The U.S. Court of Appeals for the 9th Circuit has found for the second time that web scraping of publicly accessible data doesn’t violate the Computer Fraud and Abuse Act.
[T]he Ninth Circuit reaffirmed its original decision and found that scraping data that is publicly accessible on the internet is not a violation of the Computer Fraud and Abuse Act, or CFAA, which governs what constitutes computer hacking under U.S. law.
The leading case arguing that password-sharing is impermissible under the Computer Fraud and Abuse Act only says it’s a crime when account access has been affirmatively revoked, which isn’t the case when giving your active account password to services like Award Wallet, KVS Tool, or The Points Guy app.
And the Supreme Court has drawn a distinction between gaining unauthorized access to a computer system (narrow) and exceeding existing authorization (broad). The Computer Fraud And Abuse Act surely belongs in any hang of shame for egregious laws. This one allows corporations to weaponize their terms and conditions, criminalizing use of websites that they publish publicly. Courts are finally starting to push back.
This may have important implications for frequent flyers. Airlines have sought to use the legal muscle of this law to,
- Prevent tracking of fares on their website, for instance Southwest Airlines sues to prevent other sites from displaying their schedules and prices that they publicly list at Southwest.com
- Southwest Airlines has also blocked services that automate check-in for flights exactly 24 hours prior to departure (which determines a passenger’s boarding order, and being able to snipe this might depress ‘early bird check-in’ sales)
- Delta, United, Southwest and American have all, to varying degrees, blocked certain services that help members track their frequent flyer account balances. The Points Guy and American Airlines are currently suing each other over this. Award Wallet recently stopped tracking AAdvantage accounts apparently under legal threat
- American also shut down the ‘Sequence Decoder’ app that flight attendants used to help manage their schedules and pick up extra trips when the airline is short of staff.
This 9th Circuit ruling comes in a case that’s already been to the Supreme Court, and might go back. The appeals court precedent isn’t binding nationwide, and there may yet be circuit splits interpreting the Computer Fraud and Abuse Act (so different law applying in different parts of the country, especially problematic when dealing when access to online networks). So this isn’t the final word, and various forms of access may be distinguishable from this case involving LinkedIn’s attempt to stop Hiq Labs fro accessing and analyzing its user profiles to understand employee attrition.
Nonetheless, this is progress reining in a tool that allows companies to use the government for its own ends, criminalizing what should at most be a civil matter, and limiting the ability of users to manage their own data in the manner they prefer.