Important legal victory in net scrap case / Boing Boing

The Ninth Circuit Court of Appeals affirmed that the Computer Fraud and Abuse Act (a 1986 anti-hacking law passed after a moral panic over the movie Wargames ) does not prohibit access to public information from websites, even if you do it against the wishes of the website operator.

The case involves Linkedin and Hiq, a company that does "employer analysis" and scrapes public Linkedin profiles to do so. Linkedin launched a competing service and threatened to sue Hiq under CFAA; and Hiq responded by seeking a declaratory judgment that the CFAA did not gain access to publicly available information.

The CFAA defines hacking broadly: "to exceed the authorization" on another's computer is prohibited under the common language of the law. But as the Appeals Court found, the CFAA tried to capture "data intrusions", not violating the terms of the services you were allowed to use.

The Appeal Court did not order Linkedin to interfere with Hiq's scraping, as this would put Hiq out of business before the case could be tried. It remains to be seen whether Linkedin will continue to sue Hiq under other legal theories, or seek other courses of action that may allow it to block Hiq's scrapers.

"None of the computers to which the CFAA originally applied were available to the public," the court writes. "Confirmatory authorization of some kind was presumed required."

When the law was extended to several computers in 1[ads1]996, a Senate report stated that the goal was to "increase privacy and data privacy protection." As a result, the 9th Circuit is the reason that "the prohibition on unauthorized access is properly understood to apply only to private information – information defined as private through the use of a permit requirement of some kind."

In contrast, hiQ only scrapes information from public LinkedIn profiles. By definition, any member of the public is authorized to access this information. LinkedIn claimed that it could selectively revoke the authorization by means of a cease-and-desist letter. But the 9th Circuit found this not explicit. Ignoring a cease-and-desist letter is not analogous to hacking into a private computer system.

Scratching the net does not violate the law against hacking, appeals court rules [Timothy B Lee/Ars Technica]

<! –

->