LinkedIn Unleashes the CFAA on Unauthorized Bots
LinkedIn, the Facebook for resumes, has filed suit in the Northern District of California against 100 unnamed individuals accused of using bots to scrape information from its website. The suit accuses the Doe defendants of violating the Computer Fraud and Abuse Act, a federal anti-hacking law.
The lawsuit comes just barely a month after the Ninth Circuit expanded the reach of the CFAA, ruling in two cases that the CFAA could criminalize unauthorized password sharing and could impose civil liability for misusing a social network. The LinkedIn suit, though, could seek to push the reach of the CFAA even further.
What Counts as "Without Authorization"
The CFAA imposes criminal and civil penalties for anyone who "intentionally accesses a computer without authorization or exceeds authorized access," obtains information, and causes damage or loss as a result. Since the law was adopted in 1986, courts have struggled to define what counts as accessing a computer "without authorization."
In the first Ninth Circuit case from last month, United States v. Nosil, the Ninth determined that using someone else's username and password to access a computer system, after your own access had been revoked, was unauthorized access under the CFAA -- and a federal crime. "Once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party," according to the court.
A week later, the Ninth decided Facebook v. Vachani, a civil CFAA suit not too unlike LinkedIn's. The now-defunct website Power.com had used its members' Facebook information to recruit new users through the social network. It continued to do so, even after being told by Facebook to stop. That too was use of the website "without authorization," the Ninth ruled.
LinkedIn now wants to use the CFAA to stop the bots that are scraping its website for user information, in violation of the website's terms of service, which prohibit scrapers and crawlers.
LinkedIn, Bots, and the CFAA
The LinkedIn suit could take the recent Ninth Circuit rulings a step further. In both of those cases, access had been affirmatively revoked, by the closing of an account in Nosil and the issuing of a cease and desist letter in Vachani.
Here, though, LinkedIn can point only to its technical defenses against bots and its terms of service. In Vachani, the Ninth Circuit specifically said that a violation of TOS alone could not support a claim of unauthorized access under the CFAA. But that logic is shaky. After all, if a letter demands that a user not misuse a website makes future misuse "unauthorized access," should not a TOS form do the same?
Related Resources:
- LinkedIn Sues Anonymous Data Scrapers (TechCrunch)
- Facebook Defends $3 Million Suit Against Rival Social Network (FindLaw's Technologist)
- How Matthew Broderick Shaped U.S. Cybersecurity Policy (FindLaw's Technologist)
- Sharing Your Password Is a Federal Crime, 9th Circuit Rules (FindLaw's U.S. Ninth Circuit Blog)