United States: hiQ Labs, Inc. v. LinkedIn Corp.: A Federal Court Weighs In On Web Scraping, Free Speech Rights, And The Computer Fraud And Abuse Act

In recent years, a number of firms in a variety of industries have utilized automated research methods, including web scraping tools and certain forms of artificial intelligence such as bots, to gather information from a variety of sources. For example, asset managers use these tools for research purposes, and third-party vendors use them to obtain information, which they then re-package and sell to investors. Although this practice is increasingly common, questions remain regarding potential exposure to liability for both users of these tools and website hosts who implement technological barriers to prevent their use and protect information.

With that said, a U.S. District Judge in the Northern District of California has issued a novel opinion in hiQ Labs, Inc. v. LinkedIn Corp., with potentially far-reaching impact on the use of automated research tools. In granting a preliminary injunction guaranteeing a company the right to scrape data, the court found that the public nature of the information sought potentially vitiates the application of the federal Computer Fraud and Abuse Act’s (“CFAA”) civil and criminal provisions and other legal restrictions on scraping and similar forms of data harvesting. In reaching its decision, the court even suggested, albeit without specifically holding, that serious questions exist as to whether there is a free speech right under the California State Constitution to access and obtain information that has already been made publicly available on the internet.

Background

Plaintiff, hiQ Labs, Inc. (“hiQ”), brought a federal action against Defendant, LinkedIn Corp. (“LinkedIn”), the popular business and professional social network, asserting claims under California common law, California’s Unfair Competition Law, and the California State Constitution. hiQ Labs, Inc. v. LinkedIn Corp., No. 17-CV-03301-EMC, 2017 WL 3473663, at *1 (N.D. Cal. Aug. 14, 2017). At the heart of the dispute is hiQ’s business model, which consists of selling public information to businesses about their employees. Id. at *1. In practice, hiQ collects that information exclusively from employees’ public LinkedIn profiles by using web scraping or harvesting tools, a method of utilizing computer software to automatically extract data from websites. Id. at *1-2. The company then conducts an analysis of the information for businesses to provide key employment-related data, including, for example, whether employees are at a high risk of leaving a company or being recruited by another business, as well as summaries of skills possessed by certain employees. Id. at *1. LinkedIn eventually sent hiQ a cease and desist letter, alleging that hiQ’s unauthorized data scraping violated LinkedIn’s user agreement, which prohibited certain methods of data collection from the site, including scraping. Id. at *2.

Following failed efforts of resolving the dispute out of court, LinkedIn implemented technical barriers to prevent hiQ from accessing the site, which included systems intended to identify, monitor, and block data scraping activity. Id. hiQ responded by bringing an action in U.S. District Court for the Northern District of California, initially seeking a temporary restraining order against LinkedIn and moving for an order to show cause why a preliminary injunction should not be issued. Id. at *2. After the court held a hearing on the TRO, hiQ’s preliminary motion was eventually converted to a motion for a preliminary injunction by way of a standstill agreement. Id. hiQ also sought a declaration from the court that its actions would not violate, among other laws, the Digital Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act (CFAA), the California Penal Code, and the common law of trespass to chattels. Id. In response, LinkedIn argued that hiQ’s web scraping efforts, in addition to violating LinkedIn’s terms and conditions of use, threatened the privacy of LinkedIn users. Id. at *3-4. LinkedIn also contended that hiQ’s conduct violated the CFAA and, consequently, that hiQ’s state law claims were preempted by federal law. Id. at *4. Rejecting LinkedIn’s arguments, the court ultimately granted hiQ’s motion for a preliminary injunction, barring LinkedIn from continuing to prevent hiQ’s access to the public user profiles. Id. at *13-14. In doing so, the court provided some of the most extensive analysis to date regarding both access to public information on the internet and the legal frameworks governing the practice of scraping web data.

