Hiq Labs, Inc. v. Linkedin Corporation
FOR PUBLICATION (2019)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
The Computer Fraud and Abuse Act's prohibition on accessing a computer 'without authorization' applies only when a person circumvents a computer's generally applicable access permission rules, such as password requirements, to gain access to data not otherwise publicly available; it does not apply to accessing data that is openly accessible to the general public on a website.
Facts:
- LinkedIn, a professional networking website founded in 2002, allows its over 500 million members to post resumes and other professional information, which they own and can set to various privacy levels, including publicly visible profiles.
- HiQ Labs, Inc. (hiQ), a data analytics company founded in 2012, uses automated bots to collect information, such as name, job title, and work history, from these public LinkedIn profiles.
- HiQ uses the scraped public data with a proprietary algorithm to provide 'people analytics' products, including Keeper (identifies employee attrition risk) and Skill Mapper (summarizes aggregated employee skills), which it sells to business clients.
- LinkedIn representatives attended hiQ's 'Elevate' conferences beginning in October 2015, where hiQ discussed its business model, including its use of external data to predict employee attrition.
- LinkedIn's CEO announced in June 2017 that the company planned to leverage its platform data for new products for employers, and LinkedIn subsequently launched 'Talent Insights,' a product similar to hiQ's Skill Mapper.
- In May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting hiQ was violating LinkedIn's User Agreement and federal/state law, and informed hiQ that it had implemented technical measures to block hiQ's access.
- HiQ's entire business model depends on accessing public LinkedIn member profiles, and without such access, it would likely be forced to breach existing contracts, pass up prospective deals, stall financing, lay off employees, and cease operations.
Procedural Posture:
- HiQ Labs, Inc. filed suit in the United States District Court for the Northern District of California, seeking injunctive relief and a declaratory judgment against LinkedIn Corporation.
- HiQ Labs, Inc. filed a request for a temporary restraining order, which the parties subsequently agreed to convert into a motion for a preliminary injunction.
- The District Court granted hiQ’s motion for a preliminary injunction, ordering LinkedIn to withdraw its cease-and-desist letter, remove existing technical barriers to hiQ’s access to public profiles, and refrain from blocking hiQ’s access.
- LinkedIn Corporation (defendant-appellant) timely appealed the District Court’s preliminary injunction order to the United States Court of Appeals for the Ninth Circuit (plaintiff-appellee hiQ Labs, Inc.).
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does accessing and scraping publicly available data from a website, after receiving a cease-and-desist letter but without circumventing any password or similar authentication barriers, constitute accessing a computer 'without authorization' under the Computer Fraud and Abuse Act (CFAA)?
Opinions:
Majority - Berzon
No, accessing and scraping publicly available data from a website, without circumventing password protection or similar authentication, does not constitute accessing a computer 'without authorization' under the Computer Fraud and Abuse Act. The Ninth Circuit affirmed the district court's preliminary injunction, concluding that hiQ established a likelihood of irreparable harm because the survival of its business was threatened without access to the publicly available LinkedIn data. The balance of equities tipped decidedly in hiQ's favor; hiQ's likely demise outweighed LinkedIn's asserted privacy interests in publicly shared data, especially given LinkedIn's own use of similar data analytics and its allowance of public access. On the merits, hiQ raised serious questions regarding its tortious interference with contract claim, as LinkedIn's actions to block hiQ could be seen as intentional interference without a legitimate business purpose under California law, particularly since LinkedIn developed a competing product. Crucially, hiQ also raised a serious question as to whether its activities violated the CFAA. The court interpreted 'without authorization' in the CFAA narrowly, viewing it as an anti-intrusion statute, akin to 'breaking and entering,' intended to prevent access to private, password-protected systems. Legislative history supports this, analogizing prohibited conduct to forced entry into restricted areas. The court distinguished its prior rulings in United States v. Nosal (Nosal II) and Facebook, Inc. v. Power Ventures, Inc., noting they involved circumvention of password authentication or private systems. The court found that public LinkedIn profiles, accessible to anyone with an internet connection, fall outside the 'without authorization' scope. Applying the rule of lenity, the court favored a narrow interpretation of this criminal statute. The public interest also favored granting the injunction, preventing the possible creation of information monopolies by entities controlling large public data sets.
Concurring - Wallace
Judge Wallace concurred with the majority opinion's outcome and reasoning. He wrote separately to express concern about parties appealing preliminary injunctions merely to ascertain an appellate court's view on the merits, which he noted often leads to unnecessary delay and inefficient use of judicial resources. He emphasized that such appeals provide limited guidance because the factual record may be materially different at trial, and admonished district courts not to delay trial preparation pending interlocutory appeals.
Analysis:
This case significantly narrows the scope of the Computer Fraud and Abuse Act (CFAA), establishing that 'without authorization' generally refers to bypassing security measures like passwords for data not publicly available, rather than merely violating a website's terms of service or a cease-and-desist letter for public data. This interpretation provides greater certainty for data scrapers accessing open-source information and limits large platforms from unilaterally blocking competitors under federal anti-hacking law. It forces companies to rely on other legal theories like trespass to chattels or contract law, which may require demonstrable harm or contractual relationships, rather than the broad reach of the CFAA. The ruling also underscores the tension between data access for innovation and platform control, especially when platforms themselves compete with scrapers.
