LinkedIn Profiles and the Applicability of the Computer Fraud and Abuse Act
Published: September 19, 2019
LinkedIn is a popular professional networking website with more than half a billion members. Many of its users, in an effort to enhance their networking capabilities, make their profile public and available to anyone to review their personal details such as their employment, education, skill sets and other personal information. Although LinkedIn disclaims any ownership of the information its users post, this information has enormous value in the online marketplace.
For instance, web analytics companies have “harvested” this information for the purpose of analyzing it and/or selling their resulting analyses to third parties. One such company, HiQ Labs is a data analytics company that uses automated bots to harvest or “scrape” information from LinkedIn’s publicly available profiles, including data like names, job titles, work history and skills. HiQ Labs uses this information for two analytical products: (1) “Keeper,” which is used by employers to identify which employees are at the greatest risk of being recruited away so that they may take preventive measures; and (2) “Skill Mapper,” which aggregates the skill sets of employees in a particular workforce so that employers can determine where they may have “skill gaps.”
In May 2017, LinkedIn sent a cease and desist letter to HiQ Labs stating that it must stop accessing and copying data from LinkedIn’s servers and stated that LinkedIn would consider HiQ to be in violation of the Computer Fraud and Abuse Act (“CFAA”) (as well as other state and federal laws) if it continued its “scraping” activities. LinkedIn also warned HiQ that it had “implemented technical measures to prevent HiQ from accessing and assisting others to access LinkedIn’s site through systems that detect, monitor and block scraping activity.”
HiQ sued LinkedIn and sought a preliminary injunction preventing LinkedIn from taking these actions, claiming that they violated California law. HiQ also sought declaratory relief that LinkedIn could not invoke the CFAA (or other similar statutes) to shut down HiQ’s efforts. The District Court granted HiQ a preliminary injunction against LinkedIn after finding that HiQ had demonstrated a substantial likelihood of prevailing on the merits of its claims against LinkedIn and would suffer severe irreparable injury, i.e., the loss of its business model if such injunctive relief was not granted. LinkedIn immediately appealed this ruling to the Ninth Circuit.
After finding that the District Court did not abuse its discretion in finding the presence of irreparable harm, as well as the likelihood that HiQ would prevail under various state theories, the Ninth Circuit turned its attention to the applicability of the CFAA and whether LinkedIn could invoke it in an attempt to preempt HiQ’s state law claims. The CFAA prohibits a person or entity from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, … thereby obtain[ing] … information from any protected computer.…” (18 U.S.C. § 1030(a)(2).) The CFAA provides various criminal penalties and civil liability for violations of its provisions.
Under the CFAA, almost any computer that is attached to the internet is covered as a “protected computer.” This would include the servers that LinkedIn used to host its members’ public profiles from which HiQ Labs would “scrape” data.
The primary issue that the Ninth Circuit considered was whether the sending of the cease and desist letter by LinkedIn to HiQ Labs meant that any further access of LinkedIn’s public member profiles by HiQ constituted access “without authorization” in violation of the CFAA. The Ninth Circuit began by recognizing that in other contexts, it had recognized that “without authorization” should have a non-technical meaning, essentially meaning the accessing of “a protected computer without permission.” For instance, in United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016), the Ninth Circuit had held that an employee who used other employees’ log-in credentials to access his former employer’s computer system had accessed a “protected computer” “without authorization” in violation of the CFAA. HiQ Labs argued that where access to the computer information is open to the general public (such as LinkedIn’s public member profiles), CFAA’s requirement of “without authorization” was not applicable. The Ninth Circuit agreed with this reasoning, or in any event, concluded that it had “raised a serious question as to this issue” so that the District Court did not err in granting the injunction.
Next, the Ninth Circuit examined the CFAA’s legislative history and concluded that it also supported its decision. It noted that the CFAA “was enacted to prevent intentional intrusion onto someone else’s computer – specifically, computer hacking.” For instance, the original CFAA, in 1984, was limited to a narrow range of computers, primarily those containing national security information and financial data, or those operated by the government. In 1996, the CFAA was brought into any “protected computer” in order “to increase protection for the privacy and confidentiality of computer information.” The Ninth Circuit reasoned that “the CFAA is best understood as an anti-intrusion statute and not as a `misappropriation statute.'”
The Ninth Circuit also distinguished two cases, the Nosal case and Power Ventures v. Facebook, 844 F.3d 1058 (9th Cir. 2016), upon which LinkedIn was relying. The Court easily distinguished Nosal by finding that Nosal had used other employees’ log-in credentials to access his former employer’s computers and thus, the computer information that was accessed was “plainly one which no one could access without authorization.”
Likewise, in the Power Ventures v. Facebook case, Power Ventures had developed tools to circumvent I.P. barriers and gain access to password-protected Facebook profiles. Thus, Power Ventures was accessing data on Facebook servers that were protected by Facebook’s user name/password authentication system, which the Court reasoned was distinguishable from what HiQ was doing by “scraping” publicly available information.
The Ninth Circuit also stated that its limitation on the applicability of the CFAA to publicly available computer information was similar to its analysis of cases brought under the Stored Communication Act (“S.C.A.”), which contains a similar “without authorization” provision. Furthermore, given that the CFAA provides for criminal penalties (as well as civil liability), the “rule of lenity” favored adopting a narrow interpretation of the CFAA’s “without authorization” provision. Thus, the Ninth Circuit concluded that when a computer network generally permits public access to its data, especially given that LinkedIn claimed to have no ownership of the information posted by its users, the Court will generally find that no violation of the CFAA. The Ninth Circuit noted, however, that there could be other remedies available to LinkedIn for this type of conduct, including copyright infringement, misappropriation, unjust enrichment, and/or breach of privacy.
The Ninth Circuit’s decision in HiQ demonstrates that the Ninth Circuit is willing to place some limitations as to the scope of the CFAA’s applicability. However, given that the case is still in its preliminary stages, it is possible that the Court will allow LinkedIn to pursue other legal theories in an attempt to try to stop HiQ from “scraping” its publicly available member profiles. Stay tuned.