On Oct. 10, the U.S. Supreme Court denied petitions for certiorari in two noteworthy cases from the Court of Appeals for the Ninth Circuit: Facebook, Inc., v. Power Ventures, Inc. and United States v. Nosal. The cert denial leaves standing the appellate court’s broad interpretation of the Computer Fraud and Abuse Act, which has become a controversial legal tool affecting commercial collection and use of data.
Most criticism of the CFAA is devoted to the potential of its criminal provisions to enable disproportionately severe prosecutions for minor offenses when interpreted broadly. However, the CFAA has an equally serious if less-publicized role in the online commercial realm. Major technology companies have begun to use the statute to bring civil suits against parties other than traditional “black-hat” hackers. In particular, suits targeting former employees who access trade secrets are on the rise, as well as suits against other companies whose automated tools collect information from bigger corporations, an industry practice known as “data scraping.” Critics claim these suits expand the CFAA far beyond its intended purpose and fashion it into an anti-competitive hammer for established tech giants. The plaintiffs argue that they need the law to protect their users’ privacy and their own interests in their data.
Lawsuits are on the rise against companies whose automated tools collect information from bigger corporations, a practice known as “data scraping
The Westin Research Center took the Supreme Court’s move as an opportunity to explore these cases and their impact on privacy professionals.
The CFAA
The Computer Fraud and Abuse Act is a crucial piece of the United States’ data protection landscape. Enacted in 1986 to amend a 1984 statute criminalizing intrusion into governmental computer systems, the CFAA extended criminal liability for “unauthorized access of a protected computer” to protect private sector computers. In 1994, Congress created a powerful tool for technology companies when it amended the CFAA to add a civil cause of action. For the tech industry, the critical provision is 18 U.S.C. § 1030 (a)(2)(C), which applies liability to anyone who “intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains ... information from any protected computer.” Violations of the statute are a federal crime and provide a civil cause of action for “any person who suffers damage or loss by reason of a violation … against the violator.” Private companies can sue those who they believe have accessed their computers without authorization and seek hefty penalties, whether the alleged intruder is a private citizen or another company.
To bring a claim under the CFAA, a prosecutor or civil plaintiff must show two initial elements:
- The defendant accessed the plaintiff’s computers without authorization OR while exceeding their authorization.
- The computer system accessed was a "protected computer."
Modern technology has massively expanded the statute’s reach by fundamentally altering the second element, which originally functioned to constrain the statute’s reach. "Protected computers" were substantially less common in 1986 than they are today. Under the CFAA, a “protected computer” is one “which is used in or affecting interstate or foreign commerce or communication” — essentially every computer connected to the modern internet.
Civil plaintiffs must also demonstrate that the unauthorized access caused one of the following in order to bring a lawsuit:
- Loss to one or more persons during any one-year period … aggregating at least $5,000 in value.
- Modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
- Physical injury to any person.
- A threat to public health or safety.
However, the CFAA defines loss to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.” (emphasis added). As a result, plaintiffs (particularly larger companies) can often meet the loss requirement simply by investigating whether an intrusion took place at all.
Given the law’s applicability to nearly all modern computers, and the ease of meeting the damage threshold for civil claimants, the key remaining question is how to define the scope of “authorized access.” The Ninth Circuit has sought to do this in a pair of recent decisions.
Facebook v. Power Ventures and CFAA Civil Liability
In Power Ventures, the Ninth Circuit was asked to address whether a private company’s receipt of a cease-and-desist letter was sufficient to place it on notice that continuing to access the sender’s computer network would place it in violation of the CFAA’s prohibition on “accesses[ing] a computer without authorization.”
Power Ventures was a tech startup that marketed itself as a platform where users could simultaneously manage multiple social media accounts. Its business model was dependent on its ability to access Facebook’s servers as well as the networks of other social media companies. In December 2008, Power Ventures began a promotional campaign that encouraged prospective users to distribute promotional material generated by Power Ventures. Users would click a button on Power Ventures’ website that enabled the company to send ads via the prospective user’s Facebook account to the user’s Facebook network.
Almost immediately after its promotional campaign began, Facebook sent Power Ventures a cease-and-desist letter, expressly declaring that Power Ventures was not authorized to access its servers. Facebook also began using IP-screening software in an attempt to block known addresses from which Power Ventures was accessing its network. Power Ventures responded by ignoring the cease-and-desist and circumventing Facebook’s blocking attempts by changing its IP address. Facebook then sued, alleging violations of the CFAA, California state law, federal copyright law, and the Digital Millennium Copyright Act. Facebook relied on the argument that Power Ventures’ access to the Facebook site became “unauthorized” for the purposes of the CFAA after it received Facebook’s cease-and-desist letter.
The district court granted summary judgment to Facebook and awarded more than $3 million in damages, finding that Power Ventures had violated the CAN-SPAM Act, the CFAA, and California state law.
