LinkedIn Enjoined From Blocking Scraper–hiQ v. LinkedIn

Screen Shot 2017-08-15 at 7.22.20 AMhiQ Labs has scraped LinkedIn public profiles for several years. hiQ offers two products, entirely predicated on LinkedIn-scraped data: (1) a prediction to employers which employees were mostly likely to be recruited away, and (2) a summary of employee skills.

LinkedIn sent a cease and desist letter telling hiQ to stop scraping or face litigation. The parties tried to resolve the dispute but were unable to. hiQ then filed a preemptive lawsuit seeking declaratory relief, and sought a preliminary injunction allowing it to access public LinkedIn profiles pending resolution of the dispute.

It was a bold move–and it paid off, at least for the moment.

Judge Chen granted hiQ’s request for an injunction, meaning that it can continue to aggregate information from public LinedIn profiles. While an appeal is inevitable, the order has a lot of language that open internet advocates will like.

Privacy concerns: In the balance of harms analysis, LinkedIn asserted its users’ privacy concerns, saying that hiQ’s scraping threatened its users’ privacy. The court is not persuaded. LinkedIn cited its ‘do not broadcast’ feature, which 50M users have adopted, that restricts the publicizing of changes to users’ profiles. The court says there could be many reasons why users would utilize the ‘do not broadcast’ feature other than for privacy. LinkedIn also distinguished between hiQ’s scraping and LinkedIn’s data sharing services, which LinkedIn discloses in its privacy policy. The court is skeptical that the privacy policy actually reflects reasonable privacy expectations because users don’t read such policies. Finally, the court says that LinkedIn’s assertion of users’ privacy concerns seems duplicitous: “LinkedIn…trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case….LinkedIn’s own actions do not appear to have zealously safeguarded those privacy interests.”

The CFAA: Regarding the CFAA, the big question is whether LinkedIn’s cease and desist letter expressly revoked hiQ’s permission to access the site. In craigslist v. 3Taps, Judge Breyer said yes. Judge Chen takes a different tack. Examining Nosal II and Power Ventures, the court says that those cases deal with password-protected information—neither of those cases, which allowed unauthorized access claims based on access following express revocation of permission, involved publicly available information. Judge Chen comes back to the CFAA’s purpose and says it “was not intended to police traffic to publicly available websites on the Internet.” He likens LinkedIn’s publication of its data to a business displaying “a sign in a storefront window” which “it may not prohibit on pain of trespass a viewer from photographing [the sign]…or viewing…with glare reducing sunglasses.” He agrees with hiQ that interpreting the CFAA in a manner urged by LinkedIn would “expand its scope well beyond computer hacking.” Judge Chen says it’s problematic because such revocation could obscure things like discrimination or (more apropos in this case) anti-competitive conduct.

Among other relief, the court grants hiQ relief against LinkedIn for implementing any technological barriers. The order directs LinkedIn to roll back any such barriers to the extent they’ve been implemented.

California Constitution (Pruneyard) Claim: The court also is sympathetic to hiQ’s argument that LinkedIn, as a publicly available website, is the Internet-equivalent of a modern shopping center. California’s constitution limits the rights of some property owners to exclude people. Specifically, in Pruneyard, the California Supreme Court found that a shopping mall owner could not exclude those wanting to enter to engage in political speech. The court notes that no court has extended Pruneyard to the internet “generally”. The court says the analogy between the shopping mall and the internet is “imperfect” and there are numerous line-drawing problems that will likely come up. The court concludes that the sweeping implications of hiQ’s argument and the lack of authority weigh in LinkedIn’s favor on this point.

UCL claim: The court also considers hiQ’s claim that LinkedIn revoked its access for improper purposes. Specifically, hiQ made an anti-trust claim that LinkedIn was leveraging its power in the professional networking market to secure an advantage in the data analytics market. The court says this claim is likely viable. hiQ plausibly asserts LinkedIn is the dominant player in the networking space, that LinkedIn’s competing against hiQ in the data analytics space, and that LinkedIn shut off access to hiQ in order to quash its product.

Other arguments: The court rejects hiQ’s promissory estoppel claim and declines to rule on its First Amendment arguments (based on the doctrine of constitutional avoidance).

__

This is a blockbuster ruling and has the potential to reshape internet law doctrine in many key respects.

Judge Chen’s CFAA ruling diverges from Judge Breyer’s ruling in the 3Taps case, where Judge Breyer found that craigslist effectively revoked access and set up a CFAA claim by sending a cease and desist letter. It’s tough to characterize the two decisions as anything other than directly conflicting.

As mentioned above, there is a lot of language that open internet advocates and researchers can get excited about in this order. Consider the language below in Judge Chen’s conclusion:

at issue is the right to receive and process publicly available information. In view of the vast amount of information publicly available, the value and utility of much of that information is derived from the ability to find, aggregate, organize, and analyze data . . . conferring on private entities such as LinkedIn, the blanket authority to block viewers from accessing information publicly available on its website for any reason, backed by sanctions of the CFAA, could post an ominous threat to public discourse and the free flow of information promised by the Internet.

