Yesterday the U.S. Ninth Circuit Court of Appeals found in favor of data analytics company HiQ Labs, which had been scraping data and building products from LinkedIn public profiles. It’s a case that has a lot of implications — and may still be appealed.
CFAA and anti-hacking rules. LinkedIn tried to stop HiQ by using, among other things, the Computer Fraud and Abuse Act (CFAA), which is a federal cybersecurity and anti-hacking law. In basic terms, the CFAA says that a computer may not be accessed without authorization or in excess of authorization.
The profile data on LinkedIn was and is public. But LinkedIn didn’t like HiQ scraping its content and issued a cease-and-desist order in 2017. The letter stated that HiQ was in violation of LinkedIn’s user agreement as well as California and federal law, including the CFAA among others. LinkedIn also said that it would technically block HiQ’s efforts to scrape the site.
HiQ sued for a preliminary injunction against LinkedIn and won at the district court level. The court ordered LinkedIn to allow HiQ access to the content again. LinkedIn appealed to the Ninth Circuit.
Who’s “authorized” to access website content. A central question in the case was whether, once HiQ received LinkedIn’s cease-and-desist letter, HiQ’s access was “without authorization” under CFAA. The Ninth Circuit said no.
CFAA contemplates information that is not publicly accessible (e.g., password protected). Public LinkedIn profiles were not password protected. In simple terms: only if the LinkedIn data was non-public would the company have been able to invoke CFAA to block HiQ’s access.
LinkedIn argued that HiQ violated the terms of its user agreement. The Ninth Circuit pointed out that HiQ’s status as a “user” was terminated by LinkedIn with the cease-and-desist letter. In addition, LinkedIn didn’t claim any ownership interest in the public profile content. And while LinkedIn also said it was seeking to protect users’ privacy rights in blocking HiQ, the court didn’t buy that argument regarding public profile information — where there was little or no expectation of privacy.
Other potential ways to block scraping. The case was substantially about CFAA, though there were other claims the court discussed. In the end, the court didn’t say that a website owner has no recourse against wholesale appropriation of its public content. It said that other laws could apply: “state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.”
The Ninth Circuit didn’t analyze the application of any of these theories to the facts of HiQ, however. It simply said they might apply to protect against scraping or content appropriation.
In response to the decision, a LinkedIn spokesperson offered the following statement: “We’re disappointed in the court’s decision, and we are evaluating our options following this appeal. LinkedIn will continue to fight to protect our members and the information they entrust to LinkedIn.”
Why we should care. This case may not be over and could ultimately wind up before the U.S. Supreme Court. Its broadest interpretation, however, appears to be: any “public” online data not owned or password protected by a publisher — and facts cannot be copyrighted — can be freely captured by third parties.
At the end of the opinion, the court expressed concern that “giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.”