LinkedIn has filed a suit against John Does in response to a spate of “data scraping” perpetrated by unknown individuals, in violation of the website’s terms and conditions.This is the latest federal case in the Northern District of California in which a tech company seeks to enforce its contractual provisions through the criminal statute Computer Fraud and Abuse Act (CFAA).
Starting in May 2013, unidentified individuals unleashed automated software programs which bypassed LinkedIn’s security measures in order to create thousands of new member accounts. Once established, these new accounts could be used to view millions of LinkedIn member profiles. The software bots copied personal information off of those viewable pages, which contain extensive personal information. Although we can’t know exactly what the information was used for until the perpetrators are identified, these individuals could potentially use this personal information to steal members’ identities or conduct phishing or other scams.
LinkedIn has since disabled the bot-created accounts and implemented additional security measures to prevent a similar incident. The company instituted the “John Does” lawsuit in order to use the legal discovery process to serve subpoenas which may help identify the attackers. LinkedIn based its legal complaint, in part, on violations of the CFAA. But is the CFAA a sound legal basis on which LinkedIn can bring its claims?
The CFAA states that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer” violates the CFAA and commits a crime. In this case, the bots created LinkedIn member accounts in order to view other LinkedIn member accounts and gather information. According to LinkedIn, the use of bots violates the terms and conditions that each user must agree to when opening an account. Did the drafters of the CFAA intend to reach this type of conduct? If LinkedIn is right, what appears to be conduct supporting a traditional breach of contract may become fodder for a potential criminal violation.
The Ninth Circuit addressed a somewhat similar issue in United States v. Nosal, a case in which a former employee, David Nosal, convinced some of his former colleagues to help him start a business by downloading customer lists from the former employer’s computer network. Although the employees had unrestricted access to the lists, their use of the lists violated the employer’s policy prohibiting the use of work computers for non-business purposes. The Department of Justice indicted Nosal under the CFAA for aiding and abetting this action. Nosal filed a motion to dismiss, which the district court granted. On appeal to the Ninth Circuit, the government argued that the CFAA applied to the employees’ use of the customer listseven though their access to the lists was permitted.
The Ninth Circuit rejected the government’s argument, stating that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”