Case Summary and Outcome

The United States Court of Appeals for the Ninth Circuit again reaffirmed the decision of the District Court to grant a preliminary injunction on LinkedIn’s conduct which selectively prevented hiQ from obtaining and using information shared by LinkedIn users and was available publicly to anyone viewing with a web browser. Using automated bots, hiQ scraped information from public profiles of users on LinkedIn and used this information to provide “business analytics” services to clients. The Supreme Court remanded the case for further consideration The panel had ruled that LinkedIn’s cease-and-desist letter to hiQ would endanger the latter’s business. By balancing equities, hiQ’s concerns regarding running a business outweighed the privacy concerns raised by LinkedIn. In this judgement, the Court settles the serious question raised by hiQ with regard to whether accessing “without authorization” under the Computer Fraud and Abuse Act “limits the scope of statutory coverage to computer information for which access permission is generally required.” The Court reiterated Van Buren’s concern that a wide interpretation of CFAA would make it a “sweeping internet-policing mandate”.

Facts

Founded in 2012, the appellant, hiQ scraped information posted by the users on the professional networking website LinkedIn on their public profiles for data analytics using two tools. ‘Keeper’ enabled its business clients to provide career development opportunities and other perks such as identifying employees who would most likely be recruited by competitors. The second tool ‘Skill Mapper’ helped clients to identify employee gaps etc., to provide for internal training and reduce external recruitments.

Linkedin had sent a cease-and-desist letter to hiQ in June 2017 claiming violation of its User Agreement and laws including the CFAA 18. U.S.C. § 1030 (g), Digital Millennium Copyright Act (DMCA) and the common law of trespass. Further, LinkedIn implemented measures to put a halt to hiQ’s scrapping activity and demanded that hiQ stop accessing and copying data from its servers.

HiQ contended that without accessing LinkedIn’s public pages, it would be breaching its contracts with clients and that such access was a matter of right. LinkedIn argued that alternatives to public data exist and that such unfettered access to its data would diminish its long-standing goodwill and threaten the privacy of its members. HiQ then filed a suit seeking injunctive relief along with a request for a temporary restraining order against LinkedIn’s imposition of technical barriers.

The district court granted the motion, ordering LinkedIn to withdraw its cease-and-desist letter and refrain from blocking hiQ’s access to public profiles. The district court based its decision on the ‘sliding-scale’ approach and noted that hiQ’s claims raised serious questions on merits and that public interest favoured granting a preliminary injunction. Giving companies such as LinkedIn freedom to decide who can collect and use public data risks the creation of information monopolies which would be a disservice to public interest. After this order, the defendant filed an appeal in the Ninth Circuit Court of Appeals, which affirmed this preliminary injunction granted to hiQ by the district court.

LinkedIn then filed a writ of certiorari before the Supreme Court. The Supreme Court granted certiorari, vacated the appeals judgement and remanded the case back in light of Van Buren v. United States 210 L. Ed. 2d 26. The Circuit Court affirmed the preliminary injunction and stated that Van Buren had confirmed its decision that hiQ had raised serious questions regarding the invocation of the CFAA by the defendant to preempt hiQ’s potential “meritorious tortious interference claim”. In Van Buren, the Court had held a police sergeant did not violate the CFAA when he “ran a license-plate search in a law enforcement computer database in exchange for money as he was authorized to use the database for his work. Interpreting the “exceeds authorized access” clause, the Court further held that the CFAA “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. ” [pg. 34].

Thus, in circumstances as the present case where the access is publicly available, it would amount to a selective denial of access or ban, and not “lack of authorisation.” While defining public information, the Ninth Circuit Court resorted to the interpretation under the Stored Communications Act 18 U.S.C. §2701 to hold that such information is categorized as readily accessible to masses if the “means of access are widely known, and if a person does not in the course of gaining access encounter any warnings, encryptions, password requests or other indicia of intended privacy” [p. 32, HiQ Labs v. LinkedIn Corp., 938 F.3d 985 (2019)] The court also reaffirmed that CFAA is an anti-intrusion statute and not a “misappropriation statute.” In summary, the court held that access “without authorization” is permissible unless information for which authorization is required is not delineated as “private through use of a permission requirement of some sort” [p. 29, HiQ Labs v. LinkedIn Corp., 938 F.3d 985 (2019)]

Decision Overview

: Judge Berzon delivered the majority opinion of the United States Court of Appeal for the Ninth Circuit, with concurrence by Judge Wallace.

