Scraping data from a website likely doesn’t violate anti-hacking laws as long as the data is public, a US court has concluded. Yesterday, the Ninth Circuit Court of Appeals said LinkedIn probably couldn’t tell an analytics company to stop pulling profile information from its platform. LinkedIn had sent the company, HiQ, a cease-and-desist letter — which has been enough to declare companies “unauthorized” in earlier cases. Here, however, the court ruled that LinkedIn couldn’t use anti-hacking rules to control how HiQ used the data.

As University of California, Berkeley professor and computer law expert Orin Kerr lays out, this seemingly limits one section of the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits accessing a computer “without authorization.” It was conceived as a way to punish hacking in the 1980s, but it’s frequently used against companies that access social media website data. Facebook, for instance, stopped a company called Power Ventures from automatically aggregating social media posts with users’ permission.

Yesterday’s ruling distinguished between how Facebook and LinkedIn guard their data. Facebook “tried to limit and control access to its website,” requiring users to log in with a username and password. But “the data HiQ was scraping was available to anyone with a web browser.” Therefore, LinkedIn couldn’t specifically order HiQ to stop accessing this publicly available information under the CFAA.

Sending a cease-and-desist letter isn’t enough to deny access

Many civil liberties advocates opposed the Power Ventures decision, and as Techdirt’s Mike Masnick writes, the court is drawing a pretty fine line between Facebook and LinkedIn. Facebook’s data might have been password-protected, but users were freely granting account access to Power Ventures. It seems plausible to call this access “authorized” as well — but the LinkedIn ruling disagrees with that logic.

The court also says LinkedIn could still potentially claim other violations, including copyright infringement — this is just a preliminary ruling on specific issues. But ruling out CFAA charges is a big deal, because the CFAA can be broadly weaponized against anybody who uses a computer in a way a company or government disagrees with. Kerr calls the ruling a “critical limit” on the law’s interpretation.

As Stanford Internet Observatory director Alex Stamos pointed out on Twitter, this comes with trade-offs. “Cease and desist letters followed by civil action or criminal CFAA referrals are one of the few legal tools available to large providers looking to stop spammers or scrapers,” Stamos wrote. Now, that option appears much less viable. That’s annoying in the case of spammers, but it also raises privacy questions at a point when companies are using big public data sets to train tools like facial recognition algorithms. Even so, Stamos reiterated that he agreed with the court’s decision.