The Ninth Circuit Court of Appeals reaffirmed that web scraping is legal, provided access is authorized. In the hiQ Labs vs. LinkedIn case, LinkedIn contended the former’s access to its computers was unauthorized through technical ‘gates’ or barriers and a cease and desist letter. However, the court ruled otherwise, ruling that web scraping doesn’t constitute hacking under CFAA.
LinkedIn has been on the back foot since the first hearing when the Ninth Circuit court of appeals ruled in favor of data scraping. The case progressed to the Supreme Court but was sent back for a remand. The second ruling, to LinkedIn’s dismay, reaffirms the original one.
LinkedIn has been trying to literally block hiQ Labs’ access to the professional networking platform since 2017. The HR analytics company challenged LinkedIn’s cease and desist letter dated May 2017 that claimed violations of the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass, besides CFAA, and filed a lawsuit to for injunctive relief.
LinkedIn believes hiQ’s actions amount to hacking and violates its terms of service. The company also blocked hiQ’s access for a while but was overruled in August 2017 by a California federal district court.
In September 2019, the Ninth Circuit appellate court upheld the federal district court’s ruling. In a 3-0 decision, it found logic in hiQ Labs’ concerns over LinkedIn’s stance that the use of publicly available data violated the CFAA.
Judge Marsha Berzon cautioned against the creation of “information monopolies†by LinkedIn and, if given a “free rein†over the use of public user data, it would ultimately be detrimental to the public interest.
“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles,†Judge Berzon statedOpens a new window . “And as to the publicly available profiles, the users quite evidently intend them to be accessed by others.â€
“There is little evidence that LinkedIn users who choose to make their profiles public maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do.â€
Later in June 2021, the Supreme Court also questioned the legitimacy of LinkedIn’s argument, citing a previous case wherein the top court had found that irrespective of the motive, it doesn’t constitute a crime to fetch data from any source, provided they have access.
The top court cited the Van Buren v. United States case wherein Nathan Van Buren, a police sergeant in Georgia, accessed license and registration information from a government database in exchange for money.
LinkedIn, which Microsoft acquired in 2016, highlighted that it specifically tried to prevent hiQ from scraping and thus argued the legitimacy of hiQ Labs’ actions. “This Petition addresses the precise question left open by the Court in Van Buren,†notedOpens a new window LinkedIn.
See More: Data Scraping Is on the Rise: Here’s How to Mitigate the Damage
“LinkedIn put gates around its servers by employing technical ‘code-based’ measures to prevent hiQ from scraping data (which hiQ circumvented via bots) and sending a cease and desist letter to hiQ, thereby expressly revoking any ‘authorization’ hiQ had to access LinkedIn’s computers. Van Buren expressly left open whether these methods of denying and revoking authorization, or any other methods of doing so, qualify as ‘gates-down’ under Section 1030(a)(2), thus rendering hiQ’s massive scraping of data without authorization’.â€
The argument now was whether the courts and the law considered LinkedIn’s technical ‘gates’ for its public website as adequate measures to overturn the original judgment.
That is far from the case. The Ninth Circuit court assessed that a public website doesn’t entail a ‘gates-down,’ i.e., unauthorized access. This basically means that accessing a public website or at the very least where users haven’t made their information private is never unauthorized.
“A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser. In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place. Van Buren therefore reinforces our conclusion that the concept of ‘without authorization does not apply to public websites,†the court saidOpens a new window .
In other words, LinkedIn’s argument of putting up technical ‘gates’ was dismissed by the court. Making a case to block web scraping under CFAA, which is made explicitly for malicious hacking, is where LinkedIn went wrong, according to the Electronic Frontier Foundation (EFF).
“EFF has long argued that violations of the law should involve circumvention of effective technical barriers,†writes Andrew CrockerOpens a new window , staff attorney at EFF. After all, web scraping does pose a privacy risk for individuals who can be victimized by cyberattacks, fraud, identity theft, etc.
Crocker added that since CFAA doesn’t include clauses of what constitutes the circumvention of gates or technical barriers, it alone cannot be leveraged in the court. He saidOpens a new window , “Whether you call the requirement of a technical authorization ‘gates down’ or something else, computer owners should not get to invoke power of the CFAA based merely on a written agreement or a cease-and-desist letter.â€
But it’s not over just yet. “We’re disappointed in the court’s decision. This is a preliminary ruling and the case is far from over. We will continue to fight to protect our members’ ability to control the information they make available on LinkedIn,†said Greg Snapper, a spokesperson for LinkedIn.
“When your data is taken without permission and used in ways you haven’t agreed to, that’s not OK. On LinkedIn, our members trust us with their information, which is why we prohibit unauthorized scraping on our platform.â€
Data/web scraping is a contentious issue for social media and networking platforms such as LinkedIn, Facebook, and Instagram. A part of the data that exposed 533 million Facebook users in April 2021 was obtained by scraping the platform.
Artificial intelligence-based facial recognition vendor Clearview AI has scraped billions of photos from Facebook, Google, YouTube, etc.
The company was handed cease and desist letters by Facebook, Google, YouTube, and Twitter. It is also being sued by the ACLU of Illinois, Chicago Alliance Against Sexual Exploitation, Sex Workers Outreach Project Chicago, Illinois Public Interest Research Group, and Mujeres Latinas en Acción.
Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!