United States: In Blockbuster Ruling, Ninth Circuit Affirms hiQ Injunction — CFAA Claim Likely Not Available For Scraping Publicly Available Website Data

In a ruling that is being hailed as a victory for web scrapers and the open nature of publicly available website data, the Ninth Circuit today issued its long-awaited opinion in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019). The crucial question before the court was whether once hiQ Labs, Inc. ("HiQ") received LinkedIn Corp.'s ("LinkedIn") cease-and-desist letter demanding it stop scraping public LinkedIn profiles, any further scraping of such data was "without authorization" within the meaning of the federal Computer Fraud and Abuse Act (CFAA). The appeals court affirmed the lower court' order granting a preliminary injunction barring the professional networking platform LinkedIn from blocking HiQ, a data analytics company, from accessing and scraping publicly available LinkedIn member profiles to create competing business analytic products. Most notably, the Ninth Circuit held that HiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access "without authorization" under the CFAA.

In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court HiQ decision: while the Ninth Circuit's decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is "presumptively open to all," entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches. Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not "resolve the companies' legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court."

Overview of the hiQ Dispute

Since the California district court ruling in August 2017, LinkedIn's appeal and Opening Brief in October 2017 and hiQ's subsequent Answering Brief and LinkedIn's Reply Brief, and the oral argument in March 2018, it's been a long wait for the Ninth Circuit's decision in this case. Before we dive deeper into the ruling, a brief summary the lower court proceedings is necessary.

The hiQ dispute involves LinkedIn's challenge to hiQ's scraping of public profile data to create a competing business analytics product. After receiving a cease-and-desist letter from LinkedIn that demanded HiQ stop its scraping activity and stated, principally, that HiQ's further access would be a violation of the federal CFAA, hiQ filed a declaratory judgment seeking a preliminary injunction barring LinkedIn from blocking hiQ's access to LinkedIn public profiles. Significantly, LinkedIn had sent the cease-and-desist letter to hiQ after years of tolerating hiQ's access and use of its data; in fact, hiQ's business model of employee data analysis at the time of the litigation was wholly dependent on crunching LinkedIn data that users elected to publish publicly. The key question concerning the applicability of the CFAA in this case was whether, by continuing to access public LinkedIn profiles after LinkedIn explicitly revoked permission to do so, hiQ had "accessed a computer without authorization" within the meaning of the CFAA.

The lower court issued a preliminary injunction, finding that the balance of equities favored hiQ, and distinguished the Ninth Circuit Power Ventures precedent that had held that a commercial entity that accesses a website after permission has been explicitly revoked can, under certain circumstances, be civilly liable under the CFAA. The lower court expressed "serious doubt" as to whether LinkedIn's revocation of permission to access the public portions of its site renders hiQ's access "without authorization" within the meaning of the CFAA. In the lower court's view, the CFAA was intended instead to deal with "hacking" or "trespass" onto private, often password-protected mainframe computers, and the district court was "reluctant" to expand its scope absent convincing authority.

On appeal, the parties offered dueling visions of what the law surrounding the CFAA and scraping should be:

  • LinkedIn: "[A]uthorization from LinkedIn—the server's owner—is 'needed' to avoid CFAA liability, regardless of whether those servers also host data that LinkedIn generally makes available on its website. hiQ lacked that required "authorization" once LinkedIn sent hiQ its cease-and-desist letter and implemented additional technological barriers restricting bot access."
  • HiQ: "LinkedIn does not grant permission to access its public content because those pages are, by definition, open for all to see and use. hiQ, like any other Internet user, simply requests LinkedIn's public pages, and LinkedIn's servers automatically provide them. There is no "authorization" for LinkedIn to revoke. Reading the statute in accordance with the language's ordinary significance, "without authorization" refers to circumstances where authorization is a prerequisite to access."

The CFAA Issue on Appeal

In the decision, the Ninth Circuit held that HiQ made an adequate showing at this stage to support an injunction prohibiting LinkedIn from selectively blocking hiQ's access to public member profiles based on, among other things, the merits of its tortious interference with contract claim. While a full discussion of the merits of that claim are beyond the scope of this post, the court was compelled to consider LinkedIn's defense that HiQ could not succeed on its tortious interference with contact and related state claims because its access to LinkedIn's site was "unauthorized" under the CFAA. .

The pivotal CFAA question is whether once hiQ received LinkedIn's cease-and-desist letter, any further scraping and use of LinkedIn's data was "without authorization" within the meaning of the CFAA and thus a violation of the statute. If so, hiQ would have no legal right of access to LinkedIn's data and so could not succeed on any of its state law claims.

Liability under the CFAA arises when a person who "intentionally accesses a computer without authorization ... and thereby obtains ... information from any protected computer." 18 U.S.C. § 1030(a)(2)(C). "Without authorization" is not defined, but in the quintessential case, the CFAA is invoked to remedy incidences of computer hacking or when an employee accesses a corporate network after having had his or her permission rescinded.

In the scraping context, as seen by this highly-contested dispute, CFAA "without authorization" liability presents nuanced issues. In short, the appeals court was asked to decide whether the CFAA's "without authorization" provision is limited to computer information for which access permission, such as password authentication, is generally required.

