Dec 212017

Northern District of California Enjoins LinkedIn from Preventing Scraping of Public User Profiles

Ryan Sandrock
, , , ,

In a decision that may have profound implications for social media companies, the big data industry and website terms of use everywhere, Judge Edward Chen of the Northern District of California granted hiQ Labs’ motion for preliminary injunction on August 14, 2017, enjoining LinkedIn from “preventing hiQ’s access, copying, or use of public profiles on LinkedIn’s website.” hiQ Labs, Inc. v. LinkedIn Corporation (N.D. Cal. No. 3:17-cv-03301-EMC). The case is on appeal and will be heard by the Ninth Circuit in 2018.

LinkedIn Sends a Cease and Desist Letter to hiQ

According to the complaint, hiQ scrapes information from LinkedIn user profiles and uses the scraped information to create workforce data products that it sells to employers (e.g. a product identifying employees who might be recruited by other companies). As Judge Chen summarized in his opinion, “hiQ’s [business] model is predicated entirely on access to data LinkedIn users have opted to publish publicly.”

LinkedIn sent a cease and desist letter to hiQ in May 2017, demanding that hiQ stop scraping information from LinkedIn user profiles. LinkedIn’s letter stated that, by accessing LinkedIn’s data, hiQ had violated state and federal law, including California Penal Code Section 502(c), state common law of trespass, federal Computer Fraud and Abuse Act (“CFAA”), and the Digital Millennium Copyright Act (“DMCA”).

hiQ Sues Linkedin and Seeks Injunctive Relief

 The parties could not resolve the matter, and hiQ filed a complaint asserting both claims against LinkedIn under the “unfair” prong of Section 17200 of the California Unfair Competition Law (“UCL”), California Constitution, and other provisions of state law and also seeking a declaration that hiQ’s conduct did not violate the laws asserted by LinkedIn in the cease and desist letter. hiQ did not file any state or federal antitrust claims. hiQ then moved for a temporary restraining order and preliminary injunction, emphasizing the threatened irreparable harm—it would go out of business if LinkedIn prevailed. The Court held a hearing on hiQ’s request for a temporary restraining order on June 29, 2017. The parties then entered into a standstill agreement pending resolution of hiQ’s motion for preliminary injunction. After the parties filed supplemental briefs, the Court held a hearing on the preliminary injunction on July 27, 2017.

Court Finds That There Are Serious Questions Regarding Whether LinkedIn Violated the Unfair Prong of California Unfair Competition Law

Judge Chen granted the injunction in an August 14, 2017 opinion. He found credible hiQ’s claim that it would have to shut its doors if it lost the case—that it faced an “existential threat.” Because Judge Chen found that the balance of hardships “tip[ped] sharply in hiQ’s favor,” hiQ only had to show that there were “serious questions going to the merits” as to its claims. Judge Chen found that there were such questions as to hiQ’s claims under the UCL (he ruled against hiQ on its claims for injunctive relief under the California Constitution and a promissory estoppel theory.) His UCL ruling concluded that hiQ had raised serious questions as to whether LinkedIn was “unfairly leveraging its power in the professional networking market to secure an anticompetitive advantage in another market—the data analytics market.” He did not define the bounds of either market.  He emphasized the possibility that LinkedIn was motivated by anti-competitive purpose, although he also noted LinkedIn’s arguments that anti-scraping efforts helped respect user privacy preferences and were necessary cybersecurity measures. He cited an announcement by LinkedIn’s CEO that suggested to Judge Chen that LinkedIn was developing a product to compete with hiQ and that it took action against hiQ because LinkedIn “wanted exclusive control over that data for its own business purpose.” He did not discuss hiQ’s argument that LinkedIn’s member profiles constituted an antitrust “essential facility.”

Court Questions Whether CFAA Applies to Accessing Publicly Available Data

Judge Chen also provided a lengthy analysis rejecting LinkedIn’s argument that the Computer Fraud and Abuse Act applied, the CFAA preempted hiQ’s state claims, and that hiQ’s access to Linkedin’s computers violated the CFAA.  Judge Chen distinguished two cases cited by LinkedIn, Facebook Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016) and U.S. v. Nosal (Nosal II), 844 F.3d 1024 (9th Cir. 2016).  In the former, the Ninth Circuit considered a defendant’s operation of a website that pulled information from password-protected Facebook member profiles after Facebook had sent a cease and desist letter. The Ninth Circuit found the defendant’s access of this information to be an unauthorized access of Facebook’s computers under the CFAA.  In the latter, the Ninth Circuit held that an employee who used revoked access credentials to access confidential information violated the CFAA. Judge Chen distinguished those cases on the ground that none of the data in those cases was publicly available data but rather was data protected by a password authentication system.

In several strongly-worded sections, Judge Chen expressed concern that extending the CFAA to accessing publicly available data raised serious issues. For instance, he concluded that LinkedIn’s interpretation of the CFAA could mean that merely viewing a website could be a crime—“effectuating the digital equivalence of Medusa.” He also delved into the history of the CFAA, explaining that the CFAA was intended to deal with hacking onto “private, often password-protected mainframe computers” and expressing reluctance to apply the law to the access of websites open to the public. He worried that doing so “would have sweeping consequences well beyond anything Congress could have contemplated” when drafting the CFAA.

Appeal and Next Steps

LinkedIn filed a Notice of Appeal on September 5, 2017. The parties completed briefing on December 13, 2017. Several third-parties submitted amicus briefs. Oral argument will likely take place in March 2018.

Ryan Sandrock

rsandrock@sidley.com

You might also like
Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1