September 14, 2017

Digital Scraping Update for the Northern District of California

On August 14, 2017, the District Court for the Northern District of California, in hiQ Labs, Inc. v. LinkedIn Corp., granted Plaintiff hiQ Labs, Inc.'s (hiQ) motion for a preliminary injunction over the objection of Defendant LinkedIn Corporation (LinkedIn). The injunction allows hiQ to continue scraping LinkedIn's publicly available user data, which hiQ uses to provide services to employers seeking to retain employees or attract new ones. The Court's decision may be destined for the Ninth Circuit, however, because it ruled that scraping of publicly available data may be permissible, even in the face of technical barriers or explicit prohibitions by the data owners, which arguably runs counter to current Ninth Circuit case law.

The litigation began in May of 2017, when LinkedIn served a cease and desist letter on hiQ, arguing that hiQ's scraping of LinkedIn data violated state and federal law, including California Penal Code 502(c), the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, state common law of trespass, and the Digital Millennium Copyright Act (DMCA). hiQ responded by suing LinkedIn, asserting affirmative rights under the California common law, the Unfair Competition Law (UCL), and the California Constitution. hiQ also sought declaratory relief that it has not violated and will not violate the CFAA, the DMCA, the California Penal Code, or the common law of trespass by scraping LinkedIn's public profiles.

In reaching its decision, the Court balanced hiQ's interest against that of LinkedIn and its users and departed from Ninth Circuit precedent. First, the Court balanced hiQ's survival as a business against LinkedIn users' privacy interests. Since hiQ would have to either go out of business or completely change its business model if LinkedIn blocked it from scraping publicly available profiles, the Court reasoned that hiQ would suffer irreparable harm. On the other hand, the Court discounted LinkedIn's argument that its users would suffer harm via compromise of their privacy. The Court was unconvinced by LinkedIn's concerns because LinkedIn showed "little evidence of users' actual privacy expectation" and because "LinkedIn allows other third-parties to access user data without its members' knowledge or consent."

Second, the Court reasoned that the CFAA likely does not bar hiQ's scraping. The CFAA creates civil and criminal liability for any person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). Prior to this ruling, market players assumed that scraping efforts might violate the CFAA when expressly disallowed by data owners, given two opinions issued by the Ninth Circuit last year. But this Court reached the opposite conclusion in this case because hiQ scrapes only publicly available data, and it distinguished those opinions on that ground.

The Court's opinion also took a historical look at the CFAA and reasoned that Congress could not have meant the CFAA, when it was passed in 1984, to bar scraping of publicly available data because the Internet did not exist in 1984. The Court recalled that, instead of preventing scraping, the CFAA was originally designed to provide a legal remedy to the hacking of computer systems. Moreover, the Court observed that siding with LinkedIn would create the "digital equivalence of Medusa," wherein "merely viewing a website in contravention of a unilateral direction from a private entity would be a crime" (emphasis in original). The Court noted that such a regime would lead to a parade of horribles, including blocking access on the "basis of race or gender discrimination," politically motivated blocking of news media or rival candidates, or companies preventing "competitors or consumer groups from visiting their websites to learn about their products or analyze pricing."

Most notably, the Court advanced a much narrower interpretation of the CFAA's "without authorization." The Court noted that a better interpretation would be to require data owners wishing to protect their data from scraping to employ an "authentication system, such as password protection." This narrow interpretation means that even when a data owner employs technical countermeasures like IP blockers, a scraper that circumvents such a countermeasure would not be acting without authorization, because the publicly viewable data was "not protected by an authentication gateway."

For the moment, companies trying to protect data against scraping should consider making data at least semi-private, if possible, or, if not, implementing technological measures to prevent scraping. Scraping companies, on the other hand, might consider cautiously expanding scraping efforts into publicly available data. However, no one should make drastic changes to their business plans, because this opinion is likely going to the Ninth Circuit. It is certainly a development to watch if either you have publicly available data you want to protect or there is publicly available data you want to gather and use.