In a decision that applies to a single dispute, but which has wide implications for recruiters, sourcers and the HR vendors who serve them, a federal appeals court signaled this week that web scraping of public information does not violate a decades-old anti-hacking law.
The ruling in hiQ Labs v. LinkedIn upheld the granting of an injunction by a lower court, which ordered LinkedIn to stop blocking hiQ. Although technically not a decision on the underlying merits of the case, the ruling by the 9th Circuit Court of Appeals is a strong signal it expects hiQ to prevail in its two-year-old suit against LinkedIn and its owner, Microsoft.
Writing on behalf of the appeals court, Judge Marsha Berzon said, “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”
“We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data — data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use — risks the possible creation of information monopolies that would disserve the public interest,” Berzon wrote in the unanimous decision.
HiQ is far from the only company that collects data from other websites. Some job boards routinely pull listings from other sites. Other companies serving the talent acquisition sector will use bots to assemble profiles on candidates. Target sites like LinkedIn take pains to prevent themselves from being scraping.
In the wake of the decision Monday, LinkedIn said, “We’re disappointed in the court’s decision, and we are evaluating our options following this appeal. LinkedIn will continue to fight to protect our members and the information they entrust to LinkedIn.”
On behalf of clients, HiQ compiles data on their employees from a variety of sources, including social media and networking sites like LinkedIn. It uses that information to assess flight risk potential and for other human capital intelligence purposes. In May 2017, hiQ received a cease and desist letter from LinkedIn to stop it from scraping information from the network. hiQ refused and was then blocked by LinkedIn. At that point, hiQ sued LinkedIn, insisting the company had no legal basis for blocking it.
Finding LinkedIn’s action was causing “irreparable harm” to hiQ, and that hiQ’s suit had merit and could prevail at trial, Federal Court Judge Edward Chen granted a preliminary injunction and ordered LinkedIn to end the blocking. LinkedIn appealed the injunction.
Although the case now returns to the San Francisco federal court where hiQ sued LinkedIn over being blocked from the site, the appeals court decision is a powerful signal that the web scraping of publicly available information is legal. LinkedIn and other sites like Craigslist, which supported LinkedIn in the appeal, rely heavily on the 1986 Computer Fraud and Abuse Act (CFAA) to prevent 3rd parties from accessing their online information.
Typically, when a site detects the automated “bots” that scrape data, the bot owners are sent a cease and desist letter, like the one LinkedIn sent to hiQ in May 2017.
Like LinkedIn, Craigslist has been highly protective of its content, sending letters and ordering others to stop scraping, blocking them when they don’t. Indeed, which began by scraping job listings from tens of thousands of sites including Craigslist, was blocked. The cease and desist orders all cite the CFAA.
Article Continues Below
Contingent Workforce Strategy Survey With ERE and Aptitude Research
If your company currently leverages contingent workers, please share your views in our brief survey.
The law has been the subject of a variety of court decisions, both in the 9th Circuit, which covers Silicon Valley and the West coast, and elsewhere. Many courts have discussed the meaning of the law’s reference to “intentionally [accessing] a computer without authorization or exceeds authorized access…” In a 2012 decision, the 9th Circuit declared it would not turn the CFAA “into a sweeping Internet-policing mandate,” instead saying it was an anti-hacking law.
Now, the court has essentially reaffirmed that position, declaring:
“It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.”
Commenting on the decision, ZAPinfo founder Doug Berg said, “This is all happening at the same time as major regulations are taking shape in Europe with the GDPR and with new consumer (and candidate) consent to capture/store data regulations come online in Canada and California which all go into effect as we go into 2020 which will require many employers to rethink how, where, if they can just capture and store prospective employee data as they recruit and build talent pipelines.”
“We think this court ruling will drive LinkedIn to start closing off more publicly available profile data which is what Craigslist did when they lost similar lawsuits years ago, so that not even Google could index the classifieds that drove traffic to their site. This will allow LinkedIn to monitor and police session based activity and access to the personal profiles and features on the network similar to how other “locked-in” networks operate,” added Berg.
Reuters said the decision is a setback in “Silicon Valley’s battle against ‘data scraping,’ or extracting information from social media accounts or websites, which critics say can equate to theft or violate users’ privacy.” However, it is unlikely to be the final word. Because there are differences among the federal appeals courts over the meaning of the language of the CFAA, eventually the Supreme Court will be asked to clarify. Depending on what happens between hiQ and LinkedIn, that could be the case to make it to the high court.
SourceCon editor Shannon Pritchett contributed to this article.