Looking at the legislative history and precedent, the Ninth Circuit stated that the CFAA was enacted to prevent computer hacking, and that it should be best understood as "an anti-intrusion statute and not as a misappropriation statute." Thus, the court concluded that the CFAA's "without authorization" provision is "inapt" with regard to access to public LinkedIn profiles and that HiQ raised a serious question as to whether the CFAA's "without authorization" provision should only apply to computer information protected by access controls (e.g., password authentication). The Ninth Circuit distinguished its Power Ventures precedent, which held that that a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA but that a social media aggregation site had accessed Facebook's computers "without authorization" after receiving an individualized cease-and-desist letter. While Power Ventures involved the gathering of social media user profile data protected by a username and password authentication system, the data hiQ was scraping was available to anyone with a web browser.

"[I]t appears that the CFAA's prohibition on accessing a computer 'without authorization' is violated when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA. [emphasis added]. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ's possibly meritorious tortious interference claim."

Unanswered Questions and Looking Ahead

Screen or web scraping is an issue that has been controversial since the early days of e-commerce. Content aggregators and data users are always thinking of new and productive uses for data readily accessible from websites, with scraping as an obvious technical measure to access that data. Many advocate that content on publicly-available websites is implicitly free to harvest and exploit, while web services hosting valuable user-generated content or other data typically wish to exercise control over which parties can access and use it for commercial purposes. The CFAA has been one of the most potent legal tools used by website owners to challenge scraping activities. While the law surrounding screen scraping remains uncertain, the Ninth Circuit clarified whether scraping data from a public-facing website likely violates the CFAA "unauthorized access" provision, even if a website operator revokes a data scraper's access via a cease-and-desist letter.

In considering the balance of equities surrounding the lower court's grant of a preliminary injunction, the court enunciated multiple pro-scraping sentiments, echoing the lower court's concern that allowing large internet platforms to selectively restrict access to publicly available website data would not necessarily be in the public interest:

"We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest."

While the hiQ decision is certainly a scraping-positive decision, it leaves many unanswered questions. HiQ, while advocating an open lane for scraping public website data, is not a complete green light for scraping in general. The Ninth Circuit held that the CFAA is likely not a viable claim for limiting the scraping of publicly available web data, yet other questions and issues are lurking:

  • The calculus in any particular CFAA-scraping dispute will depend on the nature of the data at issue, as evidenced by the varying holdings in the Ninth Circuit's Power Ventures decision, which involved password-protected social media profiles, and HiQ, which involved "public" LinkedIn member data. Indeed, the HiQ court, in weighing whether the injunction was in the public interest, noted the nature of LinkedIn's user-generated data and implicitly differentiated it from proprietary or private data:

"LinkedIn's asserted private business interests—'protecting its members' data and the investment made in developing its platform' and 'enforcing its User Agreements' prohibitions on automated scraping'—are relatively weak. LinkedIn has only a non-exclusive license to the data shared on its platform, not an ownership interest. Its core business model—providing a platform to share professional information—does not require prohibiting hiQ's use of that information, as evidenced by the fact that hiQ used LinkedIn data for some time before LinkedIn sent its cease-and-desist letter."

  • While the crux of the decision involved the CFAA issue, LinkedIn had advanced other claims, including breach of contract, unjust enrichment and trespass to chattels. The court did not consider these claims on appeal, and noted that website operators concerned about unwanted data scraping may have causes of action beyond the CFAA, such as copyright infringement, misappropriation, breach of contract, or privacy-related claims. As we've seen in other cases involving scraping or unwanted access, such claims may be viable.
  • In today's e-commerce environment, many online marketplaces scrape publicly available price data from competitors and other retailers to glean dynamic pricing and benchmarking analytics. The HiQ holding would appear to limit the availability of a CFAA cause of action for such activities, though, as previously discussed, other potential state causes of action remain and entities are still encouraged to follow certain risk management practices when engaged in scraping.
  • While the Ninth Circuit's decisions regarding technology law are often considered persuasive authority, other jurisdictions outside of the Ninth Circuit are not bound by its decisions. Thus, the reach of the hiQ court's interpretation of CFAA liability for scraping public websites is yet to be determined (and it is possible that the entire Ninth Circuit will hear the case en banc).
  • What will be the practical result of the HiQ holding? LinkedIn and other platforms will always remain wary of "free riders" that wish to use their databases for commercial purposes. But will the decision impel LinkedIn and other similar platforms to put such data behind an authentication wall? As the court noted, many LinkedIn users intend their profiles to be accessed by other members or the public and such a radical change of access could undermine its own business model: "Of course, LinkedIn could satisfy its 'free rider' concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line."
  • Websites may still enact protective measure against malicious automated activity that threatens the integrity of their networks. The Ninth Circuit noted, in dicta, that the injunction does not preclude LinkedIn from continuing to engage in "technological self-help against bad actors."

In Blockbuster Ruling, Ninth Circuit Affirms hiQ Injunction — CFAA Claim Likely Not Available For Scraping Publicly Available Website Data

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions