US Supreme Court gives LinkedIn another shot at stymieing web scraping The US Supreme Court has offered Microsoft's LinkedIn another chance to prevent hiQ from scraping its public profiles. In 2019, the US Ninth Circuit Court of Appeals sided with a lower court that two years earlier found data science biz hiQ Labs did not violate the Computer Fraud and Abuse Act (CFAA) by scraping publicly …
Instead of sending it back to the lower court they should send it back to the government and tell them to write the law properly so it's clear what they meant instead of accepting a poorly written law that means it needs 10 judges and dozens of lawyers just to work out whether or not the intent of the law's being broken.
Politicians are rubbish at writing laws, almost all of them are written with an agenda aligned to the politicians beliefs and are not necessarily in the best interests of the majority of the citizens.
Courts are the usual place for ambiguous laws to be refined and in theory made fair, hence the need for separation of powers between the Executive, Legislature and Judiciary.
There are two different issues here:
1) Whether it is a criminal act to access information a website deliberately posts without effective access controls but with some policies.
2) Whether it is a privacy violation to scrape personal information (PII) without the permission of the person concerned.
It is important that these two are clearly distinguished. To me it is clear that 1 is NOT illegal - and that for the effective operation of the web it needs to remain not illegal. If accessing unprotected data on the web is illegal without permission the whole World Wide Web concept falls apart. if you don't want people to access information on your website then employ effective access control mechanisms to disallow it. It is not reasonable that you can criminalize based on how much information is accessed, by whom, or for what purpose. If LinkedIn want the commercial benefits which accrue from some people being able to freely access data then they have to live with the commercial disadvantages that allow everyone else, including competitors, to have access.
The second question is more complex. It is certainly clear that accessing and storing personal information without permission from the person concerned is illegal in reasonable countries. However, it is not clear who is most in the wrong here: LinkedIn for publishing that information without access controls or the scraper. The answer to that is complex and will depend on issues like whether LinkedIn had made it clear to users that their information would be published like that and received permission. It is clear that the scraper is liable under reasonable privacy laws for processing PII without permission. However LinkedIn would even more liable for publishing the information if they did so without explicit and informed permission.
Put all the servers that don't want their information scraped in the .scouts-honour top level domain. You literally have to send "scouts-honour" to get any access to data.
Another approach is for entry to the server initially to encounter a screen that goes "I promise not to do naughty things on this server". You have to click on "Promise" to get through. After that, it's set in a cookie.
Your formulation of item 1 is far too vague.
Van Buren quite rightly narrowed the scope of the CFAA. I think it's important that decision be interpreted in the circuits to mean that ToS alone, or any other sort of implied contract, is not a sufficient gate to invoke criminal penalties under the CFAA.
In this case, however, hiQ took two steps to deliberately and positively exceed authorized access. They developed and deployed technological countermeasures to LinkedIn's technological gatekeepers; and they ignored a cease-and-desist notification from LinkedIn's lawyers.
Allowing that activity to invoke the CFAA is a much higher bar than simply ToS violation. Ordinary use of the public web doesn't require deliberate positive technological bypass of gatekeepers,1 and it certainly doesn't require ignoring an official and direct statement from the site owner forbidding the activity.
Now, you might apply the "Aaron Swartz" test here and say that even those should be insufficient tests to allow the CFAA to apply. And I agree the Swartz case is extremely unfortunate, and a clear case of excess by an unscrupulous prosecutor to the point of outright malice (as with some other CFAA prosecutions). But the CFAA is the law of the land, and as with many laws some contingency must be brought to bear. hiQ are not Swartz; they are not a private individual attempting, rightly or not, to make publicly-funded research more widely available. They're a commercial entity trying to make a profit from someone else's intellectual property, the law be damned.
1What's a "positive ... bypass"? Employing technology which manipulates an interface in a manner other than what's intended by its owner. Using NoScript, say, or an ad blocker, wouldn't be a positive use; there the user is preventing some unwanted software from executing on his or her own equipment. It's a negative bypass.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
