Kesselman Brantly Stockinger LLP
With social media in widespread use across all generations, vast amounts of publicly available data exist that automated bots can scrape and provide to other companies for commercial use. In hiQ Labs, Inc. v. LinkedIn Corp., — F.3d — (2019), 2019 WL 4251889 (9th Cir. Sept. 9, 2019), the Ninth Circuit weighed in, albeit on a limited record, on whether hiQ’s use of public information scraped by bots from LinkedIn violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and whether LinkedIn’s prevention of such conduct could support an intentional interference with contract claim brought by hiQ. To be specific, the Ninth Circuit reviewed whether the district court’s grant of a preliminary injunction in favor of hiQ was an abuse of discretion. But the decision provides a glimpse into how the Ninth Circuit Court of Appeals views some important issues on the merits.
I. BACKGROUND FACTS
LinkedIn is a professional networking website that was founded in 2002 and hosts 500 million members. hiQ Labs, 2019 WL 5251889, at *2. LinkedIn admits that it does not own the information that users post to their personal profiles; members own the content and LinkedIn is granted “only a non-exclusive license to ‘use, copy, modify, distribute, publish, and process’ that information.” Id. Members choose among privacy settings and decide whether portions of their profile are open to the public. LinkedIn has “taken steps to protect the data on its website from what it perceives as misuse or misappropriation” and “employs several technological systems to detect suspicious activity and restrict automated scraping.” Id. LinkedIn’s User Agreement provides that users agree not to “[s]crape or copy profiles and information of others through any means” or “[c]opy or use the information, content or data on LinkedIn in connection with a competitive service (as determined by LinkedIn).” Id. & n. 5.
hiQ is a data analytics company founded in 2012 that uses automated bots to scrape information from public LinkedIn profiles. Id. at *3. It uses that information to yield analytics that it then sells to business clients, including information on employees who are at risk for being recruited away and information to help employers recognize skill gaps in their workforce. Id. hiQ regularly organized conferences discussing its business model and LinkedIn representatives attended such conferences. Id.
More recently, LinkedIn has explored ways to capitalize on the data contained in public profiles and launched a competing product to one of hiQ’s products. In May 2017, LinkedIn sent hiQ a cease-and-desist letter asserting that hiQ was in violation of LinkedIn’s User Agreement and demanding that hiQ stop scraping data from its server. Id. The letter also informed hiQ that if it continued to scrape data, it would be in violation of the CFAA, the Digital Millennium Copyright Act (“DMCA”), California Penal Code § 502(c), and common law trespass. Id. LinkedIn terminated hiQ’s LinkedIn membership. Id. at *2, n 5. hiQ filed suit seeking injunctive relief and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA, the DMCA, California Penal Code § 502(c), or common law trespass against it. Id. at *4.
The district court granted hiQ’s motion for preliminary injunction and ordered LinkedIn to remove any barriers to hiQ’s access to LinkedIn’s public profiles located on its servers. Id. LinkedIn appealed.
II. NINTH CIRCUIT RULING
While the Ninth Circuit reviewed the district court’s decision for abuse of discretion and had a limited record to evaluate, the Ninth Circuit addressed a number of notable topics, including (a) whether LinkedIn users have an expectation of privacy in how data in their public profiles is used; (b) whether LinkedIn has a viable “legitimate business purpose” defense to hiQ’s tortious interference with contract claim; (c) whether hiQ violated the CFAA in scraping LinkedIn servers without authorization; and (d) whether prohibiting LinkedIn’s conduct is in the public interest.
LinkedIn Users Do Not Have An Expectation of Privacy In Their Public Profiles
Selectively Blocking HiQ’s Access to Data Was Not A Justified Trade Practice
The Ninth Circuit agreed with the district court that hiQ had demonstrated a likelihood of succeeding on its intentional interference with contract claim. The Court noted, however, that LinkedIn did not even challenge hiQ’s ability to make out the claim. Id. at *8. Instead, LinkedIn argued that its alleged interference was subject to a “legitimate business purpose” defense. Id. The Ninth Circuit acknowledged that under California law, interference can be justified when “the means of interference involve no more than recognized trade practices” and the conduct is “within the realm of fair competition.” Id. (citing Buxbom v. Smith, 23 Cal. 2d 535, 546 (1944) and Inst. of Veterinary Pathology, Inc. v. Cal. Health Labs., Inc., 116 Cal. App. 3d 111, 127 (1981)). Recognized trade practices include activities such as advertising, price-cutting or hiring – “all practices which may indirectly interfere with a competitor’s contracts but do not fundamentally undermine a competitor’s basic business model.” Id. at *9 (citing Buxbom, 23 Cal. 2d at 546-47).
