data scraping

Another Web Scraping Dispute Focused on Travel Data

By Jeffrey Neuburger on November 17, 2023

Flight and travel data has always been valuable for data aggregators and online travel services and has prompted litigation over the years.
Latest suit from Air Canada against a rewards travel search site raises some interesting liability issues under the CFAA.
The implications of this case, if the plaintiffs are successful, could impact the legal analysis of web scraping in a variety of circumstances, including for the training of generative AI models.

In a recent post, we recounted the myriad of issues raised by recently-filed data scraping suits involving job listings, company reviews and employment data. Soon after, another interesting scraping suit was filed, this time by a major airline against an award travel search site that aggregates fare and award travel data. Air Canada alleges that Defendant Localhost LLC (“Localhost” or “Defendant”), operator of the Seats.aero website, unlawfully bypassed technical measures and violated Air Canada’s website terms when it scraped “vast amounts” of flight data without permission and purportedly caused slowdowns to Air Canada’s site and other problems. (Air Canada v. Localhost LLC, No. 23-01177 (D. Del. Filed Oct. 19, 2023)).[1]

The complaint alleges that Localhost harvested data from Air Canada’s site and systems to populate the seats.aero site, which claims to be “the fastest search engine for award travel.”

It also alleged that in addition to scraping the Air Canada website, Localhost engaged in “API scraping” by impersonating authorized requests to Air Canada’s application programming interface.

hiQ and LinkedIn Reach Settlement in Landmark Scraping Case

By Jeffrey Neuburger on December 8, 2022

UPDATE: On December 8, 2022, the court issued an order granting the Consent Judgment and Permanent Injunction.

On December 6, 2022, the parties in the long-running litigation between now-defunct data analytics company hiQ Labs, Inc. (“hiQ”) and LinkedIn Corp. (“LinkedIn”) filed a Stipulation and Proposed Consent Judgment (the “Stipulation”) with the California district court, indicating that they have reached a confidential settlement agreement resolving all outstanding claims in the case.

This case has been a litigation odyssey of sorts, to the Supreme Court and back: it started with the original district court injunction in 2017, Ninth Circuit affirmance in 2019, Supreme Court vacating of the order in 2021, Ninth Circuit issuing a new order in April 2022 affirming the original injunction, and back again where we started, the lower court in August 2022 issuing an order dissolving the preliminary injunction, and the most recent mixed ruling on November 4^th, 2022. It certainly has been one of the most heavily-litigated scraping cases in recent memory and has been closely followed on our blog. Practically speaking, though, the dispute had essentially reached its logical end with the last court ruling in November – hiQ had prevailed on the Computer Fraud and Abuse Act (CFAA) “unauthorized access” issue related to public website data but was facing a ruling that it had breached LinkedIn’s User Agreement due to its scraping and creation of fake accounts (subject to its equitable defenses).

Data Scraper’s Declaratory Action Seeking Green Light to Scrape LinkedIn Survives Motion to Dismiss

By Jeffrey Neuburger on November 21, 2022

On November 15, 2022, a California district court declined to dismiss a declaratory judgment action brought by a data scraper, 3taps, Inc. (“3taps”), against LinkedIn Corp. (“LinkedIn”). (3taps, Inc. v. LinkedIn Corp., No. 18-00855 (N.D. Cal. Nov. 15, 2022)). 3taps is seeking an order to clarify whether the federal Computer Fraud and Abuse Act (CFAA) (or its California state law counterpart) prevents it from accessing and using publicly-available data on LinkedIn, and whether scraping such data would also subject it to an action brought by LinkedIn for breach of contract or trespass.

This is not 3tap’s first experience with scraping litigation (see prior post). But if this dispute sounds strangely familiar and reminiscent of the long-running dispute between hiQ Labs and LinkedIn (which we’ve followed closely), it is. The 3taps action traces its origin, in part, to the original hiQ ruling in August 2017, where this same judge first granted a preliminary injunction in favor of hiQ, enjoining LinkedIn from blocking hiQ’s access to LinkedIn members’ public profiles. Following that ruling, 3taps sent a letter to LinkedIn stating that it also intended to scrape publicly-available data from LinkedIn. LinkedIn responded that while it was not considering legal action against 3taps, it cautioned that “any further access by 3taps to the LinkedIn website and LinkedIn’s servers is without LinkedIn’s or its members’ authorization.” Thus, the hiQ ruling, 3taps’s letter to LinkedIn, and LinkedIn’s reply were the genesis of the current declaratory judgment action filed by 3taps against LinkedIn.[1]

Court Finds hiQ Breached LinkedIn’s Terms Prohibiting Scraping, but in Mixed Ruling, Declines to Grant Summary Judgment to Either Party as to Certain Key Issues

