In a ninth Circuit Court ruling last week, the Court sided with hiQ Labs which had been barred from accessing LinkedIn for the purposes of scraping public profiles. hiQ Labs, a data analytics company which identifies employees who may be looking to depart, won a preliminary injunction against LinkedIn. This is the second court which has evaluated the case and sided against the Microsoft subsidiary.
argued that scraping after a cease-and-desist letter was “without
authorization” under the federal Computer Fraud and Abuse Act (CFAA), but hiQ
Labs argued that the content was public and that scraping public data was not
akin to hacking.
ruled that “there is little evidence that LinkedIn users who choose to
make their profiles public actually maintain an expectation of privacy with
respect to the information that they post publicly, and it is doubtful that
continued, “LinkedIn invokes an interest in preventing ‘free riders’ from using
profiles posted on its platform. But LinkedIn has no protected property
interest in the data contributed by its users, as the users retain ownership
over their profiles.”
Law Review summarized the case:
Most notably, the Ninth Circuit held that HiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.
In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court HiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches. Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.”…
On appeal, the parties offered dueling visions of what the law surrounding the CFAA and scraping should be:
LinkedIn: “[A]uthorization from LinkedIn—the server’s owner—is ‘needed’ to avoid CFAA liability, regardless of whether those servers also host data that LinkedIn generally makes available on its website. hiQ lacked that required “authorization” once LinkedIn sent hiQ its cease-and-desist letter and implemented additional technological barriers restricting bot access.”
HiQ: “LinkedIn does not grant permission to access its public content because those pages are, by definition, open for all to see and use. hiQ, like any other Internet user, simply requests LinkedIn’s public pages, and LinkedIn’s servers automatically provide them. There is no “authorization” for LinkedIn to revoke. Reading the statute in accordance with the language’s ordinary significance, “without authorization” refers to circumstances where authorization is a prerequisite to access.”National Law Review
access without authorization under the CFAA generally covers hacking and
employee access after permission has been rescinded. As public profiles
are not subject to passwords, the question of whether the CFAA applied was in
likely that when a computer network generally permits public access to its
data, a user’s accessing that publicly available data will not constitute
access without authorization under the CFAA,” wrote the Court. “The data
hiQ seeks to access is not owned by LinkedIn and has not been demarcated by
LinkedIn as private using such an authorization system. HiQ has therefore
raised serious questions about whether LinkedIn may invoke the CFAA to preempt
hiQ’s possibly meritorious tortious interference claim.”
ruling supports web scraping of public sites. What it doesn’t address is
whether harvesting member data for the purposes of generating datasets which
counter the interests of social media sites and its members is against the
public interest. This question may be more of a public policy question than
a legal one. Members join LinkedIn for the purposes of professional
networking, job searching, and self-marketing. While public LinkedIn does
not publish emails or direct dials, it includes work and educational histories,
interests, affiliations, and other personal content. Furthermore, it is
easy to guess at emails making it fairly trivial to assemble email files for
spammers. It is very possible, that the HiQ Labs ruling conforms with US
law but due to the Personally Identifiable Information content being gathered
is counter to European GDPR. The result could well be the loss of public
LinkedIn profiles or a thinning of publicly posted profiles.
focused on the CFAA and did not evaluate other arguments when granting relief.
“State law trespass to chattels claims may still be available. And
other causes of action, such as copyright infringement, misappropriation,
unjust enrichment, conversion, breach of contract, or breach of privacy, may
also lie,” stated the Court.
Orin Kerr, a
law professor at UC Berkeley called the ruling a “major decision for the
open internet. It doesn’t establish that scraping websites is completely
legal, but it goes a long way toward establishing that it’s not a federal
In the case
of HiQ, they offer predictive attrition models which could result in
individuals not being hired or employees not being promoted. “Keeper is
the first HCM tool to offer predictive attrition insights about an
organization’s employees based on publicly available data,” says the firm.
While some high-value employees may enjoy additional leverage due to
these models, others may be mistrusted.
imagine other detrimental use cases such as credit companies tracking
employment and lowering credit scores. The result would be higher
interest costs and a lowered ability to find a job. The result would be
decreased transparency and truthfulness on LinkedIn.
As such, the
scraping of LinkedIn data could undermine the trust members have in LinkedIn or
limit the permissions granted to LinkedIn. If LinkedIn played
fast-and-loose with member data, they would have less standing, but LinkedIn
does not permit downloading of member data to Excel or the uploading of member
data to CRMs. Sales Navigator treats member data as view only in its SNAP
connectors. Thus, LinkedIn is placing data privacy rules on itself that
it cannot place on third-parties that gather LinkedIn data. More broadly,
parent company Microsoft has committed itself to GDPR as a global data privacy
David Raab of the Customer Data Platform Institute had a tongue-in-cheek view
of the case: “In what I like to think of as CSI: Obvious Division, a federal
appeals court ruled that LinkedIn can’t block scraping of published member data
because people had no expectation of privacy for their public profiles.
It’s rather amazing LinkedIn thought they could win with that one.”