
What is the Computer Fraud and Abuse Act (CFAA)?

The Computer Fraud and Abuse Act (CFAA) is the primary US federal anti-hacking statute, historically weaponised by target sites to criminalise web scraping. Following the landmark hiQ Labs v. LinkedIn decision and the Supreme Court's ruling in Van Buren, the legal consensus shifted: scraping publicly accessible data without bypassing authentication does not constitute "unauthorized access" under the CFAA. For data pipelines, this means surface web extraction is generally safe from CFAA claims, provided you don't breach technical access barriers.

Legal Precedent · hiQ v. LinkedIn · Public Data · Authorization · Compliance
// 02 — definitions

The boundary of access.

The legal line separating a legitimate public data pipeline from a federal hacking violation, defined entirely by how you handle authentication.


TL;DR

The CFAA penalises accessing a computer "without authorization." For years, companies used it to sue scrapers. Recent rulings clarified that public websites lack an authorization barrier to breach. If anyone can view the data without logging in, scraping it doesn't violate the CFAA. Bypassing a login wall or IP block, however, crosses the line.

01 Definition & legal context
The Computer Fraud and Abuse Act (CFAA) is a 1986 US federal law designed to prosecute computer hacking. It makes it illegal to access a computer "without authorization" or to "exceed authorized access." For over a decade, aggressive corporate legal teams used the CFAA to sue web scrapers, arguing that violating a website's Terms of Service or ignoring a Cease & Desist letter constituted "unauthorized access."
02 The shift in legal precedent
Two major cases reshaped how the CFAA applies to scraping. In hiQ Labs v. LinkedIn, the 9th Circuit ruled that the CFAA does not apply to publicly accessible data. If a site doesn't require a password, there is no authorization to breach. In Van Buren v. United States, the Supreme Court ruled that violating a policy (like a ToS) does not mean you "exceeded authorized access" if you were technically allowed to access the data in the first place.
03 The technical barrier test
Courts now largely rely on the "technical barrier" test. To violate the CFAA, a scraper must bypass a technical access control — like guessing a password, using stolen session cookies, or exploiting an API vulnerability to access private data. Scraping the surface web, even at high volumes, does not meet this threshold because the data is broadcast to anyone who asks for it.
04 How DataFlirt handles it
We build our infrastructure to ensure zero CFAA liability for our clients. We only extract data from the surface web. We do not bypass authentication, we do not scrape behind login walls, and we do not use compromised credentials. If a target moves previously public data behind a hard authentication gate, our pipelines automatically halt and flag the endpoint for review rather than attempting to breach the barrier.
05 The IP rotation grey area
One remaining legal grey area is IP blocking. Some plaintiffs argue that blocking an IP address is a specific revocation of authorization, and using a proxy network to bypass that block violates the CFAA. While courts are split on this, the safest operational approach is to keep request rates low enough that IP blocks are never triggered in the first place, rendering the legal question moot.
// 03 — the legal tests

How courts measure access.

The legal tests applied to determine if a scraper violated the CFAA. DataFlirt's compliance engine maps these directly to pipeline execution rules to ensure zero liability exposure.

Public Data Exemption = A_auth = public_url + 0(login_required)
If no login is required, the data is public and the CFAA does not apply. (hiQ Labs v. LinkedIn, 9th Circuit)
Van Buren Test = V = entitled_accesstechnical_barrier_breach
Improper purpose doesn't matter; only breaching a technical barrier triggers liability. (Van Buren v. United States)
DataFlirt Compliance Score = C = 1 − (auth_bypasses / total_requests)
Strictly maintained at 1.0. We do not scrape behind authenticated gates. (Internal SLO)
// 04 — compliance pre-flight

Evaluating target authorization boundaries.

A simulated pipeline pre-flight check evaluating target authorization. If a technical barrier is detected that requires credentialed bypass, the pipeline halts.

compliance check · auth detection · CFAA safe
// target authorization check
target.url: "https://target.com/directory/public"
auth.required: false
cfaa.risk_profile: "low · public_data"

// technical barrier evaluation
ip_block.detected: true
ip_block.type: "cloudflare_waf_403"
bypass_action: "rotate_residential_ip"
legal_status: "grey_area · potential_revocation"

// DataFlirt compliance enforcement
policy.enforce_public_only: true
action: "halt_on_auth_prompt"
pipeline.status: cleared for extraction
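
A halt-on-authentication gate of the kind this section describes, as an added Python example rather than DataFlirt's own code. The names `preflight` and `run_pipeline`, the signal heuristics and the `example.test` sample responses are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristic login-wall signals (assumptions; tune per target).
LOGIN_PATH = re.compile(r"/(login|signin|sign-in|auth|sso)(/|$)", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)

def preflight(status, headers, body=""):
    """Classify one HTTP response hop and return (decision, reason).

    proceed: no barrier observed; halt: authentication barrier, stop and
    flag; review: access block or anything unexpected, stop and escalate.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) or "www-authenticate" in h:
        return "halt", "auth_challenge"
    if 300 <= status < 400:
        if LOGIN_PATH.search(urlparse(h.get("location", "")).path):
            return "halt", "redirect_to_login"
        return "proceed", "redirect"
    if status in (403, 429):
        # A block may be a revocation of authorization: never retried from
        # another IP automatically, a person decides what happens next.
        return "review", "access_block"
    if status == 200:
        # Conservative: any served password field counts as a login wall.
        if PASSWORD_FIELD.search(body):
            return "halt", "login_form_served"
        return "proceed", "public"
    return "review", "unexpected_status"

def run_pipeline(responses):
    """Walk responses in order; stop at the first halt/review decision."""
    extracted = []
    for url, status, headers, body in responses:
        decision, reason = preflight(status, headers, body)
        if decision != "proceed":
            return extracted, {"url": url, "decision": decision, "reason": reason}
        if reason == "public":
            extracted.append(url)
    return extracted, None

# Constructed sample: a listing that later moves behind a login redirect.
SAMPLE = [
    ("https://example.test/directory/p1", 200, {}, "<li>Acme Ltd</li>"),
    ("https://example.test/directory/p2", 302,
     {"Location": "https://example.test/login?next=/directory/p2"}, ""),
    ("https://example.test/directory/p3", 200, {}, "<li>Never fetched</li>"),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE))
```
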
// 05 — liability vectors

Where CFAA risk actually materialises.

Ranked by the likelihood of triggering a successful CFAA claim. Bypassing authentication is the brightest red line; scraping public data is the safest.

LEGAL PRECEDENT: hiQ v. LinkedIn
JURISDICTION: United States
UPDATED: 2026-05-19
01 Bypassing authentication: high risk · Using stolen or fake credentials to access gated data
02 Breaching a paywall: high risk · Circumventing technical payment barriers
03 Ignoring IP bans: grey area · Rotating IPs after a specific block (revoked auth)
04 Ignoring Cease & Desist: low risk · C&D alone doesn't create a technical barrier
05 Scraping public data: safe · Protected under current circuit court rulings
// 06 — our approach

Public means public, but technical barriers change the math.

DataFlirt operates strictly within the bounds of the publicly available data doctrine. We do not bypass authentication, we do not scrape behind login walls, and we do not use stolen credentials. Our infrastructure is designed to extract data that the target has voluntarily made available to the open web. When a target deploys an IP block, we evaluate whether it constitutes a revocation of authorization under current precedents before rotating proxies. We absorb the compliance complexity so your legal team doesn't have to.

compliance-check.log

Standard compliance evaluation for a new target domain.

target.domain: b2b-directory.com
data.classification: public_listing · safe
auth.required: false · no barrier
robotstxt.status: disallow: /admin · honoured
ip_block.history: none detected
cfaa.exposure: minimal · cleared


// 07 — FAQ

Common questions.

About the CFAA, legal precedents, technical barriers, and how DataFlirt ensures pipeline compliance.

Does the CFAA make web scraping illegal?
No. The CFAA criminalises accessing a computer "without authorization." Following the hiQ v. LinkedIn ruling, the courts established that scraping publicly accessible data — data that anyone can view without logging in — does not violate the CFAA because there is no authorization barrier to breach.
What did the hiQ v. LinkedIn case change?
It fundamentally shifted the legal landscape for scrapers. LinkedIn tried to use the CFAA to stop hiQ from scraping public profiles. The 9th Circuit ruled that the CFAA does not apply to public websites, effectively legalising surface web scraping under federal hacking laws.
Can a Cease and Desist letter trigger a CFAA violation?
Generally, no. A C&D letter is a legal demand, not a technical barrier. Under the Van Buren precedent, violating a policy or ignoring a letter doesn't constitute "unauthorized access" if the data remains technically accessible to the public. However, it may trigger other claims like trespass to chattels.
How does DataFlirt handle CFAA compliance?
We strictly adhere to the publicly available data doctrine. We do not scrape behind authenticated gates, we do not bypass login walls, and we do not use compromised credentials. Our pipelines are configured to halt if a target introduces a hard authentication barrier to previously public data.
Is bypassing an IP ban a CFAA violation?
This is a legal grey area. Some courts have suggested that an IP ban acts as a specific revocation of authorization, making subsequent access via proxy a potential violation. Others argue that if the data remains public, IP rotation is just a network routing choice. We mitigate this by keeping request rates low enough to avoid bans entirely.
What about Terms of Service violations?
Violating a website's Terms of Service is a breach of contract issue, not a CFAA hacking violation. The Supreme Court in Van Buren clarified that violating terms of use does not automatically equal "unauthorized access" under the CFAA. However, ToS claims are often bundled with other legal threats.