The Supreme Court recently issued a long-awaited ruling addressing a key provision of the Computer Fraud and Abuse Act (an anti-hacking statute originally enacted in the mid-80s). Initial reports were that it narrowed the scope of the Computer Fraud and Abuse Act. However, it did not resolve a few key questions and does not offer clarity for scraping/aggregation activity. (The case name is Van Buren v. U.S.)
The case involved a police officer who accessed records—that he was otherwise entitled to access, using a log-in—for an improper purpose. The Court held that violating some policy or implicit rule regarding access does not render access “without authorization.” Specifically, the Computer Fraud and Abuse Act only imposes liability, the Court held, where someone accesses a part of a computer they are not entitled to access at all and obtains information. Because Van Buren had a password and could access the information in question, he could not be held liable under the Computer Fraud and Abuse Act.
In a footnote, the Court says that it’s not specifying what types of limitations (code based or contractual limitations) on access are legally relevant for Computer Fraud and Abuse Act purposes.
The ruling does not address, among other things:
- password sharing;
- overcoming technical limitations (such as use of proxy IPs; rotating IPs); and
- whether access that overcomes these limitations is “exceeding authorized access.”
The ruling also does not address the scenario where a website owner sends a cease and desist letter, expressly revoking access that may have been conferred via a terms of service. Cases have relied on these types of “access restrictions” in determining whether someone is authorized to access a website. These scenarios continue to be grey area activities in terms of the Computer Fraud and Abuse Act.
Unfortunately, the ruling does not offer much clarity when it comes to scraping/aggregation activity. If you are a website owner looking to prevent access, you may be able to continue to use technical tools or legal threats to limit access to the site. Similarly, if you are an aggregator looking to access a website, your access may be limited by these actions of the website.
hiQ and LinkedIn are also involved in an aggregation case that has received a lot of attention. The Ninth Circuit held that LinkedIn could not bar hiQ from accessing LinkedIn listings because those listings were not typically behind a log-in or paywall. LinkedIn had requested the Supreme Court to review the Ninth Circuit’s ruling. Following the Van Buren case mentioned above, LinkedIn submitted a supplemental brief asking the Court to take up the case. LinkedIn’s brief highlights that Van Buren left a lot unanswered, including what type of restrictions a website owner can point to in arguing that access was “without authorization”. Specifically, LinkedIn pointed to the fact that it used some technical measures and sent a demand letter.
All of this underscores that scraping and aggregation continue to be in the grey area, legally speaking.