As competition for data analytics grows fierce, the Ninth Circuit has disfavored an attempt to lock down publicly available data against competition, signaling caution for those in the business of collecting or hosting such data.
HiQ’s business model relies on “scraping” public data from public professional profiles (primarily found on LinkedIn) and using those profiles to create data analytics to sell as business insights. HiQ alleged that, for at least two years, LinkedIn had known that hiQ uses bots to scrape data from public LinkedIn profiles for this purpose, but just one month before announcing the launch of its own data analytics initiative, LinkedIn sent hiQ a cease-and-desist letter and blocked it from accessing profile data hosted on LinkedIn. Thereafter, hiQ filed for a temporary restraining order (TRO) and declaratory judgment.
Judge Chen in the Northern District of California issued a preliminary injunction against LinkedIn, barring it from imposing any legal or technical barriers to hiQ’s access. He reasoned that hiQ had established a likelihood of irreparable harm and shown a sharp imbalance of hardships if it could no longer obtain the profile data undergirding its business. Judge Chen also indicated that hiQ had shown serious questions going to the merits of its claims, which include allegations of unfair business practices, intentional interference with contract and promissory estoppel, and violation of free speech under the California Constitution.
The Ninth Circuit affirmed Judge Chen’s decision under an abuse-of-discretion standard of review. It agreed that hiQ had shown a likelihood of irreparable harm and substantial hardship without access to the data. The Ninth Circuit held that LinkedIn had failed to identify privacy or property interests in the data that outweighed the risks to hiQ’s business. It also agreed that hiQ had presented serious questions as to the merits, but due to the issues presented on appeal, the court limited its merits analysis to hiQ’s claims for unfair competition and tortious interference with contractual relations and LinkedIn’s affirmative defense of Computer Fraud and Abuse Act (CFAA) preemption. The court also held that the injunction was in the public interest to prevent information monopolies.
The Ninth Circuit’s decision touches on three key issues for companies currently in – or seeking to enter – the business of hosting or mining public data online.
First, public data may weigh in favor of public, competitive use. In deciding that the balance of hardships tipped sharply in hiQ’s favor, and in evaluating the public interests at stake, the Ninth Circuit held that a company’s competitive interest in accessing public data outweighed the minimal privacy and security interests that LinkedIn had identified in response.
The court held that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly.” It further noted: “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”
The court further reasoned that while “Internet companies and the public do have a substantial interest in thwarting denial-of-service attacks and blocking abusive users, identity thieves, and other ill-intentioned actors,” hiQ’s usage did not present such a threat.
Second, to withdraw permissions for use of public data under the CFAA, actions may speak louder than words. The court held that hiQ had raised serious questions as to whether normal access of public online profiles stored on a server constitutes access “without authorization,” even after receipt of a cease-and-desist letter. LinkedIn argued that, once hiQ received the cease and desist letter, its use of the profile data was “without authorization” and thus a violation of the CFAA that preempted hiQ’s state law claims. The court rejected this interpretation.
Instead, the court reasoned that the statute’s legislative history and its language “forbidding ‘access[] . . . without authorization’” concerns access that is “not generally available,” for example, if password protections are imposed. The Ninth Circuit concluded that, because CFAA is an “anti-intrusion” statute rather than a “misappropriation statute,” it did not apply to public profiles “for which access is open to the general public and permission is not required.” This narrow view of the statute is shared by the Second and Fourth Circuits, in contrast with the First, Fifth, Seventh, and Eleventh Circuits, which have broadened the CFAA’s scope to prohibit abuse of permitted access for forbidden purposes.
Third, even for hosts of public data, data scraping might be first come, stay served. The court also held that hiQ had raised serious questions as to the merits of its claims for unfair competition and intentional interference with contractual relations. HiQ alleged that LinkedIn knew about its data scraping practices and its contracts with customers like eBay, Capital One, and GoDaddy and denied access to hiQ only after LinkedIn announced its decision to leverage its own data in a similar way.
Given this, LinkedIn’s knowing exclusion of hiQ could show anti-competitive intentions: “If companies like LinkedIn, whose servers hold vast amounts of public data, are permitted selectively to ban only potential competitors from accessing and using that otherwise public data, the result—complete exclusion of the original innovator in aggregating and analyzing the public information—may well be considered unfair competition under California law,” even if LinkedIn had a business purpose for the decision. The court held that, because LinkedIn allegedly knew about the contractual relationships, its disruption of those relationships would be justified only “to protect an interest that has greater social value than insuring the stability of the contract” that suffered interference.
Notwithstanding these holdings, the Ninth Circuit left LinkedIn ammunition by suggesting other state law claims that could apply. The court noted that trespass to chattels, copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract or breach of privacy could lie against a data scraper like hiQ. It remains to be seen if and how such claims will fare in defending the interests of data hosts like LinkedIn.