CFAA ruling could curb data grabs
The Electronic Frontier Foundation argued that the Ninth Circuit should interpret the Computer Fraud and Abuse Act narrowly in a comparison‑shopping case, warning that a broad reading could criminalise ordinary web use and worsen data-rights uncertainty (eff.org). For institutions, the point is a legal reminder that aggressive scraping or opaque enrichment of alumni data faces both ethical and judicial pushback (eff.org).
Amazon won a preliminary injunction on March 9 after telling a federal judge that Perplexity’s shopping browser crossed the line from browsing into illegal access under the Computer Fraud and Abuse Act, a 1986 anti-hacking law. Perplexity has now appealed to the United States Court of Appeals for the Ninth Circuit. (iapp.org, eff.org)
The fight sounds narrow, but the tool at the center is simple: Perplexity’s Comet browser can compare prices across sites and place an order after a user asks it to. The Electronic Frontier Foundation says Amazon is trying to use computer-crime law to block a product that can steer shoppers to cheaper rivals. (eff.org)
That law was written for break-ins, not bargain hunting. The Electronic Frontier Foundation told the Ninth Circuit that the Computer Fraud and Abuse Act should cover bypassing real security barriers, not ordinary use of pages that are publicly visible on the web. (eff.org)
The key Supreme Court case here is Van Buren v. United States, decided on June 3, 2021. The Court said a person “exceeds authorized access” when they enter parts of a computer system that are off-limits, not when they use information they were allowed to see for a bad reason. (supremecourt.gov, oyez.org) The Supreme Court warned that a broader reading would turn everyday rule-breaking into a crime. Its opinion said that treating terms-of-service violations as federal hacking could sweep in a “breathtaking amount of commonplace computer activity.” (supremecourt.gov, iapp.org)
The Ninth Circuit has already moved in that narrower direction in the LinkedIn and hiQ Labs fight. In April 2022, it said scraping data from publicly available LinkedIn profiles likely falls outside the Computer Fraud and Abuse Act because public pages do not have the kind of closed gate the statute targets. (proskauer.com, iapp.org)
The problem is that the district court in Amazon’s case leaned on an older Ninth Circuit decision, Facebook v. Power Ventures, from 2016. In that case, the court said access became unlawful after Facebook sent a cease-and-desist letter and Power kept going. (cdn.ca9.uscourts.gov, eff.org) If that older rule controls, a company could turn conduct into a potential crime just by sending a letter. The Electronic Frontier Foundation says that would let platforms threaten journalists, researchers, and comparison tools without changing a password screen or adding any real technical lock. (eff.org)
The group’s example is concrete: housing researchers often create multiple test accounts with different race, gender, or language settings to see whether a site shows different offers. Under a broad reading, a company that dislikes that testing could claim the researchers became criminals once they were told to stop. (eff.org)
This is why the case reaches beyond one browser and one retailer. If the Ninth Circuit says public web pages can become off-limits by letter alone, price-comparison tools, scraping-heavy market research, and data-enrichment projects that pull information from open sites all get riskier overnight. (eff.org, proskauer.com)