Judge says LinkedIn's reading of hacking law would have troubling consequences.
A California federal court has handed a setback to LinkedIn in a case that could determine whether scraping a public website triggers anti-hacking law. The 25-page ruling, released on Monday, holds that federal anti-hacking law isn't triggered by scraping a website, even if the website owner—LinkedIn in this case—explicitly asks for the scraping to stop.
The case pits a business analytics startup called hiQ against the Microsoft-owned behemoth LinkedIn. HiQ scrapes data from publicly available portions of the LinkedIn website, then sells reports to employers about which of their employees seem to be looking for new jobs. LinkedIn sent hiQ a cease-and-desist letter warning that continued scraping could subject hiQ to liability under the Computer Fraud and Abuse Act (CFAA), the anti-hacking legislation Congress enacted in 1986.
But critics argued that the LinkedIn interpretation of the law could have sweeping and harmful consequences. After all, lots of people scrape publicly available websites, and they don't always do so with the approval of website owners.
Judge Edward Chen bought this argument. In fact, he quoted extensively from Kerr's arguments in his opinion. If his ruling is upheld on appeal, it would not only beat back LinkedIn's expansive reading of the CFAA, but it would give us greater clarity about how to draw the line between legal data harvesting and illegal hacking.
Passwords mark the boundary between public and private
The CFAA is more than 30 years old, yet its exact meaning remains a subject of vigorous debate. The reason is that the CFAA was written in vague language—and was crafted before modern technologies like the Web and social media sites were invented.
The CFAA makes it a crime to "access a computer without authorisation or exceed authorised access." LinkedIn argued that this made the case straightforward: its cease-and-desist letter—as well as technical measures like its robots.txt file and IP-based blocking—made it clear that hiQ wasn't authorised to access LinkedIn's servers. Hence, LinkedIn argued, hiQ had accessed its servers without authorisation, in clear violation of the law.
But Judge Chen concluded that the issue isn't so simple. When you publish a website, you implicitly give members of the public permission to access it, he ruled. Allowing website operators to revoke that permission on a case-by-case basis, backed up by the force of federal criminal law, could have serious consequences that Congress could not have intended
The ruling is great news as lots of businesses are built on connecting data from a lot of sources and scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." If scraping without consent becomes illegal, startups like HiQ and many of our customers would have a harder time getting off the ground. For companies like ours that also offer scraping and data extraction services we believe in an open data world and anything not sat behind a password was always clearly meant to be public and accessible.