The Ninth Circuit’s Decision in hiQ v. LinkedIn: Data Scraping May Have a Future, But for How Long?
Do companies that gather public information have an obligation to make that information available en masse to would-be competitors? Do competitors have a right to access those companies’ websites to get that information? And do the interests in a free and open Internet prevail over the privacy of millions of citizens whose information is being “scraped” for commercial purposes they neither specifically anticipated nor approved?
These provocative policy questions at the heart of hiQ Labs, Inc. v. LinkedIn Corp., received a broad exposition from the Ninth Circuit, but a narrow decision. The panel affirmed that “serious questions” going to the merits support the district court’s preliminary injunction, allowing hiQ continuing access to LinkedIn’s public website. But the Court’s opinion suggests that the merits of this case ultimately may sidestep the most challenging of these questions. Yet, hiQ may also give the courts the opportunity to re-formulate how existing legal doctrines created for physical property should apply to new technology-based torts.
Background
LinkedIn is the leading online site for professional networking. Since 2002, more than 500 million individuals have posted details from their resumes and professional accomplishments to connect with other professionals, potential clients, and future employers. LinkedIn allows its “members” to restrict access to certain information, but two key facts were noted by the court: the vast majority of members allow public access to at least some of their postings; and those members, not LinkedIn, own their information.
HiQ is a data analytics company that accumulates and analyzes public data posted on LinkedIn, which it then sells to corporate employers. HiQ offers its business clients two analytics, which informs these companies which of their employees are at greatest risk of poaching by other companies, and what gaps these employees may have in their skill sets. Spun positively, hiQ potentially benefits not only its clients, but also LinkedIn users, whose employers use these analytics to determine how best to retain their valuable workforce through career development, competitive bonuses, and other perks.
For several years, hiQ alleges, LinkedIn knew of and tolerated hiQ’s automated data collection from LinkedIn’s public areas. That changed in 2017 when, a month before LinkedIn planned to release its competitive data analytics products, LinkedIn sent hiQ a cease and desist letter revoking hiQ’s user agreement, and threatening hiQ with liability under federal and state law, including the Computer Fraud and Abuse Act (“CFAA”) and parallel California penal code sections, the Digital Millennium Copyright Act (“DMCA”), and state trespass tort law. HiQ responded with a complaint seeking a declaratory judgment that it did not engage int these violations, and injunctive relief and damages based on tortious interference with contract and prospective business relations, unfair competition under California law, and violations of constitutional free speech guarantees.
The district court granted hiQ’s request for a preliminary injunction, finding that hiQ would suffer irreparable harm from exclusion from the LinkedIn public website; and, that serious questions were presented as to whether LinkedIn’s actions constituted unfair competition and intentional interference, and whether the CFAA applied where access to publicly available information was freely granted to others. In an opinion issued September 9, 2019, a panel of the Ninth Circuit affirmed.
Irreparable Harm to a Competitor vs. the Privacy Interests of LinkedIn Members
The district court and Court of Appeals had little trouble finding irreparable harm to hiQ, whose business model depends on access to data available publicly on LinkedIn, but not from other sources (e.g., registration-based sites such as Facebook). The panel viewed LinkedIn’s rejoinder that hiQ could amass its own user data, as LinkedIn had done, as tantamount to an admission of irreparable harm. HiQ is a data analytics company, not a consumer-facing membership site; and a company that must change its business model to survive incurs irreparable harm.
LinkedIn countered that unauthorized data scraping both threatens the privacy of its members and unfairly free-rides on the goodwill it developed with its members by safeguarding their privacy interests. Despite the seriousness of the questions, the panel discounted LinkedIn’s professed privacy concerns. The court doubted that LinkedIn members had any expectation of privacy in publicly-posted information. Moreover, LinkedIn intended to exploit the same public information in competition against hiQ. Further undermining any free-riding concerns, the panel noted, LinkedIn claimed no property interest in data that its members own and deem public.
Does Data Scraping Violate Federal and State Law?
LinkedIn’s primary defense against injunctive relief was that it had the right to exclude hiQ from accessing the data “without authorization” under the CFAA – a federal statute that would preempt hiQ’s state causes of action.[1] Once hiQ received the cease and desist letter, LinkedIn contended, hiQ’s further access was unauthorized and in violation of the CFAA.[2]
The panel noted that although “without authorization” is undefined by the CFAA, its plain meaning had to be tempered by the purpose of the Act: to proscribe intrusions, analogous to breaking and entering, not data misappropriation. And because the CFAA imposes both criminal and civil liability, “authorization” should be interpreted more narrowly “so as not to turn a criminal hacking statute into a sweeping Internet-policing mandate.”
Accordingly, the court interpreted “authorization” as requiring an affirmative grant of permission, like a password, and agreed with the district court that hiQ raised serious questions whether the CFAA could apply to computer systems otherwise open to the general public. The court recognized its interpretation, though consistent with prior Ninth Circuit case law, was not universally shared. The panel cited a circuit split with cases holding the CFAA applicable to breaches of confidentiality or contract restraints,[3] or to access exceeding authorization limits.[4]
That said, the court observed, without deciding, that LinkedIn might not be powerless to limit such intrusions. Trespass to chattels may apply to web scraping that exceeds the owner’s consent. Even here, however, case law conflicts on whether physical harm to the website’s servers is required, or whether a bot’s or web crawler’s use of computing resources is sufficient.
