The Legal Battle Between hiQ and LinkedIn Over Public User Data

One of the central issues for social media and professional networking sites is who “owns” or can exert control over user information shared on the platform. Typically, the rights of platform users are set forth in a Terms of Use agreement between the platform and the user. However, it is unclear how much control the platform can exert over that data once it is published by the user.

In hiQ Labs, Inc. v. LinkedIn Corp., No. 17-CV-03301-EMC, 2017 BL 284160 (N.D. Cal. Aug. 14, 2017), a district court examined whether social and professional networking sites like LinkedIn have the right to prevent third parties from collecting public user data for analysis and sharing. The case arose when LinkedIn threatened to prevent hiQ Labs Inc. (hiQ) from scraping public user data from the LinkedIn site for use in its consulting services. The court found in favor of hiQ, and issued an injunction to stop LinkedIn from blocking hiQ’s access to information posted by LinkedIn users. hiQ Labs, Inc. v. LinkedIn Corp. at 13.

The hiQ Labs Complaint

LinkedIn is a major professional networking site with over 500 million users who use the platform to post information about their skills and professional experience and connect with other users. Each user clicks-through the LinkedIn User Agreement that, among other provisions, prohibits various methods of data collection from the site. Each user is allowed to choose the level of privacy for the content they post to their individual account. Users can choose to keep their profiles entirely private, or to share their profiles with LinkedIn members that are their connections, or to share their information with the public.

hiQ is a human resources tech startup based in San Francisco. Through data science and analysis, hiQ provides insights to corporate clients about current and potential employees. hiQ’s business model relies on utilizing public LinkedIn profile data to predict how likely certain employees are to stay or leave their company, so companies can better manage talent. In order to collect LinkedIn data, hiQ uses software that “scrapes,” or automatically collects, public information posted by LinkedIn users to the site. hiQ has been relying on LinkedIn user posted public information since it was founded in 2012.

In May 2017, LinkedIn sent a cease and desist letter to hiQ, demanding that hiQ immediately halt “unauthorized data scraping and other violations of LinkedIn’s User Agreement.” Id. at 2. LinkedIn cited the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) as legal grounds for its demand, along with several state and common law claims. In response, hiQ filed a complaint requesting the court enjoin LinkedIn from taking measures to prevent it from scraping user data, arguing that LinkedIn has no right to prevent third parties from accessing data that LinkedIn users have already agreed would be public. Moreover, hiQ stated that LinkedIn does not legally own user data. With respect to LinkedIn’s claims under the DMCA, hiQ responded that LinkedIn has no copyright claim to information on its users’ profiles. hiQ also asserted that LinkedIn’s threat to block hiQ from accessing its site was a violation of the California Unfair Competition Law.

In its complaint seeking an injunction, hiQ pointed out that the LinkedIn user data it collects is available to “anyone with an internet connection” since the LinkedIn members can choose to permit general access by the public to their data, notwithstanding whether or not the viewer has a LinkedIn account. Complaint at 2, hiQ Labs v. LinkedIn Corp., No. 17-CV-03301-EMC, (N.D. Cal. 2017). hiQ argued that users who chose that option were basically making their profile data available to everyone online, hiQ included.

The Response from LinkedIn

In response, LinkedIn relied in large part on potential concerns its users might have regarding hiQ’s collection of their data. LinkedIn pointed out that hiQ has used the collected data for purposes that is not in the users’ best interest. For instance, hiQ generates “flight risk” scores for employers to determine which employees are likely looking for another job based on their LinkedIn profile data. LinkedIn also argued that hiQ never asked permission to scrape user data—and that LinkedIn would have said no if it had been asked.

LinkedIn maintained that hiQ was in violation of the CFAA, in addition to the LinkedIn User Agreement, which hiQ had agreed to online numerous times. LinkedIn argued further that hiQ never gave users a chance to “opt out” of its data scraping, and has no privacy policy to inform users how their data may be used.

The fact that hiQ’s business model was solely dependent on LinkedIn data, LinkedIn argued, was the fault of hiQ. LinkedIn noted that many other businesses in the HR tech space exist that do not rely on LinkedIn’s public user data.

The Court’s Decision

In order to obtain a preliminary injunction, the party seeking the injunction must show that it is likely to succeed on the merits, is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tip in its favor, and that an injunction is in the public interest. 2017 BL 284160 at 3 (citing Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20, 129 S.Ct. 365, 172 L.Ed.2d 249 (2008)). Applying this standard, the court ruled in favor of hiQ, granting an preliminary injunction that prevented LinkedIn from blocking hiQ’s access to LinkedIn’s public data. Id.

With respect to the irreparable harm requirement and the balance of hardships, the court sided with hiQ. Id at 2. The Court noted that without access to public LinkedIn user data, hiQ would suffer severe economic hardship. Id at 13. hiQ would have to alter their existing product, cease discussions with potential clients, lay off employees, and most likely go out of business.

In contrast, the court found that the harm alleged by LinkedIn was speculative, particularly in light of LinkedIn’s failure to point to negative effects from hiQ’s scraping of its data which had been ongoing for at least five years. Id. at 2. This, the court stated, tilted the balance of hardships in hiQ’s favor. Id.

Regarding LinkedIn’s contentions that hiQ was in violation of the CFFA, the court reasoned that the LinkedIn user data being scraped by hiQ was public data, and that hiQ did not circumvent any safeguard or security measure to gain access to the data. The court noted that allowing a private entity to police access to public information on the web is a result that was not contemplated by the drafters of the CFAA. Id. at 8. The court also determined that hiQ, at a minimum, had raised serious questions with respect to LinkedIn’s claim that hiQ’s use of the LinkedIn data violated the DMCA. Id. at 13. Furthermore, the court agreed with hiQ’s argument that LinkedIn’s threat to selectively block hiQ’s access to public user data posted to LinkedIn could be in violation of California’s Unfair Competition Law. Id.

The injunction granted in favor of hiQ is notable because it affirmatively prohibits LinkedIn from taking steps to protect user data posted on its own service. Indeed, the injunction prevents LinkedIn from implementing technical countermeasures against activity that is expressly prohibited by its own user agreement. The court goes further to suggest that even automated scraping accomplished with software designed to overcome technical barriers (for example, a “captcha” tool that requires entry of a scrambled image) may not violate the CFAA. The court explained that “[a] user does not ‘access’ a computer ‘without authorization’ by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.” hiQ Labs, at 8.

Notwithstanding the decision in hiQ, companies that engage in scraping of data from third-party sites should not read the court’s ruling as a blank check to engage in such activity. Numerous other cases that have suggested accessing and using data from internet websites in ways that are prohibited by the website owner constitute potential CFAA violations. See, e.g., Craigslist, Inc. v. 3Taps Inc., 942 F. Supp. 2d 962, 969-70 (N.D. Cal. 2013) (finding that automated scraping of data was a potential CFAA violation, particularly when there were technical barriers in place to prevent such scraping); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1068 (9th Cir. 2016) (prohibited use of the social platform constituted a CFAA violation after permission was expressly revoked in a cease and desist letter); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 585 (1st Cir. 2001) (finding that a district court properly entered a preliminary injunction preventing certain data scraping activity alleged to violate the CFAA).

The fact that the data at issue in hiQ was public, in the sense that it was designated by the relevant LinkedIn users as “public” and made public through the LinkedIn website, appears to have been a persuasive fact to the hiQ court. If the data being scraped were user data protected by countermeasures including, for example, password protection, the court may have ruled differently.