We have been covering the hiQ-LinkedIn data-scraping saga for several years now on CPW. (See previous posts here, here, here, and here).

After well-publicized litigation that made its way to the Supreme Court and back again, the United States District Court for the Northern District of California ruled[1] that the provisions of a website user agreement that prohibit anti-scraping and fake profiles are enforceable in a breach of contract claim. Businesses should take note and ensure that their own conduct enforces their terms and conditions in order to prevent violators from successfully claiming affirmative defenses. If a business knows of a violation, and wants to have enforceable terms, it should pursue remedying that violation.

I. Case Background

By way of background, hiQ operated a business that relied on web data collected about hiQ’s client’s employees sourced from the public portions of those employees’ LinkedIn profiles. That is, hiQ’s data analytics business depended entirely on access to the data in LinkedIn profiles that are set to “public”. i.e., made visible to the general public by LinkedIn users.

After receiving a cease-and-desist letter from LinkedIn requiring hiQ to “immediately cease and desist unauthorized data scraping and other violations of LinkedIn’s User Agreement”, hiQ filed a request in U.S. District Court for (inter alia) an injunction against LinkedIn for LinkedIn’s forbidding hiQ’s access to LinkedIn public profiles[2]. With respect to the Computer Fraud and Abuse Act (CFAA), hiQ stated that scraping of data from public LinkedIn profiles does not violate CFAA even after LinkedIn sent its cease-and-desist letter. In 2017, Judge Chen sided with hiQ and issued the preliminary injunction, stating that:

“In sum, viewed in a proper context, the Court has serious doubt whether LinkedIn’s revocation of permission to access the public portions of its site renders hiQ’s access “without authorization” within the meaning of the CFAA.”[3]

On appeal, Judge Berzon of the Ninth Circuit affirmed in 2019:

“… the CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly-available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system.”[4]

In 2020, LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s decision.[5] Then, after the clarification about the meaning of “exceeds authorized access” in Van Buren, LinkedIn submitted a supplemental brief,[6] noting that Van Buren addressed “exceeds authorization” under CFAA but left open the question of what type of restrictions a website owner can use to argue that access to the website for web data sourcing is “without authorization.” In supporting its claim that hiQ had accessed LinkedIn Profiles without authorization, LinkedIn pointed out that it had employed “technical code-based measures to prevent hiQ from scraping data (which hiQ circumvented via bots).”

On July 14, 2021, the Supreme Court remanded LinkedIn[7] for reconsideration by the Ninth Circuit in light of the “gates-up or gates-down” analysis from Van Buren. On April 18, 2022, the Ninth Circuit reaffirmed[8] its original narrow interpretation that CFAA liability only arises when the access is unauthorized. In its opinion, the Ninth Circuit ruled that “the concept of ‘without authorization’ does not apply to public websites”[9] and that “without authorization” means “when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer.”[10]

Pending the results of other litigation and application of Van Buren to other facts and circumstances, scraping areas of a website that require an authorized username and password remain risky under the CFAA. Given the narrow interpretation of “exceeds authorized access” in Van Buren and the Ninth Circuit’s application of the narrow interpretation in its reconsideration of LinkedIn 1, website operators likely will turn to other legal arguments to stop third parties from using their websites for web data sourcing.

Triggering CFAA liability by violating contractual restrictions on the use of a website (i.e., a website user agreement or terms of use), without more, also seems less likely. As noted above, Van Buren held that violating a department policy was insufficient to violate CFAA’s prohibition on access that exceeds authorization. This view is consistent with the Ninth Circuit’s decision in a criminal CFAA case,[11] the Ninth Circuit held that CFAA liability requires more than violating a user agreement:

“Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands … Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as “tall, dark and handsome,” when you’re actually short and homely, will earn you a handsome orange jumpsuit. Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.”[12]

Citing Nosal in a later case, the Ninth Circuit confirmed that “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.”[13] The holdings in these decisions likely would hold up under Van Buren‘s “gates up” or “gates down” analysis. A user agreement restricts why a user can access a particular website but, without more, the website operator has not restricted access or put the “gates down” for computers or information on them.

However, businesses took solace from these Ninth Circuit decisions in the enforceability of their terms and conditions ‘contracts’, as long as they enforced the terms. As we note below, in HiQ 2, LinkedIn’s terms specifically prohibited scraping and the use of fake profiles, and thus, the HiQ 2 Court ruled that LinkedIn can rely on those provisions in breach of contract claims. Questions of fact remain regarding the scraping restrictions and unauthorized use of the scraped data due to LinkedIn’s own conduct. As to the independent contractors hired by hiQ to manually review profiles, ‘turkers,’ their LinkedIn accounts also were forbidden by clauses prohibiting fake profiles, and the HiQ 2 Court granted summary judgment in favor of LinkedIn on its breach of contract claim.

II. Summer 2022: The Lower Court Dissolves the Preliminary Injunction Previously Granted to hiQ in Win for LinkedIn

Following the Court’s issuance of a preliminary injunction in favor of hiQ in August 2017, hiQ encountered significant operational challenges. As a result of hiQ’s wind-down events, LinkedIn filed a motion to dissolve the preliminary injunction on the grounds that there was a significant change in facts that warranted the dissolution of the injunction. The court granted the motion, finding that LinkedIn “carried its burden to establish a significant change in fact”—namely, that hiQ no longer has an ongoing business.

III. Fall 2022: LinkedIn Moves for Summary Judgment On Its Breach of Contract Claim

After facing difficulty in establishing its CFAA claims, LinkedIn argued it should be granted summary judgment on the basis that hiQ’s data scraping and the use of fake profiles violated LinkedIn’s User Agreement (inter alia) that hiQ accepted prior to accessing LinkedIn’s online services. Specifically, LinkedIn’s User Agreement[14] expressly prohibits scraping of its site and creating fake profiles.

As to scraping, Section 8 of the User Agreement (“LinkedIn ‘DOs’ and ‘DON’Ts’”) states:

8.2 Don’ts. You agree that you will not:

  • . . . Scrape or copy profiles and information of others through any means (including crawlers, browser plugins and add-ons, and any other technology or manual work); . . .
  • Use manual or automated software, devices, scripts[,] robots, other means or processes to access, “scrape,” “crawl” or “spider” the Services or any related data or information;
  • Use bots or other automated methods to access the Services, add or download contracts, send or redirect messages;[15] . . .

As to the turkers’ fake profiles, LinkedIn’s User Agreement states:

8.2 Don’ts. You agree that you will not:

  • . . . Create a false identity on LinkedIn; …”

In the recently-decided HiQ 2, the Court found that:

“hiQ relied on LinkedIn for its data primarily by scraping wholly public LinkedIn profiles using automated software. hiQ had continuously attempted to circumvent LinkedIn’s general technical defenses since May 2014. It experimented and attempted to reverse engineer LinkedIn’s systems and to avoid detection by simulating human site-access behaviors. hiQ also hired independent contractors known as ‘turkers’ to conduct quality assurance while ‘logged-in’ to LinkedIn by viewing and confirming hiQ customers’ employees’ identities manually.”[16]

In agreeing with LinkedIn, the HiQ 2 Court concluded that “hiQ breached LinkedIn’s user agreement both through its own scraping of LinkedIn’s site and using scraped data, and through turkers’ creation of false identities on LinkedIn’s platform.”[17]

The HiQ 2 decision also is consistent with other decisions from the Ninth Circuit. For example, in Facebook Inc. v. BrandTotal[18], the Court held, on BrandTotal’s breach of contract claim, that:

“BrandTotal designed a computer program to systematically identify, capture, and transmit certain types of data from Facebook’s products without user intervention. Because BrandTotal used “automated means” to access and collect data from Facebook’s website without obtaining Facebook’s permission as required by the terms of service, the Court concludes that BrandTotal has not shown a likelihood of success, or even serious issues, on its claim for declaratory judgment that it did not breach those terms. Because the record tends to suggest that BrandTotal breached at least the provision regarding automated access, the Court does not reach the parties’ arguments as to other contract terms at issue.”

The holding in HiQ 2 is good news for a number of businesses because it offers a pathway for fighting scraping and other user violations – at least in the Ninth Circuit. But, the Ninth Circuit cautions that enforceability requires that the business actively enforce its user agreements when it is aware of a violation. As the year wraps up, businesses may wish to consider revisiting their policies and internal procedures for policing user conduct to ensure that they are consistent and actively enforced.