On October 11, 2019, LinkedIn Corp. (“LinkedIn”) filed a petition for rehearing en banc of the Ninth Circuit’s blockbuster decision in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019). The crucial question before the original panel concerned the scope of Computer Fraud and

UPDATE:  On October 22, 2018, the court denied the defendant’s CEO’s motion to dismiss for lack of personal jurisdiction. Subsequently, on January 2, 2019, the parties settled the matter and stipulated to a dismissal of the case.

This past week, a Texas district court denied a bid from a web service for a temporary restraining order (TRO) to enjoin a competitor that allegedly scraped a large amount of proprietary data from its closed site via several user accounts. (BidPrime, LLC v. SmartProcure, Inc., No. 18-478 (W.D. Tex. June 18, 2018)). While tempting to draw a general legal conclusion about the permissibility of scraping from this decision, the decision was in fact based on the judgement of the court that scraping was unlikely to continue during the pendency of the litigation.

Nonetheless, the dispute highlights the host of legal issues that can arise when an entity accesses a website or database to scrape data for competitive or other reasons using user credentials or fake accounts or proxies to mask its true identity. For example, the plaintiff BidPrime, LCC (“BidPrime”) sought injunctive relief based upon claims under the federal Computer Fraud and Abuse Act (CFAA) and state law counterpart, state trade secret law, and breach of contract, among others. Whether such claims are viable are of course dependent on the specific facts and circumstances of the dispute, the restrictions contained in the website terms of use, what countermeasures and demands the website owner made to the web scraper to prevent unwanted access, and the state of the current interpretation of applicable law. This decision did not analyze these factors beyond concluding that ongoing scraping was unlikely.

Such Scraping “Plausibly Falls within the Ambit of the First Amendment”

The Ninth Circuit is currently considering the appeal of the landmark hiQ decision, where a lower court had granted an injunction that limited the applicability of the federal Computer Fraud and Abuse Act (CFAA) to the blocking of an entity engaging in commercial data scraping of a public website.  While we wait for that decision, there has been another fascinating development regarding scraping, this time involving a challenge to the CFAA brought by academic researchers.  In Sandvig v. Sessions, No. 16-1368 (D.D.C. Mar. 30, 2018), a group of professors and a media organization, which are conducting research into whether the use of algorithms by various housing and employment websites to automate decisions produces discriminatory effects, brought a constitutional challenge alleging that the potential threat of criminal prosecution under the CFAA for accessing a website “without authorization” (based upon the researchers’ data scraping done in violation of the site’s terms of use) violates their First Amendment rights.

In a preliminary decision, a district court held that the plaintiffs have standing and allowed their as-applied constitutional challenge to the CFAA to go forward with regard to the activity of creating fictitious accounts on web services for research purposes.  The decision contains vivid language on the nature of the public internet as well as how the plaintiffs’ automated collection and use of publicly available web data would not violate the CFAA’s “access” provision even if a website’s terms of service prohibits such automated access (at least with respect to the facts of this case, which involves academic or journalistic research as opposed to commercial or competitive activities).

UPDATE:  On February 22, 2018, the district court granted 3taps’s motion to relate its action to the ongoing hiQ v. LinkedIn litigation. This motion was based upon a local Northern District of California rule that holds that cases should be related when the actions concern substantially the same parties, transaction or event, and there would be an “unduly burdensome duplication of labor…or conflicting results” if the cases were heard before different judges.  As a result, the 3taps case, over the opposition of LinkedIn, was reassigned to Judge Edward Chen, who also presided over the lower court proceedings in the hiQ v. LinkedIn litigation.

In the latest development in the legal controversy over scraping, 3taps, Inc. (“3taps”), a data aggregator and “exchange platform” for developers, filed suit against LinkedIn seeking a declaratory judgment that 3taps would not be in violation of the Computer Fraud and Abuse Act (CFAA) if it accesses and collects publicly-available data from LinkedIn’s website. (3Taps Inc. v. LinkedIn Corp., No. 18-00855 (C.D. Cal. filed Feb. 8, 2018)).  The basis of 3Taps’s complaint is last year’s hotly-debated California district court ruling (hiQ Labs, Inc. v. LinkedIn, Corp., 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017)), where the court granted a preliminary injunction compelling LinkedIn to disable any technical measures it had employed to block a data analytics company from scraping the publicly available data on LinkedIn’s website. The hiQ ruling essentially limited the applicability of the CFAA as a tool against the scraping of publicly-available website data.  [For an analysis of the hiQ lower court decision, please read the Client Alert on our website].

