More Perspectives About Van Buren v. US (Guest Blog Post)
by guest blogger Kieran McCarthy
[Eric’s comment: this is a supplement to my more comprehensive post on Van Buren v. US]
This was a critically important case with far-reaching policy implications across dozens of industries. 23 amici curiae were filed.
Justice Barrett wrote a 20-page opinion, nearly half of which was dedicated to a textual analysis of the word “so.”
While I don’t have the pedigree to comment on the theoretical drafting practices of the US Supreme Court, as a practitioner in this area of law, I was certainly hoping for a little more oomph on the substance here.
Positives:
- The Court’s decision purges the worst evils of the worst interpretations of the CFAA. Namely, the interpretations that invite criminal liability for a “breathtaking amount of commonplace computer activity.” We must give the Court credit for doing the right thing on that front.
- If lower courts interpret this case the way Eric thinks they should, by removing liability for ToS violations, C&D authorization withdrawals, and other context-based activities that are contingent upon the “drafting practices of private parties,” then I think that will be a very good thing as well.
Negatives:
- The Court could have done 10% more work here and provided broad clarity on very key questions, as Eric points out. It declined the opportunity to do so. In the end, there are remarkably few clear, declarative sentences in this opinion that provide guidance for future cases.
- After the line about “breathtaking amounts of criminal liability,” the second-most important sentence in this decision is “[a]n interpretation [of the CFAA] that stakes so much on a fine distinction controlled by the drafting practices of private parties is hard to sell as the most plausible.” That’s an important sentence, but it’s not as clear is it could be. The court could have said, “Liability under the CFAA cannot be dictated by the drafting practices of private parties.” That would have given lower courts clear, unequivocal guidance. Again, it chose not to do so. Will courts infer the latter from the former? Let’s hope so.
- There are lots of nuances related to access processes in the world of technology. Proxy servers, passwords, ToSs, VPNs, rotating proxies, residential proxies, hidden urls, and so on. This case simply ignores all of them and says “liability under both clauses stems from a gates-up-or-down inquiry.” To paraphrase Orin Kerr, there are lots of access processes that are basically speed bumps. Plaintiffs’ lawyers are going to argue that those speed bumps are gates. We got precious little guidance from SCOTUS on how to distinguish speed bumps from gates. And so I think we now get to look forward to ten to twenty years of case law arguing over which forms of technology constitute “gates.”
Follow-on thoughts:
- It’ll be interesting to see the interplay between this and hiQ Labs. I don’t think this decision overrules the public-private distinction from hiQ Labs, and I doubt they’ll grant cert after this, but it’s a different enough phraseology that might require clarity and resolution. My reading of Van Buren is that publicly available data would by definition be “gates up,” but I wouldn’t be shocked if some lower courts in other circuits viewed things differently.
- In some ways, this could be read as a narrower interpretation of the CFAA than hiQ Labs. For example, I think it may be possible to revisit issues of scraping beneath a valid log-in after this. For one, BrandTotal’s policy discussion said that companies have broad leeway to police password-protected sections of their sites. But if someone has a valid log-in or can create a new one, that would seem to be “gates up” by my understanding of the term.
- Unlike Eric, I have zero faith in Congress’s ability to come up with a better version of the CFAA.
- I think the correct interpretation of the CFAA is a less-prominent CFAA that only applies to clear and unambiguous instances of breaching a bona fide authentication barrier. If lower courts read Van Buren in this way, then it will provide imperfect but reasonable clarity going forward on CFAA issues, and the CFAA will decline in importance over the next decade. The battleground on data-access issues will shift to state-law concerns and IP issues. That said, if lower courts interpret Van Buren to permit companies to draft use-specific “access” restrictions into online contracts of adhesion, [or to otherwise publish information on the open internet and then invoke liability for accessing it against rival companies], we’ll end up right back where we started.
June 14, 2021 update:
There will be no “interplay” between hiQ Labs and Van Buren. On June 14th, the Supreme Court granted cert to vacate the judgment in hiQ Labs and remand for further proceedings in light of Van Buren.
The most important legal precedent for web scraping is now void.
I would expect the outcome in hiQ Labs on remand to be the same. By my reading of Van Buren, public information by definition would be “gates up.” LinkedIn will likely argue that they rescinded access through a cease-and-desist letter and through implementation of some rudimentary technical self-help measures such as IP address blocks. But I think the correct understanding of Van Buren is that what is open to the public is not gated and therefore not subject to liability under the CFAA.