Microsoft subsidiary LinkedIn lost an appeal in the 9th U.S. Circuit Court of Appeals on Monday against hiQ Labs Inc., with three justices unanimously ruling that hiQ could continue scraping publicly available information off the site, Reuters reported.
LinkedIn sent a cease-and-desist to hiQ, a data analytics firm, in 2017, arguing in part that the latter company’s practice of scraping publicly available information from their platform violated the 1986 Computer Fraud and Abuse Act (CFAA). The CFAA is infamously vaguely written and makes it illegal to access a “protected computer” without or in excess of “authorization”—opening the door to sweeping interpretations that could be used to criminalize conduct not even close to what would traditionally be understood as hacking. (As TechDirt noted in 2016, the vagueness of “authorization” seems to invite big tech companies to direct the ire of federal prosecutors based on their own incentives “rather than by policy.”) Per Ars Technica, hiQ then sued LinkedIn “seeking not only a declaration that its scraping activities were not hacking but also an order banning LinkedIn from interfering.”
hiQ won an injunction in 2017 preventing LinkedIn from blacklisting it from the site with technical tools. Monday’s ruling both upholds that injunction and finds that scraping publicly available data doesn’t violate the CFAA.
Circuit Judge Marsha Berzon wrote that hiQ could go out of business without an injunction, and argued that allowing companies control over who can use publicly available data would give them too much power, Reuters wrote:
She also said giving companies such as LinkedIn “free rein” over who can use public user data risked creating “information monopolies” that harm the public interest.
“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles,” Berzon wrote. “And as to the publicly available profiles, the users quite evidently intend them to be accessed by others,” including prospective employers.
According to Ars Technica, the judges also noted that in the 1980s the CFAA applied to specific computer systems with financial, military, or protected data, not the sprawling public internet of today: “None of the computers to which the CFAA initially applied were accessible to the general public. Affirmative authorization of some kind was presumptively required.” Conversely, public LinkedIn profiles are explicitly meant by their creators to be available to anyone with an internet connection.
Berzon also suggested that if LinkedIn really wanted to stop the data scraping, it could simply make all profiles private: “Of course, LinkedIn could satisfy its ‘free rider’ concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line.”
The ruling “doesn’t establish that scraping websites is completely legal, but it goes a long way toward establishing that it’s not a federal crime,” University of California, Berkeley law professor Orin Kerr told the Associated Press. Kerr added that the ruling certified people “can’t be arrested and prosecuted just for visiting” a website.