“Data Scraping” Does Not Violate the Computer Fraud and Abuse Act if the Data is Publicly Available

ALEXANDRIA — A federal district court in the Eastern District of Virginia recently held that an event planner who “scraped” data about hotels, restaurants, bars, and meeting rooms from a publicly available Web site did not violate the Computer Fraud and Abuse Act (CFAA).

The plaintiff in Cvent, Inc. v. Eventbrite, Inc., 2010 U.S. Dist. LEXIS 96354 (E.D. Va. Sept. 14, 2010) operated a Web site that assisted customers in locating venues for organizing large-scale events. The Web site contained a massive database that listed detailed information about venues all over the world, including the availability, capacity, and amenities of meeting rooms in various cities. Defendant Eventbrite offered event planning services through its Web site and set out to create a similar “Venue Directory” that would contain information about hotels, restaurants, bars, and meeting rooms.

Rather than aggregate this data on its own, however, Eventbrite hired a computer engineer to “scrape” the data from Cvent’s online database. “Data scraping” is a technique in which an automated program scans and copies information that was intended for human viewing. The legal issue was whether data scraping violates laws prohibiting the unauthorized access of data from protected computers.

Cvent argued that Eventbrite’s scraping violated section 1030(a)(2) of the CFAA, which prohibits accessing a protected computer without authorization—or exceeding authorized access—in order to obtain information. In dismissing this claim, the court noted the distinction between unauthorized use of data and unauthorized access to data. Only unauthorized access constitutes a violation of the CFAA. Cvent’s database, however, was publicly available on its Web site and could be accessed without any password or login information. In the court’s words, “the entire world was given unimpeded access” to Cvent’s database and Eventbrite had therefore not violated the CFAA when it scraped that information.

Cvent argued unsuccessfully that it had, in fact, limited Eventbrite’s access by virtue of a “browsewrap” agreement containing its Terms of Use, which stated that “No competitors or future competitors are permitted to access our site or information, and any such access… is unauthorized.” The court noted, however, that despite this language, Cvent took no “affirmative steps” to prevent competitors from accessing its database. Because the browsewrap agreement was not prominently displayed, and could only be discovered by following a series of links, no reasonable user could be expected to notice it.

Cvent, Inc. v. Eventbrite, Inc. stands in contrast to Snap-On Business Solutions Inc. v. O’Neil & Associates, Inc., 2010 U.S. Dist. LEXIS 37688 (N.D. Ohio Apr. 16, 2010), another data scraping case decided last spring in which the court refused to grant the defendant summary judgment on the plaintiff’s CFAA claims. There, the information on the targeted Web site had been password-protected and the log-in screen alerted visitors that their use of the site was governed by an End User License Agreement, which users could link to directly. Because of these features, the court concluded that a genuine issue of fact existed as to the scope of authorization and the existence of a contract.

These cases offer important lessons for Web site operators concerned about data scraping. As Cvent demonstrates, the operators of targeted Web sites may be without recourse under the CFAA if the information was made publicly available. However, the Snap-On case provides examples of measures that Web site operators can take to protect themselves.
