Southwest Airlines is embroiled in litigation with a travel aggregator called Kiwi.com. Kiwi has been scraping data from Southwest’s website to sell Southwest flights (with additional fees). Unsurprisingly, Southwest does not like this. Southwest promises customers no additional fees, ever—and Kiwi’s offerings violate that promise.
In an effort to stop Kiwi from reselling Southwest flights, Southwest has pursued several claims against Kiwi, including violation of the CFAA. But, as discussed earlier in LinkedIn Corp. v. hiQ Labs, Inc. and Van Buren v. United States , the Supreme Court recently narrowed the scope of the CFAA in its Van Buren decision. Van Buren explicitly addressed the “exceeds authorized access” of the CFAA, but left open the issue of the precise contours of the “without access” prong of the statute. As Southwest is arguing that Kiwi is accessing the Southwest site without authorization, we can expect further insight into this issue when the district court (N.D. Texas) addresses the fully briefed motion to dismiss the CFAA claim.
Southwest had to pivot from its initial allegations that Kiwi breached applicable website terms prohibiting scraping and therefore violated the CFAA (as Van Buren rejected the use of the CFAA to police amorphous “use-based” access restrictions). However, Southwest presents additional facts beyond the violation of its website terms. First, Southwest points to cease-and-desist instructions it sent to Kiwi, and Kiwi’s continuing scraping afterward. Second, Southwest alleges that Kiwi “hacked” Southwest’s API and has continued to do so despite additional blocking technology by Southwest to prevent Kiwi’s API access.
Kiwi counters by alleging that Van Buren addressed the “without authorization” prong of the CFAA, and that the CFAA cannot address situations when a party has access to any portion of a public website (according to Kiwi, if Kiwi can access file A, then it cannot be prevented by the CFAA from taking file B). This aggressive position would effectively gut the anti-hacking protections of the CFAA.
The court will likely deny the motion to dismiss, as Kiwi is attempting to extend Van Buren far beyond its holding, and would effectively prevent any public website operator from leveraging the CFAA to protect its data. Van Buren addressed the situation where a police officer had access to a license plate database, but used that access for an improper purpose (i.e., selling database information to an undercover FBI officer offering to pay Van Buren for it). Although Kiwi argues valiantly, Van Buren did not hold that permitted access in one area (e.g., a public website) means that the CFAA gates are wide open for all content (such as content specifically restricted by cease-and-desist communications and/or technological measures). Kiwi’s assertion of an all-or-nothing rule would mean that a website owner could not prohibit specific persons or entities from accessing its servers, despite specific efforts to do so.
We should learn soon if the Southwest Court rejects this philosophy, or if the use of the CFAA to prevent data scraping is effectively over.