The Court’s Key Findings

In conducting its preliminary injunction analysis, the court first concluded that the likelihood of irreparable harm from allowing LinkedIn to prevent hiQ from continuing to access the information weighed heavily in favor of hiQ, as the company’s business model relied entirely on accessing that information. Id. at *2-4. The court thus found irreparable harm in the fact that the company would likely be forced to shut down if it were prevented from obtaining the information. Id. at *4. In the second step of the court’s analysis, it also held that hiQ had raised “serious questions” going to the merits as to one of its claims. Id. at *12. In reaching its holding, however, the court was first required to address a threshold question of whether hiQ’s claims were preempted by federal law under the CFAA. Id. at *4-9

The CFAA imposes civil and criminal liability where an individual “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). As the court noted, the statute “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Id. at *4 (internal citation omitted). Thus, in addressing hiQ’s conduct, the court analyzed whether “hiQ . . . ‘accesse[d] a computer without authorization’ within the meaning of the CFAA.” Id. The court first rejected the proposition that “LinkedIn’s revocation of permission to access the public portions of its site renders hiQ’s access ‘without authorization’” under the CFAA. Id. at *8. The court then went on to also reject LinkedIn’s argument that hiQ’s use of web scraping methods constituted “access” obtained “without authorization,” stating that there were “‘serious questions’ as to the applicability” of the Act to hiQ’s conduct given that the information at issue was publicly available. Id. at *9. In particular, the court made the key observation that “[a] user does not ‘access’ a computer ‘without authorization’ by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.” Id. at *8. The court spurned a broad reading of the CFAA, stating that the “application of the CFAA to the accessing of websites open to the public would have sweeping consequences well beyond anything Congress could have contemplated; it would ‘expand its scope well beyond computer hacking.’” Id. at *6. (citation omitted). Relying on an analogy to support its ruling, the court also invoked the law of trespass, finding that LinkedIn sought “to prohibit hiQ from viewing a sign publicly visible to all,” suggesting that hiQ’s conduct also did not amount to a trespass sufficient to give rise to liability under the CFAA. Id. at *7. In summary, while the court concluded that LinkedIn could use anti-bot measures to prevent intrusions in the future, it expressed doubt, at least at the preliminary injunction stage, that the CFAA applied to hiQ’s scraping methods where the information obtained was publicly available. Id. at *8-9.

Having found that hiQ’s claims were not preempted under the CFAA, the court then went on to address the potential merits of hiQ’s claims under state law. The court first addressed hiQ’s free speech claim under the California State Constitution. Id. at *10-11. hiQ argued that LinkedIn is a public forum, and therefore hiQ had a free speech right “to access that marketplace on equal terms with all other people and that LinkedIn’s private property rights in controlling access to its computers cannot take precedence.” Id. at *10. Although recognizing that the California Constitution affords broader free speech protection than the First Amendment to the U.S. Constitution, the court found that hiQ had failed to raise “serious questions” regarding whether LinkedIn’s conduct violated hiQ’s free speech rights under state law. Id. at *11. Specifically, the court declined to hold that publicly accessible websites could constitute “public fora” for purposes of free speech protection given “the potentially sweeping implications . . . and the lack of any more direct authority.” Id. at * 11. However, in its analysis, the court discussed at length the California Supreme Court’s decision in Robins v. Pruneyard Shopping Ctr., 23 Cal. 3d 899, 905, 153 Cal. Rptr. 854, 592 P.2d 341 (1979) aff'd, 447 U.S. 74, 100 S. Ct. 2035, 64 L. Ed. 2d 741 (1980), in which the court held that California’s “guarantee of free expression may take precedence over the rights of private property owners to exclude people from their property.” Id. at *10. In Pruneyard, the California Supreme Court issued a decision, later affirmed by the U.S. Supreme Court, concluding that the State Constitution protected political speech at a private shopping mall, specifically noting “the importance of the shopping mall as a public forum and center of community life.” Id. at *10 (citing Pruneyard 23 Cal. 3d at 910). After questioning the salience of Pruneyard, the court ultimately found the comparison between a mall and the internet to be problematic with respect to free speech rights. Id. at *10. The court, however, also specifically limited its ruling on hiQ’s public forum-based free speech claim to the preliminary injunction stage by stating, “at this juncture, the Court has doubts about whether Pruneyard may be extended wholesale into the digital realm of the Internet,” thus leaving open the possibility that hiQ could succeed on the merits of its claim at a later time. Id. at * 10 (emphasis added).

