Whilst scraping data from websites is a common business practice the world over, there are a number of thorny legal issues which accompany it. One such issue relates to the fact that data are being accessed by scrapers without the website's authorisation – a potential computer misuse offence in the UK.
Of course, a scraper would likely argue that the website has permitted such access by making the data publicly available. Whilst this reasoning is yet to be tested in the UK courts, a federal appeals court in the US has recently reaffirmed that web scraping publicly accessible data is unlikely to violate the US’ computer hacking statute.
The ruling of the US Ninth Circuit of Appeals is the latest instalment in a long running battle between a professional networking website and a data analytics company which uses data scraped from the website for purposes such as identifying employees at greatest risk of being poached.
The website deployed various legal and technical measures to prevent the data analytics company from scraping the public profile data of its users. The data analytics company therefore obtained a preliminary injunction against the website to prevent the website from interfering with its scraping. The website appealed and, following a journey though various courts as well as a related and relevant Supreme Court decision, this ruling upheld that injunction.
The key question was whether, once the data analytics company had received the website’s cease and desist letter, any further scraping and use of the website’s data was without authorisation. In deciding that it wasn’t, the ruling essentially distinguished between password protected, and publicly accessible, data.
This ruling isn’t the final word and various issues - including those related to privacy - are yet to be addressed. Watch this space.
the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.
https://cdn.ca9.uscourts.gov/datastore/opinions/2022/04/18/17-16783.pdf