The Ninth Circuit reversed in part, affirmed in part, and remanded the case back to the district court. While the Circuit panel reversed the district court’s CAN-SPAM ruling, it agreed that Power Ventures violated the CFAA by continuing to access Facebook’s servers after receiving a cease-and-desist letter. The panel “distill[ed] two general rules” regarding the CFAA: (1) that a defendant violates the statute when accessing a computer without permission or “when such permission has been revoked explicitly”; and (2) that the violation of a website’s terms of service “without more” cannot trigger liability under the CFAA. Power Ventures’ continued use of Facebook’s platform to send advertising materials to Facebook’s users rose to the level of a violation. In a key footnote, the Court clarified the definition of “something more” when it determined that Facebook’s cease-and-desist letter “plainly put Power Ventures on notice that it was no longer authorized” because the letter warned Power Ventures that it may have violated federal and state law as well as Facebook’s terms of service. In another critical footnote, the Power Ventures Court determined under the facts it “need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.”
The Ninth Circuit’s decision means that CFAA liability does not immediately arise from a terms-of-service violation. However, a company can create grounds for a CFAA suit, including even criminal prosecution, by sending a cease-and-desist letter informing a potential defendant that (1) he or she is no longer authorized to access the sender’s computer; and (2) continued access may violate the CFAA. Online civil rights advocates argue that the CFAA has been distorted from its original anti-hacking purpose and is being used by overzealous prosecutors to target disproportionately minor offenses — and that adopting a position espoused by LinkedIn in a case currently pending (see below) would instantly criminalize multitudes of otherwise innocent users. Critics of broadly interpreting the CFAA also argue that it would give private plaintiffs too much power, as breach of contract in other contexts does not give rise to federal criminal liability and cannot usually be created unilaterally. Users often have very little control over the content of terms of service or other agreements that govern their access and use of online content.
Nosal v. United States and CFAA Criminal Liability
The Ninth Circuit referenced an earlier set of CFAA decisions in support of its Power Ventures holding. The Nosal decisions are a series of criminal cases arising from the prosecution of David Nosal for violations of the CFAA. Nosal, a former employee of executive talent search agency Korn/Ferry, left his employer in order to start a competing business in 2004. When Nosal left Korn/Ferry, the company terminated his access to its networks. Shortly after leaving the company, Nosal solicited several then-current employees to join him at his new competing venture, and induced them to use their valid Korn/Ferry credentials to access large amounts of the company’s proprietary data, including the leads, source lists, and the contact information of prospective candidates, before leaving the company. Nosal also approached his former executive assistant for valid login credentials in order to acquire ongoing access to Korn/Ferry’s systems; she acquiesced, and Nosal used her credentials to access Korn/Ferry’s network on behalf of her new business. Nosal and his colleagues were initially indicted on 20 counts of violating the CFAA in 2008.
In the first case, referred to as Nosal I, prosecutors alleged that Nosal and his co-conspirators violated the CFAA by knowingly using the current employees’ credentials to access Korn/Ferry’s systems to obtain information for use in Nosal’s competing business in violation of Korn/Ferry’s computer use policy. The case was dismissed by the trial court; a Ninth Circuit panel affirmed the dismissal on appeal and held that “exceeding authorized access” in violation of Section 1030(a)(4) did not include bare violations of terms of service. Subsequently, the Circuit agreed to rehear the case en banc; the full circuit upheld the panel’s decision that the use of an active employee’s credentials in violation of the employer’s computer use policy to obtain proprietary information from the employer did not “exceed authorized access” sufficient for a CFAA violation if the employee was otherwise authorized to access the information and did not circumvent security measures in order to do so.
The en banc decision was not the end of the matter. Prosecutors refiled charges and obtained a second conviction based on Nosal’s use of his former executive assistant’s login information. Nosal obtained the executive assistant’s permission to use her login information, but for obvious reasons was never authorized by Korn/Ferry to access its computers. In Nosal II, the Circuit was asked to clarify whether "authorization" under the meaning of the CFAA could be provided by the holder of a secure login, or must come from the owner of the protected computer. The Ninth Circuit determined that Nosal’s use of an employee’s secure login information without the employer’s permission in order to obtain proprietary information did qualify as “unauthorized access” under the CFAA, even if the user obtained the current employee’s permission to use their credentials, a result that many privacy advocates feared might criminalize routine password sharing.
Taken together, the court’s Nosal decisions emphasize a distinction between “exceeding authorization” and “without authorization,” and along with the Power Ventures decision, strongly indicate the ability of a data controller to affirmatively withdraw authorization. Although Nosal I clarified that the violation of a Terms of Use agreement alone could not create CFAA liability, Nosal II and Power Ventures together indicate that “authorization” for computer access must originate with the owner of the computer and can be withdrawn by that owner. Furthermore, the circuit’s decisions suggest a withdrawal of authorization that puts the deauthorized party on notice of potential CFAA liability may itself serve as grounds for that liability in the event of future access.
HiQ v. LinkedIn: The CFAA after Nosal and Power Ventures
With the Supreme Court’s denials of certiorari, Power Ventures and Nosal are likely to stand as the preeminent authorities on the CFAA for the time being. At least one lower court has already attempted to distinguish both cases, however, apparently responding to warnings that the decisions may turn the CFAA into an anti-competitive superweapon; allowing data controllers to unilaterally create major civil or even criminal liability by sending "deauthorization" notices to new competitors or ordinary users.
