On hiQ v. LinkedIn
On August 14th, US District Judge Edward M. Chen granted a preliminary injunction to hiQ Labs in its case against LinkedIn. While I agree with part of the judge’s ruling, I found other parts troubling, and I feel the implications of this decision merit further awareness.
I encourage you to read the ruling yourself, but I’ll try to summarize it faithfully before offering my own analysis.
Note: I am a former LinkedIn employee, but at this point I have no formal relationship with or financial stake in the company, and the opinions I express here are strictly my own.
hiQ, founded in 2012, built a data analytics business by scraping LinkedIn’s public profiles.
On May 23, 2017, LinkedIn issued a cease and desist letter, demanding that hiQ stop this scraping. LinkedIn stated that it had implemented technical measures to prevent scraping, and it threatened that continued attempts by hiQ to access its data would violate state and federal law, including the federal Computer Fraud and Abuse Act (CFAA).
hiQ filed a counter complaint, not only demanding a judgement that it was not violating any laws, but further asserting that it was entitled to access LinkedIn’s public profiles. hiQ argued that, by preventing this access, LinkedIn would be violating state law, including California’s Unfair Competition Law (UCL).
The judge granted hiQ’s motion for a preliminary injunction. As a result, not only is hiQ legally allowed to continue scraping LinkedIn’s data, but LinkedIn is barred from using technical means to prevent such scraping.
Balance of Hardships
A key question in the judge’s decision to grant a preliminary injunction was the balance of hardships — specifically, the threat of irreparable harm faced by each party. For hiQ, loss of access to LinkedIn data represented an existential threat: hiQ freely admitted that its entire business model depended on access to LinkedIn’s data. Conversely, LinkedIn argued that it faced significant harm because hiQ’s data collection threatened the privacy of LinkedIn users. The judge was dismissive of LinkedIn’s privacy argument and ruled that the balance of hardship tipped strongly in hiQ’s favor.
The judge then considered the merits of the case.
The first question concerned the applicability of the CFAA to hiQ’s scraping of LinkedIn’s public profiles.
The judge was skeptical that the CFAA could regulate access to a publicly viewable site that doesn’t require a login or authentication. He concluded that hiQ had raised serious questions as to applicability of the CFAA.
The second question concerned whether LinkedIn was violating the UCL by using preventing hiQ from accessing its data.
The judge believed that hiQ had made a credible case that LinkedIn was unfairly leveraging its power in the professional networking market in order to achieve an anticompetitive advantage in the data analytics market.
First, it’s important to note that the judge issued a preliminary injunction, not a final ruling. And it’s hard to argue with the judge’s decision about the balance of hardships, given that hiQ was facing an existential threat if it lost access to LinkedIn data. So I’d like to focus on the merits.
I agree with the judge regarding the CFAA. The CFAA, as written, may well be on LinkedIn’s side. But, as the judge pointed out, it’s dangerous to interpret the CFAA so broadly that it covers data not protected by a login or authentication. I’d go further: the CFAA, which predates the Internet, should never have been applied beyond its original purpose of preventing cyberattacks. Regardless of how else this case turns out, I hope it will either drive reform of the CFAA or establish boundaries through judicial precedent.
Where I strongly disagree with the judge, however, is with regard to the UCL. LinkedIn has not suddenly decided to enter the data analytics market. LinkedIn has been in the data analytics market for years — the company was one of the first to embrace data science, and it has a long history of monetizing its professional network through data analytics. Moreover, hiQ’s Skill Mapper product, which helps employers understand what skills their workforces possess, competes with LinkedIn’s core talent solutions business. What hiQ wants is the right to use LinkedIn’s platform, free of charge, in order to power a product that competes with LinkedIn. Concerns about user privacy aside, LinkedIn should not be required to help a competitor this way.
And I specifically object to the judge’s ruling that LinkedIn cannot use technical means to prevent scraping of its content just because that content is “public data”. When users opt to make their profiles “public”, they do so with the expectation that their public profile will appear when people search for them on search engines. That does not mean that users expect that anyone who wants to scrape this data from LinkedIn can do so.
This ruling is, as far as I can tell, unprecedented and could have far-reaching consequences. Will Google be forced to allow programmatic access to its search engine because it permits people to use it without a login? Will any site that has a dominant position in its market be required to choose between hiding all its data behind a login wall or making it available to anyone that wants it? I don’t think the judge has thought this through.
I understand that hiQ can’t afford to lose this case, but that’s not LinkedIn’s problem. I’m glad to see a judge finally putting limits on the reach of the CFAA. But forcing LinkedIn to share data under the UCL is an overreach. And it’s an even greater overreach to prevent companies from using technical means to stop scrapers.
I recognize that this was just a preliminary injunction, and perhaps I am overreacting to what is only a temporary measure. Regardless, I hope the judge will prove more thoughtful in his final ruling.