In a scraping case that strikingly endorses an open, accessible Internet as a “social norm,” a California federal judge has issued a preliminary injunction blocking LinkedIn from preventing (or using technical countermeasures to prevent) a California startup from scraping publicly available user profile data for its analytics product.
In hiQ Labs, Inc. v. LinkedIn Corp., No. 17-cv-03301-EMC (N.D. Cal. Aug. 14, 2017), hiQ offered its clients information about their workforces (such as information about which employees are at risk of being recruited away) generated from its analysis of publicly available LinkedIn user profile data scraped by bots. LinkedIn sent hiQ two cease and desist letters demanding that hiQ stop any further scraping and threatening technical countermeasures to block further access to the LinkedIn site and that “[a]ny future access of any kind” to LinkedIn by hiQ would be “without authorization from LinkedIn.” LinkedIn asserted that the scraping was prohibited by its user agreement and that any further access to LinkedIn data would violate the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, and constitute trespass to computer chattels, among other causes of action. hiQ then brought suit to restore access based on (among other things) claims of unfair competition under California law and the position that its activities did not violate the CFAA.
The CFAA has been the primary weapon used by website owners in recent years against scrapers and other undesired third parties seeking access. The U.S. Court of Appeals for the Ninth Circuit’s 2016 ruling in Facebook, Inc. v. Power Ventures, Inc. (which was the focus of an earlier blog post here) examined the CFAA’s applicability in these instances and, along with the Nosal decisions discussed in Power Ventures, formed the primary legal backdrop for hiQ. The CFAA creates civil and criminal liability for computer trespass for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” 18 U.S.C. §1030(a)(2)(C). In Power Ventures, the appellate court held that (1) accessing a site in violation of a website user agreement, without more, does not violate the CFAA, but (2) continuing to access the site in the face of explicit notification (such as a cease and desist letter) that the access is unauthorized can establish a CFAA claim. LinkedIn’s cease and desist letters to hiQ, with their clear statement that any further access to LinkedIn was “without authorization,” would appear to be sufficiently explicit to satisfy this requirement and revoke hiQ’s access rights. However, while Power Ventures involved the permitted use of user credentials to access Facebook, the areas of Facebook which Power accessed were not publicly viewable.
Although the district court’s ruling in hiQ was not a final pronouncement on the parties’ various claims (hiQ was merely required to show the existence of “serious questions” going to the merits of the case in order to get a preliminary injunction to prevent LinkedIn from taking action that would have effectively shut hiQ’s business down before it had an opportunity to develop and try its case), Judge Edward M. Chen did not resist the chance to weigh in on the central CFAA question plaguing many Internet lawyers and their clients, particularly scrapers: how a website owner can selectively prevent (through either legal action or technical countermeasures like IP address blocking) access to a public-facing website where the access, though undesired, causes no disruption to the site or other harm? Judge Chen’s answer, if it is adopted by other courts, could go a long way toward de-fanging the CFAA and its common-law analogue, trespass to computer chattels, in scraping cases.
According to Judge Chen, the CFAA violations in Power Ventures and Nosal rulings derived from the fact that the defendants there accessed areas of computer systems protected by password authentication (“the private interior of a computer system”), and the CFAA, which was originally enacted in 1984 to deal with the hacking of password-protected mainframes, was never “intended to police traffic to publicly available websites on the Internet.” Chen, therefore, rejected a straight literal reading of the statutory term “authorization” due to a troubling “potential for such exercise of power over access to publicly available information by a privacy entity weaponized by the potential of criminal sanctions” (which are a possibility, along with civil damages, under the CFAA). Chen’s opinion strongly endorsed the reasoning of George Washington University law professor Orin Kerr that a “social norm” of presumed openness and accessibility of public Internet sites should govern trespass law in the digital realm and be read into the CFAA. Under this approach, whether activity is “authorized” or not depends not on what the site owner claims in a cease and desist letter, but on whether the accused digital trespasser would need to bypass an authentication requirement to gain access. If the site owner has imposed such a requirement, then the defendant risks violating the CFAA if it proceeds to access the site without permission or if permission has been explicitly revoked (as in Power Ventures).
Interestingly, Chen’s adoption of Professor Kerr’s legal theory went even further, to embrace bypassing of technical countermeasures when these are deployed to block access to a public site. So, for example, Chen (quoting Kerr) noted that unlike a password gate, a CAPTCHA (the purpose of which is to block bots from accessing a site) is not intended to limit access to certain individuals, but rather to slow a user’s access. Therefore, employing an automated program to bypass a CAPTCHA for a public site does not constitute entry to the site “without authorization” and should not violate the CFAA! Of course, certain technical measures like IP address blocking are more directed to blocking particular individuals or entities. Nevertheless, Chen concluded that “[a] user does not ‘access’ a computer ‘without authorization’ [in violation of the CFAA] by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.” Thus hiQ’s circumvention of LinkedIn’s IP address blocks should not give rise to liability.
The district court largely dismissed the end user privacy considerations which LinkedIn raised to attempt to legitimate its actions against hiQ’s scraping. While the evidence was preliminary, the court noted that LinkedIn permitted the collection of publicly available user data by other third parties (as well as use it in LinkedIn’s own analytics product) and that by choosing a setting that allowed their data to be viewed by the public, the users showed little expectation of privacy.
The court also found that hiQ had raised serious questions as to whether it had rights against LinkedIn under state law, specifically California’s Unfair Competition Law, Cal. Bus. & Prof. Code §17200 et seq. Previously LinkedIn had allowed, or at least tolerated, hiQ’s use of LinkedIn data. However, hiQ presented evidence that LinkedIn’s change in tune may have been motivated by its desire to use its user profile data for a competing analytics product, which potentially raised antitrust concerns. In light of these findings and analysis, the court took the extraordinary step of not only restraining enforcement of the CFAA against hiQ but also issuing a preliminary injunction forcing LinkedIn to lift its technical countermeasures and withdraw its cease and desist letters.
It must be emphasized that the court’s ruling in hiQ is just a preliminary read on the CFAA and computer trespass issues raised in the case. As the litigation proceeds, additional evidence may emerge that shifts the court’s balancing of the equities or its CFAA analysis. Moreover, since Judge Chen’s adoption of Professor Kerr’s “social norm of openness” represents a major evolution of the legal doctrine beyond the Ninth Circuit’s reasoning in the Power Ventures and Nosal cases (even though there is a common-sense basis to distinguish those cases based on the facts, as Judge Chen did), it is an open question whether the Ninth Circuit or other courts will embrace his approach. Furthermore, as the court made clear, the opinion should not be read to forestall a CFAA or computer trespass suit where there is actual site disruption, or a copyright infringement suit where copyrightable material is reproduced and exploited.
All that being said, however, the hiQ decision represents an important effort to rationalize the rather confused case law relevant to scraping as well as harmonize the CFAA’s verbiage with the widespread acceptance of scraping as a legitimate information gathering tool. This is a case that should be followed very closely.