Request InfoApply Now
Academic Programs
Online Executive Juris Doctor Degree
Online Juris Doctor Degree
Non-Degree Seeking Single Courses
California Bar Exam
California Law Degree
Admissions
Admissions Requirements
Technical Requirements
Who Should Attend Law School?
B&P 6061.7 Disclosure
Tuition and Fees
EJD and JD Students
Non-Degree Seeking Students
About The Law School
Accreditation
Contact Us
Informational Webinars and Events
Faculty
How Online Law School Works
FAQs About the Law School
Our Law School History
News and Media
Student Life
Academic Support
Career Services
Graduation
Law Library
Tech Support
Student Community
Student Satisfaction
Alumni
Alumni Resources
Alumni Success Stories
Blog
Careers
Constitutional Law
Dean's Column
Law Student Life
News and Commentary
Contact US

877-757-8189

Student Login

Request InfoApply Now
HomeblognewsDoes Screen Scraping Violate the Computer Fraud and Abuse Act?
digital screen and computer code

Does Screen Scraping Violate the Computer Fraud and Abuse Act?

April 15, 2020 | Purdue Global Law School

Screen scraping,” the process of using automated bots to collect data from public websites, has long been contentious. Businesses use scraped data to create aggregation sites, seed other services, and gain competitive intelligence, claiming that their practices fall under the “fair use” provision of the Copyright Act. Organizations whose content is scraped often claim copyright infringement or unfair business practices.

LinkedIn took a novel approach in attempting to shut down the screen-scraping activities of competitor hiQ Labs. The social media giant sent a cease-and-desist letter, arguing that hiQ’s actions violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA imposes criminal liability for accessing a computer system “without authorization” and allows a person who has suffered damages as a result of a violation of the law to bring a civil suit under certain circumstances.

hiQ took the offensive, filing suit against LinkedIn in the District Court for the Northern District of California. The company sought a preliminary injunction preventing LinkedIn from restricting access to its member profiles. hiQ claimed that its conduct was lawful, and that LinkedIn’s actions threatened the survival of its business. The district court judge granted the injunction and LinkedIn appealed.

18 U.S.C. § 1030 Provides Vague Language, Harsh Penalties

Prior to the enactment of laws prohibiting computer-related crime, such activities were prosecuted under mail fraud and wire fraud statutes. Because the applicability of those statutes was limited, the Comprehensive Crime Control Act of 1984 specifically criminalized computer fraud. Enacted in 1986, the CFAA amended the computer fraud law to make hacking a crime by extending the tort of trespass to computer systems.

Congress sought to protect states’ interests in prosecuting such crimes by limiting the CFAA to cases with a “compelling federal interest.” Initially, the CFAA defined “protected computer” as one “exclusively for the use of a financial institution or the United States Government” or “used in” interstate or foreign commerce. However, the Act was amended in 2008 to include computers “affecting” interstate commerce.

As a practical matter, any computer connected to the internet would seem to “affect” interstate commerce and so comes under the ambit of the law. What’s more, 18 U.S.C. § 1030(a)(2)(C) criminalizes any access that is unauthorized or exceeds authorization to “information from any protected computer.”

The penalties for accessing a computer and obtaining information are separated into three tiers:

  • “Simple” violations are misdemeanors punishable by up to one year in prison.

  • Violations involving information valued at more than $5,000, those for commercial or financial gain, or those that further a criminal or tortious act are felonies punishable by up to five years.

  • Repeat offenses are punishable by up to 10 years.

Fines and other penalties may also be assessed.

Noteworthy Cases Involving the CFAA

The vague language of the CFAA led to the prosecution of Aaron Schwartz, a computer programmer, internet pioneer, and hacktivist who set up a computer to download academic articles from digital library JSTOR using an MIT guest account. Facing up to 35 years in prison and $1 million in fines for 11 counts of CFAA violations and two counts of wire fraud, Schwartz committed suicide after rejecting a plea bargain of six months in federal prison.

Schwartz’s death brought calls to amend the CFAA. In 2013, Rep. Zoe Lofgren (D-Calif.) introduced H.R. 2454, known as “Aaron’s Law,” which would eliminate the “exceeds authorized access” language, clarify what access “without authorization” means, and make the penalties more proportional to the crime. Lofgren stated:

It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute. Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

Schwartz was not prosecuted for terms-of-service violations, but others have been. In 2008, Lori Drew was indicted for setting up a fake Myspace account to cyberbully Megan Meier, who committed suicide. A jury found Drew guilty of one misdemeanor count, but U.S. District Court Judge George Wu granted Drew’s motion for acquittal. Wu found that if the CFAA encompassed violations of a website’s terms of service, the statute would be unconstitutionally vague and define criminal conduct via contract.

Court: CFAA Not Applicable to Public Websites

The hiQ case once again raised the specter that the CFAA would apply to terms-of-service violations. LinkedIn took the matter a step further by sending cease-and-desist letters warning screen scrapers that they were acting without authorization.

Because LinkedIn appealed from a preliminary injunction, the Ninth Circuit Court of Appeals did not address the merits of the parties’ claims. Instead, the court focused on whether the district court had established the requisites necessary for injunctive relief. In affirming the district court’s ruling, the Ninth Circuit panel found that hiQ had established a likelihood of irreparable harm to its business and raised serious questions as to the merits of its claims and LinkedIn’s defenses.

In reaching this conclusion, the Ninth Circuit analyzed the statute and its legislative history to determine whether hiQ had a right to conduct its screen-scraping activities after it received LinkedIn’s cease-and-desist letter. The court held that the CFAA distinguishes “between ‘private’ computer networks and websites, protected by a password authentication system and ‘not visible to the public,’ and websites that are accessible to the general public.” Scraping public information, such as LinkedIn member profiles, did not fall within the scope of the statute.

LinkedIn plans to appeal the decision to the Supreme Court.

Learn More About Cyber Law

Purdue Global Law School offers an online Executive Juris Doctor program for those who are interested in gaining legal skills for careers other than law and who do not intend to become a practicing attorney. This program features a law and technology track that provides advanced legal training on matters related to cyber law. Single courses in technology and the law are also available.

We also offer an online Juris Doctor for those who wish to become an attorney licensed in California. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.

Filed In:
Notes and Conditions - Please read

JD Program: Study at, or graduation from, this law school may not qualify a student to take the bar examination or be admitted to practice law in jurisdictions other than California. A student who intends to seek admission to practice law in a jurisdiction other than California should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence. 

EJD Program: Except as provided in rule 4.30 of the Admissions Rules (Legal education in a foreign state or country), completion of a professional law degree program at this law school other than for the Juris Doctor degree does not qualify a student to take the California Bar Examination or satisfy the requirements for admission to practice law in California. It may not qualify a student to take the bar examination or to satisfy requirements for admission to the practice of law in any other jurisdiction. A student who intends to seek admission to practice law should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

© 2024, Purdue Global, a public, nonprofit institution.