Supreme Court vacates LinkedIn-HiQ scraping decision, remands to Ninth Circuit for another look
On June 14, 2021, in a dispute involving the Computer Fraud and Abuse Act (CFAA), the Supreme Court granted LinkedIn Corp.’s (“LinkedIn”) petition for certiorari filed in the hiQ web scraping case. It then vacated the 2019 Ninth Circuit opinion and remanded the case to the Ninth Circuit for further consideration in light of the Supreme Court’s decision earlier this month in Van Buren v. United States, 593 U.S. ___ (June 3, 2021). (LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116, 593 U.S. ___ (GVR Order June 14, 2021)).
In Van Buren, the Supreme Court overturned an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds authorized access” under the CFAA, ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer, such as files, folders or databases, that are off limits to him or her.
The LinkedIn-hiQ dispute involves a different part of the “unauthorized access” section of the CFAA than the one at issue in the Van Buren case. The question in the hiQ dispute concerns the scope of CFAA liability for the unwanted web scraping of publicly available social media profile data, and whether, once data analytics firm hiQ received a cease-and-desist letter from LinkedIn asking it to stop scraping public profiles, any further scraping of that data was “unauthorized” under the CFAA. In 2017 the trial court issued a preliminary injunction, expressing “serious doubts” that LinkedIn’s withdrawal of authorization to access the public portions of its site rendered hiQ’s access “unauthorized” under the CFAA. On appeal, in 2019 the Ninth Circuit specifically stated that: “It is likely that when a computer network generally permits public access to its data, a user’s access to that publicly available data will not constitute unauthorized access under the CFAA.” In 2020 LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit ruling. And now, in the wake of Van Buren, the Supreme Court has vacated the appellate court’s ruling and returned the case to the Ninth Circuit for further consideration.
So what’s next? Some thoughts:
Direct effect of Van Buren
The hiQ and Van Buren cases involve different parts of the CFAA’s “unauthorized access” provision. So, on remand, while the Van Buren holding on “exceeds authorized access” under the CFAA will provide some clarity on how the Ninth Circuit might interpret the CFAA generally and how to view authorization generally, it will be up to the appellate court to determine whether hiQ’s continued scraping after LinkedIn’s blocking efforts constitutes “unauthorized access” (a term not defined under the CFAA).
In particular, Van Buren espoused a “gates up or down” approach to CFAA liability:
“Van Buren’s account of subsection (a)(2) has a sense of statutory structure because it deals with ‘without permission’ and ‘exceeds authorized access’ clauses consistently. According to Van Buren’s reading, liability under both clauses arises from a gate-up or down investigation: a computer system may or may not be accessed, and certain areas may or may not be accessed within a computer system. And reading both clauses to take a gate-up or down approach aligns with understanding the computing context of access as an entrance.”
Therefore, the question in hiQ will likely depend on whether technical measures to block access to the LinkedIn site, followed by a formal revocation of access, truly lower the access gate (for CFAA liability purposes) or whether the gate for public website content is always up and no CFAA liability can arise for such access to publicly available website data.
Very different authorization issue in Van Buren
Setting aside the Court’s examination of the CFAA’s “exceeds authorized access” issue in Van Buren, the authorization issue in the Van Buren case was clear (i.e., the former police officer had authorized access to the license plate database in question, but had accessed it for an improper purpose). However, in the hiQ scraping context, the “without authorization” CFAA issue is more nuanced. The appeals court will again be asked to decide whether the “without authorization” provision of the CFAA is limited to computer information for which authorization to access is generally required, such as through password authentication.
Footnote 8 is back in the spotlight
When the Supreme Court in Van Buren discussed the concept of a “gates up or down” approach to understanding the CFAA’s “without authorization” and “exceeds authorized access” clauses, it wrote the following: “According to Van Buren’s interpretation, liability under both clauses stem from a gate-up or down query: you may or may not be able to access a computer system, and you may or may not be able to access certain areas within the system.” There, it dropped what promises to be one of the most cited footnotes in subsequent lower court decisions, footnote 8, which leaves some questions – relevant to the LinkedIn case – for another day. In footnote 8, the Court stated: “For present purposes, there is no need to examine whether this investigation addresses only technological (or “code-based”) limitations on access, or instead also looks at limitations contained in contracts or policies”. Having declined to decide whether authorized access involves only code-based restrictions, the Court returned the matter to the Ninth Circuit with the hiQ remand.
In its supplemental brief filed with the Supreme Court following the Van Buren decision, LinkedIn raised this very issue, noting the uncertainty surrounding whether the measures taken by website operators are effective “gates” blocking authorized access or not:
“Websites employ a myriad of strategies that may or may not qualify as ‘gates,’ from code-based measures such as password requirements and LinkedIn’s technical lockout measures, to express communications such as cease and desist letters, to contracts and policies mentioned in Van Buren.”
LinkedIn said it placed “gates” around its servers using code-based technical measures to block hiQ bots and scraping activity, and also by sending a cease-and-desist letter revoking access. However, with the Supreme Court refusing to grant LinkedIn’s appeal on the merits, it will presumably be up to the Ninth Circuit to analyze the ambiguity of footnote 8 to decide which measures raise or lower the “gates” of authorization.
Final thoughts
With Van Buren having taken a narrow approach to the CFAA’s “exceeds authorized access” provision, it would not be surprising if the Ninth Circuit reached the same narrow conclusion as its 2019 ruling regarding “unauthorized access.” Regardless of the outcome, the appellate court’s review of the case may offer some clarity as to whether only code-based measures can lower authorization gates or whether other actions can achieve the same revocation of access in the context of public website content. Also, since the hiQ case concerns publicly available website data, it is possible that this issue prevails once again in the court’s renewed analysis of the preliminary injunction, both from a legal and a public policy / balance of equities point of view. Recall that such matters were vital in its original reasoning on these issues:
“Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category (information for which access is open to the public and authorization is not required).”
“We agree with the district court that giving companies like LinkedIn the freedom to decide, on any basis, who can collect and use data, data that the companies do not own, which they otherwise make publicly available to viewers, and which the companies themselves collect and use: it risks the possible creation of information monopolies which would be contrary to the public interest”.
However, it remains to be seen how the Ninth Circuit will ultimately rule when it revisits this case, particularly given the multiple large-scale incidents of unwanted scraping of social media content that have occurred over the past year, perhaps bolstering LinkedIn’s policy argument on the need to protect user privacy. Needless to say, we’ll be watching closely.