In an a recently published opinion, the Ninth Circuit answered the question whether “LinkedIn, the professional networking website, [may] prevent a competitor, hiQ, from collecting and using information that LinkedIn users have shared on their public profiles, available for viewing by anyone with a web browser?” In affirming the trial court’s injunction enjoining LinkedIn from blocking hiQ’s access to its users’ public profiles, the Ninth Circuit held, among other things, that hiQ’s scraping did not amount to accessing LinkedIn’s users’ data “without authorization,” in violation of the Computer Fraud and Abuse Act (“CFAA”), because the data hiQ was accessing was publicly available and therefore did not fall within the scope of the CFAA.
HiQ is a data analytics company that creates algorithms from data “scraped” from LinkedIn users’ public profiles. It then packages that information into products and services that identify for employers both those employees at the greatest risk of being recruited away, and skill gaps in employers’ workforces so that they can offer training in those areas. LinkedIn recently started marketing its own similar services using its users’ data, including tools which analyze what skills employers need to grow and where they can find employees with those skills. When LinkedIn discovered that hiQ was scraping LinkedIn’s users’ data to develop competing products, LinkedIn sent a cease and desist letter and implemented measures to block hiQ from accessing LinkedIn’s site. HiQ responded by filing suit and seeking injunctive relief. The trial court granted hiQ’s motion, enjoining LinkedIn from putting in place any legal or technical measures with the effect of blocking hiQ’s access to LinkedIn’s users’ public profiles.
On appeal, after determining that hiQ had adequately established the threat of irreparable harm and that the balance of the equities weighed in hiQ’s favor, the Ninth Circuit addressed whether hiQ’s claims were preempted by the CFAA, and if they were, whether hiQ had violated the CFAA when it continued to scrape and use LinkedIn’s data after it received LinkedIn’s cease and desist letter.
The CFAA provides that “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished” by fine or imprisonment. 18 U.S.C. § 1030(a)(2)(C). The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” which the Ninth Circuit described as “effectively any computer connected to the Internet . . . including servers, computers that manage network resources and provide data to other computers.”
Although it determined that hiQ had accessed “protected computers” when it scraped LinkedIn’s data, the Ninth Circuit held that hiQ had not accessed a computer “without authorization.” Relying on its prior opinions, the Ninth Circuit stated that the phrase “without authorization” is a non-technical term that means accessing a protected computer without permission. The Court also relied on the legislative history of the CFAA, which was originally passed in 1984 as an anti-intrusion statute, and the Court therefore determined that “unauthorized access” was analogous to “breaking and entering.” It is worth noting that a circuit split remains over this issue, with the Ninth Circuit rejecting the First and Eleventh Circuits’ interpretation that the CFAA broadly covers violations of corporate computer use restrictions and policies governing authorized uses of databases, not just “breaking and entering” type intrusions.
With that background in mind, the Court concluded that hiQ had raised a serious question “as to whether the reference to access ‘without authorization’ limits the scope of the statutory coverage [of the CFAA] to computer information for which authorization or access permission, such as password authentication, is generally required.” In other words, “the CFAA contemplates the existence of three kinds of computer information: (1) information for which access is open to the general public and permission is not required, (2) information for which authorization is required and has been given, and (3) information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed).” The Court therefore concluded that “[p]ublic LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to such information, the ‘breaking and entering’ analogue invoked so frequently during congressional consideration has no application, and the concept of ‘without authorization’ is inapt.”
The Ninth Circuit’s opinion is consistent with its previous rulings involving the CFAA, wherein the Court has favored a narrow interpretation of the statute, particularly given that the CFAA provides for criminal, as well as civil penalties. In recent years, employers have increasingly asserted CFAA claims against employees who have allegedly misappropriated the employers’ trade secrets by downloading confidential information from company computers “without authorization” or by “exceeding their authorized access.” But, as demonstrated by this recent ruling, the Ninth Circuit has been reluctant to turn “a criminal hacking statute” into a “sweeping internet-policing mandate” to be used against employees, and employers—particularly those within the Ninth Circuit’s jurisdiction—should be mindful of the Court’s narrow interpretation of the statute before asserting such claims.