As Everyone Expected Years Ago, hiQ’s CFAA Wins Don’t Mean It Can Freely Scrape–hiQ v. LinkedIn (Guest Blog Post, Part 1 of 2)

by Kieran McCarthy

[Eric’s note: this is the first of a two-part series on the denouement of the hiQ v. LinkedIn case. This part explains the most recent ruling, a devastating but not unexpected loss for hiQ. The next part debunks some of the myths that have grown up around the hiQ case during the years of judicial confusion it has caused.]

hiQ Labs, Inc. v. LinkedIn Corp. is known—at least by casual observers—as the most pro-web-scraping case in the history of US legal jurisprudence. In two separate opinions, the Ninth Circuit affirmed a preliminary injunction that gave hiQ Labs an affirmative right to access certain public profile data on LinkedIn’s site. So positive were these opinions for advocates of an open internet, that the Electronic Frontier Foundation declared “Victory!” when they were decided.

But scratch the surface, and this appears to have been a Pyrrhic victory. hiQ Labs has been dormant and effectively insolvent since 2019. Since then, an unspecified Generous Benefactor has been funding its legal fight, but apart from the trips to the Ninth Circuit on the CFAA claim, things haven’t been going well. In the fall of 2020, hiQ Labs had its antitrust claims dismissed. In spring 2021, hiQ Labs had its motion to dismiss denied on LinkedIn’s misappropriation, breach of contract, and trespass to chattels claims. Earlier this fall, the court dissolved its famous preliminary injunction on the basis that hiQ was no longer a going concern.

On November 4th (spoiler alert!), Ned Stark finally lost his head.

Judge Chen of the Northern District of California granted LinkedIn’s summary judgment motion on its breach of contract claim, granted summary judgment for LinkedIn on hiQ’s unfair competition and tortious interference claims, denied hiQ Labs’ motion on its CFAA claim, and granted in part LinkedIn’s motion for spoliation sanctions. The opinion.

Breach of Contract

On the breach of contract claim, LinkedIn moved for summary judgment on the basis that 1) hiQ’s scraping of its site violated the terms of its User Agreement, and 2) hiQ’s use of “turkers” to make fake accounts breached the terms of its User Agreement.

hiQ argued that LinkedIn’s User Agreement was self-contradictory and ambiguous. LinkedIn’s User Agreement includes a provision that warns users that public data may be copied and used by others. hiQ argued that this was a tacit acknowledgement that its conduct was expected and customary use of the site. The court disagreed:

Informing members that their data may be “see[n], cop[ied], and use[d]” does not contradict the prohibition against “scrap[ing], crawl[ing], or spider[ing] the Server.” The two concepts are not mutually exclusive—a warning to members that a third party may collect their public-facing data is not a blessing for third parties to do so through expressly prohibited means. Thus, the contract’s language itself does not create ambiguity within the User Agreement.

Judge Chen concluded that “the relevant language of the User Agreement unambiguously prohibits hiQ’s scraping and unauthorized use of the scraped data.”

With respect to the “turkers”, hiQ argued that it was not liable for its turkers’ conduct because they were independent contractors. The court found that the turkers were acting as agents of hiQ, and that hiQ was therefore liable for their conduct.

Affirmative Defenses

Additionally, hiQ raised four affirmative defenses to the breach of contract claim: 1) unclean hands, 2) waiver, 3) estoppel, and 4) unconscionability.

The court dismissed the unclean hands defense for failure to cite any analogous case law in support of its position.

hiQ argued that LinkedIn’s User Agreement was unconscionable because its terms were so overbroad that according to the literal language of the agreement, every visitor to the site was in some ways in violation of the agreement, allowing LinkedIn to selectively enforce the agreement for anti-competitive reasons. The court granted summary judgment on the unconscionability defense because “[n]o reasonable user would so interpret the User Agreement.”

The court found that summary judgment was improper on the waiver and the estoppel claims, as the court found that a reasonable jury could find in favor of hiQ on those defenses. That’s the closest thing to a silver lining there is in this opinion for hiQ Labs.

Noerr-Pennington/Cal. Civ. Code 47(b)

One of the most surprising parts of this opinion was the court’s treatment of hiQ’s intentional interference with a contract tort and unfair competition law claims. In the initial preliminary injunction ruling, the court gave an unusually rosy assessment of hiQ’s likelihood of success on those claims; here, the court slammed the door on those claims based on an obscure provision of the California Civil Code, Cal. Civ. Code Section 47(b), a form of litigation privilege which bars a claim based on communications from a judicial or quasi-judicial proceeding. hiQ argued that the pre-litigation communications that LinkedIn claimed gave rise to this privilege were part of a broader, anti-competitive scheme to shut down hiQ. The court was unreceptive to those arguments.

Five years ago, hiQ was the implicit beneficiary of a rarely employed legal theory (the essential facilities doctrine) that was used to justify a pro-scraping ruling. Now, it lost its strongest claims because of an even more obscure legal doctrine.