The Court held that LinkedIn’s conduct blocking hiQ’s access to the data on LinkedIn’s servers was not a trade practice recognized as an acceptable justification for contract interference. Id. Moreover, the Court recognized that because the interference was done in furtherance of LinkedIn’s own plans to introduce a competing data analytics tool, the conduct may not be “within the realm of fair competition.” Id. The Court stated: “If companies like LinkedIn, whose servers hold vast amounts of public data, are permitted selectively to ban only potential competitors from accessing and using that otherwise public data, the result – complete exclusion of the original innovator in aggregating and analyzing the public information – may well be considered unfair competition under California law.” Id. & n.9. Because the Court found hiQ had a likelihood of success on the merits of its tortious interference with contract claim, it did not further reach the merits of hiQ’s unfair competition claim. Id. at *10. The Ninth Circuit’s ruling further protects data mining companies’ contracts with buyers of such data, especially where the data is publicly available.
LinkedIn’s CFAA Defense Was Inapplicable
LinkedIn claimed that even if hiQ’s state law causes of action had merit, those claims were preempted by the CFAA which hiQ allegedly violated by accessing LinkedIn’s servers to scrape public profiles. Id. at *10. The key question the Court addressed was “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA.” Id. Noting that the Ninth Circuit has defined “without authorization” as a non-technical term that means accessing a computer without permission, (citing United States v. Nosal (Nosal II), 844 F.3d 1024, 1028 (9th Cir. 2017)) the Ninth Circuit noted that Nosal II “did not address whether access can be ‘without authorization’ . . . where, as here, prior authorization is not generally required, but a particular person – or bot – is refused access.” Id. at *11.
After reviewing the legislative history of the CFAA, the Ninth Circuit concluded that the statute was enacted to prevent hacking and can be analogized to forced entry; thus it “is best understood as an anti-intrusion statute and not as a ‘misappropriation statute.’” Id. In this regard, the Ninth Circuit split with the First Circuit and Eleventh Circuit. Id. (citing EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contractual restraints could give rise to a claim for unauthorized access under the CFAA); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases)). The Ninth Circuit further concluded that hiQ’s conduct was not similar to “breaking and entering” because the statute is meant to apply to unauthorized access to private information and does not apply to information for which access is open to the general public and permission is not required. Id. at *12. Thus, the Ninth Circuit established that, under similar circumstances, scraping servers of public information cannot violate the CFAA. The Court did specify, however, that other causes of action may apply, including trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy. Id. at *14.
Public Interest Considerations Favor hiQ
Both hiQ and LinkedIn made serious arguments for why the injunction was either for or against the public interest. hiQ asserted that “letting established entities that already have accumulated large user data sets decide who can scrape that data from otherwise public websites gives entities outsized control over how such data may be put to use.” Id. at *15. LinkedIn argued that the preliminary injunction will “invite malicious actors to access LinkedIn’s computers and attack its servers” and it “will be forced to choose between leaving their servers open to such attacks or protecting their websites with passwords, thereby cutting them off from public view.” Id. The Ninth Circuit agreed with the district court that, on balance, consideration of the public interest favors hiQ’s position and that allowing companies like LinkedIn to choose who has access to public data “risks the possible creation of information monopolies that would disserve the public interest.” Id. The Ninth Circuit concluded by stating that it did not view the injunction as “opening the door to malicious activity” because it would not stop LinkedIn from continuing to engage in measures to protect itself from harmful attacks on its servers. Id.
This decision is an important one in setting the stage for the prevention of public data monopolies by the social media giants. This decision can be leveraged by smaller data rivals who will be able to argue, at least in the Ninth Circuit, that they should be able to compete with technology giants in the use of public data.
 Importantly, the Ninth Circuit specified that “[t]his case deals only with profiles made visible to the general public.” Id.