Last fall, the Ninth Circuit affirmed a lower court ruling enjoining LinkedIn from blocking hiQ from scraping data from its site finding that hiQ’s scraping of data from LinkedIn users’ public profiles did not violate the Computer Fraud and Abuse Act (“CFAA”).
In Sandig v. Barr, academic researchers who intend to test whether employment websites discriminated based on race and gender by providing false information to
the target websites in violation of these websites’ terms of service, brought a pre-enforcement challenge that this practice did not violate the CFAA in the federal court for the District of Columbia. The Court followed the hiQ decision to conclude that the CFAA “does not criminalize mere terms-of-service violations on consumer websites.”
The court framed the question as “what sort of “permission requirement” constitutes enough of a barrier to trigger criminal liability under the CFAA if bypassed (i.e, accessing a computer without authorization or exceeding authorized access). The Justice Department took a very strict view that:
[a]n announcement on the homepage of a website that access to any further content is conditioned on agreeing to lengthy terms of service—or even one term of service—would, the government argues, constitute such a requirement.
The court, however, rejected this view as courts have been reluctant to delegate criminal law to the lawyers drafting website terms. Instead, the court concluded that
agreeing to such contractual restrictions, although that may have consequences for civil liability under other federal and state laws, is not sufficient to trigger criminal liability under the CFAA. In other words, terms of service do not constitute “permission requirements” that, if violated, trigger criminal liability.
Sandig v. Barr, Case No. 2016-1368 (JDB) (March 27, 2020).