This almost looks like it was written by an EFF lawyer.

The fact that Judge Chen actually prevented LinkedIn from implementing technological measures, and did so relatively casually, is somewhat jaw-dropping. Does this mean that LinkedIn cannot rate-limit hiQ, or decide it wants to implement robots.txt?

The court alludes to the fact that LinkedIn had been “tolerating” hiQ’s access for “years.” Unfortunately, the ruling does not provide many additional details about this and this fact also does not figure centrally into the ruling, although it undoubtedly influenced the court’s view of the equities.

LinkedIn’s privacy arguments rang hollow. It appeared to have scant actual complaints regarding the practices in question. More importantly, LinkedIn appeared to be talking outside of both sides of its mouth when it came to privacy. This is something the big social networks have to contend with. In fact, a particularly interesting aspect of Judge Chen’s ruling is how he used LinkedIn’s own arguments against it. In a privacy case against LinkedIn, LinkedIn argued that it was using publicly available information to encourage users’ contacts to join LinkedIn. (See my blog post on that ruling: “Email Harvesting: Repeated Emails From LinkedIn May Violate Publicity Rights.”) Judge Chen says that similarly, hiQ is merely accessing information that users have “chosen to make public.” The networks walk a fine line with it comes to issues such as privacy and the First Amendment, and this case is a great illustration that very often their arguments in one case can be used against them in another.

I was surprised to see discussion of LinkedIn’s user agreement relegated to a footnote. hiQ had to agree to it in order to set up its page (which Judge Chen notes LinkedIn disabled). While the court notes that hiQ’s aggregation wasn’t “dependent” on the user agreement, couldn’t the restrictions in the agreement arguably bind hiQ on a forward looking basis? Perhaps this would be viewed as overreaching but that’s how this question would normally be approached as a matter of contract doctrine.

It was also surprising to see little or no discussion at all of robots.txt and LinkedIn’s behavior with respect to search engines generally. The players in the internet have a generally accepted understanding, even a norm, of when crawling by search engines is appropriate. It would have been useful to see discussion of LinkedIn’s treatment of crawling generally and what parts of its site it allowed the search engines to crawl. The networks also walk a fine line here, always being interested in search-directed traffic, but at the same time, opening themselves up to the argument that if something is open to being crawled by a general purpose search engine, it should also be allowed to be crawled by a vertical one.

The biggest blockbuster is probably Judge Chen’s conclusion about the likelihood of success on the antitrust-based unfair competition claims. Antitrust arguments against the big networks are perennially bandied about (see, for example this New York Times Opinion piece), but they have rarely gotten any traction in court. (Facebook recently settled a case brought by a gaming company alleging that Facebook used its monopoly power to obtain benefits as a purveyor of virtual currency.) The part of Judge Chen’s order that is probably getting the most attention in LinkedIn’s legal department (and those of others) are the pages where he says hiQ could plausibly state an antitrust claim. (Given that Microsoft owns LinkedIn, there may be heightened sensitivity to this point.)

This is a big win for hiQ. But it will not be the last word, given that it will undoubtedly be appealed.

Eric’s Comments:

* I agree with Venkat that this is a blockbuster ruling, because it conflicts with numerous precedents and because (if it survives on appeal) it would significantly reshape the expectations of many web publishers and other website operators. However, I would be shocked if this ruling survives any appeal intact, so the chaos this opinion creates may be short-lived.

* I was confused about how the court distinguished Power Ventures. It’s true that Power Ventures used the login credentials of Facebook users, but the court flatly says “none of the data in Facebook…was public data.” I’m pretty sure this is just wrong. Facebook users can make some or all of their profiles publicly available, so surely some of the data gathered Power Ventures had been “public” data….?

* The opinion doesn’t mention what, if any, APIs or datafeeds LinkedIn offers. In the Power Ventures case, the availability of Facebook’s API seemingly helped its case because it was clear Power Ventures was skirting Facebook’s API rules. On the other hand, making an API available confirms that a site’s data protection efforts have nothing to do with protecting users’ privacy, thus mooting one of LinkedIn’s key arguments in this case. Still, I wonder how this case looks different if LinkedIn offered an API subject to various limitations.

* Oral arguments were done by heavyweight litigators who surely cost the parties a lot of money: Prof. Laurence Tribe of Harvard Law for hiQ; former Solicitor General Donald Verrilli for LinkedIn. In this clash of the giants, score one for Prof. Tribe.

