What the Supreme Court Opinion in Van Buren Means for Web Scraping

//

Since the early 2000s, the most important federal law governing web scraping in the United States has been the Computer Fraud and Abuse Act (“CFAA”). For host websites that wanted to stop scraping, the CFAA has been the go-to legal remedy to threaten web scrapers.

For the first time since the law was enacted in 1984, on June 3, 2021, the Supreme Court decided a case involving the CFAA, Van Buren v. United States.

The facts of the case are as follows:

Nathan Van Buren, a former police sergeant, ran a license-plate search in a law enforcement computer database in exchange for money. Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes. We must decide whether Van Buren also violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

Van Buren v. United States at 1.

The Supreme Court said that the police sergeant did not violate the CFAA by accessing the database for improper reasons.

Obviously, this case doesn’t have anything to do with web scraping, at least not literally. But where it does impact web scraping is that the CFAA has often been used to litigate against web scrapers who purportedly “exceed authorized access” by scraping a website where the host website didn’t want them to scrape.

The main holding of this case is that the Supreme Court adopted the “narrow” interpretation of CFAA liability. More precisely, the Court’s articulation of the law is that liability under the CFAA stems from “a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” Van Buren at 13. If you can legally access a computer system, then your subsequent activity does not exceed authorized access, even if the downstream activity might arguably be prohibited in some way.

So if you’re a web scraper, or any other computer user, your liability under the CFAA is now governed by a simple question: Do you have a legal right to access the location where you are scraping? If the answer is yes, then CFAA liability should not accrue to your conduct, even if the website you’re scraping thinks that you’re accessing their databases or information “for an improper purpose.”

The one squishy part of the Court’s opinion to me is footnote 8, which says “[f]or present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies. Cf. Brief for Orin Kerr as Amicus Curiae 7 (urging adoption of code-based approach).” Van Buren at fn. 8.

I’m certain that host sites will argue that this still leaves open the possibility of CFAA liability for violating a terms of use agreement. To me, this is an implausible and unacceptable reading of the opinion. Specifically, the Court says “An interpretation [of the CFAA] that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.”

The way I read footnote 8, companies can restrict access by policy or by code, but they must do so unequivocally and the restriction must follow the statute.

Imagine four folders on a company cloud drive: Folder A is accessible to everyone. Folder B is accessible to everyone but can only be used for “appropriate company purposes.” Folder C is inaccessible to everyone but the CEO, but only by written policy. You can click on it without hacking or engaging in any technical creativity whatsoever. Folder D is off limits, but there is an actual passcode that only the CEO knows. You’d have to hack the password to get in to the folder.

According to Van Buren, a company employee accessing folders C and D to arrange a drug deal would be violating the CFAA. An employee accessing folders A and B would not be. The distinction is that folders C and D are off limits for all purposes, whether by code or by policy. Folder C requires no “hacking,” but it’s still off limits. That makes it potentially subject to CFAA liability.

No doubt, many data monopolists will argue that they can still enforce no-scraping prohibitions in terms of use agreements under the CFAA. They will write into their terms of use that scrapers do not have “access” to their websites. But these arguments are inconsistent with Van Buren, in my opinion. These are mere downstream prohibitions on what can be done with information, not general access restrictions, and are therefore not violations of the CFAA.*

In sum, this opinion is a victory for web scraping advocates, albeit an incomplete one. It does not provide many broad and sweeping quotes that might serve as unequivocal defenses of scraping generally, but it certainly seems to get rid of some of the worst interpretations of the worst understandings of the CFAA. Specifically, the Supreme Court expressly casts aspersions on overbroad criminal prosecutions with the CFAA, and it prohibits prosecutions and litigation against persons and companies who visit a site or computer with legal access and then do something the host site might not like.

To be clear, this is not the last word on the law of web scraping. Many other legal claims, from breach of contract, to trespass to chattels, to copyright infringement, to unjust enrichment and others, have been and will continue to be pursued against web scrapers. But at least in terms of the main federal law that governs web scraping, the legal outlook for web scraping in the United States just got a little brighter.

*Please note that this blog is simply my interpretation of the Supreme Court opinion in Van Buren. There’s no guarantee that every judge in the United States will interpret it in the same way that I have.