In hiQ Labs Inc., v. LinkedIn, the Northern District of California recently granted a preliminary injunction on behalf of hiQ. HiQ is a "scraping company" that operates by conducting automated analysis of publicly available data on LinkedIn’s website. After the Power Ventures decision, LinkedIn sent hiQ a cease-and-desist notice, alleging hiQ’s conduct violated LinkedIn’s terms of service and warning hiQ that it could face liability under the CFAA if it continued to access LinkedIn’s website. HiQ, which had conducted its scraping operation for several years with LinkedIn’s knowledge, responded by suing LinkedIn. HiQ asked the Northern District to issue a preliminary injunction preventing LinkedIn from denying it access to LinkedIn’s publicly accessible data via IP-blocking, and to determine that hiQ’s practices do not violate the CFAA.
HiQ’s business model relies on its ability access LinkedIn’s publicly available user profile information to provide workforce data analytics, which it does without using a secure login or any other credentials supplied by LinkedIn. Nonetheless, LinkedIn argues hiQ’s behavior is analogous to Power Ventures’ business model — using LinkedIn’s networks in knowing violation of LinkedIn’s policies without its consent — but the Northern District has thus far disagreed.
The District Court has granted hiQ’s motion for a preliminary injunction to prevent LinkedIn from denying it access to information otherwise available without restriction on LinkedIn’s website. The Court rejected LinkedIn’s argument that it can brand future access by hiQ "without authorization" if hiQ is accessing only publicly available data that is not protected by a paywall or secure login and password, via a cease-and-desist notifying hiQ that its practices violated LinkedIn’s terms of service and risked CFAA liability. The District Court determined that both Power Ventures and Nosal were “distinguishable in an important respect: None of the data … was public data.” The District Court said that while the systems accessed in Power Ventures and Nosal could be “fairly characterized as the private interior of a computer system not accessible to the public” the same could not be said of the LinkedIn pages scraped by hiQ.
In finding for hiQ, the District Court relied heavily on Orin Kerr’s 2016 article "The Norms of Computer Trespass." Kerr argues that the normative values we apply to physical trespass can be applied to trespassing in the digital realm. Kerr advocates — and the Northern District appears to accept — a conception of “authorization” where authorization flows from the presence of an “authentication gate.” Kerr distinguishes “speed bumps” such as IP address blocking and reCaptcha tests from a true “authentication gate” that functions to verify that a given user is “the person who has access rights to the information accessed.” Critically, Kerr’s model advocates for an “open norm of the World Wide Web [that] should render access to websites authorized unless it bypasses an authentication gate.” The District Court was persuaded by hiQ’s argument that Kerr’s model could reconcile Nosal and Power Ventures with hiQ’s request for an injunction — specifically, that the critical difference lay in the public accessibility of the data hiQ was scraping. Under the hiQ order, without an authentication gate there was no “authorization” within the meaning of the CFAA for LinkedIn to revoke. Additionally, the District Court expressly rejected LinkedIn’s argument that hiQ’s use of automated ‘scraping’ could create a CFAA violation by determining that the statute referred only to the identity of the party accessing a computer, not the means of access.
Open-internet advocates have hailed the District Court’s hiQ ruling, although LinkedIn has already appealed the injunction, and there is no guarantee the Circuit panel will agree with the lower court. In light of the Supreme Court’s disinterest in clarifying the CFAA itself, any company that receives a cease-and-desist from a data source with which it does not have a contractual arrangement should take the Ninth Circuit’s willingness to find liability to heart.
Conclusion
Companies interested in controlling third-party access to their data should also take note of these cases, regardless of whether access is via automated server scrapers or individual users. Power Ventures suggests that any cease-and-desist notice purporting to "deauthorize" a user must contain reference to the CFAA itself in order to function as a withdrawal of authorization. The Power Ventures court expressly declined to answer the question of whether Facebook’s data could be considered “publicly available” and thus affect potential CFAA liability. HiQ suggests that the CFAA ought not apply at all if the information in question is openly available to the public. To protect their users' data under CFAA, social networking sites should therefore require users to create login credentials, or place their data behind a paywall.
The next few months will show whether the Ninth Circuit is interested in embracing an interpretation of the CFAA that differentiates “publicly available” data for the purposes of “authorized access” as the preliminary injunction granted by the Northern District of California is appealed. HiQ, Inc. will argue that its preliminary injunction should stand (keeping it in business for now) and that the court should ultimately rule in its favor and determine authorization to access data available to the anonymous public at large cannot be revoked in specific cases. LinkedIn, on the other hand, will make the case that the CFAA grants it the authority to “deauthorize” any party that accesses its site, and that a notice of such deauthorization that includes a warning of potential CFAA liability is sufficient to create actual CFAA liability in the event of continued access. The Supreme Court’s denial of certiorari to Power Ventures and Nosal means that any eventual appeal of hiQ will be governed by those decisions only, and that the high court is at the moment unwilling to overrule the Ninth Circuit’s handling of the issue.
photo credit: Bret Arnett Repainting the Door via photopin (license)