Scraping public website data does not violate CFAA, judge rules

The decision is a rare limitation on the Computer Fraud and Abuse Act.
(Getty Images)

Scraping public data from a website without the website’s authorization is not a violation of the Computer Fraud and Abuse Act, a U.S. federal court ruled Monday, limiting a U.S. anti-hacking law that academics have criticized for allowing broad legal action against innocuous activity.

The U.S. Court of Appeals for the Ninth Circuit on Monday refused to overturn a preliminary injunction that required professional networking site LinkedIn to allow talent management startup hiQ Labs to gather data from users’ public profiles. Microsoft-owned LinkedIn had installed technical safeguards to stop hiQ from sweeping up data on members until a court in 2017 ordered LinkedIn to stop blocking that automated collection. LinkedIn appealed, alleging hiQ had broken CFAA, among other things, by using LinkedIn data in a way LinkedIn did not intend.

“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles,” Judge Marsha Berzon wrote in the decision. “And as to the publicly available profiles, the users quite evidently intend them to be accessed by others[.]”

San Francisco-based hiQ incorporates LinkedIn data into software it sells to employers to help determine whether they will be able to retain employees. The company had argued it would face irreparable harm without an injunction, saying it would need to cease business operations.


The Computer Fraud and Abuse Act, enacted in 1986, makes it illegal to knowingly access a computer without authorization, obtain anything of value from a computer via fraudulent means, or intentionally create damage with a computer, among other activities. Researchers and academics for years have called for legal reforms that make the language in the law more specific to prevent heavy-handed prosecutions against those who are conducting benign analysis.

LinkedIn had sought to invoke the federal anti-hacking law to prevent “free riders” from exploiting its data for their own gain.

“Of course, LinkedIn could satisfy its ‘free rider’ concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line,” Berzon wrote.

The opinion is available in full below.

[documentcloud url=”” responsive=true]

Latest Podcasts