EPIC - LinkedIn Corp. v. hiQ Labs, Inc.

LinkedIn Corp. v. hiQ Labs, Inc.

Whether a court can compel an internet company to provide third-party data scrapers access to user data

Background|
EPIC's Interest|
Legal Documents|
News

Supreme Court Sends Web Scraping Case Back to Lower Court: The U.S. Supreme Court has vacated the Ninth Circuit's decision in LinkedIn v. hiQ Labs but will not decide the merits of the case, instead sending the case back to the Ninth Circuit for a new decision in light of Van Buren v. United States. EPIC had filed an amicus brief in support of the Petition for Certiorari. The LinkedIn v. hiQ petition asked whether hiQ lacked authorization to access LinkedIn's servers under the Computer Fraud and Abuse Act after LinkedIn used a combination of technical and verbal methods to cut off hiQ's access to the website to stop the company from scraping user data. hiQ sued LinkedIn to regain access to the website, arguing that its business model depended on access to LinkedIn user data. A district court granted hiQ's request for an injunction, which LinkedIn appealed. EPIC filed an amicus brief in the Ninth Circuit arguing that the injunction was "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." The Ninth Circuit upheld the injunction, finding that hiQ's economic interests outweighed the interests in protecting users' personal information. In its amicus brief in support of LinkedIn's petition for cert, EPIC explained that the Ninth Circuit's decision "makes it impossible" for companies to protect personal data and sets "a dangerous precedent that could threaten the privacy of user data." The EPIC amicus brief highlighted the business practices of Clearview AI, a company that scraped billions of photographs to create a secretive facial recognition system. The case will most likely be sent back to the district court for a new decision that accords with Van Buren v. United States. (Jun. 14, 2021)
Supreme Court to Consider Whether Improper Data Access Violates Computer Crime Law: The Supreme Court will decide whether a person who is authorized to access data for some purposes violates the Computer Fraud and Abuse Act if they access the information for other purposes. The case, Van Buren v. United States, concerns a police officer who accessed a law enforcement database to sell the information to a third party. EPIC recently urged the Supreme Court to consider whether another provision of the CFAA prohibits third parties from scraping user data when an internet company bans the practice. EPIC staff raised concerns about the civil liberties implications of the law when Congress passed the first computer crime statute in 1984. (Apr. 20, 2020)

More top news »

Federal Appeals Court Says LinkedIn Must Allow "Scraping" of Personal Data » (Sep. 9, 2019)

A federal appeals court has ruled that LinkedIn must allow hiQ, a data analytics firm, to scrape user data from public profiles—at least, for now. The appeals court found that "hiQ's interest in continuing its business" outweighed users' privacy interests in their profile information. EPIC filed an amicus brief in the case. In 2017, a lower court permitted hiQ access to the user data of LinkedIn users. EPIC argued that "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy. EPIC routinely participates as amicus curiae in cases concerning consumer privacy.

EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices » (Jun. 27, 2018)

EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN.

EPIC Defends User Privacy in Case Concerning hiQ Labs "Scraping" of Personal Data » (Oct. 11, 2017)

EPIC has filed an amicus brief in hiQ Labs, Inc. v. LinkedIn Corp., a case concerning the use of personal data provided by Internet users to LinkedIn. A lower court ordered LinkedIn to provide LinkedIn user data to hiQ Labs, a data analytics firm that scores employees and provides secret intelligence to employers about "flight risk." EPIC argued that, "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy. EPIC routinely participates as amicus curiae in cases concerning consumer privacy.

Summary

HiQ Labs, Inc. v. LinkedIn Corp. concerns whether a court can compel a professional networking platform to provide access to users’ profile information to a third-party data mining company. HiQ Labs is a company that collects (or "scrapes") data from LinkedIn users’ profiles. From this data, hiQ creates profiles of those users and sells the data to employers, including predictions of employee recruitment and summaries of employee skills. In response to a cease and desist letter from LinkedIn claiming that the data collection violated the Computer Fraud and Abuse Act, hiQ filed a preemptive lawsuit seeking declaratory relief and a preliminary injunction allowing access to the LinkedIn profile data. The lower court granted hiQ’s motion and issued an injunction ordering LinkedIn to grant access, and prohibiting them from limiting access, to their users' "public" profile data. The Ninth Circuit affirmed. LinkedIn has petitioned the U.S. Supreme Court for review.

