hiQ Labs v. LinkedIn Corp.

United States Court of Appeals for the Ninth Circuit, September 9, 2019

Facts:

Defendant LinkedIn runs a professional networking website. Most members' profiles on the site are publicly visible, although members can set them not to be. Plaintiff hiQ runs an automated program to visit all of the publicly visible profiles and save all the users' names, job titles, work history, and skills, so that it can perform analytics on them.

LinkedIn has a robots.txt file which forbids automated programs from accessing its site except for a specific list of bots—mainly search engines like Google and Bing. LinkedIn also has systems in place to automatically block IP addresses of suspected scraping bots, denying them access to the website.

hiQ disobeyed LinkedIn's commands and scraped the site anyway. LinkedIn responded by sending hiQ a cease-and-desist letter, claiming that hiQ violated LinkedIn's User Agreement and that in continuing to do so, it would violate the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, California Penal Code § 502(c), and California common law of trespass. In response to LinkedIn's threats to block access to its public pages, hiQ filed suit seeking an injunction and declaratory judgment against LinkedIn.

Procedural History:

The district court granted hiQ's motion for a preliminary injunction against LinkedIn, requiring it to allow hiQ access to scrape its site.

Judgment:

Affirmed.

Rules:

  • "A plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest." (Page 11)

  • Although monetary loss alone is not normally enough for irreparable harm, a threat of "extinction" of a business is.

Reasoning:

  • As hiQ's entire business depends on being able to access public LinkedIn profiles, it would likely be forced to breach its existing contracts and shutter its operations without this injunction.

  • This creates clear harm to hiQ. LinkedIn claims that it would suffer harm too, as it would lose the goodwill of members who do not want their publicly available information to be read by the public. However, as the information is publicly accessible, there is little evidence for an expectation of privacy. Whatever interests LinkedIn has, they do not outweigh hiQ's.

Issue:

Does web scraping a publicly accessible site against the site owner's commands violate the CFAA?

Reasoning:

hiQ claims that LinkedIn tortiously interfered with its contracts with its clients. LinkedIn does not challenge any elements of this claim, but claims that it has a "legitimate business purpose" that could justify the intentional inducement of a contract breach. Its asserted interests are relatively weak, however, and LinkedIn may well not be able to demonstrate such a purpose. Thus, the questions hiQ has raised on this claim are sufficient to support the injunction.

LinkedIn's other argument is that hiQ violated the CFAA, which makes it illegal "[to access] a computer without authorization or [to exceed] authorized access, and thereby [obtain] . . . information from any protected computer" and allows civil suits for such violations as well. LinkedIn's servers are "protected computer[s]," thus the pivotal question is whether hiQ's access thereof was "without authorization."

The phrase "without authorization" is a non-technical term that means accessing a protected computer without permission. However, that case still involved accessing a private computer for which user credentials were required. The phrasing of the statute suggests a situation where access is not generally available and which requires affirmative permission to access the computer. Where the access is publicly available, it should be called a ban, not a lack of authorization. The legislative history supports this construction, as it was designed to prevent computer hacking, not misappropriation. It only protects private information, not access to publicly available websites.

Rule/Holding:

Web scraping does not violate the CFAA.

Reasoning:

Finally, in contrast to the parties' interests, the public interest must also be considered. hiQ argues that letting large companies have sole control over their data gives them too much control. LinkedIn argues that allowing such scraping will invite people to attack its servers and force it to password-protect its data and cut off public access.

The public interest favors hiQ's position, as allowing companies to have sole control over the data they collect but do not own risks creating "information monopolies that would disserve the public interest."

Concurring Opinion:

Wallace: LinkedIn's desire that the CFAA question be decided in this injunction since it would have come up in trial anyway gives me concern. Appealing from a preliminary injunction to obtain an appellate court's view of the merits often causes delay in the case and inefficient use of judicial resources. Similarly, the district court did not try at all to prepare the case for trial until this appeal was finished, which we have told district courts not to do. The case, which the parties claim to be urgent, might have already been decided if they had not waited nearly two years for this appellate outcome.