Exploiting Scraped Data – A Privacy and Legal Minefield
September 12, 2020
Privacy Plus+
Privacy, Technology and Perspective
Exploiting Scraped Data – A Privacy and Legal Minefield. This week, let’s consider the implications of LinkedIn v. hiQ Labs, Inc., a Ninth Circuit decision late last year, which found that the automated scraping of publicly available personal data off of LinkedIn does not violate the Computer Fraud and Abuse Act (CFAA).
CFAA
As a refresher, the CFAA states that “[w]hoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished” by fine or imprisonment. 18 U.S.C. § 1030(a)(2)(C). Section 1030(g) provides for a civil cause of action under certain conditions.
The phrases “without authorization” and “exceeds authorized access” have been surprisingly controversial. A petition for certiorari to construe “without authorization” is pending in LinkedIn v. hiQ Labs, Inc., and certiorari to construe “exceeds authorized access” has already been granted in a criminal case where a police officer – clearly authorized to access a criminal database in the course of performing his duties – is accused of “exceed[ing]” his “authorized access” by looking something up for a civilian friend. (Van Buren v. United States, Dkt. 19-783 (petition for certiorari granted April 20, 2020).
Overview of the LinkedIn “Without authorization” Dispute
hiQ Labs, Inc. (hiQ) is a predictive employment analytics firm that uses automated bots to scrape personal data posted by LinkedIn users—such as, their names, employment histories, skills, and education. hiQ then processes that data through its proprietary algorithms in order to identify employees at the greatest risk of being recruited away, and sells a service to its corporate customers, which identifies employees who are flight risks, among other things.
LinkedIn sent hiQ a cease-and-desist letter, demanding that hiQ stop scraping its site, stating, among other things, that hiQ’s further access to the site would violate the CFAA because its scraping and use of LinkedIn’s data was “without authorization” within the meaning of the CFAA. Rather than stopping, hiQ filed suit, seeking an injunction and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA, the Digital Millennium Copyright Act, California Penal Code § 502(c), or the common law of trespass against it.
The district court issued a preliminary injunction in favor of hiQ, finding, in part, that hiQ raised a serious question as to whether hiQ’s scraping of publicly-available data constitutes “without authorization” under the CFAA.
The Ninth Circuit affirmed. It reasoned that the word “authorization” is an “affirmative notion,” so that the CFAA would apply only if access to the materials would require a specific permission. It further reasoned that the CFAA is an “anti-intrusion” statute, not a “misappropriation” one, and that hiQ hadn’t intruded by only accessing the public-facing data. Further, since the CFAA provides for criminal as well as civil penalties, the “rule of lenity” should apply and a narrow construction be given.
Now, LinkedIn has filed a Petition for a Writ of Certiorari to the United States Supreme Court (which includes the Ninth Circuit decision in the Appendix), that you can read by clicking here:
We are waiting now to see if the Supreme Court will agree to hear LinkedIn. The petition is fully briefed, so we expect to hear this fall if the Court will hear the case next spring.
Privacy Implications
In its petition, and significantly in our view, LinkedIn has raised important privacy issues. To greenlight hiQ’s scraping of LinkedIn’s public profiles, it argues, would be also to greenlight Clearview AI’s scraping of untold numbers of public sites for pictures of people’s faces – and no telling what else. You can read more about Clearview AI by clicking on the following link to this previous Privacy Plus+ post:
https://www.hoschmorris.com/privacy-plus-news/clear-views-about-clearview-ai
The Electronic Privacy Information Center (EPIC) also has moved for leave to file a brief as Amicus Curiae, describing particular privacy concerns, which available at the following link:
https://www.epic.org/amicus/cfaa/linkedin/EPIC-Amicus-LinkedIn-v-hiQ.pdf
Data privacy does not appear to concern hiQ, however, which points to LinkedIn’s positive celebration of hiQ’s activities until the time came when LinkedIn decided it wanted to offer similar products itself.
Be Careful Not to Over-Read Linkedin.
We doubt the Supreme Court will hear LinkedIn, because of the procedural posture, the lack of many conflicting decisions in lower courts, and the chance that its opinion in Van Buren will affect LinkedIn materially.
But this will leave us with a Ninth Circuit decision seeming to hold that it’s okay to scrape data off the public pages of a website, so long as you don’t sneak behind the password- or pay-wall.
That would not be a correct reading. The focus in LinkedIn has only been on the CFAA – an oft-amended 1986 statute in urgent need of congressional updating and overhaul. The Ninth Circuit could not have been clearer that to say data scraping from public websites might not be “without authorization” under the antique CFAA, is not to say it wouldn’t violate or infringe something else – such as, the Ninth Circuit specifically spelled out, trespass to chattels, copyright infringement, (common law) misappropriation, unjust enrichment, breach of contract, or breach of privacy.
So whether the Supreme Court grants certiorari or not, don’t read LinkedIn as carte blanche to scrape.
With bots already comprising some 37% or more of all internet traffic, and data being increasingly their target and prize, we have no doubt that there will be (1) more calls for Congress to update and clarify the CFAA; (2) more (and earlier) attention to website user-agreements; and (3) more litigation over these lesser-known, mostly state-based causes of action.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.