The principal issue before the Court was whether LinkedIn could prevent a competitor, hiQ from collecting and using information that LinkedIn users shared on their public profiles, available to anyone with a web browser. In the preliminary injunction, the Court had focused on whether hiQ raised serious questions on the merits for preliminary relief. The present judgement is a reaffirmation of the preliminary injunction in light of Van Buren. LinkedIn had sent hiQ a cease-and-desist letter to hiQ stating that the former would violate the CFAA if any further scrapping of information ‘without authorisation’ would take place. Further, hiQ would require access to LinkedIn’s servers which are “protected computers” within the meaning of 18. U.S.C. § 1030 (g). By using the sliding scale approach, the district court granted hiQ a preliminary injunction which is reviewed in this judgement [p. 14].

The Circuit Court held that to seek a preliminary injunction, it must be established that there is 1) a likelihood to succeed on merits 2) likelihood to suffer irreparable harm in absence of relief 3) balance of equities is in favour and 4) public interest. The court applied the ‘sliding scale’ approach to the aforementioned factors so that when the balance of hardships is in the plaintiff’s favour, it can only deal with serious questions on the merits. As per this approach, it was in hiQ’s favour as it had no viable way of remaining in business other than using LinkedIn’s public profiles for its two tools. The concept of “without authorization” in the CFAA did not apply in this situation as prior authorization is not required unless refused access. The case has been remanded for further proceedings.

The court stated that there was no abuse of discretion in granting the preliminary injunction by the district court. HiQ did not have any other alternative to remaining in business other than using LinkedIn public data for its services. Therefore, hiQ provided for a sufficient likelihood of irreparable harm in absence of a preliminary injunction. For demonstrating the balance of equities, LinkedIn had argued that such unrestricted usage of data would endanger the privacy of its users. The court however noted that there exists little evidence that those who make public profiles on LinkedIn do it intending to keep their information private. Additionally, users who select the “Do Not Broadcast” option do it for several reasons and not just to prevent their employers from being alerted to profile changes in anticipation of a job [p. 18]. Finally, LinkedIn’s “Recruiter” product delegitimized its actions as this allowed for “talent recruiting, marketing and sales solutions” exporting data from public profiles.

The Court reiterated that while LinkedIn wished to prevent “free riders” from using platform data, it cannot be said that LinkedIn owns such data as the users retain ownership over their profiles. Users who make their profiles do it with the intention for it to be accessed by others, including potential employers [p. 19]. The Court went further, noting that LinkedIn may as well be accountable for tortious interference in hiQ’s contracts with third parties as it is aware of hiQ’s scrapping products as a result of the participation of Linkedin’s representatives in several “Elevate Conferences” hosted by hiQ in 2015 and its technical barriers were intentionally designed to induce a disruption in hiQ’s existing contracts.

Next, while deciding the claim whether scraping and use of LinkedIn’s data was “without authorization” under CFAA, the court emphasized that 18 U.S.C. § 1030(a)(2) suggests that the provision under CFAA is applicable only in situations “where access is not generally available and so a permission is ordinarily required.”

The CFAA 18 U.S.C. § 1030(a)(2)(C) states that “[w]hoever … intentionally access a   computer without authorization or exceeds the authorized access, and thereby obtains…information from any protected computer…shall be punished by fine or imprisonment.” CFAA further authorizes persons suffering damage or loss to bring a civil suit “against the violator to obtain compensatory damages and injunctive relief or any other equitable relief” [p. 27, 28].

The court stated that public LinkedIn profiles which are available to anyone with an internet connection fall under the first kind of computer systems as envisioned by the CFAA i.e. “computers for which access is open to the general public and permission is not required” [p. 33, 34]. These categories of computers are inconsistent with Van Buren’s “gates-up-or-down inquiry”  [p. 35]. The Court held that CFAA’s prohibition on accessing a computer “without authorization” is violated only when a person circumvents a computer’s general rules regarding access permissions to gain access. Any access to a user’s public profiles would not constitute access without authorization under the CFAA. The court held that public profiles are not owned by LinkedIn and have not been demarcated as private using an authorization system [p. 40].

Thus, for all the aforementioned reasons, the court found that, on balance, hiQ was entitled to a preliminary injunction in the broader public interest to maximize the free flow of information on the internet and prevent the possible creation of information monopolies. However, the court also warned that an injunction on LinkedIn’s cease-and-desist letter does not preclude it from engaging in technological self-help against malicious actors.