Data Scraping

Parts of today’s online business and technology market rely on operating websites with two characteristics:  (1) making access to data available to the general public and (2) protecting that data from web scraping.  Website owners and web scrapers will want to watch hi’Q Labs’ litigation against LinkedIn Corp. to see if these two characteristics are, in fact, compatible, something placed in doubt by the United States Court of Appeals for the Ninth Circuit in HiQ Labs, Inc. v. LinkedIn Corp., 2019 U.S. App. LEXIS 27107, ___ F.3d ___, 2019 WL 4251889 (9th Cir. Sep 9, 2019).

In hiQ Labs, the Ninth Circuit narrowly interpreted the meaning of “without authorization” in the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to deny LinkedIn’s appeal of the District Court’s preliminary injunction forbidding LinkedIn from preventing hiQ Labs from scraping LinkedIn servers for publicly available information.

In apparent contravention of LinkedIn’s User Agreement, hiQ scraped the profiles of LinkedIn members for information that was viewable by any member of the general public.  HiQ did not scrape the profiles of those LinkedIn members whose privacy settings precluded access by the general public.  HiQ used the scraped information to produce “people analytics” it sold to businesses.  LinkedIn was likley aware of this activity because LinkedIn personnel had attended hiQ events selling its product over several years.  When LinkedIn developed a competing product, however, it sent a cease-and-desist letter to hiQ claiming the scraping activities violated LinkedIn’s User Agreement.  LinkedIn also took technical measures to prevent hiQ from accessing its website and warned hiQ that it risked violating the CFAA if it continued scraping.

Claiming a right to scrape and copy publicly available information, hiQ sued and obtained a preliminary injunction prohibiting LinkedIn from denying hiQ access to the information in LinkedIn profiles visible to the general public.  LinkedIn appealed, arguing in part that given the cease-and-desist letter, hiQ would violate the CFAA provision against intentionally accessing a computer without authorization to obtain information from a protected computer.  The Ninth Circuit disagreed.

The Ninth Circuit noted that authorization is “an affirmative notion” indicating access must be restricted except to those specifically permitted.  In order for a website to be accessed without authorization, then, the website’s generally applicable rules require some indication of permission.  Since LinkedIn allows anyone with a computer and an Internet connection to access publicly available portions of LinkedIn member profiles, LinkedIn’s generally applicable rule is access without authorization.  As a result, hiQ Labs had a strong argument that despite LinkedIn’s User Agreement and the cease-and-desist letter, hiQ’s could access LinkedIn servers to scrap publicly available information without violating the CFAA.  The existence of a strong argument was enough for the Ninth Circuit to affirm the District Court’s order granting the preliminary injunction.  The Ninth Circuit noted other legal bases might exist to allow LinkedIn to ban hiQ and it was not addressing those.

By Robert Eatinger & David Verhey

Partners at Dunlap Bennett & Ludwig

https://www.dbllawyers.com/when-you-let-everyone-in-stop-is-not-enough/