Last week, hiQ Labs, Inc. (“hiQ”) filed its brief urging the Supreme Court to deny LinkedIn Corp.’s (“LinkedIn”) petition for a writ of certiorari in the Ninth Circuit’s blockbuster ruling in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In the prior ruling, the appeals court affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles. Most notably, the Ninth Circuit held that hiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing of that publicly available data will not constitute access “without authorization” under the CFAA. Considering the decision wrongly decided, LinkedIn filed its petition requesting Supreme Court review in March 2020. In it, LinkedIn declared that the hiQ decision was “unprecedented” and “denied operators of public-facing websites a critical means of protecting user data from unauthorized third-party scrapers.”
hiQ initially signaled its intent not to file any opposition, but the Court requested a response in April 2020.
In its opposition, hiQ framed the issue as:
“Whether a professional networking website may rely on the Computer Fraud and Abuse Act’s prohibition on ‘intentionally access[ing] a computer without authorization’ to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.”
hiQ put forth several reasons why the Court should deny the petition.
- Correct interpretation of “unauthorized access”: hiQ contended that the Ninth Circuit got it right in its narrow interpretation of the CFAA with respect to the scraping of publicly available website data: “The interpretation of the phrase ‘without authorization’ to exclude viewing and gathering public information—access to which requires no permission—flows naturally from the plain meaning of the phrase.” It rejected LinkedIn’s argument that the appeals court created some sort of password requirement with respect to when a website operator may garner CFAA protection for its networks, stating that the appeals court correctly read the statute to not reach public information.
- No true circuit split: hiQ further argued that LinkedIn’s suggestion that the Ninth Circuit’s ruling created a circuit split was “misleading.” LinkedIn argued that the Ninth Circuit decision was at odds with the First Circuit decision in the 2003 EF Cultural Travel. There, the court stated that a web scraper may be acting without “authorization” under the CFAA when it crawls a public website in contravention of posted terms of use containing prohibitions of scraping activities. hiQ argued that this conflict was “wholly illusory,” asserting that the EF Cultural decision was from an earlier age of the web, did not interpret the same issue of “unauthorized access” to publicly available website data (as LinkedIn suggested), and, in any event, merely concerned a fact-specific preliminary ruling about the ability of a court to enjoin a third-party that was allegedly aiding the defendant in scraping confidential data. hiQ also discounted LinkedIn’s argument that a host of district courts have issued rulings on the issue that support its position (e.g., 3Taps), finding the various lower court rulings immaterial to whether a circuit split existed or whether the Supreme Court should take the case. It even pointed to the recent Sandvig ruling where a D.C. district court held that the mere violation of website terms of use cannot form the basis of criminal liability for “unauthorized access” or “exceeding authorized access” under the CFAA and stated that “most courts agree with the hiQ Labs court’s interpretation of ‘accesses . . . without authorization’ as contemplating a ‘two-realm internet.’”
- Privacy issues unfounded: hiQ took issue with LinkedIn’s arguments that its pleading of the CFAA to control unwanted scraping of users’ public profile information implicated personal privacy issues. To hiQ, LinkedIn’s privacy arguments were “disingenuous” given that LinkedIn previously permitted hiQ to scrape user data and allegedly limited hiQ’s collection only after it decided to start its own data analytics service that crunched LinkedIn member data. hiQ argued further that, beyond the CFAA, LinkedIn has state remedies available to confront unwanted scraping and that the proper resolution of this issue is really a matter for Congress, as it involves complex data privacy issues and the balancing of interests better suited for the legislature. Interestingly, hiQ suggested that LinkedIn arbitrarily drew a distinction regarding access to members’ public profiles by an individual web user and a scraper: “LinkedIn wrongly seeks to distinguish between any member of the public and bots. The CFAA does not support drawing such a line.” [citations omitted].
- Poor vehicle for review: Finally, hiQ contended that even if the CFAA “unauthorized access” issue warranted clarification, this is a poor vehicle for such review, as the case concerns a preliminary ruling, and that the Supreme Court should wait for other circuit courts to weigh in on the issue before stepping in. On this point, hiQ noted the Court’s having recently accepted its first CFAA dispute with the Van Buren appeal, another important CFAA case concerning the scope of “exceeding authorized access” – in that instance, seven different circuit courts had issued rulings with some conflicting results, prompting the Court to resolve the split.
The LinkedIn-hiQ dispute is one of the most important web scraping cases to interpret the scope of CFAA liability, and we will certainly watch the proceedings closely. It is a case that is cited frequently by web scrapers to those inquiring as to the legality of their practice. Although the opinion was actually a narrow one based on specific facts, and the Ninth Circuit did not really address all of the related issues, scrapers hail the opinion as a green light for scraping generally. It would be helpful to have the Supreme Court’s view of the issue.
Perhaps it is unlikely the Court would accept two CFAA cases on its docket in the same year…still, the issue is an important one for the current digital age. Even if the Court declines LinkedIn’s petition, we still have the Van Buren case where the Court will examine the scope of the CFAA in a criminal context. Depending on the scope of that opinion, it may or may not resolve questions of civil liability in all “unauthorized access” scenarios that may arise in instances of unwanted data scraping.