Computer Fraud and Abuse Act

Subscribe to Computer Fraud and Abuse Act via RSS

A Green Light for Screen Scraping? Proceed With Caution…

UPDATE:  As expected, LinkedIn appealed the lower court’s decision to grant a preliminary injunction compelling LinkedIn to disable any technical measures it had employed to block the defendant’s data scraping activities.  LinkedIn’s brief was filed on October 3, 2017.  In

UPDATE: On January 18, 2019, the Ninth Circuit affirmed the award of damages and injunctive relief in favor of Facebook. (Facebook, Inc. v. Power Ventures, Inc., No. 17-16161 (9th Cir. Jan. 18, 2019) (unpublished)). The California district court in 2017 had awarded Facebook almost $80,000 in CFAA damages, representing only the period after Facebook sent its cease and desist letter to the defendant and including expenses both for technical measures to block Power Ventures from accessing Facebook servers and expenses for negotiating with Power Ventures to voluntarily stop its activities and destroy the data.  The lower court also granted Facebook’s request for a permanent injunction barring defendant from, among other things, accessing Facebook for a commercial purpose without permission.

  • Unauthorized Access: A former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violates the CFAA. [U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016)]
  • Data Scraping: A commercial entity that accesses a public website after permission has been explicitly revoked can be civilly liable under the CFAA. However, a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA, a ruling that runs contrary to language from one circuit level decision regarding potential CFAA liability for screen scraping activities (See e.g., EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)). [Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th July 12, 2016)]

This past week, the Ninth Circuit released two important decisions that clarify the scope of liability under the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.  The Act was originally designed to target hackers, but has lately been brought to bear in many contexts involving wrongful access of company networks by current and former employees and in cases involving the unauthorized scraping of data from publicly available websites.

Operators of public-facing websites are typically concerned about the unauthorized, technology-based extraction of large volumes of information from their sites, often by competitors or others in related businesses.  The practice, usually referred to as screen scraping, web harvesting, crawling or spidering, has been the subject of many questions and a fair amount of litigation over the last decade.

However, despite the litigation in this area, the state of the law on this issue remains somewhat unsettled: neither scrapers looking to access data on public-facing websites nor website operators seeking remedies against scrapers that violate their posted terms of use have very concrete answers as to what is permissible and what is not.

In the latest scraping dispute, the e-commerce site QVC objected to the Pinterest-like shopping aggregator Resultly’s scraping of QVC’s site for real-time pricing data.  In its complaint, QVC claimed that Resultly “excessively crawled” QVC’s retail site (purpotedly sending search requests to QVC’s website at rates ranging from 200-300 requests per minute to up to 36,000 requests per minute) causing a crash that wasn’t resolved for two days, resulting in lost sales.  (See QVC Inc. v. Resultly LLC, No. 14-06714 (E.D. Pa. filed Nov. 24, 2014)). The complaint alleges that the defendant disguised its web crawler to mask its source IP address and thus prevented QVC technicians from identifying the source of the requests and quickly repairing the problem.  QVC brought some of the causes of action often alleged in this type of case, including violations of the Computer Fraud and Abuse Act (CFAA), breach of contract (QVC’s website terms of use), unjust enrichment, tortious interference with prospective economic advantage, conversion and negligence and breach of contract.  Of these and other causes of action typically alleged in these situations, the breach of contract claim is often the clearest source of a remedy.

The Ninth Circuit, sitting en banc, has upheld a district court’s dismissal of criminal charges under the Computer Fraud and Abuse Act that were predicated on misappropriation of proprietary documents in violation of the employer’s computer use policy. United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS

UPDATE: As discussed in this blog post, a panel of the U.S. Court of Appeals for the Ninth Circuit overruled the district court in United States v. Nosal (9th Cir. Apr. 28, 2011).

********

The debate over the applicability of the Computer Fraud and Abuse Act in cases of alleged employee disloyalty has yielded quite a few rulings over the last several years, and generated a circuit split last September with the Ninth Circuit decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). In that civil action alleging employee theft and misappropriation of trade secrets, the appeals court rejected an expansive interpretation of the CFAA, concluding that an employee’s authorization to access an employer’s computer network is not automatically revoked when the employee is acting in a manner that is disloyal to the employer’s interest. The Ninth Circuit explicitly rejected the contrary reasoning of the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). In the Citrin case, Judge Posner authored a panel ruling that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby lacks authorization within the meaning of the CFAA.

The battleground in those two cases was whether a former employer could bring a civil action under the CFAA against former employees who accessed the employer’s computer network, while still employed, for disloyal purposes. The prize in these and many other such cases is the opportunity for the employer to pursue what what would have otherwise likely been largely a matter of state law in federal court. But the CFAA is primarily a criminal statute, and expansive interpretation could (and has) resulted in federal criminal prosecutions in what have been typically state law cases.

However, the Ninth Circuit’s narrower construction in LVRC v. Brekka ruling has now been applied in  one of those criminal cases, resulting in the dismissal of some but not all of the CFAA charges against one defendant in United States v. Nosal, 3:08-cr-00237-MHP(N.D. Cal. Jan. 6, 2009)

The federal Computer Fraud and Abuse Act, 18 U.S.C. §1030, criminalizes access to a computer that is either “"without authorization"” or that "“exceed[s] authorized access,"” and provides a civil right of action for violations as well. In the last several years, a split has developed in the federal courts on the question of whether an employee’s access to an employer’s computer, even if it was “authorized” in the ordinary course of business, ceases to be authorized if the purpose if the access is to further an act that is disloyal to the employer. The Ninth Circuit has now weighed in on the issue in an opinion rendered today in LVRC Holdings, LLC v Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009), and has taken a position diametrically opposed to that of  an influential Seventh Circuit opinion, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).