Background

Factual Background

Defendant LinkedIn is a website that provides users with business and professional networking services. LinkedIn allows users to create profiles and then establish connections with other users and businesses. When LinkedIn users create such profiles, they can choose their level of privacy protection. For instance, users can choose to keep their profiles entirely private, or to make them viewable by: 1) their direct connections on LinkedIn; 2) a broader network of connections; 3) all other LinkedIn members; or 4) individuals not logged in to LinkedIn. When users choose to make their profile “public”, their profiles are viewable regardless of whether a user is logged in to LinkedIn. LinkedIn currently allows public profiles to be indexed by search engines such as Google.

HiQ Labs, Inc. provides “data services” to employers. As part of its business, hiQ Labs collects and sells data to employers about their employees, based on data that hiQ collects from LinkedIn users’ pblic profiles. HiQ has created two specific data products targeted at employers: (1) “Keeper,” which informs employers which of their employees are at “risk” of being recruited by competitors; and (2) “Skill Mapper,” which provides an overview of an employee’s skills set. HiQ collects employees’ personal data by “scraping” the public profiles on LinkedIn.

On May 23, 2017, LinkedIn sent a letter demanding that hiQ “immediately cease and desist unauthorized data scraping and other violations of LinkedIn User Agreement.” LinkedIn demanded that hiQ stop “scraping” data from LinkedIn’s public profiles and noted that hiQ’s actions violated their User Agreement, which prohibits various types of data collection from LinkedIn’s website. As a result of the violation, LinkedIn restricted hiQ’s company page and “future access of any kind” and provided that such access would be “without permission and without authorization from LinkedIn.” LinkedIn also employed a series of technical measures that “prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that detects, monitor, and block scraping activity.” LinkedIn also provided that any further access to LinkedIn’s data would be in direct violation of California Penal Code § 502(c), the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, state common law trespass, and the Digital Millennium Copyright Act (DMCA).

Procedural Background

U.S. District Court for the Northern District of California

Unable to come to an agreement outside court, hiQ filed a complaint in federal court on June 6, 2017. HiQ asserted that it had an affirmative right to access public profiles on LinkedIn's website under California law and sought declaratory relief that its actions would not violate any of the laws listed above. Furthermore, hiQ filed a request for a temporary restraining order (TRO) and an order to show cause why a preliminary injunction should not be issued against LinkedIn. Ultimately, the parties entered into a standstill agreement after a hearing on the TRO. The agreement preserved hiQ’s access to LinkedIn’s data and converted hiQ’s initial motion to a motion for a preliminary injunction.

The district court granted hiQ’s motion for preliminary injunction upon finding that the balance of hardships tipped in hiQ’s favor. The court determined that hiQ was able to show serious questions on the merits of LinkedIn’s claims; for instance, the court was doubtful that LinkedIn may invoke the CFAA in response to hiQ's scraping of public profile data. The court found that LinkedIn’s interpretation of the CFAA, if adopted, could impact "open access" on the Internet. The court believed this was not something Congress intended by enacting the CFAA. Furthermore, the court found that by blocking hiQ’s access to public profiles, LinkedIn might be violating state competition laws.

U.S. Court of Appeals for the Ninth Circuit

LinkedIn appealed to the Ninth Circuit, which affirmed. The appeals court found that "hiQ's interest in continuing its business" outweighed users' privacy interests in their profile information. EPIC filed an amicus brief in the case. EPIC argued that "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy.

EPIC’s Interest

EPIC has a strong interest in protecting the privacy of consumers and their information, including their social media information, and ensuring this data is not improperly disclosed to third parties. EPIC closely monitors the use of advanced tracking techniques that enable companies to track users browsing activities and collect a wealth of personal data about users that the businesses use to develop and sell profiles. EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smart-phones, laptops, tablets, and other internet-connected devices. EPIC also supports proposals to impose technological limits on the tracking of third-party web browsing history.

EPIC has filed amicus curiae briefs in support of consumers alleging that their rights have been violated by third party tracking techniques. In Smith v. Facebook, the Ninth Circuit considered whether Facebook’s tracking of users’ visits to medical websites violates California and Federal privacy laws. EPIC argued that generic notice is insufficient to establish meaningful consent to the detailed tracking of users’ web browsing history.

In In Re Nickelodeon, a case arising under the Video Privacy Protection Act, the plaintiffs alleged that -children who visited the website Nickolodeon.com -they were subject to tracking by Viacom, the company that managed the website, and Google, and that these companies collected their personal information in connection with online views of video content. EPIC argued in its brief that the definition of “Personally Identifiable Information” (or “PII”) in the VPPA is purposefully broad to protect against the very type of privacy abuses at issue in the case.

EPIC has also previously challenged Facebook’s privacy policies - in particular their requiring that users disclose certain personal information - in a complaint with the FTC. The FTC subsequently brought legal action against Facebook for unfair and deceptive business practices, and entered into a consent decree in 2011 following EPIC’s complaint.