This week, the U.S. Court of Appeals for the 9th Circuit ruled that screen scraping from public LinkedIn profiles likely does not breach the federal Computer Fraud and Abuse Act. As noted in a Law 360 story,
Ruling in favor of job-search startup hiQ Labs Inc., the appellate panel found that the high court’s June 2021 ruling in Van Buren v. U.S. narrowing the anti-hacking law’s scope only bolstered hiQ’s case that it did not breach the CFAA by continuing to scrape LinkedIn profile data to build a data analytics product despite receiving a cease-and-desist letter.
In Van Buren, the justices found that an ex-Georgia police officer did not breach the computer crime law — which bars accessing computers without or “in excess” of authorization — by abusing his access to police records to look up whether someone was an undercover officer in exchange for $6,000.
The high court suggested that the CFAA only applies in cases where someone is accused of breaking into or exceeding their approved access to a network that is protected, or which has its “gates up.” The computer fraud statute likely doesn’t apply, however, to cases involving data scraped in bulk by automated bots from publicly available sources like LinkedIn profiles, the appeals panel found Monday.
‘A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,’ wrote Circuit Judge Marsha Berzon for the court. ‘In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.’
‘Van Buren therefore reinforces our conclusion that the concept of ‘without authorization’ does not apply to public websites,’ Judge Berzon added.
The appeals court’s ruling affirms its September 2019 decision upholding a California district court’s preliminary injunction that allowed hiQ to keep scraping LinkedIn profile data to build a service that the startup says provides clients with recruiting and retention insights, including by telling them when employees may be looking for a new job.
LinkedIn appealed the Ninth Circuit’s original ruling to the Supreme Court, which in June 2021 ordered the appeals court to reconsider the case in light of the Van Buren decision. The impact of the Van Buren case has been closely followed by both corporate attorneys, who have said that the ruling limits the reach of a law companies have used to punish rogue insiders, and by privacy advocates concerned about companies scraping public data at scale to build products that could put consumers at risk.
The facial recognition startup Clearview AI, for example, says that it has collected billions of images posted to public platforms such as Facebook, Instagram and Twitter to build a database that allows users to identify someone by inputting a photograph of the person. Legal experts have said that the Ninth Circuit’s ruling in favor of hiQ could help Clearview escape liability under the CFAA, but the company has to date been unable to shake allegations that it breached state privacy laws like Illinois’ Biometric Privacy Information Act.
In a statement following the release of the opinion, LinkedIn said that “[t]This was a preliminary ruling and the case is far from over. We will continue to fight to protect our members’ ability to control the information they make available on LinkedIn.”
The case is hiQ Labs, Inc. v. LinkedIn Corp., U.S. Ct. App., 9th Cir., No. No. 17-16783.
Eric J. Ellman is Senior Vice President for Public Policy and Legal Affairs at the Consumer Data Industry Association (CDIA) in Washington, DC. He also served for eight months as Interim President and CEO of the Association. More