Web Scraping is Legal: US Court Says Scraping Public Data from a Website Without Permission is NOT Illegal

Two years after a lower court correctly decided that LinkedIn couldn’t use the Computer Fraud and Abuse Act (CFAA) to stop third parties from scraping its website, the 9th Circuit appeals court in California ruled that it’s not illegal to scrape data from public websites without any prior approval. This is a big victory for the little guys.

The ruling comes after a long legal battle between a small data analytics firm HiQ and Microsoft-owned LinkedIn. The popular social platform site sent a cease-and-desist letter to HiQ, demanding it to stop scraping the site. In a countersuit, HiQ sued the LinkedIn to prevent it from scraping public content from its website. The 9th Circuit rules in favor of HiQ, holding that scraping a public website likely does not violate the CFAA, even after website owner prohibits with a cease-and-desist letter; language strongly suggests CFAA only applies to bypassing authentication.

In discussing the CFAA, the 9th Circuit panel’s language strongly suggests CFAA only applies to prevent hacking and bypassing authentication and not to stop companies from blocking people/companies they dislike:

For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access
to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by
LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.14 We note that entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply: state law trespass to chattels claims may still be
available.15 And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie. See, e.g., Associated Press v. Meltwater U.S. Holdings, Inc., 931 F. Supp. 2d 537, 561 (S.D.N.Y. 2013) (holding that a software company’s conduct in scraping and aggregating copyrighted news articles was not protected by fair use).

The 9th Circuit panel also added:

The 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry: “It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering’ . . . .’” H.R. Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing the problem of “‘hackers’ who have been able to access (trespass into) both private and public computer systems”). Senator Jeremiah Denton similarly characterized the CFAA as a statute designed to prevent unlawful intrusion into otherwise inaccessible computers, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.”11 132 Cong. Rec. 27639 (1986) (emphasis added). And when considering amendments to the CFAA two years later, the House again linked computer intrusion to breaking and entering. See H.R. Rep. No. 99-612, at 5–6 (1986) (describing “the expanding group of electronic trespassers,” who trespass “just as much as if they broke a window and crawled into a home while the occupants were away”).

The Computer Fraud and Abuse Act is a United States cybersecurity bill that was enacted in 1984 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984.