By Jeffrey Neuburger on November 11, 2022

On November 4, 2022, a California district court took up the parties cross-motions for summary judgment in the long-running scraping litigation involving social media site LinkedIn Corp.’s (“LinkedIn”) challenge to data analytics firm hiQ Labs, Inc.’s (“hiQ”) scraping of LinkedIn public profile data. (hiQ Labs, Inc. v. LinkedIn Corp., No. 17-3301 (N.D. Cal. Nov. 4, 2022)). The court mostly denied both parties’ motions for summary judgment on the principal scraping-related issues related to breach of contract and CFAA liability. While the court found that hiQ breached LinkedIn’s User Agreement both through its own scraping of LinkedIn’s site and using scraped data, and through its use of independent contractors (so-called “turkers”), who logged into LinkedIn to run quality assurance for hiQ’s “people analytics” product, there were factual issues surrounding hiQ’s waiver and estoppel defenses to its own scraping activities that foreclosed a judgment in favor of either party on that claim. Similarly, the court found material issues of fact which prevented a ruling on hiQ’s statute of limitations defense to LinkedIn’s claims under the Computer Fraud and Abuse Act (CFAA) based on emails exchanged among LinkedIn staff back in 2014 about hiQ’s activities that may or may not have given LinkedIn constructive knowledge about hiQ’s scraping activities and started the statute of limitations clock.

District Court Decision Brings New Life to CFAA to Combat Unwanted Scraping

By Jeffrey Neuburger on November 10, 2022

On October 24, 2022, a Delaware district court held that certain claims under the Computer Fraud and Abuse Act (CFAA) relating to the controversial practice of web scraping were sufficient to survive the defendant’s motion to dismiss. (Ryanair DAC v. Booking Holdings Inc., No. 20-01191 (D. Del. Oct. 24, 2022)). The opinion potentially breathes life into the use of the CFAA to combat unwanted scraping.

In the case, Ryanair DAC (“Ryanair”), a European low-fare airline, brought various claims against Booking Holdings Inc. (and its well-known suite of online travel and hotel booking websites) (collectively, “Defendants”) for allegedly scraping the ticketing portion of the Ryanair site. Ryanair asserted that the ticketing portion of the site is only accessible to logged-in users and therefore the data on the site is not public data.

The decision is important as it offers answers (at least from one district court) to several unsettled legal issues about the scope of CFAA liability related to screen scraping. In particular, the decision addresses:

the potential for vicarious liability under the CFAA (which is important as many entities retain third party service providers to perform scraping)
how a data scraper’s use of evasive measures (e.g., spoofed email addresses, rotating IP addresses) may be considered under a CFAA claim centered on an “intent to defraud”
clarification as to the potential role of technical website-access limitations in analyzing CFAA “unauthorized access” liability

To find answers to these questions, the court’s opinion distills the holdings of two important CFAA rulings from this year – the Supreme Court’s holding in Van Buren that adopted a narrow interpretation of “exceeds unauthorized access” under the CFAA and the Ninth Circuit’s holding in the screen scraping hiQ case where that court found that the concept of “without authorization” under the CFAA does not apply to “public” websites.

Taking Cue from the Supreme Court’s Van Buren Decision, Ninth Circuit Releases New Opinion Holding Scraping of Publicly Available Website Data Falls Outside of CFAA

By Jeffrey Neuburger on April 21, 2022

On remand from the U.S. Supreme Court, the Ninth Circuit earlier this week again affirmed the lower court’s order preliminarily enjoining LinkedIn Corp. (“LinkedIn”) from blocking data analytics company hiQ Labs, Inc.’s (“hiQ”) access to publicly available LinkedIn member profiles. (hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9^th Cir. Apr. 18, 2022)) (“hiQ II”). In what might be considered an emphatic, pro-scraping decision (even more so than its first, now-vacated 2019 decision), the appeals court found that hiQ “raised at least serious questions” that its scraping of public LinkedIn member profile data, even after having had its access revoked and blocked by LinkedIn, is lawful under the federal Computer Fraud and Abuse Act (CFAA).

The panel concluded that the reasoning of last year’s Supreme Court decision in Van Buren v. U.S., which interpreted the “exceeds authorized access” provision of the CFAA, reinforced the Ninth Circuit’s interpretation that the concept of “without authorization” under the CFAA does not apply to public websites. Thus, while the law relating to screen scraping remains unclear in many respects – particularly as scraping technology and the applied uses of public website data continue to evolve – this important new decision by the Ninth Circuit carries the reasoning forward from Van Buren and limits the applicability of the CFAA as a tool against the scraping of publicly available website data.

