The Continuing Battle Over LinkedIn Profiles and the Applicability of the Computer Fraud and Abuse Act
April 28 2022
Over two and a half years ago, this column analyzed a Ninth Circuit case titled HiQ Labs, Inc. v. LinkedIn Corporation, in which the Court agreed with a lower court that had issued a preliminary injunction against LinkedIn from taking certain technical measures to prevent HiQ, a data analytics company, from “scraping” information from publicly available profiles on LinkedIn’s site. The Ninth Circuit concluded then that HiQ was not violating the Computer Fraud and Abuse Act (“CFAA”) because its activities were directed at publicly available information and therefore, it was not accessing LinkedIn’s computer systems either without authorization or in excess of such authorization as required to establish liability under the CFAA.
LinkedIn filed a petition for writ of certiorari with the U.S. Supreme Court seeking review of the Ninth Circuit’s decision. Coincidentally, another case involving the application of the CFAA was being considered during the same time period by the U.S. Supreme Court, Van Buren v. United States, 141 S.Ct. 1648 (2021). The Van Buren case involved a former Georgia police officer who, in exchange for money, would use the computer in his patrol car to access the law enforcement database to retrieve information about requested license plate numbers. In essence, the officer was using his valid credentials to access the police computer system but was using the system for non-law enforcement purposes. The officer became the subject of an FBI investigation and was charged with a felony violation of the CFAA. A jury voted to convict him after trial and he was subsequently sentenced to 18 months in prison.
In Van Buren, the U.S. Supreme Court reversed the officer’s conviction and applied a narrow reading of the CFAA. The U.S. Supreme Court essentially concluded that because the officer had been granted “access” to the areas of the database that he was accessing (even though for an improper purpose), he did not exceed his authorization and therefore the CFAA could not apply to his activities. The Court essentially adopted what has been described as “a gates up or down” approach to the CFAA.
In connection with the issuance of its ruling in Van Buren, the U.S. Supreme Court then granted LinkedIn’s petition for a writ of certiorari. The U.S. Supreme Court vacated the 2019 judgment of the Ninth Circuit and remanded the case back to the Ninth Circuit to reevaluate the issues in light of the Van Buren opinion.
On April 18, 2022, the Ninth Circuit issued its new opinion in the HiQ v. LinkedIn case and once again affirmed the preliminary injunction HiQ obtained against LinkedIn. The Ninth Circuit’s opinion largely tracks its earlier opinion, especially in concluding that the district court properly found the presence of irreparable harm to HiQ if an injunction was not granted, as well as the “balance of the equities” tilting in favor of HiQ in connection with its request for injunctive relief.
In addressing the CFAA issue, the Ninth Circuit once again found that the “pivotal CFAA question” was whether “once HiQ received LinkedIn’s cease and desist letter, any further scraping and use of LinkedIn’s data was `without authorization’ within the meaning of the CFAA.…” The Ninth Circuit began by recognizing that the CFAA phrase “without authorization” is a non-technical term and should be given “it’s plain and ordinary meaning.” In essence, the Ninth Circuit found that accessing a protected computer without permission was required to establish the “without authorization” prong. The Court continued by recognizing that “authorization” indicates an affirmative notion, i.e., that some steps have been taken to restrict and/or permit access to certain people. However, where sites like LinkedIn has “free access without authorization,” it was hard to find how one accessing the site has done so “without authorization.”
The Ninth Circuit reasoned that even if this conclusion was debatable, it could look at the legislative history of this CFAA, which was primarily “enacted to prevent intentional intrusion onto someone else’s computer, specifically computer hacking.” It noted that the CFAA was best “understood as an anti-intrusion statute and not as a `misappropriation statute.’” Furthermore, most of the early cases involving the CFAA generally applied only to computers that were not accessible to the general public, and therefore, some type of affirmative authorization was required to access them. The Ninth Circuit summarized its understanding of the CFAA by creating a three-category dichotomy: “(1) Computers for which access is open to the general public and permission is not required; (2) computers for which authorization is required and has been given; and (3) computers for which authorization is required but has not been given (or in the case of the prohibition unexceeding authorized access has not been given for the part of the system accessed).”
With this dichotomy in mind, the Ninth Circuit concluded that because public LinkedIn profiles are available to anyone with an internet connection, this type of computer system fell within the first category and therefore the concept of “without authorization” was not applicable. This was largely consistent with what the Ninth Circuit found in its first consideration of the issue back in 2019.
Following the direction of the U.S. Supreme Court in remanding the matter, the Ninth Circuit concluded that the Van Buren decision “reinforce[d] [the Ninth Circuit’s] interpretation of the CFAA.” The Ninth Circuit found that although Van Buren dealt with the “exceeds authorized access” clause of the CFAA, rather than the “without authorization” clause, it determined that the Supreme Court had ruled that: “liability under both clauses stems from a gates-up-or-down inquiry — one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.”
The Ninth Circuit concluded that this “gates up or down inquiry” was not inconsistent with the three-category dichotomy it had set forth earlier. The Ninth Circuit reasoned that the “gates up or down” inquiry was directly pertinent to the last two categories of its dichotomy. However, it concluded that computer systems in the first category, i.e., those computer systems that are open to the general public, essentially have no gate whatsoever. Therefore, the Ninth Circuit concluded that the U.S. Supreme Court’s opinion in Van Buren “reinforce[d] [the Ninth Circuit’s] conclusion that the concept of `without authorization does not apply to public websites” like LinkedIn.
There is some suggestion in the new Ninth Circuit opinion as to whether HiQ was still a going concern. While LinkedIn claimed that HiQ had ceased doing business during the pendency of the appeal to the U.S. Supreme Court, HiQ claimed that it had been approached by “prospective business partners” interested in its technology. Thus, it remains to be seen whether this second go-round before the Ninth Circuit is the final word on the interplay between the CFAA and websites accessible to the general public. It is possible that LinkedIn will seek further review of the Ninth Circuit’s from the U.S. Supreme Court like it did nearly three years ago.