> your server replying 200 OK should implicitly be considered permission to access that resource
I do see your point and how you could disagree with my statement above. However, if the store owner forgets you next time and says "Come on in! Oh and here is a take-home menu with all our items and prices" but then calls the police to have you removed, there is a problem.
Now imagine said store owner actually owns several locations possibly even with different public names and doesn't want to serve said customer. They could provide a list of all addresses of stores they run explicitly banning permission. Otherwise, that customer walking into store B would need to be told again they would not be served at time of entry.
Assuming the CFAA C&D from LinkedIn does have legal standing here... If hiQ were using IP addresses and not DNS resolution to crawl, how would they know a particular IP is a LinkedIn resource they aren't allowed to access? Did the C&D provide all addresses they are not permitted to access?
My point is that its not black and white, and certainly not clear that this should be covered by the CFAA under "hacking".
Edit: You could also make the argument and analogy to a restraining order which places the responsibility for compliance on the banned party. However those don't just happen because one entity sends a letter to another entity, it needs to be explicitly granted via the legal process.
I think the more accurate comparison is that the owner sent you a C&D saying you're banned from the restaurant, and then you try to say "oh, I though the C&D didn't apply any more because the waitress let me in." Would anyone seriously believe that?
The law applies to people, not computers. The only question is: did Linked In convey its revocation of hiQ's implied license in a way a reasonable person would understand? The computer code is only relevant if a reasonable person would take the HTTP status code to take precedence over the C&D letter.
> your server replying 200 OK should implicitly be considered permission to access that resource
I do see your point and how you could disagree with my statement above. However, if the store owner forgets you next time and says "Come on in! Oh and here is a take-home menu with all our items and prices" but then calls the police to have you removed, there is a problem.
Now imagine said store owner actually owns several locations possibly even with different public names and doesn't want to serve said customer. They could provide a list of all addresses of stores they run explicitly banning permission. Otherwise, that customer walking into store B would need to be told again they would not be served at time of entry.
Assuming the CFAA C&D from LinkedIn does have legal standing here... If hiQ were using IP addresses and not DNS resolution to crawl, how would they know a particular IP is a LinkedIn resource they aren't allowed to access? Did the C&D provide all addresses they are not permitted to access?
My point is that its not black and white, and certainly not clear that this should be covered by the CFAA under "hacking".
Edit: You could also make the argument and analogy to a restraining order which places the responsibility for compliance on the banned party. However those don't just happen because one entity sends a letter to another entity, it needs to be explicitly granted via the legal process.