In April, the 9th Circuit again affirmed that scraping data from a public website did not by itself constitute a violation of the Computer Fraud and Abuse Act (“CFAA”). HiQ Labs, Inc. v. LinkedIn Corporation, Case No. No. 17-16783 (9th Cir. April 18, 2022). See Ninth Circuit Again Holds Data Scraping From Public Websites Not Barred by CFAA.
Consistent with this decision, in May the Justice Department announced that it
will not bring “exceeds authorized access” cases based on the theory that a defendant’s authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy, with the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances.
DOJ Charging Policies: 9-48.000 – COMPUTER FRAUD AND ABUSE ACT
The battle over data scraping, however, is ongoing, with American Airlines suing The Points Guy over its app that allows consumers to manage their frequent flyer accounts with American. American Airlines, Inc. v. Red Ventures LLC (Case No. 4:22-cv-0044-P N.D. Tex). As alleged by American Airlines, the app uses consumers’ passwords with American to access their AAdvantage®user information and expropriate American’s proprietary data while also using American’s protected trademarks.
The Points Guy engages in far more than just data scraping, as American claims that their access to the American Advantage program “increases the burdens and costs to run and maintain such systems,” and causes “harm to its content and programs, and expenses from being forced to investigate the unauthorized access and abuse of its computers and servers.” According to American, these are “precisely the sorts of harms that the CFAA was designed to prevent.”
The court agreed with American Airlines, finding that the Complaint “states a plausible CFAA violation claim because it contains factual allegations that the Defendants accessed American’s proprietary information without authorization, thereby causing damage and loss to American, as contemplated by the CFAA.” American Airlines, Inc. v. Red Ventures LLC (Case No. 4:22-cv-0044-P N.D. Tex July 15, 2022.)
American Airlines is distinguishable from the 9th Circuit LinkedIn decision since that involved a public website, while her the Points Guy is accessing non-public password-protected information.
Cyber Report 