On August 14, 2017, on a motion for preliminary injunction, the District Court for the Northern District of California held that LinkedIn, a social network owned by Microsoft, Inc., could not continue to block hiQ, a data analytic startup, from accessing information from public LinkedIn profiles using web scrapers. hiQ Labs, Inc. v. LinkedIn Corp., 3:17-CV-03301-EMC, slip op. at 1 (N.D. Cal. Aug. 14, 2017). This decision casts doubt on the earlier case law, which has held that the Computer Fraud and Abuse Act (CFAA) protects website owners against third party web scrapers if such scrapers are accessing public data not protected by an authorization gateway such as passwords. Accordingly, this decision has the potential to change the legal landscape regarding the use of web scrapers or bots to collect information on websites; the interpretation of the Computer Fraud and Abuse Act (CFAA) and analogous state statutes; and how websites control or limit access to content they have collected from users.
In hiQ Labs, Inc. v. LinkedIn Corp., the court granted a preliminary injunction in favor of hiQ to prohibit LinkedIn from employing electronic blocking techniques designed to preven hiQ from scraping information from public LinkedIn profiles. See id. at 1. The court’s decision stands in direct contrast to earlier decisions in cases such as, Craigslist Inc. v. 3Taps Inc., 2013 WL 4447520 (N.D. Cal. August 16, 2013), which have decided against the interests of web scrapers.
Following LinkedIn’s cease and desist letter requesting that HiQ terminate its scraping of publicly available content from LinkedIn user profiles, and its use of various blocking techniques to prevent such data collection, hiQ filed a motion for preliminary injunction, claiming that it LinkedIn’s demands and actions were effectively driving hiQ out of business due to its reliance on LinkedIn’s public data. In ruling for hiQ, the court determined that LinkedIn’s actions would likely irreparably harm hiQ and then discussed the applicability of: (1) the CFAA and analogous California state law claims to a web scraper in the position of hiQ, (2) antitrust laws with respect to parties, such as LinkedIn, preventing web scrapers from scraping their data, (3) unfair competition laws, and (4) privacy concerns of parties such as LinkedIn and its users.
CFAA and California Penal Code § 502
With respect to the CFAA, the court explained that the injunction was appropriate because hiQ “raised serious questions as to the applicability of the CFAA to its [web scraping of LinkedIn’s public profile information]” because the CFAA was not designed “to prevent access to publically viewable data not protected by an authentication gateway.” See id. at 16. Therefore, the CFAA’s threshold question of whether a party “accessed” a computer “without authorization” did not apply to hiQ when viewed in this context. See id. at 15.
The court reasoned that its holding was consistent with the considerations behind enactment of the CFAA, ruling that “Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking.” See id., slip op. at 11. And, thus, applying “the CFAA to the accessing of websites open to the public would have sweeping consequences well beyond anything Congress could have contemplated; it would ‘expand its scope well beyond computer hacking.’” Id. In addition, the court found that hiQ’s web scraping was different from the conduct of the defendants in Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016) and United States v. Nosal, 844 F.3d 1024(9th Cir. 2016), which was found to be in violation of the CFAA,. Unlike in these cases, where, according to the court, the respective defendants scraped private data that was protected by authorization techniques, hiQ accessed and scraped only public data that was not protected by any authorization techniques (e.g., password protected). See id., slip op. at 10.
Accordingly, the court ruled that hiQ may not be limited to accessing and scraping LinkedIn’s public profiles or any content open to the public, holding that “a user does not ‘access’ a computer ‘without authorization’ by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public” (emphasis added). See id., slip op. at 11.
In addition, the court also considered whether hiQ potentially violated California Penal Code § 502, a state law claim analogous to CFAA. See id., slip op. at 17-18, n.13. In a footnote, the court determined that: “Though the statute also includes a provision that prohibits ‘knowingly access[ing] and without permission tak[ing], cop[ying], or mak[ing] use of any data from a computer, computer system, or computer network,’ Cal. Pen. Code § 502(c)(2), the [c]ourt similarly concludes [(as it decided in regards to the CFAA)] there are serious questions about whether these provisions criminalize viewing public portions of a website.” See id.
Antitrust, Unfair Competition, and Privacy Concerns
In addition to asserting that its web scraping was not a violation of the CFAA, hiQ also argued that LinkedIn‟s decision to block its access to member data was made for an impermissible anticompetitive purpose – namely that it wants to monetize this data itself with a competing product – and that its conduct therefore constitutes “unfair” competition under California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq.” Id. at 21. hiQ contended that “LinkedIn’s conduct violate[d] the spirit of the antitrust laws (and was therefore anti-competitive) in two ways: first, LinkedIn was unfairly leveraging its power in the professional networking market to secure an anticompetitive advantage in another market – the data analytics market; and second, LinkedIn’s conduct violated the “essential facilities” doctrine, “which precludes a monopolist or attempted monopolist from denying access to a facility it controls that is essential to its competitors.” Id.
In response to hiQ’s arguments, LinkedIn asserted that it acted solely out of concern for member privacy and not to gain exclusive control over the data collected from its members. The court did not find LinkedIn’s position persuasive. The Court found that LinkedIn may have “terminated hiQ‟s access to its public member data in large part because it wanted exclusive control over that data for its own business purposes,” that hiQ “seeks also to collect only information which users have chosen to make public” and that is made publicly available by LinkedIn to third-parties. Id. at 22.
This decision could mark an important shift regarding liability for web scrapers under either the CFAA or analogous state law claims. Underlying each of the recent web scraping cases is the court’s struggle to balance the interests of the public, which includes web scrapers, versus the interests of content providers or platforms, such as LinkedIn, with respect to the data on their webpages. In this case, the court decided that the public interest of hiQ outweighed the interests of LinkedIn because “it is likely that those who opt for the public view setting expect their public profile will be subject to searches, date mining, aggregation, and analysis” and, “on the other hand, conferring on private entities such as LinkedIn, the blanket authority to block viewers from accessing information publicly available on its website for any reason, backed by sanctions of the CFAA, could pose an ominous threat to public discourse and the free flow of information promised by the Internet.” See id. at 24.
Although this decision will likely be appealed, it leaves the current legal landscape, and the tension between website creators and web scrapers, uncertain.