The Computer Fraud and Abuse Act is a federal law Congress enacted in the mid-1980s to keep up with the changing landscape of criminal conduct in the digital age and to address growing concerns over real and hypothetical computer-based crimes. In its most basic form, the law prohibits unauthorized access to a computer or computer system.
In 1990, a computer science graduate student, Robert Morris, became the first person convicted under the law after releasing the Internet’s first worm. The student, now a tenured faculty member at MIT, crashed “more than 6,000 computers nationwide,” mostly university and military computers, in what the New York Times called (at the time) the nation’s “most serious computer ‘virus’ attack.” Mr. Morris reportedly claimed he did not intend to cause harm or to engage in fraudulent behavior and that the rapid replication of the virus was an experiment gone wrong.
In the nearly three decades since the first conviction under the CFAA, the law has been applied to cases like Mr. Morris’s and others commonly understood as computer hacking incidents—where someone gains access to a computer system or website, without authorization, and causes harm or steals data. But over the years, there have been questions about the law’s scope and what other kinds of behavior might be illegal under the law.
In 2016, the rumor that sharing your Netflix password could be a federal crime swept social media in the wake of a decision in the Ninth Circuit Court of Appeals, U.S. v. Nosal. The case was not about Netflix specifically but involved Mr. Nosal using someone else’s login credentials to gain access to a computer system after his own credentials and access had been revoked. Other employees shared their login information with Mr. Nosal, and he used the borrowed credentials to access and use company information for a competing business. Mr. Nosal’s conviction was upheld under the rationale that using an authorized employee’s credential to access the system did not make Mr. Nosal an authorized user. There are competing views about whether the ruling could mean that password sharing in other contexts (such as using a friend’s password to watch Netflix through their account) could be a federal crime.
This year, social networking site LinkedIn and its ongoing battle with the self-described “data science company” HiQ is making headlines. HiQ reportedly scrapes (pulls and collects) information from LinkedIn user profiles, bundles the information, and markets it as part of “enterprise solutions” the company sells. One service or solution is called “Keeper.” HiQ claims, “Keeper is the first HCM tool to offer predictive attrition insights about an organization’s employees based on publicly available data. The solution turns those attrition insights into consumable, easy-to-deploy action plans so HR and business leaders can retain their key talent.” In other words, the company pulls data from employees’ LinkedIn pages and uses the information to help employers identify those employees likely planning to leave their jobs.
LinkedIn claimed this practice violates the Computer Fraud and Abuse Act and HiQ disagreed. HiQ sued, asking a federal court to determine that its practice is not a crime under the CFAA. In August 2017, the U.S. District Court for the Northern District of California ruled that LinkedIn could not stop HiQ from scraping data from publicly available profiles on the site. The Court noted, “The CFAA was not intended to police traffic to publicly available websites,” rather, it “was intended instead to deal with ‘hacking’ or ‘trespass’ onto private, often password-protected mainframe computers.” The Court apparently was not convinced by LinkedIn’s argument that HiQ’s bots access “private” profile information that LinkedIn users chose not to make publicly visible.
This month, the Ninth Circuit Court of Appeals heard arguments from both sides. LinkedIn again argued HiQ’s practices jeopardize the privacy LinkedIn promises its users and, if allowed to continue, will lead to public sites restricting access. HiQ argued that LinkedIn users already make their information public and that a profile on the site is a user’s “billboard to the public.” They also argued LinkedIn is more concerned about cutting off competitors like HiQ than protecting privacy.
The Court took the companies’ respective arguments under advisement. While HiQ claims it has a “crystal ball” that can predict “turnover risks,” it must wait for the Court’s ruling to see what the future of its data scraping practices will be.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2018. All rights reserved.