Is Data Scraping Legal?
The question of Data Scraping has been a controversial issue for a long time. The year 2017 witnessed several important developments focused on interpretations of the Computer Fraud and Abuse Act (CFAA) in separate cases involving Craigslist and Linkedin.
What is Data Scraping? Also known as Web Scraping, it is the automated method for extracting large amounts of data from a website, often through the use of Bots.
One of the weapons used against Data Scraping is the Computer Fraud and Abuse Act (CFAA), a federal cybersecurity law enacted in 1986 as an amendment to existing computer fraud law (18 U.S.C. Sec. 1030) which had been included in the Comprehensive Crime Control Act of 1984. The CFAA prohibits accessing a computer without authorization, or in excess of authorization if any. It is designed to protect private password mainframe computers.
In Craigslist, Inc v. Instamotor, Inc, Craigslist claimed that Instamotor scraped Craigslist content to create listings on its own service and sent unsolicited emails to Craigslist users for promotional purposes to sell used cars. Craigslist has become very aggressive in pursuing claims against hackers based on breach of contract (terms of service TOS), violation of the CFAA, and the CAN-SPAM Act (disguised emails).
The case settled in favor of Craigslist for $31 million in a Stipulated Judgment and Permanent Injunction Aug. 3, 2017.
The next case involved a start up company named hiQ, a member of Linkedin (and subject to Linkedin’s TOS). What hiQ did was to scrape information from Linkedin user profiles and use the scraped data to create workforce data products that it sells to employers. Actually, hiQ tracks user generated changes to profiles in areas like work history and skills, and then uses the data to offer two products, one that helps companies identify employees who are at risk of being recruited away, and another product that helps companies map the skillsets of their employees.
The California U.S. District Court held that hiQ can use web scapers to collect information from PUBLIC Linkedin data. The Key factor in the Linkedin case was that hiQ could access and scrape only public data that was not protected by any authorization technique (such as password protected). Interestingly, the Court granted a preliminary injunction to prohibit Linkedin from employing electronic blocking techniques designed to prevent hiQ from scraping information from public linkedin profiles.
Linkedin has appealed to the 9th Circuit Court of Appeals. So we need to wait and see whether data scraping of public data is legal. Still, there is a change in the legal landscape with respect to Data Scraping. Website owners will need to examine how they control or limit access to content they collect from users.
Source: Webinar from https://www.ftcguardian.com/ – I am a charter member