The United States Court of Appeals for the Ninth Circuit has ruled against Microsoft-owned social network LinkedIn in its dispute with hiQ Labs over its right to prevent third parties from scraping publicly available data, the scope of data use legislation, and the potential for anti-competitive behaviour. HiQ is a technology business based in San Francisco that trades in corporate and employee data that has been collected or ‘scraped‘ from publicly available web sources such as LinkedIn and then processed and stored on its own servers.
In May 2017, LinkedIn issued a cease-and-desist order against hiQ, citing illegal data scraping and violations of LinkedIn’s user agreement by reselling or sharing data without express authorisation. The correspondence confirmed that as a result, hiQ’s access to and ability to scrape information from LinkedIn’s website had been restricted, and warned that circumventing such measures could result in violations of statutes such as the Federal Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act, the California Penal Code, and common law trespass.
Soon after, hiQ’s CEO Mark Weidick issued a statement on the company’s website, claiming that the company’s “whole existence is related to the principle of public data truly being equally accessible to all members of the public.” LinkedIn’s attempt to enclose this public information – which is accessible to anybody with a web browser – poses a threat not only to hiQ, but to any firm that relies on public sources to inform its services.” HiQ obtained an injunction in August 2017 requiring LinkedIn to lift all restrictions on its access to the website, based on the fact that the data at issue was publicly available and not confidential, and that LinkedIn’s actions could constitute a breach of competition law by endangering the viability of similar businesses, with implications for the concept of free speech of a free, open and accessible internet.
An appeal to the Ninth Circuit of the United States Court of Appeals upheld the lower court’s decision, which was later overturned by the Supreme Court in the wake of the Van Buren v US decision, which looked into the meaning of intentionally accessing a computer “without authorization” or “exceeding authorised access,” narrowing the scope of the CFAA. “The Supreme Court didn’t rule on the merits of the [hiQ] case; instead, it directed that it be reconsidered in light of Van Buren,” explains Ashley Shively, a data and class action partner at Holland & Knight in San Francisco. As a result, the Ninth Circuit revisited its earlier decision, which it confirmed this week. “We’re sad, but this was a preliminary judgement, and the case is far from done,” a LinkedIn representative said, hinting at the prospect of another appeal. We’ll keep fighting to defend our members’ freedom to control what information they share on LinkedIn.”
“We are glad to see that the Ninth Circuit has again affirmed, in light of the Supreme Court’s judgement in Van Buren v United States, the preliminary injunction that our firm helped hiQ achieve in the district court,” said Erik Olson of Farella Braun + Martel, who represented hiQ. The panel’s most recent judgement underscores the limits to which major organisations can utilise the Computer Fraud and Abuse Act to hinder competition from new startups whose business relies on access to publicly available data, while not ruling on the merits of the case.”
COUNSEL
Donald Verrilli, Jonathan Blavin, Nicholas Fram, Rosemarie Ring (now at Gibson, Dunn & Crutcher) and Elia Herrera (now an assistant US attorney) of Munger Tolles & Olson, as well as Joshua Rosenkranz, Eric Shumsky, and Brian Goldman (now the California governor’s deputy legal affairs secretary) of Orrick Herrington & Sutcliffe, represented LinkedIn. Renita Sharma and Terry Witt of Quinn provided advice to hiQ. Emmanuel Urquhart & Sullivan, with Kellogg Hansen Todd Figel & Frederick’s Aaron Panner and Gregory Rapawy, Farella Braun + Martel’s Brandon Wisoff, and academic and Harvard professor emeritus Laurence Tribe. “Despite a trip all the way to the US Supreme Court and back down again, and despite the intervening developments and detours, the underlying legal issues and the relevant factual landscape are remarkably unchanged,” said academic and hiQ’s counsel Tribe, adding that he found the judge’s opinion “entirely persuasive.”
IMPLICATIONS
“Decisions in circuit courts could go different ways in determining whether scraping of websites is a violation of the CFAA, but it is obvious that this is not the case in this Ninth Circuit ruling.” So, even if a website’s terms of service forbade scraping, it would probably not constitute a violation of the CFAA,” Shively argues. “Importantly, the Ninth Circuit didn’t decide on the merits, but on the preliminary injunction, which was granted before the court had heard all the evidence,” she says, pointing out that the injunction obtained by hiQ is at the heart of the case and that the issues raised by the broader dispute have yet to be fully examined in court. Thus the dispute is still at a preliminary stage, despite the initial cease and desist having been issued in May 2017. The ruling upholds a limited reading of the CFAA, a 1986 law whose implementation is unlikely to be what it was intended to be, given that it was enacted at a time when today’s technology was unimaginable.
“Companies that store publicly available information on online sites that do not need a login or password may no longer be able to depend on the CFAA to prevent others from scraping data from those web sites,” Shively argues. “Even if the corporation revokes rights to information by blocking internet protocol addresses or issuing cease and desist letters, and even if there is a breach of web site terms and conditions, the CFAA is no longer something that firms can rely on as long as the data is publicly available.” The unusual case trajectory — an injunction followed by an appeal, a Supreme Court vacated ruling, and a further reexamination by the appellate court – does not exclude out another appeal. “Regardless of what occurs, the underlying matter is still on the table, and there is still case law to be made on it, as well as various types of motions that could be filed in district court,” Shively says.
AN INCREASE IN INTEREST
The lawsuit contained a slew of amici curiae submissions, including one from CoStar Group, which hired Williams & Connolly lawyers John Williams and Nicholas Boyle (now at Latham & Watkins), and another from Craigslist, which hired Latham & Watkins’ Perry Viscounty and Gregory Garre.
Organisations that are not for profit Through in-house legal teams, the Electronic Privacy Information Center (EPIC), Electronic Frontier Foundation (EFF), and digital library Internet Archive, as well as internet search company DuckDuckGo and industry group Reporters Committee for Freedom of the Press (RCFP), which represented 30 news media entities, made submissions. Kenneth Wilton and James Harris of Seyfarth Shaw represented data business 3taps, and Thomas Christopher of the Law Offices of Thomas V. Christopher advised data scraping company Scrapinghub (now Zyte).
The EFF’s senior staff lawyer Andrew Crocker said the Ninth Circuit decision “reaffirmed the commonsense notion that scraping data from a public website against the wishes of the website owner is not a violation of the Computer Fraud and Abuse Act,” and praised the decision as “good news for all those who collect, aggregate, and index publicly available information, as well as the work of journalists, researchers, and watchdog organisations who use automated tools to finesse public information.”
“For data journalists, this verdict is a significant recognition that scraping material a website decides to make public isn’t illegal,” said Grayson Clary, RCFP’s legal fellow. We’re pleased that the Ninth Circuit sided with the open flow of information, and we hope that other courts will follow suit.”
“The court’s ruling is a disappointment and a blow for online privacy [and] wrongly discounted the harms that LinkedIn users suffer when firms like hiQ ignore their privacy preferences to scrape and monetise personal information,” says EPIC’s director of litigation John Davisson, adding that “the court endorsed an overbroad injunction that wrongly blocks LinkedIn from imposing technical limits on hiQ’s access to user data.”
