On September 9, 2019, the United States Court of Appeals for the Ninth Circuit (the “Court”) upheld a preliminary injunction obtained by data analytics company, hiQ Labs (“hiQ”), preventing LinkedIn from blocking hiQ’s access to publicly available LinkedIn member profiles. In concluding that hiQ had raised sufficiently “serious questions” on the factual and legal issues presented by the case, the decision provides insight into the Court’s interpretation of the Computer Fraud and Abuse Act (the “CFAA”) and how the statute applies in the context of data scraping of publicly available data. The decision touches briefly on individual privacy rights, while focusing the majority of its attention on the companies’ respective rights. The Court’s decision, which does not itself decide the issues on the merits but does preview the Court’s thinking, will invariably play into the ultimate resolution of the litigation.
Background
hiQ touts itself as a data science company that uses bots and other tools to collect data about individuals from public sources of information, including public LinkedIn profiles, which it then analyzes and sells to business clients to (1) identify employees who may be at risk of being recruited away and (2) identify gaps in a company’s employees’ collective areas of expertise. hiQ scrapes only data from public profiles and does not access profiles restricted by LinkedIn’s privacy settings—as the Court put it, “the data hiQ was scraping was available to anyone with a web browser.”
LinkedIn endeavors to limit such data scraping by explicitly prohibiting in its online User Agreement the use of bots to scrape information, and by employing tools that block, according to the decision, “approximately 95 million automated attempts to scrape data every day, and [restrict] over 11 million accounts suspected of violating its User Agreement, including through scraping.” In May 2017, LinkedIn sent hiQ a cease-and-desist letter, demanding that hiQ stop accessing and copying data from LinkedIn’s server. LinkedIn asserted that, under relevant precedent, any future use by hiQ of publicly available LinkedIn user data would violate the CFAA, the Digital Millennium Copyright Act, California Penal Code § 502(c), and the California common law of trespass. The letter also stated that LinkedIn had implemented technical measures to block hiQ from scraping data.
In response, hiQ sought a preliminary injunction preventing LinkedIn from blocking hiQ’s access to the publicly available data and seeking a declaratory judgment that LinkedIn could not bar hiQ’s future access, based on tortious interference and unfair competition claims. The district court granted hiQ’s preliminary injunction and ordered LinkedIn to remove any barriers to hiQ’s access of the data. LinkedIn appealed the grant of the preliminary injunction.
Ninth Circuit Decision
Court upholds district court’s findings
On appeal, the Court evaluated the district court’s decision using an abuse of discretion standard. The four factors governing imposition of a preliminary injunction are: (1) likelihood of success on the merits, (2) irreparable harm to the plaintiff, (3) balance of equities, and (4) public interest. Because the factors are weighed together, a finding that the equities heavily favor the plaintiff reduces the necessary showing with respect to likelihood of success on the merits, such that plaintiffs need only show “serious questions going to the merits.”
First, the Court agreed with the district court’s determinations both that hiQ faced irreparable harm and that the equities weighed heavily in favor of hiQ, whose business risked “extinction” absent the preliminary injunction. The Court weighed the threat to hiQ’s business against LinkedIn’s assertions that hiQ’s activity threatens LinkedIn members’ privacy. For example, LinkedIn argued that many members who have public profiles nevertheless choose to exercise a “Do Not Broadcast” option when making changes to their profile; threatening their privacy by scraping information they chose not to broadcast in turn threatens LinkedIn’s goodwill with its members.
The Court recognized some merit to LinkedIn’s privacy concerns but had little sympathy overall. First, it found that there was little evidence to show that LinkedIn users with public profiles maintain an expectation of privacy with respect to their publicly posted information. Second, the Court stated there was no evidence to indicate that people chose not to broadcast their data to prevent their employers from seeing it (as LinkedIn suggested) as opposed to simply not wanting to annoy people with alerts. And third, the Court noted that LinkedIn’s own programs use member data in much the same way that hiQ did. Focusing more on the companies’ respective interests than individual users’ interests, the Court agreed with the district court’s conclusion that LinkedIn’s interest in preventing hiQ from scraping data did not outweigh hiQ’s interest in continuing its business.
Second, having determined that the balance of hardships tipped decidedly in favor of hiQ, the Court further agreed with the district court that hiQ raised serious factual and legal questions to be considered during the merits stage. Namely:
- whether the CFAA’s restriction on access “without authorization” (which LinkedIn sought to invoke in its cease-and-desist letter) applies to information that is generally open to the public;
- whether LinkedIn’s blocking of hiQ’s access to the data on which hiQ’s business relies constitutes tortious interference with hiQ’s client contracts; and
- whether selectively banning a potential competitor from accessing and using otherwise public data constitutes unfair competition under California law.
Finally, the Court agreed with the district court that the public interest favors granting a preliminary injunction. The Court thus affirmed the district court’s imposition of a preliminary injunction, and remanded for further proceedings.
Court favors accessibility of public information and limits to CFAA’s application
In arriving at its decision, the Court discussed its interpretation of the CFAA and issues related to accessing content on the Internet more broadly. The Court expressed concern with creating “information monopolies”—whereby companies like LinkedIn would have the power to control who can collect and use public data made available on the Internet—which concern seemed to inform its analysis of the issues.
The CFAA, which LinkedIn sought to invoke in its cease-and-desist letter, provides that “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished” by fine or imprisonment. 18 U.S.C. § 1030(a)(2)(C). The question the litigation seeks to answer is “whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus a violation of statute.” The Court found that hiQ has raised serious questions about the viability of that argument.
Under the Court’s reading, the CFAA only applies to “private” data that is protected by a “password gate” or other form of authentication. The Court based this reading, in part, on the logic that “without authorization” means “without permission,” and publicly available data, for which permission is not needed to access it in the first place, can never be accessed “without authorization” as required for the CFAA to apply. The Court further supported its reading of the statute by invoking (i) the statute’s legislative history, which it said demonstrates that the CFAA is intended to apply only to conduct akin to “breaking and entering”—an unlawful intrusion into an otherwise inaccessible space—and (ii) the Court’s prior opinions that hold, contrary to its sister circuits, that violations of a website’s terms of use do not give rise to CFAA violations.
In assessing LinkedIn’s “legitimate business purpose” defense against hiQ’s charge of tortious interference, the Court likewise discounted the defense for similar reasons: “If companies like LinkedIn, whose servers hold vast amounts of public data, are permitted selectively to ban only potential competitors from accessing and using that otherwise public data, the result—complete exclusion of the original innovator in aggregating and analyzing the public information—may well be considered unfair competition under California law.”
Mentioned only in a footnote, the Court explicitly left open the possibility that data scraping may still be subject to trespass to chattel claims.
It bears reminding that the Court’s decision only confirms that hiQ has established the necessary elements for a preliminary injunction. The merits remain to be decided by the district court, in the first instance, on remand. Items to watch for the district court’s resolution of include:
- whether data scraping of publicly available data will be viewed as a violation of the CFAA in light of the cease-and-desist letter sent by LinkedIn;
- whether blocking access to publicly available data, knowing that the blocked company relies on that data for fulfillment of its contractual obligation, gives rise to viable tortious interference lawsuits and, where the blocking company uses the blocked data for the same purposes as the company it seeks to block, unfair competition lawsuits; and
- whether data scraping of publicly available data is subject to trespass to chattel claims.
