What Recent Rulings in 'hiQ v. LinkedIn' and Other Cases Say About the Legality of Data Scraping
LinkedIn obtained a permanent injunction on Dec. 6 in its six-year-old lawsuit against data scraping company hiQ Labs, which LinkedIn quickly cheered as a “final, decisive victory” that established an “important legal precedent.” While the stipulated injunction does prevent hiQ Labs from scraping LinkedIn’s data, the outcome of the lawsuit notably does not affect previous rulings by the U.S. Court of Appeals for the Ninth Circuit in the case against LinkedIn and in favor of companies that wish to scrape (i.e., automatically collect) publicly available data.
In particular, neither the outcome in this case nor a similar recent victory by Meta Platforms against scraper BrandTotal impacts the principle that platforms may not wield the federal Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030) to prohibit scraping publicly available data from their platforms.
The hiQ Labs case began when LinkedIn sent a cease and desist letter threatening hiQ with CFAA violations if it continued collecting publicly available data from the LinkedIn platform. In general terms, the CFAA is an anti-hacking statute that prohibits accessing protected computer systems “without authorization” or in excess of “authorized access.” 18 U.S.C. §1030(a)(2). For many years before this particular cease and desist, LinkedIn and other platform companies relied on the CFAA to crack down on collecting even the public-facing data on their websites.
After receiving the cease and desist, hiQ Labs sued and obtained a preliminary injunction that the Ninth Circuit later upheld. This important 2019 ruling (which the Ninth Circuit reaffirmed in April 2022 following a remand from the U.S. Supreme Court) narrowed the scope of the CFAA by finding that the law did not apply to the automatic collection of publicly accessible data. In other words, platforms such as LinkedIn and Meta could not designate portions of their public platforms as “off limits” to only certain individuals or companies.
Among other things, the Ninth Circuit found that interpreting the CFAA so broadly would give “companies like LinkedIn free rein to decide, on any basis, who can collect and use” publicly available data, which would risk “possible creation of information monopolies that would disserve the public interest.”
Other high-profile cases decided since the Ninth Circuit’s ruling further narrowed the CFAA in other ways. For example, in Van Buren v. U.S., the Supreme Court refused to apply the “exceeds authorized access” prong of the CFAA to a police officer who accepted a bribe to access a state license plate registry for improper purposes in violation of police department policy.
Reading the CFAA so broadly would criminalize “every violation of a computer-use policy” with the likely consequences that “millions of otherwise law-abiding citizens are criminals.” Id. at 1661; see also Sandvig v. Barr (“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature.”).
Nothing in the recent hiQ Labs v. LinkedIn permanent injunction or the summary judgment ruling that preceded it affects these principles. The trend initiated by the Ninth Circuit’s hiQ ruling in favor of open access to public data remains intact. Instead, the recent proceedings in the hiQ Labs case focused primarily on contract-based theories rather than the CFAA. LinkedIn did not even seek summary judgment on any affirmative CFAA claim—it instead obtained summary judgment on its contract and unfair competition claims.
The court granted summary judgment only as to one aspect of hiQ’s data collection activity: hiring contractors to create fake LinkedIn accounts for the explicit purpose of collecting logged-in data (referred to by the court as the “turkers” conduct). In another important summary judgment ruling in the scraping space, Meta Platforms v. BrandTotal Ltd., the court also refused to grant summary judgment to Meta Platforms on the CFAA as to two categories of data collection.
Like the recent hiQ Labs ruling, the court’s detailed summary judgment opinion focused largely on contract-based theories for prohibiting scraping. The court then held that scraping publicly available data did not violate the CFAA (citing hiQ Labs), nor did an “unauthorized person hiring an authorized agent to extract information from a computer system.” Meta Platforms v. BrandTotal Ltd., Case No. 20-cv-07182-JCS, Dkt. No. 344 at p. 57 (N.D. Cal. June 6, 2022).
These rulings suggest that courts are much more comfortable restricting scraping activity where the parties have agreed by contract (whether directly or through agents) not to scrape. But courts remain wary of applying the CFAA and the potential criminal consequences it carries to scraping. The apparent exception is when a company engages in a pattern of intentionally creating fake accounts to collect logged-in data.
What does all this mean for scraping? The case law is still unsettled, but some rules of thumb are starting to emerge. First, collecting only public data where the scraper has not agreed by contract to refrain from doing so is very unlikely to be a CFAA violation.
Second, intentionally creating fake accounts to collect logged-in data exposes scrapers to contract-based liability and potentially CFAA liability, too (though the Sandvig case arguably says the CFAA does not prohibit this conduct). Platforms have recently begun attacking this conduct by alleging anti-circumvention claims under the Digital Millennium Copyright Act as well.
Third, there’s a broad range of activities in a legal gray area in the middle, such as collecting data for a user with the user’s access credentials and explicit permission. We’ll have to wait for future cases to determine the CFAA’s potential application to that activity.
Reprinted with permission from the 12/22/22 issue of The Recorder. © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.