Scraping Away at the CFAA
The Supreme Court’s Interpretation of “Exceeds Authorized Access” Limits the Scope of the Statute’s Application to Data Scrapers
21 June 2021
In a long awaited decision that has a significant application for data scraping, the Supreme Court issued on June 3, 2021 its decision in Van Buren v. United States, significantly limiting the scope of the Computer Fraud and Abuse Act by holding that users who access information that they are entitled to obtain but use that information for improper purposes do not violate the statute. The majority opinion adopted a narrow interpretation of the statute that will make it more difficult to pursue both civil and criminal actions based on alleged misappropriation of data.
Background of Van Buren
Congress passed the CFAA in 1984, providing for criminal and civil liability for users who access computers either without authorization or in a manner that exceeds their authorization. Over the years, many have criticized the law as poorly drafted, and there has been extensive litigation regarding its scope. In Van Buren, the government brought a CFAA prosecution against a Georgia police officer who took a bribe to run a license plate check. While the officer was entitled to use the relevant database to run license plate checks, he clearly violated departmental policy, which authorized him only to run checks for valid law enforcement purposes. The government advocated a broad reading of the phrase “exceeds authorized access” and argued that the CFAA prohibits impermissible use of information even when access to that information is lawful. Justice Barrett, writing for the majority, rejected this view because it “incorporate[d] purposebased limits” into this phrase without any textual basis.
Significantly, the statute defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” (emphasis added). Justice Barrett focused on the word “so” in the statute and framed the dispute as whether Van Buren was “entitled so to obtain” the license plate information. Justice Barrett reasoned that the government’s interpretation would make the phrase cover “information one was not allowed to obtain in the particular manner or circumstances in which he obtained it.” Justice Barrett examined the structure of the statute, and endorsed Van Buren’s position that “the phrase ‘is not entitled so to obtain’ …refers to information that one is not allowed to obtain by using a computer that he is authorized to access” (emphasis in original).
In addition to focusing on the text, the Court also discussed policy concerns and the practical implications of the government’s broader reading of the statute. The Supreme Court cited a mundane example of employees using a work computer for a personal purpose, such as sending a personal email, to illustrate how a broad interpretation “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” The Court concluded that this would criminalize every violation of a computer-use policy.
Justice Thomas dissented, with the Chief Justice and Justice Alito joining, arguing that the statute applied when persons used computers for improper reasons. The examples cited in the majority opinion did not persuade Justice Thomas, who dismissed the majority’s concern that the statute would criminalize an overbroad swath of conduct since “[m]uch of the Federal Code criminalizes common activity.” He opined that “[i]t is understandable to be uncomfortable with so much conduct being criminalized, but that discomfort does not give us authority to alter statutes.”
CFAA and Data Scraping
LinkedIn filed a petition for cert before the Supreme Court ahead of the Van Buren decision. The Ninth Circuit, when it first considered the case, held in favor of hiQ, which argued LinkedIn cannot rely on the CFAA to prevent a competitor from accessing information that is publicly available for anyone with a web browser.The Van Buren and LinkedIn cases address different prongs of the CFAA, with Van Buren focusing on the “exceeds authorized access” prong and LinkedIn focusing on the “without authorization” prong. Nonetheless, the Van Buren opinion likely means the Ninth Circuit will again find for hiQ, because the Supreme Court's remand indicates that it's interpretation of "exceeds authorized access" directly bears on the meaning of the "without authorization" prong.
LinkedIn, apparently recognizing the challenging terrain set out for CFAA claims in the Van Buren opinion, argued in a supplemental brief filed shortly after the Van Buren opinion that the Supreme Court did not conclusively resolve the question of what constitutes accessing a site without authorization. Indeed, the Van Buren majority noted that: “we need not address whether this inquiry turns only on technical (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.” Nonetheless, the Supreme Court's remand suggests that it believes it has given the circuits sufficient guidance on the CFAA to resolve the pending split. While the Van Buren decision did not directly address data scraping, it signals that the Supreme Court would likely be unsympathetic to arguments that the CFAA reaches the alleged misuse of data by scrapers who compile publicly available information from websites. Justice Barrett criticized the government’s expansive reading of the statute, noting that the government’s approach could result in the criminalization of “everything from embellishing an online-dating profile to using a pseudonym on Facebook.”Justice Barrett’s reasoning will bolster the arguments of hiQ and others that data scraping does not constitute a violation of the CFAA.
Under Van Buren, as long as a data scraper relies on publicly accessible information, it is unlikely that a violation of a website’s terms of service will constitute a civil or criminal violation of the CFAA. However, websites on the receiving end of scraping can still set up technical barriers to prevent scraping and contravention of those barriers could potentially constitute a CFAA violation if the activity results in unauthorized access to the site. Further, even without the CFAA, websites that are targeted for scraping may still pursue actions against data scrapers based on contract, tort and intellectual property law claims.