A California district court issued an important opinion in a dispute between a ticket sales platform and a ticket broker that employed automated bots to purchase tickets in bulk. (Ticketmaster L.L.C. v. Prestige Entertainment, Inc., No. 17-07232 (C.D. Cal. Jan. 31, 2018)). For those of us who have been following the evolution of the law around the use of automation to scrape websites, this case is interesting. The decision interprets some of the major Ninth Circuit decisions of recent memory on liability for web scraping.  Indeed, two weeks ago, we wrote about a case in which the Ninth Circuit interpreted certain automated downloading practices under the CFAA and CDAFA. Also, we wrote about and are awaiting the decision in the hiQ v. LinkedIn appeal before the Ninth Circuit. Also prior posts on the topic include a discussion of a noteworthy appeals court opinion that examined scraping activity under copyright law and the scope of liability under the DMCA anticircumvention provisions.  These seminal decisions and the issues they raise were expressly or implicitly addressed in the instant case. While we will briefly review some of the highlights of this decision below, the case is a must-read for website operators and entities that engage in web scraping activities.

This past week, the Supreme Court denied the petitions for certiorari in two noteworthy Ninth Circuit decisions that had interpreted the scope of liability under the federal Computer Fraud and Abuse Act (CFAA) in the context of wrongful access of company networks by employees and in instances involving unwanted data

UPDATE: On January 18, 2019, the Ninth Circuit affirmed the award of damages and injunctive relief in favor of Facebook. (Facebook, Inc. v. Power Ventures, Inc., No. 17-16161 (9th Cir. Jan. 18, 2019) (unpublished)). The California district court in 2017 had awarded Facebook almost $80,000 in CFAA damages, representing only the period after Facebook sent its cease and desist letter to the defendant and including expenses both for technical measures to block Power Ventures from accessing Facebook servers and expenses for negotiating with Power Ventures to voluntarily stop its activities and destroy the data.  The lower court also granted Facebook’s request for a permanent injunction barring defendant from, among other things, accessing Facebook for a commercial purpose without permission.

  • Unauthorized Access: A former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violates the CFAA. [U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016)]
  • Data Scraping: A commercial entity that accesses a public website after permission has been explicitly revoked can be civilly liable under the CFAA. However, a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA, a ruling that runs contrary to language from one circuit level decision regarding potential CFAA liability for screen scraping activities (See e.g., EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)). [Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th July 12, 2016)]

This past week, the Ninth Circuit released two important decisions that clarify the scope of liability under the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.  The Act was originally designed to target hackers, but has lately been brought to bear in many contexts involving wrongful access of company networks by current and former employees and in cases involving the unauthorized scraping of data from publicly available websites.

For years, craigslist has aggressively used technological and legal methods to prevent unauthorized parties from scraping, linking to or accessing user postings for their own commercial purposes.  In a prior post, we briefly discussed craigslist’s action against a certain aggregator that was scraping content from the craigslist site (despite having

UPDATE: As discussed in this blog post, a panel of the U.S. Court of Appeals for the Ninth Circuit overruled the district court in United States v. Nosal (9th Cir. Apr. 28, 2011).

********

The debate over the applicability of the Computer Fraud and Abuse Act in cases of alleged employee disloyalty has yielded quite a few rulings over the last several years, and generated a circuit split last September with the Ninth Circuit decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). In that civil action alleging employee theft and misappropriation of trade secrets, the appeals court rejected an expansive interpretation of the CFAA, concluding that an employee’s authorization to access an employer’s computer network is not automatically revoked when the employee is acting in a manner that is disloyal to the employer’s interest. The Ninth Circuit explicitly rejected the contrary reasoning of the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). In the Citrin case, Judge Posner authored a panel ruling that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby lacks authorization within the meaning of the CFAA.

The battleground in those two cases was whether a former employer could bring a civil action under the CFAA against former employees who accessed the employer’s computer network, while still employed, for disloyal purposes. The prize in these and many other such cases is the opportunity for the employer to pursue what what would have otherwise likely been largely a matter of state law in federal court. But the CFAA is primarily a criminal statute, and expansive interpretation could (and has) resulted in federal criminal prosecutions in what have been typically state law cases.

However, the Ninth Circuit’s narrower construction in LVRC v. Brekka ruling has now been applied in  one of those criminal cases, resulting in the dismissal of some but not all of the CFAA charges against one defendant in United States v. Nosal, 3:08-cr-00237-MHP(N.D. Cal. Jan. 6, 2009)