LinkedIn loses data scraping case against startup hiQ

16 Aug 2017

In a ruling that could have wider implications for internet privacy issues, a federal judge in San Francisco has ordered LinkedIn to stop blocking startup company hiQ Labs from scraping LinkedIn personal profiles for data.

San Francisco-based hiQ analyzes workforce data scraped from public profiles. LinkedIn invoked a federal anti-hacking law in telling hiQ to stop. LinkedIn also installed technical blocks to prevent hiQ from accessing otherwise publicly available information on LinkedIn users.

But District Judge Edward Chen's preliminary injunction on Monday gives LinkedIn a day to remove those blocks.

LinkedIn, which is a part of Microsoft, says it may challenge the ruling.

LinkedIn spokeswoman Nicole Leverich said, "We will continue to fight to protect our members' ability to control the information they make available on LinkedIn."

According to AP, many other companies also oppose data scraping in favour of licensing data for a fee.

In a statement, hiQ said the company "believes that public data must remain public" and that big companies shouldn't stifle innovation by hoarding public data.

hiQ relies on access to the public profiles of LinkedIn members to create products it sells to employers like eBay and GoDaddy. LinkedIn had sent hiQ a cease and desist letter in May, cutting off the data miner's access and threatening action under the Computer Fraud and Abuse Act (CFAA) if hiQ tried to circumvent the block. HiQ sued in June.

As Reuters puts it, LinkedIn claimed it has a right to protect the privacy of its users by blocking users that violate its terms of service, just as a public library might cut off borrowing privileges for someone who used a fake ID or refused to return a book. HiQ countered that it never trespassed but only accessed LinkedIn data available to the entire world, like any onlooker in a public square.

Both sides brought in legal luminaries - former US Solicitor General Donald Verrilli of Munger Tolles & Olson for LinkedIn; Harvard prof Laurence Tribe and Farella Braun & Martel for hiQ - for a preliminary injunction hearing last month.

Judge Chen agreed in Monday's opinion that it makes sense to draw an analogy between the CFAA and physical trespass laws. The CFAA was enacted to deter computer hackers, who are literally computer trespassers.

But as Reuters points out, the law was enacted in 1986, before ordinary people could even access computer networks, and the question is whether it applies in the internet age.

Judge Chen, relying heavily on the reasoning of George Washington University law professor Orin Kerr in a 2016 paper 'Norms of Computer Trespass', concluded that the key consideration is whether the computer owner has imposed a virtual lock on its doors, in the form of passwords or other software restricting public access.

Under Judge Chen's analysis, a user could be considered unauthorised, in the statutory language of the CFAA, if it tampered with those virtual locks or stole a key to open them. But if the computer owner has left its doors open, Judge Chen said, users are authorised to pass through them.

"The court intuitively understands that where an individual does not have permission to enter, he would be trespassing if he did so," the judge explained. "Even if the door is open to the public for business, the shop owner may impose limits to the manner and scope of access (eg, by restricting access to a storage or employees-only area). But if a business displayed a sign in its storefront window visible to all on a public street and sidewalk, it could not ban an individual from looking at the sign and subject such person to trespass for violating such a ban. LinkedIn, here, essentially seeks to prohibit hiQ from viewing a sign publicly visible to all."

Judge Chen expressed concern about whether businesses like LinkedIn can take advantage of the CFAA for their own purposes, "a result that Congress could not have intended when it enacted the CFAA over three decades ago", the judge wrote. Under LinkedIn's formulation of the CFAA, he said, website owners could cut off access based on users' race or gender. Political campaigns could block rival campaigns or unsympathetic news organisations. Companies could hobble competitors that sought to use public information about their products or pricing.

In short, Judge Chen wrote, "a broad reading of the CFAA could stifle the dynamic evolution and incremental development of state and local laws addressing the delicate balance between open access to information and privacy – all in the name of a federal statute enacted in 1984 before the advent of the World Wide Web."

The CFAA was enacted in 1986 as an amendment to a 1984 computer fraud law that was part of an omnibus anti-crime bill.