The Ninth Circuit Court of Appeals has handed down a groundbreaking decision today on the federal computer hacking law, the Computer Fraud and Abuse Act (CFAA). In HiQ Labs v. LinkedIn, the court held that scraping a public website is likely not a CFAA violation.
Under the new decision, violating the CFAA requires “circumvent[ing] a computer’s generally applicable rules regarding access permissions, such as username and password requirements,” that thus “demarcate” the information “as private using such an authorization system.” If the data is available to the general public, the court says, it’s not an unauthorized access to view it—even when the computer owner has sent a cease-and-desist letter to the visitor telling them not to visit the website.
This is a major case that will be of interest to a lot of people and a lot of companies. But it’s also pretty complicated and easy to misunderstand. This post will go through it carefully, trying to explain what it says and what it doesn’t say.
This decision is critical to maintaining an open web, at least in the United States.