US: Texas District Court grants preliminary injunction against alleged data scraping

At the start of 2021, Southwest Airlines filed a complaint against Kiwi, an online travel agency, alleging unauthorized "scraping" of flight and pricing data and unauthorized reselling of Southwest flight tickets. According to Southwest, Kiwi copied flight data and purchased tickets directly from Southwest's website, reselling them to over 170,000 customers, inflating fares and tacking on service fees.

Alleging that this conduct directly contravened the Terms and Conditions of the Southwest website, which do not permit online travel agents to sell Southwest tickets without express written approval, Southwest claimed that Kiwi breached the Terms and Conditions (which it agreed to by using Southwest's website) and numerous statutes, including the Computer Fraud and Abuse Act (“CFAA”).

The preliminary injunction

Southwest quickly moved for a preliminary injunction to stop Kiwi's reselling. Kiwi acknowledged the conduct but argued that Southwest was not entitled to injunctive relief, pointing to hiQ Labs v. LinkedIn, 938 F.3d 985 (9th Cir. 2019) and arguing primarily:

  • That the flight data was publicly available to anyone using Southwest's website; and
  • That Kiwi did not assent to the Terms and Conditions on Southwest's website, because conduct that inherently constitutes a breach of the contract cannot be used to show a "reasonable manifestation of assent" necessary for that party to be bound.

On September 30, 2021, the District Court for the Northern District of Texas rejected Kiwi's arguments and granted the preliminary injunction. The Court noted the Ninth Circuit's holding in hiQ that, when a computer network grants public access to its data, a user accessing that publicly available data will not be "without authorization" and therefore not liable under the CFAA.

However, the Court also noted that hiQ had recently been vacated and remanded in light of Van Buren v. U.S., 141 S. Ct. 1648 (2021), which held that a person "exceeds authorized access" when they are given authorization and then access information beyond that authorization or otherwise off-limits to them.

Further, the Court noted that hiQ specifically mentioned that a plaintiff may have breach of contract claims where a CFAA violation does not exist, and rejected Kiwi's argument that its noncompliance kept it from being bound. Here, the Terms were hyperlinked at the bottom of each page on Southwest's website, Kiwi had to affirmatively acknowledge and accept the Terms by checking a box with each ticket purchase, and Kiwi had acknowledged one of the many cease-and-desist letters from Southwest which referenced the Terms.

In other news

Another recent ruling, Vox Mktg. Grp. v. Promos, 2021 WL 3710130 (D. Utah Aug. 20, 2021), tackled the issue of access “without authorization” under the CFAA. The plaintiff operated a portal providing clients access to sensitive documents, such as pricing information. The portal was password protected and each document had a unique URL.

The defendant realized it could alter the end of the URL and directly access documents without needing a password. The defendant then exploited this loophole to take sensitive information and solicit the plaintiff’s clients. The court denied the defendant’s motion for summary judgment, holding that “without authorization” does not just include “hacking” a password, but may also include loopholes and workarounds like the one here. Van Buren, the court said, left open whether a person accesses information without authorization “by violating contractual provisions barring any access” to that information, and compared such conduct to trespassing through a locked door by “rattling the handle . . . until the lock disengages.”

In practice

Companies that want to avoid data scraping would do well to follow the example of Southwest and ensure they have multiple ways of demonstrating that people using their platform have assented to be bound by terms and conditions which explicitly condemn data scraping.

Websites can protect their data by having their terms clearly posted, requiring affirmative acknowledgement of their terms via a checkbox or some similar function, and by sending cease-and-desist letters upon learning of unauthorized conduct.