In an amicus brief filed Friday, EFF and the Internet Archive argued to the Ninth Circuit Court of Appeals that the Supreme Court’s recent decision in Van Buren v. United States shows that the federal computer crime law does not criminalize the common and useful practice of scraping publicly available information on the internet.
The case, hiQ Labs, Inc. v. LinkedIn Corp., began when LinkedIn attempted to stop its competitor, hiQ Labs, from scraping publicly available data posted by users of LinkedIn. hiQ Labs sued and, on appeal, the Ninth Circuit held that the Computer Fraud and Abuse Act (CFAA) does not prohibit this scraping.
LinkedIn asked the Supreme Court to reverse the decision. Instead, the high court sent the case back to the Ninth Circuit and asked it to take a second look, this time with the benefit of Van Buren.
Our brief points out that Van Buren instructed lower courts to use the “technical meanings” of the CFAA’s terms—not property law or generic, non-technical definitions. It’s a computer crime statute, after all. The CFAA prohibits accessing a computer “without authorization”—from a technical standpoint, that presumes there is an authorization system like a password requirement or other authentication stage.
But when any of the billions of internet users access any of the hundreds of millions of public websites, they do not risk violating federal law. There is no authentication stage between the user and the public website, so “without authorization” is an inapt concept. Van Buren used a “gates-up-or-down” analogy, and for a publicly available website, there is no gate to begin with—or at the very least, the gate is up. Our brief explains that neither LinkedIn’s cease-and-desist letter to hiQ nor its attempts to block its competitor’s IP addresses are the kind of technological access barrier required to invoke the CFAA.
Lastly, our brief acknowledges LinkedIn’s concerns about how unbridled scraping may harm privacy online and invites the company to join growing advocacy efforts to adopt consumer and biometric privacy laws. These laws will directly address the collection of people’s sensitive information without their consent and won’t criminalize legitimate activity online.