Scraping public data from a website is probably not hacking, the court says

Scraping data from a website is probably not a violation of anti-hacking laws as long as the data is public, concludes a US court. Yesterday, the Ninth Circuit Court of Appeals LinkedIn said probably could not tell an analysis company that stops retrieving profile information from its platform. LinkedIn had sent the company, HiQ, a letter that was enough to declare companies "unauthorized" in previous cases. However, the court ruled that LinkedIn could not use anti-hack rules to determine how HiQ used the data.

As a University of California, a professor at Berkeley and an expert in computer law Orin Kerr explains, this seems to be limiting part of the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits access to a computer "without permission". It was conceived as a way to punish hacking in the 1980s, but it is often used against companies that have access to website data from social media. Facebook for example a company stopped called Power Ventures for automatically collecting posts on social media with user permission.

Yesterday's ruling made a distinction between how Facebook and LinkedIn guard their data. Facebook "tried to limit and control access to its website", whereby users had to log in with a username and password. But "the data that HiQ was collecting was available to anyone with a web browser." Therefore, LinkedIn could not specifically instruct HiQ to stop accessing this publicly available information under the CFAA.

Many advocates of civil liberties were against the Power Ventures decision and such Techdirt, Mike Masnick writes, the court draws a fairly fine line between Facebook and LinkedIn. Facebook data may be password protected, but users granted free access to Power Ventures. It seems plausible to have this access also & # 39; authorized & # 39; – but the LinkedIn statement does not agree with that logic.


The court also says that LinkedIn may still be able to claim other violations, including copyright infringement – this is just a preliminary ruling on specific issues. But excluding CFAA costs is a big problem because the CFAA can be widely armed against anyone using a computer in a way that a company or government disagrees with. Kerr calls the statement a & # 39; critical limit & # 39; for the interpretation of the law.

As Alex Stamos, director of Stanford Internet Observatory, stated on Twitter, this is accompanied by considerations. "Stopping and stopping letters followed by civil action or criminal CFAA referrals are one of the few legal tools available to large providers who want to stop spammers or scrapers," Stamos wrote. Now that option seems much less feasible. This is annoying in the case of spammers, but it also raises questions about privacy when companies use large public data sets to train tools such as face recognition algorithms. Yet Stamos reiterated that he agreed with the court's decision.