Access to Public Information, Defamation / Reputation
Aécio Neves da Cunha v. Twitter Brasil
On Appeal Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The United States Court of Appeals for the Ninth Circuit affirmed the decision of the District Court to grant a preliminary injunction against LinkedIn’s conduct which selectively prevented hiQ from obtaining and using information shared by LinkedIn users and available publicly to anyone viewing with a web browser. With the assistance of automated bots, hiQ scraped information from users public profiles on LinkedIn including name, work history, job titles and skills, and used the information to yield “people analytics” in order to sell it to its business clients. The panel ruled that a cause-and-desist action against hiQ preventing access to data on LinkedIn server established “a likelihood of irreparable harm” and threatened the survival of its business. Thus, in balancing equities, the court held that hiQ’s interest in continuing business decidedly outweighed privacy interests of some LinkedIn users in their information, irrespective of their decision to make profiles public. The panel further ruled that hiQ raised a serious question as to whether accessing “without authorization” under the Computer Fraud and Abuse Act “limits the scope of statutory coverage to computer information for which access permission is generally required.”
Founded in 2012, the appellant, hiQ, scraped information posted by the users of the professional networking website LinkedIn on their public profiles for the purpose of data analytics using, primarily, two tools. The first one, “Keeper”, enabled its business clients to provide career development opportunities, bonuses and other perks and identify those employees which were subject to the greatest risk of being recruited from competitors. The second tool called “Skill Mapper” helped its clients identify employee skills and gaps therein to offer internal training and promote mobility, thus reducing employers’ expenditure on external recruitments.
In June 2017, LinkedIn sent a cease-and-desist letter to hiQ claiming violation of LinkedIn’s User Agreement and violation of state and federal law, including the Computer Fraud and Abuse Act (CFAA) 18 U.S.C. § 1030(g), Digital Millennium Copyright Act (DMCA) and the common law of trespass. LinkedIn further implemented certain technical measures to detect, monitor and block hiQ’s bot scraping activity and demanded that hiQ stopped accessing and copying data from LinkedIn servers.
HiQ contended that it had a right to access LinkedIn’s public pages, in absence of which it would be unable to conduct its business and will be forced to breach its existing contracts with clients. LinkedIn, on the other hand, maintained that alternatives to public data on its platform do exist and an unfettered access to such data threatens the privacy of its members and puts at risk the goodwill generated by it over the years. HiQ subsequently filed a suit seeking injunctive relief, while also filing a request for a temporary restraining order against LinkedIn’s conduct imposing technical barriers.
The district court granted the motion, ordering LinkedIn to withdraw its cease-and-desist letter and to refrain from putting in place any technical or legal measures to block hiQ’s access to public profiles. Based on a “sliding scale” approach to determine the balance of hardship while granting an injunctive relief, the district court concluded that hiQ raised serious questions on the merits and that public interest favoured granting preliminary injunction. Following the district court’s order, the defendant filed an appeal to the U.S. Ninth Circuit Court of Appeals, which affirmed the grant of preliminary injunction in favour of hiQ by the district court.
Accordingly, LinkedIn filed a writ of certiorari before the Supreme Court, which currently stands pending.
Judge Berzon delivered the majority opinion of the United States Court of Appeal for the Ninth Circuit, with concurrence by Judge Wallace.
The principle issue before the Court was whether the professional networking website LinkedIn could prevent its competitor, hiQ, from accessing, collecting and using information shared by LinkedIn users on their public profiles, available for viewing by anyone through a web browser. The claim advanced by LinkedIn was based on the ground that once the cease-and-desist letter was issued by it, any further act of scraping information was “without authorization” as per the Computer Fraud and Abuse Act 18 U.S.C. § 1030(a)(2). Further, in order to scrape LinkedIn data, hiQ required access to LinkedIn’s servers, which are “protected computer(s)” within the meaning of 18 U.S.C. § 1030(g).
