“So that’s all I can say on the matter,” Ton-That added.

Ton-That may be correct that scraping the data isn’t currently illegal under federal law, but whether or not his company is exposing itself to civil liability is less clear. The 9th U.S. Circuit Court of Appeals ruled in a case between LinkedIn and data analytics firm hiQ Labs last year that scraping public data isn’t a violation of the 1986 Computer Fraud and Abuse Act (CFAA), the infamously vaguely written federal law that criminalizes hacking. Staff attorney Jamie Lee Williams of the Electronic Frontier Foundation, a nonprofit digital rights group known for its work on privacy cases, wrote in a recent blog post that it would be a mistake to try to ban automated public data scraping via the CFAA, as it would criminalize the many mundane uses of the technique and the act could be abused by corporations looking to stamp out competition. (Notably, while hiQ raised arguments that the case should be thrown out on First Amendment grounds, the court declined to rule on them in its decision.)

Facebook had previously told the New York Times that it was investigating and “will take appropriate action if we find they are violating our rules,” though it didn’t tell the paper whether it had also sent a cease and desist. Stanford Internet Observatory director and former Facebook chief information security officer Alex Stamos told the Times that the 9th Circuit ruling had “eviscerated the legal argument that Facebook used to use on scammers and spammers.” Twitter accused Clearview of violating its policies in its cease and desist letter, but it’s not clear if its terms of service would be sufficient to stop the company in court.

Stamos did tweet, however, that he thought there was a case that Clearview had violated the copyrights of the millions of people the photos originally belonged to by repurposing them without authorization, for profit, and in violation of Facebook’s terms of service. That could result in a class action. Facebook recently settled in a similar case in Illinois, which passed a law in 2008 requiring opt-in consent for biometrics collection, to the tune of $550 million.

As Wired noted, there’s no federal law and only a handful of state laws protecting user data, like the California Consumer Privacy Act and the Illinois law, so in the meantime companies like Facebook have mainly turned to making it hard to scrape their sites with technical barriers. Those include measures like requiring sign-in and/or limiting what search engines can index on the site. That’s not enough, according to Williams.

If the CFAA “is the best we can do to protect our privacy with these very complicated, very modern problems, then I think we’re screwed,” Williams told Wired. “... We need a comprehensive privacy statute that covers biometric data.”

Correction: A previous version of this article inaccurately attributed a quote to Ton-That. The person who made the “dystopian future” remark was Kirenaga Partners founder David Scalzo.