Case Law, CFAA, Compliance, News, Open Source, Publicly Available Information, Web Crawling, Web Scraping

hiQ v. LinkedIn – Key Takeaways

In one of the more recent landmark web scraping cases, hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. 2019), the Ninth Circuit affirmed the district court’s grant of a preliminary injunction in favor of hiQ, a data analytics company, prohibiting LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. The litigation between the two vendors was centered around LinkedIn’s invocation of the Computer Fraud and Abuse Act (CFAA). The CFAA is a federal cyber-security law that was created in 1984 to prevent hacking and “unauthorized access” to computers and networks.

HiQ is a data analytics vendor that provides business intelligence sourced to publicly available, publicly facing data that is web scraped from LinkedIn. One of the important questions raised by the case, and asked by legal/compliance teams at hedge funds, is where the line between public and private data sits. Is the publicly facing data truly public?

What happened exactly?

Let’s look at LinkedIn’s business first. Yes, the data contained on LinkedIn’s platform belongs to the business and is stored in their network. But, the data is not something that originated from LinkedIn itself – it is all submitted by users of the LinkedIn platform. The data, at the time of the case, was accessible to anyone who visited the site. From hiQ’s perspective, the rationale was that since the data was publicly facing and accessible to anyone – no issue in scraping it. From LinkedIn’s point of view, there are Terms of Use/Terms of Service that explicitly prohibit the use of crawlers, scrapers and automation tools. A visitor is expected to read and be legally bound by the Terms of Service while using the platform.

LinkedIn, naturally, acting in accordance with their Terms of Service and banned IP addresses associated with web crawlers and terminated accounts of suspected offenders. This is how hiQ got caught. But, the vendor was able to circumvent the IP ban and mask their IP addresses. LinkedIn hit back with a cease-and-desist letter, asserting that the hiQ violated LinkedIn’s Terms of Service and the Computer Fraud and Abuse Act. HiQ responded back with a lawsuit seeking injunction against LinkedIn to prevent them from blocking hiQ’s access to the data until the case was resolved.

Ninth Circuit’s Ruling

In LinkedIn’s cease-and-desist letter, they cited web scraping precedent case Facebook v. Power Ventures, No. 17-16161 (9th Cir. 2019). Power Ventures was a company that allowed users to login and manage all of their social networking accounts in one place. In 2008, Facebook sued the company, alleging violation of the CFAA and the California state CFAA equivalent law when it allowed users to access Facebook data after it blocked a specific IP address used by Power Ventures to connect to the Facebook data. In the Power Ventures ruling, the Ninth Circuit found that even though the Power Venture’s scraper had permission to access Facebook accounts using passwords and scrape data, it continued to do so in violation of Facebook’s issued cease-and-desist letter. This meant that Power Ventures was in violation of the CFAA. Key point here is that the court was of the opinion that requiring a login before providing access to the data would render it as private and not public data.

With hiQ, the Ninth Circuit determined that the company was likely to be successful in its claim that the automated access to publicly facing data was not a violation of the CFAA. The Ninth Circuit ultimately upheld the preliminary injunction.

Moving Forward – Key Takeaways

  • This case confirmed that web scraping is vital to a number of industries – commercial use and internal use for companies.
  • The ruling suggests that judges in the future will have more leeway and limits the significance of precedent like Power Ventures.
  • The Ninth Circuit affirmed that any data that required no password or authorization to access and was freely available was fair game for scraping. No authorization to access is implicit unless steps were taken to restrict general access.
  • The CFAA exists to combat hacking and cannot be used as a catch-all for enforcing a website’s Terms of Service.
  • The end-user of a platform owns the data. Any platforms or apps we share data with are merely licensed to use it but do not own it.

**March 2020 Update

On March 10, 2020, LinkedIn filed a petition for writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s ruling in LinkedIn’s case against hiQ and the granting of the preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn profiles. The case concerns the scope of the Computer Fraud and Abuse Act (CFAA) liability associated with web scraping. The argument rests on the Computer Fraud and Abuse Act and also touches on the potential privacy implications for data misuse. Regardless of what happens though, this litigation will continue as hiQ recently filed an amended complaint to, among other things, add a number of antitrust claims. An opinion by the Supreme Court on the relationship between webscraping and the CFAA would be huge.

Stay tuned!

Share this:

Leave a Reply