Social media companies (“SMC’s”) are constantly working to leverage data they gather from customers to develop new, innovative products and effective advertising strategies to market those products. At the same time, SMC’s face threats from competitors seeking to harvest and exploit the publicly-available customer data hosted on SMC servers. On the technology side, SMC’s employ increasingly sophisticated artificial intelligence (AI)-based software to prevent automated bots and web crawlers from accessing and scraping customer data from SMC websites. And, under the auspices of enforcing their own proprietary rights and their customers’ privacy rights, SMC’s have asserted a variety of legal claims – ranging from common law trespass and breach of contract theories to federal copyright and Computer Fraud and Abuse Action (CFAA) claims -- in an effort to shut down, or at least deter, their competitors’ efforts to access and “scrape” SMC customer data.
As judges have gained a better understanding of the technology and legal issues in these cases, the viability of some of these claims has been circumscribed.i Nevertheless, SMC’s have largely been on the offensive in this battle, primarily due to their ability to outspend their competitors, which are often start-ups lacking the resources for extended legal battles. The Ninth Circuit’s September 9, 2019 decision in hiQ Labs, Inc. v. LinkedIn Corporation,ii however, suggests a more favorable future for web scraping in general, and specifically highlights the effectiveness of smaller competitors’ strategy of “taking the battle” to larger SMCs rather than waiting to be sued.
HiQ Labs v. LinkedIn Corporation
In hiQ Labs, the Ninth Circuit affirmed the trial court’s preliminary injunction barring LinkedIn from blocking or otherwise hindering hiQ’s ability to “scrape” LinkedIn users’ public profiles. The underlying dispute in hiQ Labs centered on hiQ’s data analytics business model, which depends exclusively on its ability to scrape LinkedIn’s users’ public profile information. Using automated bots to harvest LinkedIn users’ name, job title, work history and skills, hiQ applies a proprietary algorithm to this data to yield “people analytics,” which it then sells to business clients to allow them to identify employees at the greatest risk of being recruited away, as well as to identify skill gaps in an employer’s workforce.
Rather than taking a defensive posture, hiQ went on the offensive and filed a pre-emptive lawsuit seeking a declaration that it was legally entitled to scrape LinkedIn user profiles and that LinkedIn could not lawfully invoke the federal and state laws identified in its cease-and-desist letter. HiQ also went a step further, and sought an injunction prohibiting LinkedIn from erecting technological barriers to hiQ’s automated bots. By doing so, hiQ effectively pivoted the Court’s analysis, and instead of being seen as an Internet parasite, hiQ was able to successfully argue that it was the victim of LinkedIn’s heavy-handed, anti-competitive tactics.iii And, by posturing the case as one requiring immediate injunctive relief, hiQ highlighted its strongest argument – that LinkedIn’s actions would destroy hiQ’s business – and reduced its burden of proof on establishing the likelihood of success on the merits of its legal claims.iv
The Ninth Circuit agreed that the CFAA’s prohibition against accessing a protected “without authorization” must be viewed in the context of the three types of information which exist on computers:
- Information for which access is open to the general public and permission is not required
- Information for which authorization is required and has been given; i.e., username and password authentication
- Information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed.)
According to the Ninth Circuit, the information which hiQ accessed and “scraped” fell into the first category of “computer information” for which no permission was required. As such, the court found that liability under the CFAA could not be based on LinkedIn’s digital user agreement or the express revocation of hiQ’s access rights contained in LinkedIn’s cease-and-desist letter.viii
The Renewed Importance of Requiring Password Authentication of Customer/User Data for CFAA Liability
The Ninth Circuit’s decision underscores the importance of user authentication systems in determining whether liability under the CFAA will be triggered. In U.S. v. Nosal, 844 F.3d 1024 (9th Cir. 2016) (“Nosal II”), the Ninth Circuit held that a former employee whose computer access rights had been terminated when he left his employer, but who had then used current employees’ login credentials to access company computers and collect confidential information, had acted “without authorization” in violation of the CFAA. Nosal II, 844 F.3d at 1038. Similarly, in Facebook v. Power Ventures, Inc, 844 F.3d 1058 (9th Cir. 2016), the Ninth Circuit held that Power Ventures, a social networking website that aggregated social networking information from multiple platforms, had violated the CFAA by accessing Facebook users’ password-protected data (e-mail/contact information) and then using that data to send mass e-mail messages as part of a promotional campaign. Id. at 1062-63.
Using its newly-articulated analytical framework, the Ninth Circuit in hiQ Labs observed that, unlike LinkedIn users’ public profiles, the computer information being accessed in Nosal II and Power Ventures was “plainly” the type where authorization was generally required; i.e., requiring password authentication, and that authorization had either never been given or had been revoked:
It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using … an [username/password] authorization system.ix
On October 11, 2019, LinkedIn filed its Petition for Rehearing and Rehearing En Banc, seeking reversal of the three-judge’s panel’s September 9th decision.x
While the outcome on LinkedIn’s Petition is uncertain, one thing remains clear: the battle between SMC’s and “scrapers” is far from over. Even if the panel’s September 9th opinion remains intact, the Ninth Circuit made clear that SMCs and other online entities which view themselves as victims of data scrapping are not without legal recourse, noting that common law claims (e.g., trespass to chattels, unjust enrichment, conversion, breach of contract, and breach of privacy) and statutory claims (e.g., copyright infringement and misappropriation of trade secrets) may still be available.x
ii -- F.3d --, 2019 WL 4251998 (9th Cir. Sept. 9, 2019).
iii Id. at *9 (observing that LinkedIn’s conduct “may well not be ‘within the realm of fair competition.’) (citations omitted).
iv See Alliance for the Wild Rockies v. Cottrell, 632 F.3d 1127, 1131 (9th Cir. 2011) (adopting a sliding scale approach and holding that where the party seeking an injunction establishes irreparable harm is virtually certain, it need only demonstrate that there are “serious questions going to the merits” of its legal claims).
v -- F.3d --, 2019 WL 4251998 at * 5-6.
vi HiQ Labs v. LinkedIn Corp., 273 F.Supp.3d1099, 1110 (N.D. Cal. 2017).
vii Id. at 1112.
viii Id. at *12.
ix -- F.3d --, 2019 WL 4251998 at *14.
x HiQ Labs v. LinkedIn Corp., Case No. 17-16783 (9th Cir.), Dkt No. 82.
xi Id. (citing Associated Press v. Meltwater U.S. Holdings, Inc., 931 F.Supp.2d 537, 561 (S.D.N.Y. 2013) (holding that a software company’s conduct in scraping and aggregating copyrighted news articles was not protected by fair use)).