Web Scraper’s Harvest is a Bumper Crop
hiQ Labs; LinkedIn; Computer Fraud and Abuse Act; Data Scraping
In Brief: Web scraping publically available information isn’t computer fraud.
Here’s What Happened: Web scraping or web harvesting is the extraction of data from a website. A “web bot” scampers about the web looking for data on a website, harvests the data and then loads it into a database or exports it into a format that can be utilized. Web scraping can be a marketing tool like lead generation. It can also be used for market analytics like brand monitoring, industry statistics and comparative shopping data.
LinkedIn is a professional networking site. Its members upload information about themselves as well as content that might be of interest. Members own their information and content. LinkedIn has tools to monitor the use of the website; including a tool that prohibits access by automated bots except for search engines like Google.
hiQ Labs Inc. is a data analytics company. It uses an automated web bot to scrape publically available information on LinkedIn Corp.’s website. This information includes information like people’s names, jobs, work histories and skills. hiQ creates “people analytics” for use by its customers. The customers use the information for employee recruiting and management intelligence.
hiQ filed a declaratory judgment action. The court granted hiQ’s motion for preliminary injunction to stop LinkedIn from blocking its access to the LinkedIn website. LinkedIn appealed. The matter bounced up to the US Supreme Court who remanded the case back to the Ninth Circuit Court of Appeals.
The Ninth Circuit focused on, inter alia¸ whether hiQ would succeed on the merits against LinkedIn’s on violation of the CFAA. The CFAA prohibits accessing a computer “without authorization”. According to the Ninth Circuit, “the pivotal CFAA question here is whether once hiQ received the cease-and-desist letter, any further scraping and use of LinkedIn’s data was ‘without authorization’ within the meaning of the CFAA and thus a violation of the statute.” If so, LinkedIn asserted, hiQ would have no legal right of access to LinkedIn’s data and so could not succeed on the merits.
The Ninth Circuit held that hiQ raised serious questions about whether its web bot accessed information “without authorization”. hiQ only accessed publically available information that was uploaded by LinkedIn’s members. It didn’t try to circumvent a password or breach a demarcation wall that protected private information.
The Ninth Circuit affirmed the entry of the preliminary injunction and remanded the case back to the district court.
Why You Should Know This: This opinion gives a succinct roadmap for data scraper bots. Stick to publically available information. Don’t try to reach protected private information.
Case Information: hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (U.S. 9th Cir. 2022)