A recent decision from the Ninth Circuit Court of Appeals in a dispute between LinkedIn and hiQ Labs has spotlighted the thorny legal issues involved in unauthorized web scraping of data from public websites. While some may interpret the LinkedIn decision as greenlighting such activity, this would be a mistake. On close review of the decision, and in light of other decisions that have held unauthorized web scrapers liable, the conduct remains vulnerable to legal challenge.
hiQ and LinkedIn
Founded in 2012, hiQ is a data analytics company that uses automated bots to scrape information from LinkedIn’s website. hiQ targets the information that users have made public for all to see in their LinkedIn profile. hiQ pays nothing to LinkedIn for the data, which it uses, along with its own predictive algorithm, to yield “people analytics,” which it then sells to clients.
In May 2017, LinkedIn sent a cease-and-desist letter to hiQ demanding that it stop accessing and copying data from LinkedIn’s servers. LinkedIn also implemented technical measures to prevent hiQ from accessing the site, which hiQ circumvented.
Shortly thereafter, with its entire business model under threat, hiQ filed suit in the United States District Court for the Northern District of California seeking injunctive relief and a declaration that LinkedIn had no right to prevent it from accessing public LinkedIn member profiles.
Without access to LinkedIn public profile data, hiQ argued that it would likely be forced to breach its existing contracts with clients and to pass up pending deals with prospective clients. hiQ further noted that it was in the middle of a financing round when it received LinkedIn’s cease-and-desist letter and that in light of the uncertainty about the company’s future viability, that financing round stalled. hiQ claimed that if LinkedIn prevailed, it would have to lay off most, if not all, of its employees and shutter its operations.
In August 2017, the district court granted hiQ’s motion for a preliminary injunction. It ordered LinkedIn to withdraw its cease-and-desist letter, to remove any existing technical barriers to hiQ’s access to public profiles, and to refrain from putting in place any legal or technical measures with the effect of blocking hiQ’s access to public profiles.
LinkedIn appealed the district court’s order. More than two years passed.
The LinkedIn Decision
On September 9, 2019, the Ninth Circuit affirmed the district court’s preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles.
The Ninth Circuit concluded that the district court did not abuse its discretion in finding that hiQ established a likelihood of irreparable harm because the survival of its business was threatened. The court further held that the district court did not abuse its discretion in balancing the equities and concluding that, even if some LinkedIn users retain some privacy interests in their information notwithstanding their decision to make their profiles public, those interests did not outweigh hiQ’s interest in continuing its business.
While not ruling in favor of hiQ on the merits, the court held that the district court did not abuse its discretion in finding that hiQ raised serious questions going to (1) the merits of its claim for tortious interference with contract, alleging that LinkedIn intentionally interfered with its contracts with third parties, and (2) the merits of LinkedIn’s legitimate business purpose defense. hiQ also raised a serious question as to whether its state law causes of action for tortious interference and unfair competition were preempted, as LinkedIn alleged as its principal defense, by the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits intentionally accessing a computer without authorization, or exceeding authorized access, and thereby obtaining information from any protected computer. In particular, the court concluded that hiQ had raised a serious question as to whether the CFAA’s reference to access “without authorization” limits the scope of statutory coverage to computer information for which authorization or access permission, such as password authentication, is generally required.
In short, the court held that the district court did not abuse its discretion in finding that hiQ had made a sufficient showing under the preliminary injunction standard to obtain an order allowing it to continue to operate its business until the merits of the case were decided.
Notably, the court recognized that at the preliminary injunction stage, it was not resolving the companies’ legal dispute definitively, nor was it addressing all the claims and defenses they had pleaded in the district court. The court noted that it was considering only the claims and defenses that the parties pressed on appeal and for which the companies had invoked additional claims and defenses in the district court. The Ninth Circuit expressed no opinion as to whether any of those other claims or defenses might ultimately prove meritorious.
In particular, the Ninth Circuit recognized that while LinkedIn asserted that it has “claims under the Digital Millennium Copyright Act and under trespass and misappropriation doctrines,” it chose for purposes of the appeal to focus on the CFAA defense, such that this was the sole defense to hiQ’s claims that the Ninth Circuit addressed.
Prohibitions on webscraping can take many forms, and liability for unauthorized web scraping can be imposed under numerous legal theories. That one of those legal theories failed at the preliminary injunction stage in LinkedIn’s case does not mean it will fail in most cases.
While the Ninth Circuit took a narrow view of the scope of the CFAA, not all courts would agree with that view. Even with publicly available data, like that on LinkedIn’s site, some courts have held that accessing a site after being expressly informed that further access is unauthorized can violate the CFAA.
Moreover, the Ninth Circuit was careful to note that victims of webscraping are not without resort, even if the CFAA does not apply. The court recognized that claims for trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, breach of privacy may also lie.
Thus, the decision should not be interpreted as greenlighting unauthorized web scraping. Even in the LinkedIn case itself, it is not clear which party will ultimately prevail.
Importantly, the decision emphasizes the need to act promptly against unauthorized web scraping. The court clearly gave weight to the allegation that LinkedIn was well aware of hiQ’s practices for years before sending the cease-and-desist letter. The court further expressed concern that LinkedIn sent the cease-and-desist letter because it planned to create a new product that competed with hiQ’s services, which the court held could raise concerns under California’s unfair competition laws. To avoid such claims, unauthorized web scrapers should be addressed promptly before they free ride for years and build a business off your data.