US court fully legalized website scraping and technically prohibited it
Yesterday, the U.S. 9th Circuit Court of Appeals decided (pdf) that scrapping public sites was not against the CFAA (Computer Fraud and Abuse Act).
This is a really important decision. The court not only legalized this practice, but forbade it to prevent competitors from automatically removing information from your site if the site is publicly available. The court confirmed the clear logic that the bot-scraper entry is legally no different from the browser entry. In both cases, the "user" requests open data - and does something with it on his side.
Now many site owners are trying to put technical obstacles to competitors who fully copy their information that is not protected by copyright. For example, ticket prices, commodity lots, open user profiles, etc. Some sites consider this information “theirs,” while scraping is regarded as “theft”. Legally, this is not so, which is now officially fixed in the United States.
The decision was made during a lawsuit LinkedIn (owned by Microsoft) against a small data analysis company called hiQ Labs.
HiQ scraped data from public profiles of LinkedIn users, and then used it to consult employers whose employees posted their resumes on the site.
LinkedIn suffered hiQ activity for several years, but in 2017 sent a request to the company (cease-and-desist letter) to stop automated data collection from profiles. Among other things, LinkedIn claimed that hiQ violates the Computer Fraud and Abuse Act (CFAA), the main US law against hackers. Adopted more than 30 years ago, this law prohibits "access to a computer without authorization or with exceeding access rights."
The demand has become an existential threat to hiQ, as LinkedIn is the primary data source for hiQ. The analytic firm had no choice but to sue on LinkedIn. She sought not only the legalization of scraping, but also a ban on technical obstacles.
In 2017, the trial court sided with hiQ . The defendant filed an appeal, and yesterday the 9th Circuit Court of Appeal agreed with a lower court - he stated that the law on computer fraud and abuse does not apply to information available to the general public .
“The CFAA was adopted to prevent a deliberate invasion of someone else’s computer - in particular, computer hacking,” the court decision said. The Court observes that the participants in the trial repeatedly made analogies with physical crimes, such as hacking and penetration. According to the judges, this means that the CFAA applies only to information or computer systems that are initially closed to the public - usually this is indicated by the requirement for authorization at the entrance.
Here is the relevant piece of the judgment:
The court noted that CFAA was originally enacted in the 1980s specifically to protect certain categories of computers containing military, financial, or other sensitive data. But when the law was extended to more computers in 1996, the Senate report said its goal was to "increase privacy." In other words, his goal is to protect private, private information.
HiQ collects information only from public LinkedIn profiles. By definition, any member of the public has the right to access this information.
Most importantly, the appeals court also upheld a lower court ruling that prohibits LinkedIn from interfering with hiQ's scraping of its site . This fundamentally changes the balance of power in considering similar cases in the future.
Perhaps this is the specificity of American law. In this case, hiQ claimed that LinkedIn's technical measures to block scraping interfere with hiQ's own-client contracts that rely on this data. In legal jargon, this is called “tortious interference with contract,” which is prohibited by US law.
In Russia, protecting your site from bots, including scrapers, is considered normal practice, even if the site owner does not own the intellectual rights to the published information (for example, user profiles). As far as we know, this topic has not yet passed legal examination in the framework of the lawsuit.
This is a really important decision. The court not only legalized this practice, but forbade it to prevent competitors from automatically removing information from your site if the site is publicly available. The court confirmed the clear logic that the bot-scraper entry is legally no different from the browser entry. In both cases, the "user" requests open data - and does something with it on his side.
Now many site owners are trying to put technical obstacles to competitors who fully copy their information that is not protected by copyright. For example, ticket prices, commodity lots, open user profiles, etc. Some sites consider this information “theirs,” while scraping is regarded as “theft”. Legally, this is not so, which is now officially fixed in the United States.
The decision was made during a lawsuit LinkedIn (owned by Microsoft) against a small data analysis company called hiQ Labs.
HiQ scraped data from public profiles of LinkedIn users, and then used it to consult employers whose employees posted their resumes on the site.
LinkedIn suffered hiQ activity for several years, but in 2017 sent a request to the company (cease-and-desist letter) to stop automated data collection from profiles. Among other things, LinkedIn claimed that hiQ violates the Computer Fraud and Abuse Act (CFAA), the main US law against hackers. Adopted more than 30 years ago, this law prohibits "access to a computer without authorization or with exceeding access rights."
The demand has become an existential threat to hiQ, as LinkedIn is the primary data source for hiQ. The analytic firm had no choice but to sue on LinkedIn. She sought not only the legalization of scraping, but also a ban on technical obstacles.
In 2017, the trial court sided with hiQ . The defendant filed an appeal, and yesterday the 9th Circuit Court of Appeal agreed with a lower court - he stated that the law on computer fraud and abuse does not apply to information available to the general public .
“The CFAA was adopted to prevent a deliberate invasion of someone else’s computer - in particular, computer hacking,” the court decision said. The Court observes that the participants in the trial repeatedly made analogies with physical crimes, such as hacking and penetration. According to the judges, this means that the CFAA applies only to information or computer systems that are initially closed to the public - usually this is indicated by the requirement for authorization at the entrance.
Here is the relevant piece of the judgment:
The court noted that CFAA was originally enacted in the 1980s specifically to protect certain categories of computers containing military, financial, or other sensitive data. But when the law was extended to more computers in 1996, the Senate report said its goal was to "increase privacy." In other words, his goal is to protect private, private information.
HiQ collects information only from public LinkedIn profiles. By definition, any member of the public has the right to access this information.
Most importantly, the appeals court also upheld a lower court ruling that prohibits LinkedIn from interfering with hiQ's scraping of its site . This fundamentally changes the balance of power in considering similar cases in the future.
Perhaps this is the specificity of American law. In this case, hiQ claimed that LinkedIn's technical measures to block scraping interfere with hiQ's own-client contracts that rely on this data. In legal jargon, this is called “tortious interference with contract,” which is prohibited by US law.
In Russia, protecting your site from bots, including scrapers, is considered normal practice, even if the site owner does not own the intellectual rights to the published information (for example, user profiles). As far as we know, this topic has not yet passed legal examination in the framework of the lawsuit.
All Articles