Authorization as Authentication in the Computer Fraud and Abuse Act
The award-winning search tool Seats.aero lets users find availability for discounted flights they can book using airline points or miles. It accomplishes this by constantly scraping data from airline websites and using that information to build a database of discounted flights. Miffed at the idea that the tool’s scraping was empowering users to systematically find cheap airfare, Air Canada sued Seats.aero in 2023, claiming that automated inquiries to its publicly accessible interfaces violated its Terms of Service and thereby violated the Computer Fraud and Abuse Act (CFAA). A federal district court in Delaware rejected Air Canada’s request for a preliminary injunction, reasoning that CFAA violations hinge on whether a “gate” exists that separates public webpages from private data, not on the dataholder’s desires, Terms of Service, or notices. And because Seats.aero scraped publicly available webpages and didn’t circumvent any gate between public and private data, the court argued, it didn’t run afoul of the CFAA.
This dispute highlights an ongoing legal uncertainty haunting newsrooms, researchers, and developers who use bots to scrape online data: Many dataholder plaintiffs want courts to consider their terms of service, robots.txt files, cease-and-desist letters, and generic anti-bot measures as binding, dispositive indicators of authorization under the CFAA. Although most courts have declined to do so, instead turning to tests like “gates-up-or-down,” a clear, positive formulation of the correct standard still evades CFAA jurisprudence. Such a gap motivates this article, which argues that “without authorization” in the CFAA should be interpreted to mean circumvention of an authentication gate with individualized technological control, as suggested by Van Buren v. United States and affirmed by HiQ v. LinkedIn. I argue that the Van Buren reading of “gates-up-or-down” and the Ninth Circuit’s post-remand decision in HiQ v. LinkedIn confirm that public webpages do not create CFAA liability, notwithstanding the terms of service, cease-and-desist, robots.txt files, and IP blocks that dataholders implement. I propose the Authentication or Equivalent (A/E) Test, a doctrinal rule of judgment that (1) safeguards platforms’ autonomy over genuinely nonpublic areas and (2) defends research and journalism that depend on publicly available web data.
The Supreme Court in Van Buren read “authorization” in the CFAA context to take on a gates-up-or-down meaning. This reading establishes a binary: the gates are either up (completely open access) or down (no access at all) for the relevant computer system or a particular area within it. And Van Buren treats both “without authorization” and “exceeds authorized access” inquiries as gates-up-or-down decisions, a point the Ninth Circuit reinforced in its 2022 opinion in HiQ. For illustration, consider Seats.aero. When award airfare results are visible without logging in, the “gates” are up and the CFAA does not bite. This intrusion-based reading avoids the mistaken conversion of robots.txt declarations, private terms of service, or cease-and-desist letters into property rules on the open web. The problem is that some post-Van Buren courts still treat these non-gate measures as de facto property rules. Examples include post-C&D scraping with IP-block evasion in Craigslist v. 3Taps and continued access to password-protected pages after revocation in Facebook v. Power Ventures.
This ongoing ambiguity motivates this article, in which I propose an authentication-based view of authorization. Doing so first requires a distillation of the core doctrines from Van Buren and HiQ. In these two landmark cases, the Supreme Court and the Ninth Circuit laid a foundation that treats the CFAA’s “authorization” as a technological gate. In Van Buren v. United States, the Court considered whether a person who has authorized access to a computer system violates the CFAA’s “exceeds authorized access” clause by obtaining information he is authorized to access but then putting it to an improper use, as opposed to entering a system he is forbidden from entering in the first place. The Court emphasizes the CFAA’s distinction between outsiders (“without authorization”) and insiders who cross technical partitions (“exceeds authorized access”). As an insider, Van Buren had access to the license-plate data, and his misuse of that data does not fall within the “without authorization” provision. Critically, the Court adopted a unified “gates-up-or-down” reading for both “without authorization” and “exceeds authorized access.” Under this reading, the Court rejects a purpose- or circumstance-dependent view of “exceeds authorized access.” The inquiry is whether the user crossed a technical boundary (e.g., an authentication gate), not whether they had an improper motive.
On remand after Van Buren, the Ninth Circuit reaffirmed a preliminary injunction in HiQ v. LinkedIn that allowed a small data research company to scrape data from public LinkedIn profiles. The panel reasoned that a public webpage, such as a LinkedIn profile, imposes no access limitations, so the concept of “without authorization” does not apply. Building on Van Buren’s gate interpretation, the court explained that authorization is at issue only for systems with explicitly erected gates, which LinkedIn’s public profiles do not have. It also distinguished password-gated systems from session-gated systems (like Facebook’s in Power Ventures), where authorization can be revoked for particular individuals, and noted that robots.txt is a convention, not an access gate. In HiQ, the gate analogy is thus sharpened: authorization means credentials or equivalent technical gates, not merely terms or robots.txt. This gate-based holding should be preserved, because it keeps the CFAA an anti-intrusion statute and prevents unilateral ToS or robots.txt restrictions from becoming de facto property rules that chill research and interoperability.
Website owners’ contrary view is unworkable because it collapses “authorization” into private policies that are unremarkable on their own. Website owners routinely deploy non-gate measures on public webpages: robots.txt exclusions, cease-and-desist (C&D) letters, and terms of service. These tools should not count as “authorization” under the CFAA, because they are rarely read or negotiated, are frequently presented and revised unilaterally, and often impose blanket bans on scraping regardless of the degree of intrusion. Treating such policies as “authorization” converts limits on usage into gates against access, turning ordinary ToS breaches into CFAA violations. It also contradicts HiQ’s core holding that public sites impose no access limitations or blocks, rendering “without authorization” empty and meaningless.
These errors in classifying authorization have chilling effects on research and journalism that rely on data from external webpages. Journalists and researchers often use automated tools to analyze publicly available information. In the HiQ case, several leading news organizations submitted amicus curiae briefs in support of HiQ. Their argument equated restrictions on public webpages with limitations on newsgathering and access to information. Meanwhile, courts continued to confront, and strike down, requests to treat a C&D letter as a gate. For instance, relying on HiQ’s distinction between public and private information, the Central District of California dismissed a CFAA claim premised on visits to a public retail site.
Why are lower courts still misapplying the standard of authorization despite clear holdings from the Supreme Court and the Ninth Circuit, and why has neither a statutory amendment nor Ninth Circuit reversal corrected the problematic district court decisions? The answer lies in a series of ambiguities, starting with Congress’s failure to define “authorization” in 18 U.S.C. § 1030. Furthermore, the definition of “exceeds authorized access” hinges on the opaque “so to obtain or alter” clause (§ 1030(e)(6)). Van Buren clarifies the latter but leaves the former uncertain.
To resolve this ambiguity, Congress should codify a clear, gate-based standard for “authorization.” Drawing on Van Buren and HiQ, an Authentication‑or‑Equivalent (A/E) Test could be drafted as follows.
Definition: Access without authorization means circumvention of (1) a method of authentication (a password, a username-and-password pair, multi-factor authentication, or an equivalent) or (2) an individualized technological measure, to which the user has consented, that restricts general-public access to the specific information.
What is not authorization on a public page
(1) robots.txt. HiQ notes that robots.txt on its own is routinely ignored by bots; it is a crawler convention, not an explicit, individualized access gate.
(2) Terms of service (including contractual bans on automation and scraping). Department of Justice policy cautions against bringing “exceeds authorized access” charges based on “contracts, terms of service agreements, or employee policies,” since such agreements are effectively involuntary.
(3) Generic limits and anomaly detection. LinkedIn’s global IP blocking is a bot‑mitigation practice, not authentication, because it is not tied to a specific user’s identity or credentials.
(4) Cease-and-desist letters. A C&D letter can withdraw contractual permission, but it cannot convert a public resource into a gated one, because prior authorization was never required in the first place.
What is categorized as authorization
(1) Specific login credentials (password, multi-factor authentication) that are knowingly set up by the users to reach nonpublic areas.
(2) Individual technical control, like user‑specific paywalls, signed URL checks, or per‑account CAPTCHA tied to session identity, which ties the capabilities of accessing a piece of information to the user’s identity. Clarification: generic, stateless CAPTCHAs on public pages do not qualify; only identity-bound or account-linked challenges count.
Under the A/E Test, the categorical distinction between unilateral “no bots” policies and identity-authenticating access gates is clear-cut. The former are usage rules, not authorization barriers. The latter, including passwords, multi-factor authentication, and account-tied challenges, are true gates. Declining to treat terms as authorization does not leave site owners powerless; it requires them to implement real gates if they want CFAA protection against scraping. This balance preserves low-friction access to public pages while channeling CFAA liability toward genuine intrusions.
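To make the A/E distinction concrete in engineering terms, the following added example (mine, not part of the article) models a small site with both kinds of control. A robots.txt disallow and a generic IP block list are recorded as advisory signals that bind to no user; an HMAC-signed URL bound to a user id and an expiry is the “individualized technological measure” of the test, and only it decides access to the nonpublic area. All paths, addresses, keys and user ids are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secret; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-key"

# Constructed robots.txt rule and generic IP block list (203.0.113.0/24 is a
# documentation range). Neither is bound to any user's identity.
ROBOTS_DISALLOW_PREFIXES = ("/award-search",)
BLOCKED_IPS = {"203.0.113.7"}

# Paths behind an individualized control in this toy site.
NONPUBLIC_PREFIX = "/account/"


@dataclass
class Request:
    path: str
    client_ip: str
    params: dict = field(default_factory=dict)


def robots_disallows(path: str) -> bool:
    """Advisory only: a crawler convention, not an access gate."""
    return path.startswith(ROBOTS_DISALLOW_PREFIXES)


def ip_blocked(client_ip: str) -> bool:
    """Generic bot mitigation: keyed to an address, not to a user."""
    return client_ip in BLOCKED_IPS


def _signing_input(path: str, user_id: str, expires: int) -> bytes:
    return f"{path}|{user_id}|{expires}".encode()


def sign_url(path: str, user_id: str, expires: int, key: bytes = SERVER_KEY) -> dict:
    """Issue query parameters for a URL bound to one user and one deadline."""
    sig = hmac.new(key, _signing_input(path, user_id, expires), hashlib.sha256).hexdigest()
    return {"uid": user_id, "exp": str(expires), "sig": sig}


def verify_signed_url(path: str, params: dict, now: int, key: bytes = SERVER_KEY) -> bool:
    """Individualized gate: passes only with a valid MAC over (path, user, expiry)."""
    try:
        user_id = params["uid"]
        expires = int(params["exp"])
        sig = params["sig"]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    expected = hmac.new(key, _signing_input(path, user_id, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(expected, sig)


def classify_request(req: Request, now: int) -> dict:
    """Sort a request into the A/E categories: non-gate signals vs. a real gate."""
    signals = []
    if robots_disallows(req.path):
        signals.append("robots.txt disallow (advisory, not a gate)")
    if ip_blocked(req.client_ip):
        signals.append("generic IP block (bot mitigation, not a gate)")
    if req.path.startswith(NONPUBLIC_PREFIX):
        # Only here does identity-bound verification decide the outcome.
        passed = verify_signed_url(req.path, req.params, now)
        return {"gate": True, "allowed": passed, "signals": signals}
    # Public page: the signals may shape conduct, but no gate is present.
    return {"gate": False, "allowed": True, "signals": signals}


if __name__ == "__main__":
    now = 1_000
    print(classify_request(Request("/award-search", "203.0.113.7"), now))
    link = sign_url("/account/history", "u123", expires=2_000)
    print(classify_request(Request("/account/history", "198.51.100.4", link), now))
    print(classify_request(Request("/account/history", "198.51.100.4", {}), now))
```

The design point is that the advisory signals never change the `allowed` result on a public path, while the signed-URL check fails closed on a missing, tampered or expired token; that is the difference between a policy about use and a gate bound to a particular user.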
In conclusion, the CFAA should treat automated visits to the open web as authorized. Van Buren’s “gates‑up‑or‑down” logic and HiQ’s focus on public pages converge on a simple principle: “without authorization” should be defined only in terms of authentication and equivalent individualized control. Contracts, robots.txt, C&D letters, and blanket IP blocks are not gates, although they may guide conduct on public pages. Codifying an Authentication‑or‑Equivalent definition would balance the protection of genuinely private areas with open access for research and journalism.
Bibliography
Reporters Committee for Freedom of the Press, and 30 Media Organizations. Brief of Amici Curiae the Reporters Committee for the Freedom of the Press and 30 News Media Organizations in Support of Neither Party, HiQ Labs, Inc. v. LinkedIn Corporation, No. 17-16783 (9th Cir. filed July 16, 2021). PDF. https://www.documentcloud.org/documents/21012993-2021-07-16-HiQ-labs-v-linkedin-corp-amicus-brief-filed-by-rcfp-and-30-media-organizations/. Accessed October 28, 2025.
Thomas, David. “L’Occitane Defeats Mass Arbitration Bid in Fight with Consumer Law Firm.” Reuters, April 15, 2024. https://www.reuters.com/legal/government/loccitane-defeats-mass-arbitration-bid-fight-with-consumer-law-firm-2024-04-15/. Accessed October 28, 2025.
United States Court of Appeals for the Ninth Circuit. Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016). PDF. https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf. Accessed October 28, 2025.
United States Court of Appeals for the Ninth Circuit. HiQ Labs, Inc. v. LinkedIn Corporation, 31 F.4th 1180 (9th Cir. 2022). PDF. https://cdn.ca9.uscourts.gov/datastore/opinions/2022/04/18/17-16783.pdf. Accessed October 28, 2025.
United States Department of Justice. “Justice Manual, 9-48.000 — Computer Fraud and Abuse Act.” Updated May 2022. https://www.justice.gov/hi/node/1376721. Accessed October 28, 2025.
United States District Court for the Central District of California. L’Occitane, Inc. v. Zimmerman Reed LLP, No. 2:24-cv-01103. Judgment of Dismissal (April 25, 2025). https://docs.justia.com/cases/federal/district-courts/california/cacdce/2%3A2024cv01103/914293/63. Accessed October 28, 2025.
United States Supreme Court. Van Buren v. United States, 141 S. Ct. 1648 (2021). PDF. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf. Accessed October 28, 2025.