Last June, following Van Buren and the Supreme Court’s separate ruling vacating and remanding the Ninth Circuit’s prior decision in the hiQ case, we had a few questions about how the appeals court would interpret the CFAA’s “without authorization” provision on remand in light of the so-called “gates up or down” approach to the CFAA espoused by the Supreme Court in Van Buren. In particular, we were waiting to see whether the appeals court would consider a website owner’s technical measures to selectively block a specific entity’s access to public website data as effectively bringing crashing down the “gates” of authorized access (and, with it, potential CFAA liability). The long wait is over and the Ninth Circuit has answered these questions with its pro-scraping, open web interpretation of the CFAA (with respect to public websites). While some additional legal questions remain unanswered in this case, it appears the CFAA “without authorization” issue has been firmly resolved, at least as far as the Ninth Circuit is concerned.

However, though one issue may has been resolved, others remain. As stated in our 2017 Client Alert about the lower court’s hiQ decision, entities engaged in scraping should still tread carefully. As the Ninth Circuit itself says in hiQ II: “Entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply.”

Also, of course, this litigation does not involve the also-controversial practice of scraping mobile applications. Because the methodology involved in that type of scraping is significantly different, it is possible that a court could come to a different conclusion with respect to the CFAA in that circumstance.

Supreme Court Vacates LinkedIn-HiQ Scraping Decision, Remands to Ninth Circuit for Another Look

By Jeffrey Neuburger on June 16, 2021

On June 14, 2021, in a closely-watched dispute involving the Computer Fraud and Abuse Act (CFAA), the Supreme Court granted LinkedIn Corp.’s (“LinkedIn”) petition for certiorari filed in the hiQ web scraping case. It subsequently vacated the Ninth Circuit 2019 opinion and remanded the case to the Ninth Circuit for further consideration in light of the Supreme Court’s decision from earlier this month in Van Buren v. United States, 593 U. S. ___ (June 3, 2021). (LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116, 593 U.S. ___ (GVR Order June 14, 2021)).

In Van Buren, the Supreme Court reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the CFAA, ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him or her.

The LinkedIn-hiQ dispute involves a different part of the CFAA’s “unauthorized access” section than the Van Buren case. The question in the hiQ dispute concerns the scope of CFAA liability to unwanted web scraping of publicly available social media profile data and whether once data analytics firm hiQ received a cease-and-desist letter from LinkedIn demanding it stop scraping public profiles, any further scraping of such data was “without authorization” within the meaning of the CFAA. In 2017 the lower court issued a preliminary injunction, expressing “serious doubt” as to whether LinkedIn’s revocation of permission to access the public portions of its site rendered hiQ’s access “without authorization” within the meaning of the CFAA. On appeal, in 2019 the Ninth Circuit affirmed, notably ruling that: “It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.” In 2020 LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s ruling. And now, in the wake of Van Buren, the Supreme Court has vacated the appeals court ruling and sent the case back to the Ninth Circuit for further consideration.

So what’s next? Some thoughts:

hiQ Files Opposition Brief with Supreme Court in LinkedIn CFAA Data Scraping Dispute

By Jeffrey Neuburger on June 29, 2020

Last week, hiQ Labs, Inc. (“hiQ”) filed its brief urging the Supreme Court to deny LinkedIn Corp.’s (“LinkedIn”) petition for a writ of certiorari in the Ninth Circuit’s blockbuster ruling in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In the prior ruling, the appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing of that publicly available data will not constitute access “without authorization” under the CFAA. Considering the decision wrongly decided, LinkedIn filed its petition requesting Supreme Court review in March 2020. In it, LinkedIn declared that the hiQ decision was “unprecedented” and “denied operators of public-facing websites a critical means of protecting user data from unauthorized third-party scrapers.”

hiQ initially signaled its intent not to file any opposition, but the Court requested a response in April 2020.

In its opposition, hiQ framed the issue as:

“Whether a professional networking website may rely on the Computer Fraud and Abuse Act’s prohibition on ‘intentionally access[ing] a computer without authorization’ to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.”

French Data Protection Authority Speaks to Web Scraping

By Jeffrey Neuburger on May 14, 2020

Late last month, the French data protection authority, the CNIL, published guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes. The guidance is noteworthy in two…

LinkedIn Files Petition to the Supreme Court in hiQ Web Scraping Case

By Jeffrey Neuburger on March 11, 2020

This past week, LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s blockbuster ruling in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). The case concerned the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In the appellate court ruling, the appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles. Mostly notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA. LinkedIn feels otherwise, and posed, as the question presented:

“Whether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.”

New Media and Technology Law Blog

data scraping

Another Web Scraping Dispute Focused on Travel Data

District Court Decision Brings New Life to CFAA to Combat Unwanted Scraping

French Data Protection Authority Speaks to Web Scraping

About Proskauer Rose LLP

Topics

Archives