A Federal Judge recently blocked LinkedIn from restricting another company from using data from LinkedIn’s website. The suit involves Linkedin and hiQ Labs, Inc. The suit also has significant ramifications for job-seekers and employers. See LinkedIn Profiles Used to Alert Employers Which Employees are Job-Hunting.
hiQ Labs Business Depends Upon Access to LinkedIn Profiles
hiQ Lab offers data analytics services that can be used to identify employees job-hunting or likely to join a competitor. It does this by automatically “scraping” data from publicly available LinkedIn profiles. hiQ Lab’s business model relies exclusively on access to data LinkedIn users have opted to publish publicly.
In the suit, hiQ Labs sought an injunction to prevent LinkedIn from blocking its access to public profiles. The Judge granted hiQ Labs’ injunction on August 14, 2017. Here is a copy of the hiQ Labs v LinkedIn, 8-14-17 Injunction Order. In sum:
- LinkedIn cannot prevent hiQ Labs from accessing, copying, or using public profiles on LinkedIn‟s website.
- LinkedIn cannot put in place any mechanism (whether legal or technical) with the effect of blocking hiQ Labs’ access to LinkedIn’s members’ public profiles.
- To the extent LinkedIn had put in place technology to prevent hiQ Labs from accessing this information, it must be removed within 24 hours of issuing the Court’s Order.
The Court’s decision was met with surprise and concern from industry tech experts. A great explanation for both was provided by David Berlind, editor in chief of Programmable Web, Why Forcing LinkedIn to Allow Scrapers Sets a Dangerous Precedent for the API Economy.
Limiting the Computer Fraud and Abuse Act?
While I don’t dispute the technological concerns raised by Mr. Berlind, I think the Judge’s decision also provides a positive direction from a legal perspective.
First, the Court signaled its reluctance to expand the federal Computer Fraud and Abuse Act (CFAA) to support LinkedIn’s claim. LinkedIn initially threatened to sue hiQ Labs for CFAA violations. Rather than sit and wait, hiQ Labs took preemptive action in filing suit and seeking an injunction against LinkedIn.
The CFAA, as initially enacted, criminalized computer hacking. However, it expanded over the years to extend to civil claims. It also often applies to conduct that does not bear any semblance to “computer hacking.” But this mutation has not been without concern. Here is how the Judge in the hiQ Labs opinion summarized the conflict:
As hiQ points out, application of the CFAA to the accessing of websites open to the public would have sweeping consequences well beyond anything Congress could have contemplated; it would ‘expand its scope well beyond computer hacking.’ Under LinkedIn’s interpretation of the CFAA, a website would be free to revoke ‘authorization’ with respect to any person, at any time, for any reason, and invoke the CFAA for enforcement, potentially subjecting an Internet user to criminal, as well as civil, liability.
(internal citations omitted).
The CFAA’s expansion to civil liability often creates perverse results. For example, I represented a former executive in a discrimination and breach of contract suit against her former employer. The executive had retained copies of a handful of emails with a supervisor. These emails, however, solely discussed the executive’s terms of compensation and benefits. Further, the emails were not a secret and were properly disclosed in the litigation.
The defendant employer, however, manufactured the claim that possession of these emails made for a CFAA violation. It claimed an employee handbook that discussed the ownership of company information and returning company property had been violated. This claim didn’t gain traction with the judge or mediator, but it was not for lack of trying by defense counsel.
Similarly, the hiQ Labs opinion echoed the concern about needlessly expanding the CFAA:
… the Court has serious doubt whether LinkedIn’s revocation of permission to access the public portions of its site renders hiQ‟s access “without authorization” within the meaning of the CFAA.
Second, LinkedIn argued that hiQ Lab’s manner of accessing the publically available information on the site (by using software to automate the scraping of user data) also violated the CFAA. The Court disagreed:
A user does not ‘access’ a computer ‘without authorization’ by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.
Similarly, it is not uncommon for companies to make similar arguments about the method of access creating CFAA liability when suing a former employee.
A common example is when an employee is given computer access in one context, but accessing it or using it in another. It may be as innocuous as downloading company data to work remotely (e.g., over the weekend, while traveling, or on vacation). But the act of removing the data from the company’s networked environment – even where the employee had permission to access the data in the first place – has been claimed to be a violation.
The LinkedIn/hiQ Labs case is not over, but winning at the injunction stage is often a huge spoiler on who will ultimately prevail. For more information about this case or issues under the Computer Fraud and Abuse Act, contact attorney Jason Shinn. He represents companies and individuals in computer fraud, misappropriation of trade secret, and other business claims.