digital screen and computer code

Does Screen Scraping Violate the Computer Fraud and Abuse Act?

April 15, 2020 | Purdue Global Law School

Screen scraping,” the process of using automated bots to collect data from public websites, has long been contentious. Businesses use scraped data to create aggregation sites, seed other services, and gain competitive intelligence, claiming that their practices fall under the “fair use” provision of the Copyright Act. Organizations whose content is scraped often claim copyright infringement or unfair business practices.

LinkedIn took a novel approach in attempting to shut down the screen-scraping activities of competitor hiQ Labs. The social media giant sent a cease-and-desist letter, arguing that hiQ’s actions violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA imposes criminal liability for accessing a computer system “without authorization” and allows a person who has suffered damages as a result of a violation of the law to bring a civil suit under certain circumstances.

hiQ took the offensive, filing suit against LinkedIn in the District Court for the Northern District of California. The company sought a preliminary injunction preventing LinkedIn from restricting access to its member profiles. hiQ claimed that its conduct was lawful, and that LinkedIn’s actions threatened the survival of its business. The district court judge granted the injunction and LinkedIn appealed.

18 U.S.C. § 1030 Provides Vague Language, Harsh Penalties

Prior to the enactment of laws prohibiting computer-related crime, such activities were prosecuted under mail fraud and wire fraud statutes. Because the applicability of those statutes was limited, the Comprehensive Crime Control Act of 1984 specifically criminalized computer fraud. Enacted in 1986, the CFAA amended the computer fraud law to make hacking a crime by extending the tort of trespass to computer systems.

Congress sought to protect states’ interests in prosecuting such crimes by limiting the CFAA to cases with a “compelling federal interest.” Initially, the CFAA defined “protected computer” as one “exclusively for the use of a financial institution or the United States Government” or “used in” interstate or foreign commerce. However, the Act was amended in 2008 to include computers “affecting” interstate commerce.

As a practical matter, any computer connected to the internet would seem to “affect” interstate commerce and so comes under the ambit of the law. What’s more, 18 U.S.C. § 1030(a)(2)(C) criminalizes any access that is unauthorized or exceeds authorization to “information from any protected computer.”

The penalties for accessing a computer and obtaining information are separated into three tiers:

  • “Simple” violations are misdemeanors punishable by up to one year in prison.

  • Violations involving information valued at more than $5,000, those for commercial or financial gain, or those that further a criminal or tortious act are felonies punishable by up to five years.

  • Repeat offenses are punishable by up to 10 years.

Fines and other penalties may also be assessed.

Noteworthy Cases Involving the CFAA

The vague language of the CFAA led to the prosecution of Aaron Schwartz, a computer programmer, internet pioneer, and hacktivist who set up a computer to download academic articles from digital library JSTOR using an MIT guest account. Facing up to 35 years in prison and $1 million in fines for 11 counts of CFAA violations and two counts of wire fraud, Schwartz committed suicide after rejecting a plea bargain of six months in federal prison.

Schwartz’s death brought calls to amend the CFAA. In 2013, Rep. Zoe Lofgren (D-Calif.) introduced H.R. 2454, known as “Aaron’s Law,” which would eliminate the “exceeds authorized access” language, clarify what access “without authorization” means, and make the penalties more proportional to the crime. Lofgren stated:

It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute. Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

Schwartz was not prosecuted for terms-of-service violations, but others have been. In 2008, Lori Drew was indicted for setting up a fake Myspace account to cyberbully Megan Meier, who committed suicide. A jury found Drew guilty of one misdemeanor count, but U.S. District Court Judge George Wu granted Drew’s motion for acquittal. Wu found that if the CFAA encompassed violations of a website’s terms of service, the statute would be unconstitutionally vague and define criminal conduct via contract.

Court: CFAA Not Applicable to Public Websites

The hiQ case once again raised the specter that the CFAA would apply to terms-of-service violations. LinkedIn took the matter a step further by sending cease-and-desist letters warning screen scrapers that they were acting without authorization.

Because LinkedIn appealed from a preliminary injunction, the Ninth Circuit Court of Appeals did not address the merits of the parties’ claims. Instead, the court focused on whether the district court had established the requisites necessary for injunctive relief. In affirming the district court’s ruling, the Ninth Circuit panel found that hiQ had established a likelihood of irreparable harm to its business and raised serious questions as to the merits of its claims and LinkedIn’s defenses.

In reaching this conclusion, the Ninth Circuit analyzed the statute and its legislative history to determine whether hiQ had a right to conduct its screen-scraping activities after it received LinkedIn’s cease-and-desist letter. The court held that the CFAA distinguishes “between ‘private’ computer networks and websites, protected by a password authentication system and ‘not visible to the public,’ and websites that are accessible to the general public.” Scraping public information, such as LinkedIn member profiles, did not fall within the scope of the statute.

LinkedIn plans to appeal the decision to the Supreme Court.

Learn More About Cyber Law

Purdue Global Law School offers an online Executive Juris Doctor program for those who are interested in gaining legal skills for careers other than law and who do not intend to become a practicing attorney. This program features a law and technology track that provides advanced legal training on matters related to cyber law. Single courses in technology and the law are also available.

We also offer an online Juris Doctor for those who wish to become an attorney licensed in California. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.