Court Says CFAA Isn't Meant To Prevent Access To Public Data, Orders LinkedIn To Drop Anti-Scraper Efforts

Some good pushback against the CFAA (Computer Fraud and Abuse Act) has been handed down by a federal court. LinkedIn, which has frequently sued scrapers under both the CFAA and DMCA, just lost an important preliminary round to a company whose entire business model relies on LinkedIn's publicly-available data.

hiQ Labs scrapes LinkedIn data from users whose accounts are public, repackages it and sells it to third party recruiters and HR departments, allowing companies to track employee skills and get a read on which employees might be planning to jump ship.

LinkedIn didn't care much for another business piggybacking on its data (and likely cutting back ever so slightly on the number of third parties it sells this data to), so it sued hiQ, alleging the scraping of publicly-available data violated the CFAA. This has completely backfired. hiQ has obtained an injunction preventing LinkedIn from blocking its scraping efforts. [h/t Brad Heath]

In short, the court finds the hardships are all on hiQ's side: if LinkedIn blocks the scraping, the company will likely close. The decision [PDF], importantly, notes this isn't what the CFAA was put in place to guard against. It also adds that if it sided with LinkedIn's arguments, the internet itself would suffer.

In summary, the balance of hardships tips sharply in hiQ's favor. hiQ has demonstrated there are serious questions on the merits. In particular, the Court is doubtful that the Computer Fraud and Abuse Act may be invoked by LinkedIn to punish hiQ for accessing publicly available data; the broad interpretation of the CFAA advocated by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.

And there's more bad news for LinkedIn:

Furthermore, hiQ has raised serious questions as to whether LinkedIn, in blocking hiQ's access to public data, possibly as a means of limiting competition, violates state law.

LinkedIn tried to argue continued access by hiQ would threaten its own business, mainly through supposed violations of its customers' privacy. It notes many of its users (50 million to be exact) have deployed LinkedIn's "Do Not Broadcast" option, which limits notifications about changes to accounts. Out of the 50 million users, LinkedIn claims three have alleged harm from third-party data collection. LinkedIn says hiQ's scraped determinations about poachable employees could harm users whose accounts remain public, but are utilizing the "Do Not Broadcast" feature.

The court is not entirely unsympathetic to LinkedIn's arguments. But it is mostly unsympathetic, partially because LinkedIn appears to be vastly overstating the privacy concerns of its users...

These considerations are not without merit, but there are a number of reasons to discount to some extent the harm claimed by LinkedIn. First, LinkedIn emphasizes that the fact that 50 million users have opted into the "Do Not Broadcast" feature indicates that a vast number of its users are fearful that their employer may monitor their accounts for possible changes. But there are other potential reasons why a user may opt for that setting. For instance, users may be cognizant that their profile changes are generating a large volume of unwanted notifications broadcasted to their connections on the site. They may wish to limit annoying intrusions into their contacts.

Second, LinkedIn has presented little evidence of users' actual privacy expectation; out of its hundreds of millions of users, including 50 million using Do Not Broadcast, LinkedIn has only identified three individual complaints specifically raising concerns about data privacy related to third-party data collection. Docket No. 49-1 Exs. A-C. None actually discuss hiQ or the "Do Not Broadcast" setting.

...and partially because LinkedIn doesn't appear to care all that much about its users' privacy.

Third, LinkedIn's professed privacy concerns are somewhat undermined by the fact that LinkedIn allows other third-parties to access user data without its members' knowledge or consent. LinkedIn offers a product called "Recruiter" that allows professional recruiters to identify possible candidates for other job opportunities. LinkedIn avers that when users have selected the Do Not Broadcast option, the Recruiter product respects this choice and does not update recruiters of profile changes. However, hiQ presented marketing materials at the hearing which indicate that regardless of other privacy settings, information including profile changes are conveyed to third parties who subscribe to Recruiter. Indeed, these materials inform potential customers that when they "follow" another user, "[f]rom now on, when they update their profile or celebrate a work anniversary, you'll receive an update on your homepage. And don't worry - they don't know you're following them." LinkedIn thus trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case.

As for the alleged CFAA violations, the court find nothing that agrees with LinkedIn's legal theory public information anyone can access somehow turns into unauthorized access when a company accesses it via a scraper.

A user does not "access" a computer "without authorization" by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.

But it goes further, laying down in explicit detail how ruling in LinkedIn's favor would severely damage open access on the internet.

Under LinkedIn's interpretation of the CFAA, a website would be free to revoke "authorization" with respect to any person, at any time, for any reason, and invoke the CFAA for enforcement, potentially subjecting an Internet user to criminal, as well as civil, liability. Indeed, because the Ninth Circuit has specifically rejected the argument that "the CFAA only criminalizes access where the party circumvents a technological access barrier," Nosal II, 844 F.3d at 1038, merely viewing a website in contravention of a unilateral directive from a private entity would be a crime, effectuating the digital equivalence of Medusa. The potential for such exercise of power over access to publicly viewable information by a private entity weaponized by the potential of criminal sanctions is deeply concerning...

[T]he CFAA as interpreted by LinkedIn would not leave any room for the consideration of either a website owner's reasons for denying authorization or an individual's possible justification for ignoring such a denial. Website owners could, for example, block access by individuals or groups on the basis of race or gender discrimination. Political campaigns could block selected news media, or supporters of rival candidates, from accessing their websites. Companies could prevent competitors or consumer groups from visiting their websites to learn about their products or analyze pricing. Further, in addition to criminalizing any attempt to obtain access to information otherwise viewable by the public at large, the CFAA would preempt all state and local laws that might otherwise afford a legal right of access (e.g., state law rights asserted by hiQ herein). A broad reading of the CFAA could stifle the dynamic evolution and incremental development of state and local laws addressing the delicate balance between open access to information and privacy - all in the name of a federal statute enacted in 1984 before the advent of the World Wide Web.

The case will still proceed forward, but the outlook isn't that bright for LinkedIn. It has been ordered to drop any anti-circumvention efforts it put in place within 24 hours and rescind the cease-and-desist orders it sent to hiQ. On top of there being zero chance it will prevail on its CFAA claims, the company will now have to defend itself against state law counterclaims by hiQ. This legal effort -- probably deployed in hopes of achieving a quick settlement -- is going to add up to real dollars in legal fees alone.