Web scraping is the automated process of loading the pages of websites, extracting large amounts of data from them, and saving that data to a file on your computer or to a database.
Scraping can be used for legitimate business purposes, such as use by price comparison sites and market research companies, and for illegitimate purposes, like copyright theft and price undercutting, which can cause the targeted site to suffer financial losses.
Website operators have asserted various civil claims against “web scrapers” (or “scrapers”) including copyright claims, trespass to chattels claims, contract claims, and Computer Fraud and Abuse Act ("CFAA") claims. This blog post will focus on claims under the CFAA.
The CFAA was originally intended as an anti-hacking statute, so its application to scraping—which usually involves accessing publicly-available data on a publicly-available website—is not always intuitive. Congress passed the CFAA in 1986 to criminalize and counteract computer hacking. Section 1030(c) catalogs the criminal penalties for committing these offenses, which range from fines to imprisonment for 20 years to life. In 1994, Congress expanded the act to also permit civil actions for victims of crimes prohibited by the act. The CFAA protects computers in which there is a federal interest—federal computers, bank computers, and computers used in or affecting interstate or foreign commerce. The statute shields these types of computers from trespass, damage, and being used as instruments of espionage or fraud.
Plaintiffs asserting CFAA claims against scrapers usually allege a violation of subsection 1030(a)(2). This subsection prohibits accessing a computer without authorization or exceeding authorization, resulting in exposure to protected computer-housed information. The determinative question in assessing the viability of a CFAA claim for scraping is: did the scraper access the website without authorization or in excess of its authorization?
In deciding the issue of authorization, courts often rely upon whether the website gave users sufficient notice that access was not authorized. For example, courts have found that a CFAA claim may exist for scraping where the website took security measures to limit access, such as by requiring a password, and the users bypassed those measures in accessing the website. Similarly, courts have found a valid claim may exist where the website took affirmative steps to prevent a user’s access (for example, by blocking the user’s IP address or sending the user cease and desist letters) once it discovered the user’s scraping activities, and the user continued scraping. In contrast, courts have dismissed CFAA claims against scrapers where the website and information were publicly available and did not require any login, password, or other individualized grants of access.
For example, in United States v. Nosal, the Ninth Circuit held that access without authorization under the CFAA “does not extend to violations of use restrictions,” but concerns “hacking—the circumvention of technological access barriers.” In reaching its decision, the court emphasized the legislative history of the CFAA, noting that it was enacted primarily to address the growing problem of computer hacking. The court stated that applying the CFAA to use violations would “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” The court also noted the absurd results that would follow from potentially criminalizing violations of website use restrictions, which, the court noted, nearly everyone who uses a computer is guilty of.
If you have any questions about data scraping, contact firstname.lastname@example.org.
Written by Stephanie Kostiuk - Founder, OpenDoor GC