Good news out of a court in San Francisco: a judge just issued an early ruling against LinkedIn’s abuse of the notorious Computer Fraud and Abuse Act (CFAA) to block a competing service from perfectly legal uses of publicly available data on its website. LinkedIn’s behavior is just the sort of bad development we expected after the United States Court of Appeals for the Ninth Circuit delivered two dangerously expansive interpretations of the CFAA last year—despite our warnings that the decisions would be easily misused.
The CFAA is a criminal law with serious penalties. It was passed in the 1980s with the aim of outlawing computer break-ins. Since then, it has metastasized in some jurisdictions into a tool for companies and websites to enforce their computer use policies, like terms of service (which no one reads) or corporate computer policies. Violating a computer use policy should by no stretch of the imagination count as felony. But the Ninth Circuit’s two decisions—Facebook v. Power Ventures and U.S. v. Nosal—emboldened some companies, almost overnight, to amp up their CFAA threats against competitors.
Luckily, a court in San Francisco has called foul, questioning LinkedIn’s use of the CFAA to block access to public data. The decision is a victory—a step toward our mission of holding the Ninth Circuit to its word and limiting its two dangerous opinions to their “stark” facts. But the LinkedIn case is in only its very early stages, and the earlier bad case law is still on the books.
The U.S. Supreme Court has the opportunity to change that, and we urge them to do so by granting certiorari in U.S. v. Nosal. The Court needs to step in and shut down abuse of this draconian and outdated law.
Background
The CFAA makes it illegal to engage in “unauthorized access” to a computer connected to the Internet, but the statute doesn’t tells us what “authorization” or “without authorization” means. This vague language might have seemed innocuous to some back in 1986 when the statute was passed, reportedly in response to the Matthew Broderick movie War Games. In today’s networked world, where we all regularly connect to and use computers owned by others, this pre-Web law is causing serious problems.
If you’ve been following our blog, you’re familiar with Facebook v. Power Ventures and U.S. v. Nosal. Both cases adopted expansive readings of “unauthorized access”—and we warned the Ninth Circuit that they threatened to transform the CFAA into a mechanism for policing Internet use and criminalizing ordinary Internet behavior, like password sharing.
Unfortunately, we were right.
Within weeks after the decisions came out, LinkedIn started sending out cease and desist letters citing the bad case law—specifically Power Ventures—to companies it said were violating its prohibition on scraping. One company LinkedIn targeted was hiQ Labs, which provides analysis of data on LinkedIn user’s publicly available profiles. Linkedin had tolerated hiQ’s behavior for years, but after the Power Ventures decision, it apparently saw an opportunity to shut down a competing service. LinkedIn sent hiQ letters warning that any future access of its website, even the public portions, were “without permission and without authorization” and thus violations of the CFAA.
Scraping publicly available data in violation of a company’s terms of use comes nowhere near Congress’s original intent of punishing those who break into protected computers to steal data or cause damage. But companies like LinkedIn still send out threatening letters with bogus CFAA claims. These letters are all too often effective at scaring recipients into submission given the CFAA’s notoriously severe penalties. Since demand letters are not generally public, we don’t know how many other companies are using the law to threaten competitors and stomp out innovation, but it’s unlikely that LinkedIn is alone in this strategy.
Luckily here, in the face of LinkedIn’s threats, hiQ did something that a lot of other companies don’t have the resources or courage to do: it took LinkedIn’s claims straight to court. It asked the Northern District of California in San Francisco to rule that its automated access of publicly available data was not in violation of the CFAA, despite LinkedIn’s threats. hiQ also asked the court to prohibit LinkedIn from blocking its access to public profiles while the court considered the merits of its request.
hiQ v. Linkedin: Preliminary Injunction Decision
Earlier this month, Judge Edward Chen granted hiQ’s request, enjoining LinkedIn from preventing or blocking hiQ’s access or use of public profiles, and ordering LinkedIn to withdraw its two cease and desist letters to hiQ. Although Judge Chen didn’t directly address the merits of the case, he expressed serious skepticism over LinkedIn’s CFAA claims, stating that “the Court is doubtful that the Computer Fraud and Abuse Act may be invoked by LinkedIn to punish hiQ for accessing publicly available data” and that the “broad interpretation of the CFAA invoked by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.”
Judge Chen’s order is reassuring, and hopefully a harbinger of how courts going forward will react to efforts to use to the CFAA to limit access to public data. He’s not the only judge who feels that companies are taking the CFAA too far. During a Ninth Circuit oral argument in a different case in July, Judge Susan Graber—one of the judges behind the Power Ventures decision—pushed back on [at around 33:40] Oracle’s argument that automated scraping was a CFAA violation.
It’s still discouraging to see LinkedIn actively advocate for such a shortsighted expansion of an already overly broad criminal law—an outcome that could land people in jail for innocuous conduct—rather than trying to compete to provide a better service. The CFAA’s exorbitant penalties have already caused great tragedies, including playing a role in the death of our friend, Internet activist Aaron Swartz. The Internet community should be trying to fix this broken law, not expand it. Opportunistic efforts to expand it are just plain shameful.
That’s why we’re asking the Supreme Court to step in and clarify that using a computer in a way that violates corporate policies, preferences, and expectations—as LinkedIn is claiming against hiQ—cannot be grounds for a CFAA violation. A clear, unequivocal ruling would go a long way to help stop abusive efforts to use the CFAA to limit access to publicly available data or to enforce corporate policies.
We hope the Supreme Court takes up the Nosal case. We should hear from the high court this fall. In the meantime, we hope LinkedIn takes Judge Chen’s recent ruling as a sign that’s its time to back away from its shameful abuse of the CFAA.