Court of appeals rules web scraping doesn’t violate anti-hacking law

On Monday, September 9th, 2019, LinkedIn lost their appeal in the 9th U.S. Circuit Court of Appeals against hiQ Labs Inc. The court ruled that hiQ could continue scraping publicly available information off the site. See the ruling here.

In 2017, LinkedIn sent a cease-and-desist to hiQ that they had violated the 1986 Computer Fraud and Abuse Act (CFAA). This act is vaguely written for a time when the internet was not widespread. It makes it illegal to access a “protected computer” without or in excess of “authorization”. There are a lot of things that can be interpreted from this, including possibly web scraping.

hiQ then sued LinkedIn in order to have their scraping activities declared as not hacking but also sought an order banning LinkedIn from interfering. They won an injunction preventing LinkedIn from blacklisting them from their site with technical tools in 2017. The ruling on Monday upholds the injunction and found scraping publicly available data does not violate the CFAA.

Circuit Judge Marsha Berzon wrote in the ruling:

Affirming the district court’s grant of the preliminary injunction in favor of hiQ, the panel concluded that hiQ established a likelihood of irreparable harm because the survival of its business was threatened. The panel held that the district court did not abuse its discretion in balancing the equities and concluding that, even if some LinkedIn users retain some privacy interests in their information notwithstanding their decision to make their profiles public, those interests did not outweigh hiQ’s interest in continuing its business. Thus, the balance of hardships tipped decidedly in favor of hiQ.

hiQ vs LinkedIn

It was also noted that none of the computers for which the CFAA applied were accessible to the general public. The difference here is that what hiQ is scraping are public LinkedIn profiles that the users are intending to be available to anyone with an internet connection.

What about profiles only visible when logged in?

Judge Berzon expands on this as well. Most (all?) profiles at LinkedIn are not accessible unless you are logged into LinkedIn. Regardless, the 9th Circuit Court didn’t care.

LinkedIn invokes an interest in preventing “free riders” from using profiles posted on its platform. But LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles. And as to the publicly available profiles, the users quite evidently intend them to be accessed by others, including for commercial purposes—for example, by employers seeking to hire individuals with certain credentials. Of course, LinkedIn could satisfy its “free rider” concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line.

hiQ vs Linked

“…LinkedIn has not protected property interest in the data contributed by its users, as the users retain ownership over their profiles.” Ouch. Take that LinkedIn.

The court did say that if LinkedIn really wanted to stop the web scraping, “…by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line.”

Leave a Reply

Your email address will not be published. Required fields are marked *