   On Thursday, December 19, 2019, 07:36:59 PM PST, Razer <g2s@riseup.net>
   wrote:

   jim bell wrote:
   > Data of more than 267 million Facebook users has been exposed online
   [1]https://mol.im/a/7811595 via [2]http://dailym.ai/android
   >
   > Jim Bell's comment:
   > Article refers to "an illegal process called scraping...".
   > I am not aware that "scraping" is illegal, or even wrong.
   >        Jim Bell
   >FCC says passing it on or using the information for personal gain is,
   and there's no reason to scrape pages unless one of those two are
   operational.
   Document that.   Somewhat to the contrary
   is: [3]https://blog.zwillgen.com/2019/09/11/ninth-circuit-rules-scrapin
   g-public-website-likely-not-cfaa-violation/
   [partial quote follows]

NINTH CIRCUIT RULES THAT SCRAPING A PUBLIC WEBSITE IS LIKELY NOT A CFAA
VIOLATION

   Published On September 11, 2019 | By Marc Zwillinger, Stacey
   Brandenburg and Zach Lerner | [4]Alternative Data
   [5]Twitter [6]LinkedIn [7]Facebook [8]Reddit [9]Copy Link [10]Email
   [11]Print

   In the highly-anticipated decision in the [12]hiQ Labs v. LinkedIn
   case, the Ninth Circuit upheld the preliminary injunction against
   LinkedIn, prohibiting it from barring hiQās scraping of public profiles
   from its site. In so doing, the court held that the Computer Fraud and
   Abuse Act, 18 U.S.C. Ā§ 1030 (āCFAAā) is likely not violated by the
   scraping of publicly available data even after receipt of a
   cease-and-desist letter. Notwithstanding that this decision is not a
   full adjudication of the case ā but rather a determination of whether
   hiQ has a likelihood of success on the merits and if the injunction is
   necessary to prevent irreparable harm ā the courtās analysis of the
   CFAA claims significantly extends a body of CFAA-related caselaw
   suggesting that the CFAA cannot be used to prevent webscraping of
   public content.

Procedural Posture

   The Ninth Circuit did not decide the entire case on its merits. Rather,
   it only analyzed whether the preliminary injunction issued against
   LinkedIn should be affirmed. In so doing, it found that the balance of
   hardships tipped in hiQās favorāunder the applicable legal standard,
   hiQ only had to demonstrate that it had raised āserious questions going
   to the meritsā of the legal issues in the case. Thus, the opinion is
   not a final ruling on any of the described claims, and its treatment of
   the issues could still be revisited by the court after summary judgment
   or a trial on the merits if the case proceeds.

Analysis of Decision

   The district court entered the injunction against LinkedIn after
   analyzing the four preliminary injunction factors. As part of this
   analysis, the district court found that hiQ was likely to have success
   on the merits of its state law claims that LinkedIn had tortiously
   interfered with hiQās contracts by seeking to block it from accessing
   public profiles on the LinkedIn website. Such blocking was alleged to
   be a death knell to hiQās business, preventing the company from
   collecting the data that fuels its operations and thus, causing it to
   violate its customer contracts. After finding that the district court
   had correctly concluded that LinkedIn likely knew of these contracts as
   well as hiQās business expectations and may not have been within the
   realm of fair competition, the Ninth Circuit needed to determine if
   hiQās conduct amounted to a CFAA violation. If it was, the CFAA would
   preempt all of hiQās claims against LinkedIn and justify LinkedInās
   steps to block hiQās traffic. But, as described below, the Ninth
   Circuit found that the CFAA is unlikely to cover hiQās scraping
   activities as applied to LinkedIn public profiles.

CFAA Claim

   The court identified the pivotal CFAA question as āwhether once hiQ
   received LinkedInās cease-and-desist letter, any further scraping and
   use of LinkedInās data was āwithout authorizationā within the meaning
   of the CFAA.ā The court focused its analysis on the statuteās original
   legislative purpose, stating the CFAA is ābest understood as an
   anti-intrusion statuteā and ātherefore we look to whether the conduct
   at issue is analogous to ābreaking and enteringā.ā The court explained
   that the CFAA is āpremised on a distinction between information
   presumptively accessible to the public and information for which
   authorization is generally requiredā¦.ā Therefore, the court suggested
   that publicly available information does not require authorization to
   access in the first place and similarly cannot have such authorization
   revoked. The court also analogized to the concept of āwithout
   authorizationā as used in the Stored Communications Act, where computer
   communication systems are generally divided into sites āaccessible to
   the general public,ā and sites that are ānot visible to the public,ā
   i.e. restricted or private. Restricted systems ā like Facebook ā
   require passwords or other credentials to access them.

   Accordingly, the court articulated three categories of computer
   information for purposes of the CFAA analysis:
    1. Information for which access is open to the general public and
       permission is not required;
    2. Information for which authorization is required and has been given;
       and
    3. Information for which authorization is required and has not been
       given (or not given for the part of the system accessed).

   In the courtās view, LinkedInās public profiles fall into the first
   category, (whereas the court suggested, in dicta, that Facebookās
   private profiles, which require the creation of username and passwords
   to access, would fall into the second or third category as the case may
   be). Computer information in the first category needs no authorization
   by the site owner to access, and therefore attempts to deny access
   under the CFAA through Terms of Service and/or cease-and-desist letters
   are ineffective. As such, ā[i]t is likely that when a computer network
   generally permits public access to its data, a userās accessing that
   publicly available data will not constitute access without
   authorization under the CFAA.ā
   [end of partial quote]

References

   1. https://mol.im/a/7811595
   2. http://dailym.ai/android
   3. https://blog.zwillgen.com/2019/09/11/ninth-circuit-rules-scraping-public-website-likely-not-cfaa-violation/
   4. https://blog.zwillgen.com/category/alternative-data/
   5. https://blog.zwillgen.com/#twitter
   6. https://blog.zwillgen.com/#linkedin
   7. https://blog.zwillgen.com/#facebook
   8. https://blog.zwillgen.com/#reddit
   9. https://blog.zwillgen.com/#copy_link
  10. https://blog.zwillgen.com/#email
  11. https://blog.zwillgen.com/#print
  12. http://cdn.ca9.uscourts.gov/datastore/opinions/2019/09/09/17-16783.pdf