Good news out of a court in San Francisco: a judge just issued an early ruling against LinkedIn’s abuse of the notorious Computer Fraud and Abuse Act (CFAA) to block a competing service from perfectly legal uses of publicly available data on its website. LinkedIn’s behavior is just the sort of bad development we expected after the United States Court of Appeals for the Ninth Circuit delivered two dangerously expansive interpretations of the CFAA last year—despite our warnings that the decisions would be easily misused.
The CFAA is a criminal law with serious penalties. It was passed in the 1980s with the aim of outlawing computer break-ins. Since then, it has metastasized in some jurisdictions into a tool for companies and websites to enforce their computer use policies, like terms of service (which no one reads) or corporate computer policies. Violating a computer use policy should by no stretch of the imagination count as felony. But the Ninth Circuit’s two decisions—Facebook v. Power Ventures and U.S. v. Nosal—emboldened some companies, almost overnight, to amp up their CFAA threats against competitors.
Luckily, a court in San Francisco has called foul, questioning LinkedIn’s use of the CFAA to block access to public data. The decision is a victory—a step toward our mission of holding the Ninth Circuit to its word and limiting its two dangerous opinions to their “stark” facts. But the LinkedIn case is in only its very early stages, and the earlier bad case law is still on the books.
The U.S. Supreme Court has the opportunity to change that, and we urge them to do so by granting certiorari in U.S. v. Nosal. The Court needs to step in and shut down abuse of this draconian and outdated law.
The CFAA makes it illegal to engage in “unauthorized access” to a computer connected to the Internet, but the statute doesn’t tells us what “authorization” or “without authorization” means. This vague language might have seemed…