Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court: Unclear when networking site became aware of data scraping

    Privacy, Cyber Risk & Data Security

    On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.

    As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.

    In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of url data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    Privacy, Cyber Risk & Data Security Courts Data Scraping Consumer Protection Computer Fraud and Abuse Act State Issues California Appellate Ninth Circuit

  • DOJ will not charge researchers who report cybersecurity flaws in “good faith”

    Agency Rule-Making & Guidance

    On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors to not charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers that access computers “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.” Instead, the policy directive focuses the DOJ’s resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer— such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.” The new policy directive explains, however, that “claiming to be conducting security research is not a free pass for those acting in bad faith,” and provides that “discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith.”

    Agency Rule-Making & Guidance DOJ Computer Fraud and Abuse Act Privacy/Cyber Risk & Data Security

  • 9th Circuit: Networking site cannot deny data scraping access to publicly available profiles

    Privacy, Cyber Risk & Data Security

    On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations brought by the networking site claiming the data analytics company used automated bots to extract user data from the networking site’s website (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The networking site sent the data analytics company a cease-and-desist letter, asserting violations of state and federal law, including the Computer Fraud and Abuse Act (CFAA). The data analytics company responded that it had a right to access the public pages and later sought a preliminary injunction. In granting the preliminary injunction, the district court ordered the networking site to, among other things, “remove any existing technical barriers to [its] public profiles, and to refrain from putting in place any legal or technical measures” that would block access.

    The 9th Circuit previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the data analytics company’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States.

    On remand, the appellate court reviewed whether the data analytics company accessed data “without authorization” in violation of the CFAA after it received the cease-and-desist letter. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested that the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. “A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,” the appellate court wrote. “In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.” Therefore, the court held, the phrase “without authorization” does not apply to public websites.

    In determining that a preliminary injunction was appropriate, the appellate court held that the district court did not abuse its discretion in concluding that the data analytics company met the standard of establishing that the plaintiff is likely to succeed on the merits, is likely to suffer irreparable harm without such relief, that the “balance of equities” is in the favor of the plaintiff, and that the injunction would be in the public interest.  The court found that the data analytics company showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” In considering the balance of hardships, the 9th Circuit agreed that the scales “tipped sharply” in favor of the data analytics company “when weighing the likelihood that [the data analytics company] would go out of business against [the networking site’s] assertion that an injunction threatened its members’ privacy” and therefore risked the goodwill it had developed with its members. Finally, the court rejected the networking site’s claims that the data analytics company violated the CFAA, which would have preempted the remaining state law claims.  
     

    Privacy/Cyber Risk & Data Security Courts Appellate Ninth Circuit Cyber Risk & Data Security Computer Fraud and Abuse Act Data Scraping

Upcoming Events