors, material misrepresentations, mobile app performance data, SEC enforcement, Section 10(b) of the Exchange Act

Another NY Court Repudiates Ninth Circuit “Server Test” in Case over Embedded Video

By Jeffrey Neuburger on August 11, 2021 Posted in Copyright, Internet, Online Content, Social Media

On July 30, 2021, a New York district court declined to dismiss copyright infringement claims with respect to an online article that included an “embedded” video (i.e., shown via a link to a video hosted on another site). The case involved a video hosted on a social media platform that made embedding available as a function of the platform. The court ruled that the plaintiff-photographer plausibly alleged that the defendants’ “embed” may constitute copyright infringement and violate his display right in the copyrighted video, rejecting the defendants’ argument that embedding is not a “display” when the image at issue remains on a third-party’s server (Nicklen v. Sinclair Broadcast Group, Inc., No. 20-10300 (S.D.N.Y. July 30, 2021)). Notably, this is the second New York court to decline to adopt the Ninth Circuit’s “server test” first adopted in the 2007 Perfect 10 decision, which held that the infringement of the public display right in a photographic image depends, in part, on where the image was hosted. With this being the latest New York court finding the server test inapt for an online infringement case outside of the search engine context (even if other meritorious defenses may exist), website publishers have received another stark reminder to reexamine inline linking practices. Continue Reading

Tags: display right, embedded video, embeds, fair use, online copyright infringement, server test

Settlement in Plaid Fintech Data Case

By Jeffrey Neuburger on August 7, 2021 Posted in Alternative Data, Mobile, Online Commerce, Privacy

On August 5, 2021, a proposed class action settlement was reached in the closely-watched privacy action against fintech services company Plaid Inc. (“Plaid”). The settlement features a $58 million settlement fund and certain injunctive relief that would make changes to Plaid’s methods of notice and consumer data collection, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The settlement is still subject to court approval.

Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated actions involve claims surrounding Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent. Plaintiffs’ complaint also contended that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information. As we wrote about back in May 2021, the California district court, in deciding Plaid’s motion to dismiss, trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward. Continue Reading

Tags: data privacy, financial data privacy, financial transaction data, fintech apps, fintech privacy, mobile data collection, settlement, state privacy claims

Second Circuit Vacates CDA Decision and Reissues a Narrower Opinion Reaching Same Conclusion, Providing Some Practical CDA Lessons for the Future

By Jeffrey Neuburger on July 26, 2021 Posted in Internet, Online Content, Social Media, Video

Less than one week after issuing an order vacating its own March 2021 opinion in an important Communications Decency Act (“CDA”) case and granting a petition for rehearing, the Second Circuit issued a new opinion reaffirming “protection” under Section 230 of the CDA for video-sharing site Vimeo, Inc. (“Vimeo”) (Domen v. Vimeo, Inc., No. 20-616 (2d Cir. July 21, 2021) (amended opinion)).

It’s not completely clear why the Second Circuit decided to grant a rehearing and amend its original opinion to only reach essentially the same holding. It is possible that given the attention surrounding the CDA, the court thought it best to narrow the language of its original holding so it could insulate its ruling from possible Supreme Court review (recall, Justice Thomas previously issued a statement following denial of certiorari in a prior CDA case, that “in an appropriate case,” the Court should consider whether the text of the CDA “aligns with the current state of immunity enjoyed by Internet platforms”). The Second Circuit’s second decision arguably watered down some of its stronger statements in its earlier opinion enunciating broad CDA immunity (e.g., even swapping out the word “immunity” for “protection” when discussing the CDA). The court even mused in dicta near the end of the opinion about the types of claims that might fall outside of CDA protection, as if to intimate that CDA Section 230 immunity is broad, but not as broad as its detractors suggest.

Yet, despite the narrowing of its original opinion, the court reached the same result under the same reasoning. As in the original (now vacated) opinion from March 2021, the Second Circuit’s amended decision relied on Section 230(c)(2), the Good Samaritan provision, which allows online providers to self-regulate the moderation of third party content in good faith without fear of liability. Unlike the original opinion, in the second go-round the appeals court also knocked out the plaintiff’s claims on the merits, finding allegations of discrimination based on the presence of similar videos uploaded by other users that were left up on the site as “vanishingly thin” (thereby further reducing the chance of Supreme Court review). Continue Reading

Tags: account termination, amended opinion, CDA Good Samaritan immunity, CDA immunity, content guidelines, filtering decisions, harassing content, objectionable material, terms of service

This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.