The CFAA 18 U.S.C. § 1030(a)(2)(C) states that “[w]hoever … intentionally accesses computer without authorization or exceeds the authorized access, and thereby obtains…information from any protected computer…shall be punished by fine or imprisonment.” CFAA further authorizes persons suffering damage or loss to bring a civil suit “against the violator to obtain compensatory damages and injunctive relief or any other equitable relief.” [p. 25, 26]
At the outset of the judgment, the Court considered a four-pronged test before granting a preliminary injunction to hiQ, including determining if there is an irreparable harm/injury in absence of the relief, favorable balance of equities, success of the case on merits and public interest. The court found that being a data analytics company, lack of access to LinkedIn’s public data would tantamount to closure of business for hiQ’s Keeper and Skill Mapper services thereby demonstrating a “likelihood of irreparable harm absent a preliminary injunction.” [p. 14]
While noting that LinkedIn’s claim that its members choosing to share information publicly would not want their employers to have access to employee’s sensitive information in order to avoid negative consequences has some merit, the court found that there are reasons to discount them. Thus, according to court, members’ privacy expectations regarding their public profiles is “uncertain at best” because: (i) no evidence that users on the platform maintain an expectation of privacy while posting information publicly; and (ii) no evidence that users exercising “Do Not Broadcast” option (which provides options to members to prevent employers from being alerted to profile changes) do so to prevent their employers from getting alerted to profile changes “made in anticipation of job search” [p. 15], as they may simply wish to avoid annoying notifications to their connections each time there is an update to their profile. Further, employers can always resort to directly consult their employees profiles to check if changes have been made. Finally, the court also emphasized that LinkedIn’s own actions de-legitimizes its argument of user’s expectation of privacy in public profiles, as its “Recruiter” and “talent recruiting, marketing and sales solutions” products allows access to, and export of, user’s public profiles.
Most importantly, the court highlighted that while LinkedIn may seek to prevent “free riders” from accessing its platform, it has no protected interest in the data contributed by its users, as the ownership over the profiles is retained by the users themselves. By making their profiles publicly available, the users evidently intend them to be accessed by others. The court went further, noting that LinkedIn may as well be held accountable for tortious interference in hiQ’s contracts with third parties as it was aware of hiQ’s scraping products as a result of the participation of LinkedIn’s representatives in several “Elevate Conferences” hosted by hiQ in 2015 and its technical barriers were intentionally designed to induce disruption to hiQ’s existing contracts.
Next, while deciding the claim whether scraping and use of LinkedIn’s data was “without authorization” under CFAA, the court emphasized that 18 U.S.C. § 1030(a)(2) suggests that the provision under CFAA is applicable only in situations “where access is not generally available and so a permission is ordinarily required.” [p. 26] Thus, in circumstances as the present case where the access is publicly available, it would amount to a selective denial of access or ban, and not “lack of authorisation.” While defining public information, the court resorted to the interpretation under the Stored Communications Act 18 U.S.C. §2701 to hold that such information is categorized as readily accessible to masses if the “means of access are widely known, and if a person does not in the course of gaining access encounter any warnings, encryptions, password requests or other indicia of intended privacy.” [p. 32] The court also reaffirmed that CFAA is an anti-intrusion statute and not a “misappropriation statute.” In summary, the court held that access “without authorization” is permissible unless information for which authorization is required is not delineated as “private through use of a permission requirement of some sort.” [p. 29]
Thus, for all the aforementioned reasons, the court found that, on balance, hiQ was entitled to preliminary injunction in broader public interest to maximize free flow of information on the internet and prevent possible creation of information monopolies. However, the court also warned that an injunction on LinkedIn’s cease-and-desist letter does not preclude it from engaging in technological self-help against malicious actors.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The judgment expands expression. While the court has see-sawed between user’s expectation of privacy and the flow of information on public platforms, it eventually clearly lays down that allowing companies like LinkedIn a free rein to decide access to information would restrict free flow of information and provide an outsized control over the collection and use of data that they do not own. This would, in turn, be detrimental to public interests.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Access to information without authorization
Access to information on social networking websites by third parties
Let us know if you notice errors or if the case analysis needs revision.