Public Interests in Freedom of Information vs. Data Privacy
The panel balanced three competing public interests. First, although LinkedIn itself had a legitimate interest in blocking abusive users, attacks on servers, and ID theft, this case posed none of those threats. Second, while LinkedIn members had the right to maintain privacy over personal information, the case concerned only information that the members posted as publicly available information; and LinkedIn planned to use the same information to compete against hiQ. Third, the court gave precedence to the public interest in avoiding information monopolies, so that companies could not lock up information intended to be made broadly available and that the companies did not own.
Unfair Competition Claims Await a Future Merits Decision.
HiQ’s complaint further asserted that LinkedIn, in violation of California’s Unfair Competition Law, blocked hiQ’s access to the data for anticompetitive purposes. According to the complaint, LinkedIn as the dominant power in online professional networking was an “essential facility,” and violated “the policy and spirit” of antitrust law by denying access to a competitor. Further, LinkedIn unfairly leveraged its dominance in the networking market to attain anticompetitive advantages in the separate data analytics market.
The district court observed that “unfair” practices under the UCL are broader than under the Sherman Act, and that hiQ plausibly alleged LinkedIn unfairly terminated hiQ’s access (a change to its prior course of dealing) in anticipation of releasing products to compete against hiQ. Accordingly, the district court found serious questions under the UCL claims further supported issuance of the injunction.
A full exposition of these competition issues – described by the Supreme Court as ”at or near the outer boundary of [Sherman Act] § 2 liability”[5] – would surely inspire gigabytes of commentary from the antitrust bar on market definition, monopoly leveraging, reasonable justifications, and the ongoing vitality of the essential facilities doctrine. Regrettably, but perhaps predictably given the thorniness of the issues and the thumbnail UCL allegations in hiQ’s complaint, the panel found it unnecessary to reach the unfair competition issues.
Instead, the district court found, and the court of appeals affirmed, that hiQ presented serious questions on the merits of its claim for intentional interference with its contracts with employers. LinkedIn knew of hiQ’s activities for several years, and knew of hiQ’s contracts and opportunities with several employers; and, as described above, LinkedIn’s purported justifications based on the CFAA or member privacy were weak.
Next Stop – District Court, or Supreme Court?
The Ninth Circuit’s express acknowledgment of a circuit split on a question of statutory interpretation under the CFAA could portend certiorari to the Supreme Court. The panel further noted divergent approaches as to how the common-law tort of trespass to chattels could apply to persons banned or restricted from access to publicly-available web servers. Yet this case simply may not be the right vehicle to settle these issues. The Ninth Circuit postured its analysis tentatively, as “serious questions” awaiting further analysis, rather than as a definitive holding. The complexity and breadth of the issues presented here commends a more comprehensive presentation and analysis of the underlying facts and competing policies at stake.
Still, online companies can glean valuable insights from the district court and panel opinions:
- First, website owners are not left powerless to counter unauthorized intrusions by bots and competitors. Technological means of “authorization” – such as passwords or authentication – still may provide the necessary predicate for statutory and common-law legal protections.
- Second, courts may view more skeptically attempts by commercial site owners to leverage user privacy interests against competitors. But one should not extrapolate too far from the facts here, where members designated their data as publicly accessible. For most password-protected or account-based websites that collect user data, hiQ should still allow site owners to assert user-imposed privacy limits against unwanted data scraping.
- Third, the panel’s opinion still applies the CFAA intact to its most pertinent use cases. Hacking via brute force attacks or access by stolen or borrowed passwords remain squarely within the crosshairs of the CFAA and state trespass law. However, hiQ suggests that the time is ripe for a re-examination of whether or how traditional tort theories should be applied to new technological contexts, and whether decisions such as eBay v. Bidder’s Edge[6] would be decided differently today. Ultimately, hiQ may present an opportunity not just to find a better way to shoe-horn new technologies into old paradigms, but to fashion instead a better-fitting pair of shoes.
Edited by Gary J. Malone
_________________________
[1] 18 U.S.C. § 1030(a)(2)(C) imposes civil and criminal liability on any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer….”
[2] Although LinkedIn asserted justifications under other federal and state laws, it had only raised the CFAA justification before the panel. Nevertheless, LinkedIn likely would have fared no better under those other theories. A DMCA claim for unlawful circumvention requires both an underlying copyrighted work and a circumvention or effective technological protection measures. Here, LinkedIn could claim no ownership over member data scraped by hiQ, and LinkedIn applied no technological protections against access to the public areas of its website. While the panel did address state trespass law (as discussed below), the panel questioned whether trespass could apply without some injury to LinkedIn’s property interests.
[3] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001).
[4] United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).
[5] Verizon Communications Inc. v. Law Offices of Curtis V. Trinko, LLP, 540 US 398, 409 (2004); see Aspen Skiing Co. v. Aspen Highlands Skiing Corp., 472 U. S. 585 (1985).
[6] EBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (finding trespass by auction aggregation site that crawled eBay website for data).