Motion to Dismiss Based on Statute of Limitations

hiQ moved for summary judgment of LinkedIn’s CFAA claim on the theory that it was time-barred based on the statute’s two-year statute of limitations.

For those who have been casually following this case, perhaps you might be wondering why hiQ did not also move to dismiss the CFAA claim based on the two very favorable Ninth Circuit opinions that affirmed its right to access public data. I cannot speak to the precise rationale for hiQ’s counsel’s actions, but I believe the reason is because subsequent discovery uncovered alleged evidence that not all of hiQ’s scraping consisted of public data. According to LinkedIn:

Previously, hiQ moved to dismiss LinkedIn’s CFAA counterclaim on the merits for failure to state a claim. But before this Court decided that motion, fact discovery revealed for the first time that hiQ had actively concealed critical facts concerning the nature and scale of its scraping—most notably that its primary product, Keeper, depended not merely on scraping what hiQ calls “public” data, but on using fake, logged-in accounts to obtain information behind LinkedIn’s password barrier. On the basis of this and other newly uncovered information, LinkedIn amended its CFAA counterclaim (unopposed by hiQ), and hiQ withdrew its motion to dismiss, pledging to address the merits on summary judgment. But now, hiQ has rightly concluded that it has no argument on the merits in light of the revelations during discovery.

Docket entry 358, LinkedIn Opposition to hiQ’s Motion for Summary Judgment.

With that, the CFAA opinion here is not as consequential as it would have been had the facts been as we had thought they were at the outset of litigation. Either way, the court denied hiQ Labs’ motion for summary judgment because it said that there was a genuine issue of material fact about who knew what and when, and whether that knowledge should be attributed to LinkedIn.

Spoliation Sanctions

Finally, the court partially granted LinkedIn’s motion for spoliation sanctions. Apparently, hiQ failed to preserve certain data, because it could not afford to pay its cloud server hosts when it ran out of money. When it did not pay its bills, data that was consequential to the litigation got deleted.

The court found that the spoliation was negligent, rather than intentional. The court issued a permissive adverse jury instruction, as opposed to the mandatory one that LinkedIn requested.

Big Picture

Ultimately, none of these legal holdings are that far afield from any other legal precedent—except for Judge Chen’s and the Ninth Circuit’s prior preliminary injunction opinions from this exact same case. Those opinions made broad and sweeping and policy statements about the power dynamics between scrapers and data hosts that this opinion makes no attempt to resolve. Notably, the Ninth Circuit said:

We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.

hiQ Labs I, 938 F.3d 985 at 1005; hiQ Labs II at 43.

Here we are, a few months later, and Judge Chen finds LinkedIn’s prohibition on data scraping in its User Agreement enforceable. And he makes no attempt to address the obvious policy dissonance between this opinion and those prior opinions.

We can interpolate why based on a variety of factors. The CFAA is in part a criminal statute and breach of contract claims are not. Preliminary injunction proceedings include a policy component and breach of contract claims do not. The facts of this case are not precisely what we originally thought. But that’s all speculation and guesswork.

Given the nature of Judge Chen’s prior PI opinion and the Ninth Circuit rulings, I expected at least some discussion of the policy implications of LinkedIn’s prohibiting data scraping through a contract. Judge Chen relied heavily on the policy implications when he decided five years ago that it should not be allowed to prohibit scraping under the CFAA. In many countries, such as Spain, for example, any purported contractual prohibition on collecting and using public data is void as against public policy. And while invalidating contracts based on public policy is rare, if ever there were a case to expect that conversation, I expected to see it discussed here.

The policy issues that the Ninth Circuit grappled with in the two hiQ Labs opinions have not changed. But the practical reality is that the district court did a complete 180 on the substantive issues before it. LinkedIn can enforce the prohibition on scraping in its User Agreement—which will likely allow it to receive a permanent injunction to prevent hiQ from accessing its data. That may not matter much to hiQ Labs since it is no longer a going concern. But that conclusion matters a lot to many other businesses that rely on access to public data as the lifeblood of their business.

__

Eric’s Comments

Kieran’s forthcoming sequel post provides a helpful post-mortem on the hiQ litigation generally, but I want to make sure you didn’t miss two critical points in this post:

1) The court said, unambiguously, that hiQ breached LinkedIn’s TOS. hiQ might have excuses, but the default legal principle is that scraping can be a TOS violation (at least, when the defendant is on notice of the terms).

2) hiQ’s CFAA “victories” mean nothing if it loses the breach of contract ruling. Either contracts or the CFAA is sufficient to stop hiQ’s scraping. hiQ had to win all of the legal doctrines to validate the legitimacy of its scraping. It couldn’t do that.

The baffling rulings in this case have wreaked havoc on the public’s understanding of the CFAA and scraping law. For that reason, I never taught any of the hiQ rulings in my Internet Law course. I’m not likely to start now.