The Legal Boundary of Data Scraping in Light of Van Buren v. United States
The controversial HiQ v. LinkedIn, 938 F.3d 985 (9th Cir. 2019) opinion concerning data scraping was vacated and remanded this June by the Supreme Court to be reconsidered in light of the recently decided case Van Buren v. United States, 141 S. Ct. 1648 (2021). This blog will delve into the reasoning of Van Buren and predict the final decision of HiQ v. LinkedIn.
To begin, let’s recall the basic facts of HiQ v. LinkedIn. HiQ is a data analytics company that uses automated bots to scrape public information from LinkedIn users’ profiles, including name, job title, and work history. It then uses an algorithm to yield “people analytics” based on the information and sells them to business clients for profit. LinkedIn sent a C&D letter, asking HiQ to stop accessing and copying the data based on the User Agreement. During trial, LinkedIn claimed that HiQ violated the Computer Fraud and Abuse Act of 1986 (“CFAA”), which states that criminal liability will be inflicted if someone “intentionally accesses a computer without authorization or exceeds authorized access,” and thereby obtains computer information. 18 U.S.C. §1030(a)(2). The legal issue here is whether HiQ’s further scraping after receiving the C&D letter constitutes an act “without authorization or exceed[ing] authorized access.”
Applying this interpretation to HiQ v. LinkedIn, HiQ’s bots have authorized access to LinkedIn’s servers and thereby were entitled so to obtain LinkedIn’s member profiles since they’re public data. Although the User Agreement stated that the LinkedIn users own the profile information and only LinkedIn was licensed to use, copy, publish, and process them, HiQ’s data scraping activities won’t be considered to “exceed authorized access” under the CFAA. Despite the probable same result, this reasoning focusing on the statutory terms will be very different from the analysis of whether HiQ’s conduct is analogous to “breaking and entering” in the vacated 9th Circuit opinion.
Apart from providing explicit explanation of the CFAA in the computer context, this case also provokes much reflection on data law. There’s still no clear legislation on the ownership of data, but it seemed the 9th Circuit accepted that data subjects own the data while the platform may be licensed to process data. As for data scraping, it’s essential to abide by the robots.txt rules and not to circumvent any technical measures implemented by the website owner for an ordered and peaceful Internet ecosystem.