The US Ninth Circuit Court of Appeals declared on April 18 that scraping data from a public website does not violate the Computer Fraud and Abuse Act (CFAA), a judgment that is considered a landmark ruling.
The verdict by the US Ninth Circuit of Appeals is the latest development in LinkedIn’s long-running legal battle to prevent a competitor from online scraping sensitive information from users’ public accounts.
Last year, the case reached the US Supreme Court, but it was sent to the Ninth Circuit for further review by the original appeals court.
The Ninth Circuit maintained its original decision this week, finding that scraping data that is publicly available on the internet does not violate the CFAA, which defines what constitutes computer hacking under US law.
The latest ruling is a significant victory for archivists, scholars, researchers, and journalists who utilise technologies to mass-collect or scrape, publicly available information on the internet. Long-running programmes to archive websites that are no longer available and to use publicly accessible data for academic and research investigations have been placed in legal limbo in the absence of a judgement.
However, there have been some particularly egregious examples of online scraping, raising privacy and security issues.
For example, Clearview AI, an American facial recognition company, claims to have swiped billions of social network profile photographs, prompting lawsuits from major digital giants. It is worth noting that amid the Ukraine-Russia crisis, the prior has been using this technology to find out Russian assailants, combat misinformation and identify the dead.
Users’ data has been scraped by several companies over the years, including Facebook, Instagram, Parler, Venmo and Clubhouse.
It was LinkedIn that originally filed the case in the Ninth Circuit against hiQ Labs, a company that analyses employee attrition using public data. hiQ’s widespread web scraping of LinkedIn user accounts, according to the online platform, was against its terms of service, amounted to hacking, and thus violated the CFAA.
The Ninth Circuit ruled in 2019 that the CFAA does not prohibit anyone from scraping publicly available data, and LinkedIn lost the case against hiQ.
The Ninth Circuit said it relied on a Supreme Court ruling from last June when the country’s highest court took its first look at the decades-old CFAA. The Supreme Court narrowed the definition of a CFAA violation to those who gain unauthorised access to a computer system, rather than a broader interpretation of exceeding existing authorization, which the court argued could have resulted in criminal penalties being imposed on a “breath-taking amount of commonplace computer activity”.
The Supreme Court used the “gate-up, gate-down” analogy to say when the gates of a computer or website are up — and so information is publicly available — no authorisation is necessary.
In a statement, LinkedIn spokesperson Greg Snapper said: “We’re disappointed in the court’s decision. This is a preliminary ruling and the case is far from over.”
“We will continue to fight to protect our members’ ability to control the information they make available on LinkedIn. When your data is taken without permission and used in ways you haven’t agreed to, that’s not okay. On LinkedIn, our members trust us with their information, which is why we prohibit unauthorised scraping on our platform,” he added.