In 2021 the United States Supreme Court finally considered what constitutes unauthorized access under the Computer Fraud and Abuse Act. It put a bullet in the head of the terms of service theory of unauthorized access. United States v. Van Buren involved a similar fact pattern as the Second Circuit’s “cannibal cop” CFAA unauthorized access case United States v. Valle. Cops access police databases outside the scope of the departmental policy to either stalk women or sell information. In both instances, the courts held that improper use of a network isn’t unauthorized access. Both defendants used valid authorization and access credentials for their network access. Van Buren – like Valle -didn’t bypass technical barriers and SCOTUS, following most of the lower courts, held that violating policies or agreements isn’t unauthorized access.
There are two key issues here. First, the problem of private actors determining felony criminal law. The CFAA is a dual civil and criminal statute, and if you can write your own definition of unauthorized CFAA access in your clickwrap Terms of Service then theoretically those terms govern the felony. Given that this contravenes close to a millennium of our legal traditions it gives the courts pause. Second, allowing private actors to determine what constitutes unauthorized access under the CFAA allows those actors to block access to public data on publicly facing private servers. This is dangerous to the free flow of information, as it is a type of censorship, and has deep implications for our information economy -whether news, markets, politics, entertainment, and the gamut. This issue is one of the most significant CFAA issues of the day and is central to a case the Supreme Court remanded to the Ninth Circuit for rehearing in consideration of Van Buren.
hiQ Labs v LinkedIn starts with the Plaintiff hiQ Labs filing for a declaratory judgment against LinkedIn because LinkedIn threatened to sue hiQ for copying public data off LinkedIn’s publicly facing private servers. HiQ Labs is a data analytics company providing human resource systems with technical studies on the behavior of human capital. To obtain data points for these studies, hiQ Labs copies public data from public-facing servers. For several years, and with LinkedIn’s knowledge and consent, hiQ Labs copied LinkedIn’s public-facing data from users’ profiles to conduct studies to assist employers to retain talent.
In 2016 when LinkedIn entered the analytics business it sent cease-and-desist letters to hiQ Labs and other companies that were using automated bots to copy public user data that LinkedIn seeks to monopolize and monetize – but not claim as its own lest it risks losing CDA § 230 protection. Because if the data is LinkedIn’s, and not third-party user content, LinkedIn is liable for the content under § 230. LinkedIn is attempting to have its cake and eat it too through its attempt to privatize public data on publicly facing private servers. The stakes are high for the future of the free flow of information on the internet.
The Ninth Circuit, in upholding the injunction the District Court granted in hiQ’s favor, zeroed in on the issue:
It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.
This October, on remand, hiQ came out stronger in the oral arguments and briefing at the Ninth Circuit. No decision yet. EFF and the Reporters Committee for Freedom of the Press weighed in with solid amicus briefs pointing out the dangers of LinkedIn’s positions. Whatever the outcome, the losing side will petition the Supreme Court for review. The stakes are too high.
– Tor Ekeland / Michael Hassard