The court then addressed hiQ’s unfair competition claim under California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200 et seq., finding that – unlike its other claims – hiQ had raised “serious enough questions” regarding the potentially anti-competitive nature of LinkedIn’s conduct to support the issuance of a preliminary injunction. Id. *11-12. In so finding, the court pointed to evidence that LinkedIn may have revoked hiQ’s access to the site in an effort to eliminate hiQ as a competitor in the data analytics field. Id. at *11-12. The court then found that hiQ’s remaining promissory estoppel claim failed to raise such serious questions as to the merits to support the issuance of a preliminary injunction. Id. at *12. In the final part of its analysis, the court concluded that the public interest warranted the issuance of a preliminary injunction, noting that providing private parties “the blanket authority to block viewers from accessing information publicly available on its website for any reason, backed by sanctions of the CFAA, could pose an ominous threat to public discourse and the free flow of information promised by the Internet.” Id. at *13. The court thus granted hiQ’s motion for a preliminary injunction, barring LinkedIn from continuing to prevent hiQ’s access to the public LinkedIn user profiles. Id. at *13. The court’s Order, among other things, also required LinkedIn to affirmatively remove any technical barriers that were preventing hiQ’s access within 24 hours. Id.

Best Practice Takeaways

The hiQ court’s decision leaves open the question of whether hiQ will ultimately succeed on the merits of its claims.1 Moreover, other courts may view much of the court’s analysis as dicta and therefore decline to follow its approach moving forward. With that said, the opinion provides a basis for at least some best practice takeaways relating to legal restrictions on scraping and other data harvesting methods moving forward. First, websites employing terms and conditions of use aimed at preventing unauthorized access to information, whether by means of scraping or circumventing security measures, should consider the efficacy of those terms. In particular, the hiQ decision strongly suggests that allegations of “unauthorized access” under the CFAA would have little weight, whether asserted affirmatively or as a federal preemption defense, if the information obtained is otherwise publicly available. In addition, web hosts should consider whether barring users from accessing information on a website based on violations of terms and conditions of use could potentially give rise to civil liability under state or federal law, where information sought is publicly available. By the same token, companies using web scraping methods should be aware that if the information accessed or obtained is not public on its face, a court could impose liability under state or federal law, including the CFAA. Moreover, independent of private litigation, the hiQ court’s decision could leave the door open for possible civil or criminal enforcement proceedings by the SEC or DOJ based on the CFAA, the federal Wire Fraud Statute (18 U.S.C. § 1343), and other federal securities laws, rules and regulations.2 Given the court’s findings in hiQ, such enforcement proceedings could likely turn on the particular conduct involved or method employed to obtain the data, the terms and conditions of use aimed at preventing misuse of information, and, perhaps most importantly, whether the information is non-public. Finally, the hiQ decision leaves unanswered the question of whether the internet is a public forum equivalent to the private mall at issue in the Pruneyard case, the answer to which could have an enormous impact on free speech jurisprudence and internet regulation.

Footnotes

1. It also appears that an appeal was taken by LinkedIn to the Ninth Circuit Court of Appeals on September 5, 2017, which could result in an affirmance or reversal of the District Court’s decision. See hiQ Labs, Inc. v. LinkedIn Corp., 17-16783.

Note that, while potential liability in the context of civil litigation was addressed by the hiQ court, other sources of liability, including SEC Rule 10b-5 (17 C.F.R. 240.10b-5) and the Wire Fraud Statute, have arisen in context of government enforcement actions, specifically in instances where individuals have used hacking methods to obtain material nonpublic information. See, e.g., S.E.C. v. Dubovoy, et al., Civil Action No. 2:15-cv-06076-MCA-MAH (D.N.J. filed Aug. 10, 2015) (amended Aug. 23, 2015); see also S.E.C. v. Dorozhko, 574 F.3d 42 (2d Cir. 2009). Query whether future cases may involve similar factual scenarios in which outsiders either use web scraping tools, other forms of artificial intelligence, or weaknesses in a website security measure to obtain material nonpublic information or proprietary data without authorization of a website host.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Emails

From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

*** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.