LinkedIn is challenging the U.S. Court of Appeals for the Ninth Circuit’s September ruling that the data aggregation and analytics company, hiQ Labs, Inc., can “scrape” personal data of users from LinkedIn’s platform, analyze the data, and sell its findings to employers. Earlier this month, the Supreme Court granted an extension for LinkedIn to submit its petition for a writ of certiorari. The Ninth Circuit found that LinkedIn “has no protected property interest in the data contributed by its users”; that the Computer Fraud and Abuse Act (CFAA), which prohibits intentionally accessing a computer without authorization, is not violated when data is scraped from websites where such data is publicly available; and that any privacy interests that LinkedIn users have in their personal data are not significant enough to outweigh hiQ’s interest in continuing its business, which depends on accessing, analyzing, and communicating information from LinkedIn. The Ninth Circuit’s decision conflicts with a 2003 decision by the U.S. Court of Appeals for the First Circuit in EF Cultural Travel BV v. Zefer Corp., which held that where a publicly available website explicitly bans data scrapers (e.g., in its terms of service), further access by data scrapers is “without authorization” under the CFAA.
Data scraping is a process through which a computer program (often referred to as a “bot”) extracts data from another program or codebase. In this case, hiQ uses bots to scrape data from LinkedIn users’ public profiles (including name, job title, work history, and skills); analyzes the information to identify, for example, employees at risk of being poached or that are likely searching for a new job; and sells its findings to employers. After discovering hiQ’s actions, LinkedIn sent the company a cease-and-desist letter, asserting that hiQ was in violation of its User Agreement and the CFAA, in addition to other laws, and demanding that hiQ stop accessing and copying data from its servers. The letter further stated that LinkedIn had installed technical measures to prevent hiQ from accessing LinkedIn’s website through systems that detect, monitor, and block data scraping activity. However, the Ninth Circuit ruled that “where the default is free access without authorization,” selective denial of access is a “ban” and not a lack of “authorization” under the CFAA.
If the Supreme Court grants certiorari, the case will have broad privacy implications. For example, the New York Times recently reported on Clearview AI, a company that has created a facial recognition app that has raised privacy concerns. The app allows users to upload a person’s photo, and, using a facial recognition algorithm, returns public photos of that person collected from websites including Facebook, YouTube, Twitter, Instagram, and Venmo, as well as links to the websites where those photos appear. The app relies on Clearview’s database of more than three billion photos, created by a data scraping program that automatically collects images of people’s faces across the internet (and that likely violates many websites’ terms of service). Should the Supreme Court rule in favor of hiQ, more companies like hiQ and Clearview AI could mine and use individuals’ personal information contained on publicly available websites regardless of the websites’ terms of service and without fear of violating the CFAA. Such a ruling would undermine the effectiveness of website terms of service explicitly prohibiting users from scraping data from websites, and narrow the CFAA’s application to websites that password-protect or use other barriers to help ensure that information is not available to the public.
Regardless of which way the Supreme Court rules, this case in one that privacy professionals will be closely watching and analyzing.
Mary Colleen Fowler, a third-year law student at the University of Kansas School of Law, contributed to this post. Ms. Fowler is a law clerk with Fey LLC.