The Potential Legal Implications of Using Web Scraping for Market Research


hflawreport.com
January 21, 2021

TECHNOLOGY

To Scrape or Not to Scrape: The Potential Legal Implications of Using Web Scraping for Market Research

By Douglas A. Rappaport, Peter I. Altman and Kelly Handschumacher, Akin Gump Strauss Hauer & Feld LLP

Through the use of automated processes performed by software, a web scraper visits a website and attempts to gather relevant data or information that may be provided on the site, such as consumer product reviews or social media profile data. That information may be readily accessible through a simple Google search, or it may require access through a click-through terms-of-service agreement or a firewall. Some investment advisers interested in web scraping conduct that activity in-house, while others may look to outside vendors to accumulate the information.

The law regarding web scraping, however, is still developing and implicates a large number of statutory regimes and areas of common law. For example, web-scraping activity may implicate federal statutes, such as the Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DMCA) and insider trading laws; state blue sky laws; privacy laws; and common law claims, such as breach of contract, fraud and trespass to chattels. This article provides an overview of the evolving area of web-scraping law and practical guidance to investment advisers considering web scraping.

Potential Sources of Liability for Unlawful Web Scraping

Computer Fraud and Abuse Act

The CFAA is a criminal statute that also provides a private right of action that is commonly invoked in web-scraping cases. Among other possible violations, the CFAA proscribes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” Courts have disagreed, however, on what constitutes access without authorization or exceeding authorization.

In hiQ Labs, Inc. v. LinkedIn Corp. (hiQ), the Ninth Circuit affirmed the district court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping information from publicly available LinkedIn member profiles for use in hiQ’s data-analysis products. LinkedIn did not require a password or other authentication to access the public profile data. LinkedIn’s terms of use, however, prohibited web scraping, and LinkedIn sent a cease-and-desist letter to hiQ demanding that it stop.

The Ninth Circuit held that hiQ had shown a likelihood of success on the merits of its claim that a user’s act of accessing data made available by the owner to the general public does not constitute access “without authorization” under the CFAA. When reaching its decision, the court opined that a person may violate the CFAA’s prohibition on accessing a computer “without authorization” when he or she “circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer.” The court, however, further held that it is “likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.” LinkedIn filed a petition for a writ of certiorari in March 2020, which is currently pending before the U.S. Supreme Court.

In a previous litigation under the CFAA – Facebook, Inc. v. Power Ventures, Inc. (Power Ventures) – the Ninth Circuit held that a user accesses a computer “without authorization” under that statute when he or she continues to circumvent technological measures employed by the operator to block that user’s access. Power Ventures involved the blocking of a user’s IP address to prevent access to password-protected information after issuing a cease-and-desist letter. In contrast to hiQ, the court in Power Ventures found that Facebook had “‘tried to limit and control access to its website’ as to the purposes for which [defendant] sought to use it,” specifying that “Facebook require[d] its users to register with a unique username and password.” The court emphasized that, although the defendant in Power Ventures was “gathering user data that was protected by Facebook’s username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.”

Although hiQ and other litigation out of the Ninth Circuit have dominated the recent headlines in the space, the U.S. Supreme Court has agreed to hear a CFAA case that will likely impact the law of web scraping. Specifically, the Supreme Court granted certiorari in April 2020 in U.S. v. Van Buren (Van Buren), an Eleventh Circuit decision that addressed the question of whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he or she accesses the same information for an improper purpose. Van Buren was a Georgia police officer who was convicted of violating the CFAA and honest-services wire fraud based on his use of the Georgia Crime Information Center (GCIC) database to obtain information on a particular person in exchange for money.

On appeal, Van Buren argued that he did not exceed authorized access within the meaning of the CFAA because he was authorized as a police officer to access the GCIC database and distinguished his improper use of the GCIC database from his legitimate right to access it. The Eleventh Circuit affirmed Van Buren’s CFAA conviction, arguably creating a split with the Ninth and Second Circuits over the interpretation of the statute’s provision regarding conduct that “exceeds authorized access.” The Supreme Court’s decision in Van Buren could bear on whether scraping data that one is authorized to access for certain purposes – such as browsing as a potential customer or participating as a member of a social media network – but not authorized to access for web-scraping purposes, constitutes a breach of the CFAA.

In another important 2020 decision, a D.C. federal district court held that the CFAA’s access provision did not criminalize the violation of a consumer website’s terms of service. In Sandvig v. Barr, academic researchers brought a pre-enforcement challenge, alleging that the CFAA violated the First Amendment right to free speech by criminalizing certain terms-of-service violations related to employment websites. On the parties’ cross-motions for summary judgment, the court held that it need not address the First Amendment issue because the CFAA did not criminalize the violation of a consumer website’s terms of service. In so holding, the court observed that the majority of courts that have examined whether violating the terms of service of consumer websites constitutes a criminal CFAA violation have found no liability.

In short, although the scope of the CFAA’s access provision is unsettled, significant authority suggests that the scraping of publicly available information, such as from LinkedIn member profiles, does not violate the CFAA. Likewise, it suggests that violation of a website’s terms of use alone, without more, may not violate the CFAA.

Copyright/DMCA

In addition, the operator of a website that is the target of web scraping may bring a claim for copyright infringement against the user of the web-scraping device by proving:

  1. its ownership of a valid copyright; and
  2. the user’s copying of the original elements of the work in question.

Copyrightable work is further protected by the DMCA, which provides that “[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title.” At least one federal court has held that a party faces liability under Section 1201(a)(1)(A) of the DMCA when it uses bots to circumvent security measures that control nonhuman access to copyrighted material on a webpage.

It is also worth noting the general copyright principle that, although compilations of facts can be protected by copyright, authors may not copyright their ideas or the facts they narrate. Accordingly, if the data scraped are purely facts without a creative component, then there is no copyright claim.

Privacy Statutes

Web scraping may also implicate the privacy statutes of states and other jurisdictions. For example, the E.U.’s General Data Protection Regulation and the California Consumer Privacy Act of 2018 grant consumers a variety of rights and protections with respect to their personal information. Web-scraping activity that compiles personally identifiable information could implicate a variety of privacy statutes – and potentially subject a web scraper to government and private litigation.

See our two-part series on the GDPR: “Impact” (Feb. 21, 2019); and “Compliance” (Feb. 28, 2019). See also “A Roadmap to Understanding and Complying With the California Consumer Privacy Act” (Nov. 14, 2019).

Insider Trading

Under certain circumstances, web scraping could also potentially violate federal insider trading law or state blue sky laws. For example, using affirmative misrepresentations to obtain material nonpublic information through web scraping and then trading based on that information could potentially constitute insider trading.

In addition, the Second Circuit held in SEC v. Dorozhko that trading on information obtained through computer hacking could be insider trading if the information was obtained by “deceptive” means, such as misrepresenting one’s identity.

Courts, however, have held that defendants must be on notice of a website’s terms of service for the terms to be enforced against them. For this reason, a “clickwrap” agreement to the terms of service – requiring the user to consent to terms through an affirmative click before being granted access – is more likely to give rise to an enforceable contract than a “browsewrap” agreement, where a link to the terms of use is posted on the site and user

©2021 Hedge Fund Law Report. All rights reserved.
