
The Great E-Scrape: US Court reaffirms that web scraping is not contrary to the US’s Computer Fraud and Abuse Act

On 18 April, the US Court of Appeals for the Ninth Circuit concluded in hiQ Labs, Inc. v LinkedIn Corp. that LinkedIn cannot prevent hiQ Labs from scraping data from publicly available profiles on LinkedIn – the judgment can be viewed here.

Background

hiQ Labs scrapes data from publicly available LinkedIn member profiles. It interrogates this data to produce analytics reports which it sells to its corporate customers. These reports describe which of the corporate customer’s employees are at risk of being recruited away, and map out the aggregate skills of all of a customer’s employees to demonstrate skill deficiencies and/or strengths in an organisation.

Judicial history

In 2017, LinkedIn demanded that hiQ Labs should stop scraping LinkedIn’s data, relying on, among other things, its terms of use and the US’s Computer Fraud and Abuse Act (“CFAA”). LinkedIn had implemented various technical measures to prevent hiQ Labs from scraping such data.

In response, hiQ Labs requested a preliminary injunction to prevent LinkedIn interfering with its scraping activities, claiming LinkedIn was tortiously interfering with its customer relationships. This was granted by the District Court – who required LinkedIn to remove any existing technical barriers to hiQ Labs’ access – and subsequently upheld by the Ninth Circuit. Not done yet, LinkedIn appealed this decision to the Supreme Court, who in turn referred the case back to the Ninth Circuit in light of the Supreme Court’s 2021 decision in Van Buren v United States, 141 S. Ct. 1648 (2021) (on which, see further below).

Latest decision of the Ninth Circuit

In their latest decision the Ninth Circuit reconsidered the requirements for granting a preliminary injunction to hiQ Labs, namely that:

  • hiQ Labs would be likely to succeed on the merits of its claims that LinkedIn was tortiously interfering with its customer relationships and that there were serious questions to be raised about whether LinkedIn could invoke the CFAA to pre-empt such a claim;
  • hiQ Labs would be likely to suffer irreparable harm if the preliminary injunction was not granted;
  • the balance of hardships tipped in hiQ Labs’ favour; and
  • the injunction was in the public interest.

Notably, the Ninth Circuit emphasised that hiQ Labs may have gone out of business if the injunction was not granted, meaning the balance of hardships was in its favour.

As for the legality of scraping (i.e. the merits), the court considered that the CFAA prohibition on accessing a computer without authorisation is violated when a computer’s general rules regarding access, such as usernames and passwords, are circumvented. Given that LinkedIn data is freely available for public access, the court considered it likely that a user accessing such data would not be considered to be accessing “without authorisation”. Accordingly, hiQ Labs had raised “serious questions about whether LinkedIn may invoke the CFAA to pre-empt hiQ’s possibly meritorious tortious interference claim” for the purposes of the likelihood-of-success limb for a preliminary injunction.

As directed by the Supreme Court, the Ninth Circuit duly considered the Supreme Court’s Van Buren decision, which had not been available when making its 2019 decision. Van Buren introduced a “gates-up-or-down inquiry” whereby, put simply, it is considered that if a website or computer’s gates are “up” no authorisation is required for the purposes of the CFAA. This could be the case where, for example, the information is publicly accessible without restriction. The Ninth Circuit found that the reasoning of Van Buren reinforced and was consistent with its interpretation of the CFAA.

However, data scrapers should keep in mind that this is a decision for a preliminary injunction: the court was considering whether hiQ Labs would be likely to succeed on the merits, rather than conducting a full analysis of the legality of scraping and providing a definitive judgment on that.

Indeed, the Ninth Circuit explained that even if the CFAA does not apply, “victims of data scraping are not without resort”: other causes of action “may” apply, with the court listing “state law trespass to chattels”, “copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy” as examples. It is therefore fairly clear that this decision does not provide a mandate to data scrapers to harvest content without legal risk.
