In a ninth Circuit Court ruling last week, the Court sided with hiQ Labs which had been barred from accessing LinkedIn for the purposes of scraping public profiles. hiQ Labs, a data analytics company which identifies employees who may be looking to depart, won a preliminary injunction against LinkedIn. This is the second court which has evaluated the case and sided against the Microsoft subsidiary.
LinkedIn argued that scraping after a cease-and-desist letter was “without authorization” under the federal Computer Fraud and Abuse Act (CFAA), but hiQ Labs argued that the content was public and that scraping public data was not akin to hacking.
The Court ruled that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do.”
The Court continued, “LinkedIn invokes an interest in preventing ‘free riders’ from using profiles posted on its platform. But LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”
The National Law Review summarized the case:
Most notably, the Ninth Circuit held that HiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.
In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court HiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches. Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.”…
On appeal, the parties offered dueling visions of what the law surrounding the CFAA and scraping should be:
LinkedIn: “[A]uthorization from LinkedIn—the server’s owner—is ‘needed’ to avoid CFAA liability, regardless of whether those servers also host data that LinkedIn generally makes available on its website. hiQ lacked that required “authorization” once LinkedIn sent hiQ its cease-and-desist letter and implemented additional technological barriers restricting bot access.”
HiQ: “LinkedIn does not grant permission to access its public content because those pages are, by definition, open for all to see and use. hiQ, like any other Internet user, simply requests LinkedIn’s public pages, and LinkedIn’s servers automatically provide them. There is no “authorization” for LinkedIn to revoke. Reading the statute in accordance with the language’s ordinary significance, “without authorization” refers to circumstances where authorization is a prerequisite to access.”National Law Review
Intentional access without authorization under the CFAA generally covers hacking and employee access after permission has been rescinded. As public profiles are not subject to passwords, the question of whether the CFAA applied was in question.
“It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA,” wrote the Court. “The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.”
Thus, the ruling supports web scraping of public sites. What it doesn’t address is whether harvesting member data for the purposes of generating datasets which counter the interests of social media sites and its members is against the public interest. This question may be more of a public policy question than a legal one. Members join LinkedIn for the purposes of professional networking, job searching, and self-marketing. While public LinkedIn does not publish emails or direct dials, it includes work and educational histories, interests, affiliations, and other personal content. Furthermore, it is easy to guess at emails making it fairly trivial to assemble email files for spammers. It is very possible, that the HiQ Labs ruling conforms with US law but due to the Personally Identifiable Information content being gathered is counter to European GDPR. The result could well be the loss of public LinkedIn profiles or a thinning of publicly posted profiles.
The Court focused on the CFAA and did not evaluate other arguments when granting relief. “State law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie,” stated the Court.
Orin Kerr, a law professor at UC Berkeley called the ruling a “major decision for the open internet. It doesn’t establish that scraping websites is completely legal, but it goes a long way toward establishing that it’s not a federal crime.”
In the case of HiQ, they offer predictive attrition models which could result in individuals not being hired or employees not being promoted. “Keeper is the first HCM tool to offer predictive attrition insights about an organization’s employees based on publicly available data,” says the firm. While some high-value employees may enjoy additional leverage due to these models, others may be mistrusted.
One could imagine other detrimental use cases such as credit companies tracking employment and lowering credit scores. The result would be higher interest costs and a lowered ability to find a job. The result would be decreased transparency and truthfulness on LinkedIn.
As such, the scraping of LinkedIn data could undermine the trust members have in LinkedIn or limit the permissions granted to LinkedIn. If LinkedIn played fast-and-loose with member data, they would have less standing, but LinkedIn does not permit downloading of member data to Excel or the uploading of member data to CRMs. Sales Navigator treats member data as view only in its SNAP connectors. Thus, LinkedIn is placing data privacy rules on itself that it cannot place on third-parties that gather LinkedIn data. More broadly, parent company Microsoft has committed itself to GDPR as a global data privacy standard.
Analyst David Raab of the Customer Data Platform Institute had a tongue-in-cheek view of the case: “In what I like to think of as CSI: Obvious Division, a federal appeals court ruled that LinkedIn can’t block scraping of published member data because people had no expectation of privacy for their public profiles. It’s rather amazing LinkedIn thought they could win with that one.” .dialogRendere