hiQ v. LinkedIn and the Fight Against Data Scraping Bots
How public is a public website? When are bots permitted to copy information from public websites? Who owns your social media data? These are some of the issues raised by hiQ Labs, Inc. v. LinkedIn Corporation, which is currently under appeal in the Ninth Circuit.[1]
In June 2017, after receiving a cease and desist letter from LinkedIn, hiQ filed an action seeking a declaratory judgment that it was not violating federal or state law by accessing and copying public information from LinkedIn’s website.[2] In August 2017, hiQ was granted a preliminary injunction by Judge Edward M. Chen of the United States District Court for the Northern District of California, prohibiting LinkedIn from blocking hiQ from accessing its website.[3]
Why was LinkedIn blocking hiQ? Because hiQ’s business depends on using software designed to perform automated tasks – commonly known as “bots” – to crawl, or visit and copy, LinkedIn’s website.[4] hiQ then uses the data it “scrapes,” or automatically collects, to create services which alert employers about their employees’ online activity.[5] LinkedIn argued that hiQ’s activity harmed its service because LinkedIn’s members care about the privacy of their profiles and controlling the use of their data.[6]
hiQ, in turn, was motivated to take legal action because data scraping is legally controversial – often, companies whose websites are scraped sue scrapers under the Computer Fraud and Abuse Act (CFAA). The CFAA offers a civil remedy when an individual “intentionally accesses a computer without authorization or exceeds authorized access.”[7] The CFAA, traditionally seen as an anti-hacking statute,[8] has been used to block scraping of websites such as Facebook[9] and Craigslist.[10] In Facebook, Inc. v. Power Ventures, the Ninth Circuit – the same Circuit hearing LinkedIn’s appeal – held that while Power Ventures originally had implicit permission to access Facebook’s website via the consent of its users, Facebook’s cease and desist letter revoked this permission.[11] As a result, from that point forward, Power Ventures was exceeding authorized access and was thus liable under the CFAA.[12] In filing the lawsuit against LinkedIn, hiQ expressed its fear that it would also be held liable.
Judge Chen ultimately decided the motion for preliminary injunction by looking at LinkedIn’s own policies for third-party access to user data, and determining that hiQ had raised serious questions about the applicability of the CFAA to its conduct, as well as about whether LinkedIn had anti-competitive motives behind blocking hiQ’s access to its website.[13]
The Ninth Circuit appeal is ongoing; oral arguments were held on March 15, 2018 and can be viewed on the court’s website. Numerous parties, including 3Taps, craigslist, the Electronic Privacy Information Center, the Electronic Frontier Foundation have filed amicus curiae briefs. How the Ninth Circuit rules in the case will help determine how bots can legally function on the web, for now.
Footnotes