Who controls access to user data available online such as LinkedIn profiles? In hiQ Labs, Inc. v. LinkedIn Corp. the Ninth Circuit recently addressed this question, holding that LinkedIn does not have the right to control access to data publicly available on its website.
HiQ Labs provides “people analytics” to employers by “scraping” data from individuals’ public LinkedIn profiles. Scraping can be done manually or by automated means and involves the extraction of data from a website which is then organized for other uses. HiQ scraped LinkedIn user profile data by using bots (custom applications created to identify and copy large volumes of data). HiQ then used complex algorithms to analyze the data for specific customer needs.
Recognizing the value of such analytics to its own business, LinkedIn prohibited HiQ from scraping its user profiles, claiming these data were protected by, among other laws, the Computer Fraud and Abuse Act (“CFAA”). HiQ sued LinkedIn to regain access to LinkedIn’s user profiles, with the key question being whether LinkedIn could invoke the protections of CFAA by demanding that HiQ cease its scraping practices.
On appeal, the Ninth Circuit upheld the trial court’s injunction prohibiting LinkedIn from blocking HiQ from accessing its user profiles. The Court reasoned that LinkedIn’s purported interest in protecting its users from HiQ’s scraping was not persuasive as “LinkedIn has only a non-exclusive license” to its user data, and that members’ privacy expectations regarding information they have publicly shared is “uncertain at best.” In other words, LinkedIn does not own or control its users’ information.
The Court next turned to the CFAA, which, among other things, proscribes intentionally accessing computers without authorization. The Court reviewed both the wording of the statute and the legislative history in considering whether HiQ had violated CFAA’s restrictions. The Court focused on whether HiQ’s scraping of LinkedIn profile data constituted “without authorization.” The court found that “without authorization” required some barrier to access, such as a password, and did not apply to publicly-available information.
The Court noted that CFAA is an “anti-intrusion” (i.e., anti-hacking) statute, not one affecting misappropriation.
The Court pointed out that the CFAA contemplates three distinct forms of computer information: (1) public information for which permission is not required; (2) information that requires authorization, which has been given; and (3) information that requires authorization which has not been given. CFAA does not protect Category 1 data.
On this basis, the Court distinguished its past decisions that addressed Category 2 & 3 data. Here, by contrast, the case concerned Category 1 data, as the LinkedIn user data at issue in this lawsuit are available to anyone with internet access and without requiring a password.
As a consequence of HiQ, companies that host public online databases likely will not be able to invoke the protections of CFAA to deny competitors access to data its users have made public. Under the reasoning of HiQ, LinkedIn does not own its public user data, but merely hosts it. Where users make their information public, the host does not control the data and must permit access to all, and accessing such public information cannot constitute a violation of CFAA’s “without authorization” restrictions.