With Implications for Web Scraping by Hedge Funds: Supreme Court Adopts Narrow Definition of “Authorized Access” in Computer Fraud and Abuse Act Case

On June 3, the United States Supreme Court decided Van Buren v. United States,¹ a Computer Fraud and Abuse Act (CFAA) case with important implications for investment advisers and hedge funds that scrape web data as a source of research.

The facts of the case have nothing to do with the financial services industry. Rather, they involve a Georgia police officer found guilty of violating the CFAA for accepting a bribe to run a license plate number through a police database in order to determine whether the owner was an undercover police officer. The theory of his CFAA conviction was that he intentionally accessed a computer “without authorization or exceed[ing] authorized access.” The officer had permission to access the database, but the Eleventh Circuit held that he violated the CFAA by exceeding the scope of his authorized access and using the database in a manner that his employer did not allow. Thus, although the officer had authority to access the license plate database, his improper use of the database’s data was a criminal offense under the CFAA.²

The Supreme Court reversed. In so doing, it rejected the Eleventh Circuit’s aggressive reading of the CFAA, which the First, Fifth, and Seventh Circuits also had followed.

In her opinion for the 6-3 majority, Justice Amy Coney Barrett wrote that when the CFAA refers to “information in the computer that the accesser is not entitled so to obtain,” it refers only to “information that a person is not entitled to obtain by using a computer that he is authorized to access.”³ The CFAA therefore “does not cover those who ... have improper motives for obtaining information that is otherwise available to them.”⁴ The practical consequence of this holding is that a violation of the CFAA “stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”⁵

In other words, when a person is allowed to access information, accessing that information will not result in a CFAA violation, irrespective of (1) the person’s motives for accessing the information and (2) whether the owner of the information authorized the person to access it only for specific purposes. The CFAA is instead focused on more traditional “hacking” in the form of “breaking into” a computer system or database to obtain information.

For fund managers using scraped data, the Supreme Court’s decision is an encouraging step in providing more certainty around the legal risks surrounding the use of web-scraped data.

The Supreme Court will soon have an opportunity to address a case specifically involving web scraping. In 2019, the Ninth Circuit held in hiQ Labs, Inc. v. LinkedIn Corp. that it is not a violation of the CFAA for a data analytics company to use information that it scrapes from public LinkedIn profiles to provide its clients with insights on their workforces.⁶ LinkedIn filed a petition for writ of certiorari in the Supreme Court, which is now fully briefed and awaiting disposition.⁷

¹ Van Buren v. United States, No. 19-783.
² United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
³ Van Buren, No. 19-793, slip op. at 5, 8 (quoting 18 U.S.C. § 1030(e)(6)).
⁴ Id., slip op. at 1.
⁵ Id., slip op. at 13.
⁶ hiQ Labs, Inc. v. LinkedIn Corp., 985 F.3d 985 (9th Cir. 2019).
⁷ LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116.