Scraping Dispute Highlights Need for CFAA Review

A court ruling concerning electronic screen scraping could be up for appeal if the Electronic Privacy Information Center (EPIC) gets its way. That could have significant ramifications not only for companies publishing information online but for US computer abuse law in general.

The case involves a dispute between talent analytics company HiQ Labs and LinkedIn. HiQ uses software to scrape the online professional social network's data, effectively automating manual web browsing to collect the information from public-facing web pages automatically. It then analyzes this data to help companies make decisions such as what kinds of training to offer their workers. Unhappy about this, LinkedIn sent it a cease and desist letter.

Ruling on the dispute, the Ninth District Court of Appeals said that automated scraping of publicly accessible data doesn’t violate the Computer Fraud and Abuse Act (CFAA), which is the US government's anti-hacking law. Digital rights advocacy group the Electronic Frontier Foundation, which had filed an amicus brief supporting HiQ Labs, praised the decision at the time.

The EFF had argued that information published online and publicly available is fair game, even if someone has to log into an online account to access it for free, and so it shouldn’t matter whether they get it via a software bot or a web browser. If the ruling had gone the other way, the organization worried that it would have stopped journalists and researchers from accessing valuable information.

EPIC isn’t happy about it. The non-profit, which filed an opposing amicus brief to the EFF in the Ninth District case, has urged the Supreme Court to review it. It cites Clearview AI, a facial recognition company that has scraped millions of photographs from sites including social media as part of a facial recognition system used by foreign intelligence services.

“Under the rule adopted by the Ninth Circuit in this case, the companies may be required to allow Clearview AI and other third parties to scrape users’ data and use the data for their own purposes, regardless of the terms that users of the service are otherwise required to follow,” EPIC said. “That cannot be the right outcome.”

EPIC’s position is that situations like Clearview’s mass-scraping shouldn’t be allowed to happen.

The dispute highlights two conflicting values: freedom of access, and privacy of information. This case pits the two against each other.

It also highlights an ongoing issue with the CFAA, a law first introduced in 1986, a year before Cisco shipped its first router and five years before Tim Berners-Lee published the first website. Its opponents warn that prosecutors have routinely tried to use the CFAA as a weapon, applying it to modern technology situations that didn’t exist when it was first created. The prosecution of online activist Aaron Swartz, which his supporters say was overly aggressive and contributed to his eventual suicide, is a case in point.

The Supreme Court is already due to hear a case that brings the CFAA’s interpretation and scope into question. It involves former US police officer Nathan Van Buren, convicted for violating the CFAA in 2017 after he sold information from a police database for $6,000. Critics argue that the prosecution is invalid because he used his own account inappropriately rather than hacking into anything. It’s another indication that a review of this aging law is long overdue.

What’s Hot on Infosecurity Magazine?