* It’s interesting that the seminal case in online trespass, Intel v. Hamidi, isn’t mentioned once. That opinion dealt with a lot of the same policy issues as this case (but 15 years ago!), including much of the stuff the court explores by reviewing Prof. Orin Kerr’s work. The even-earlier eBay v. Bidder’s Edge, also an ND Cal opinion and also a case involving significant anti-competitive issues, didn’t make an appearance either.

* Similarly, the court’s offline analogy was explored some in the Hamidi case. It is, as usual, terrible:

An analogy to physical space, while inevitably imperfect when analyzing the digital world, may be helpful. With respect to a closed space (e.g., behind a locked door which requires a key to pass), the Court intuitively understands that where an individual does not have permission to enter, he would be trespassing if he did so. Even if the door is open to the public for business, the shop owner may impose limits to the manner and scope of access (e.g., by restricting access to a storage or employees-only area). But if a business displayed a sign in its storefront window visible to all on a public street and sidewalk, it could not ban an individual from looking at the sign and subject such person to trespass for violating such a ban. LinkedIn, here, essentially seeks to prohibit hiQ from viewing a sign publicly visible to all.

[in a footnote, the court continues:] To take the analogy above another step, when a business displays a sign in a storefront window for the public to view, it may not prohibit on pain of trespass a viewer from photographing that sign or viewing it with glare reducing sunglasses.

FFS. First, of course there’s no real property trespass when there is no physical encroachment on the retailer’s premises. See, e.g., every First Year Property course. Second, and more importantly, viewing or taking a photo of a sign through a window consumes absolutely zero scarce resources of the retailer. Viewing content–even that intended for public consumption–DOES consume scarce resources of the website operator, i.e., the server’s processing power, electricity and Internet connectivity. To me, that’s fatal to the analogy. Warning to my Internet Law students: bogus offline analogies, even accompanied a disclaimer that the analogy will be terrible, are a fast track to getting an opportunity to repeat my course.

* Like Venkat, I’m curious why there was no discussion about contracts a la Register.com v. Verio and its stupid “continuing to take benefits knowing there were terms attached which had been communicated in a C&D letter” (and don’t forget the case raised huge competition concerns). I’m also curious why there was no discussion about common law trespass to chattels or copyright.

* The court’s discussion of the First Amendment includes this passage:

Because the Court rejects LinkedIn‟s interpretation on the grounds discussed above, it need not reach hiQ’s First Amendment arguments.

Yet, despite this declaration that it need not keep talking, the court keeps talking…

LinkedIn is not a state official or governmental agency; it is a private party and there is no evidence that the CFAA has served to compel or encourage LinkedIn to withdraw hiQ‟s authorization to access its website.

So far so good. But then…

because the act of viewing a publicly accessible website is likely protected by the First Amendment [cite to Packingham], the doctrine of constitutional avoidance might well be properly considered in interpreting the CFAA, even if the First Amendment were not directly implicated in this particular case….The doctrine of constitutional avoidance, if applicable, would substantiate the Court’s doubt about the applicability of the CFAA to hiQ’s conduct.

What does that even mean?

Also, I’m going to blog another case citing Packingham for the plaintiff soon. Collectively, it looks like some courts are reading Packingham to enshrine a general purpose right of users to get content without restriction on the Internet–which would be an interesting and potentially far-reaching implication of the ruling.

* The court’s discussion about antitrust should send chills down the spines of Facebook and Google. They leverage their data advantages to compete effectively in multiple markets.

[Note: the picture above is from hiQ’s website which has a page devoted to this case (“Our Commitment to Privacy, Free Speech and Fair Use“).]

Case citation: hiQ Labs, Inc. v. LinkedIn, 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017).

Related posts:

Scraping Lawsuit Survives Dismissal Motion–CouponCabin v. Savings.com

QVC Can’t Stop Web Scraping–QVC v. Resultly (Forbes Cross-Post)

Multiple Listing Service Gets Favorable Appellate Ruling in Scraping Lawsuit

Anti-Scraping Lawsuits Are Going Crazy in the Real Estate Industry (Catch-Up Post)

College Course Description Aggregator Loses First Round in Fight Against Competitor in Scraping Case — CollegeSource v. AcademyOne

Anti-Scraping Lawsuit Largely Gutted–Cvent v. Eventbrite

Interesting Database Scraping Case Survives Summary Judgment–Snap-On Business Solutions v. O’Neil

Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures — Facebook v. Power Ventures

Power.com Up For Auction — Facebook v. Power Ventures

Power.com Counterclaims Dismissed — Facebook v. Power Ventures

Judge Denies Facebook’s Request for Judgment on the Pleadings and Strikes Power.com Counterclaims — Facebook v. Power.com

Craigslist Wins Routine But Troubling Online Trespass to Chattels Ruling in 3Taps Case (Catch-up Post)

Craigslist’s Anti-Consumer Lawsuit Threatens to Break Internet Law–Craigslist v. 3Taps/Padmapper (Forbes Cross-Post)