LinkedIn Petitions CFAA Data Scraping Case to Supreme Court


LinkedIn has filed a petition for a writ of certiorari to the Supreme Court of the United States in response to the Ninth Circuit’s decision in its case against hiQ Labs. LinkedIn has asked the Supreme Court to examine “[w]hether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites – even after the computer servers’ owner has expressly denied permission to access the data – ‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.” The Supreme Court had previously granted an extension for LinkedIn to file the petition.

Previously, LinkedIn sent data science company hiQ a cease and desist letter requesting that the company not “scrape” LinkedIn’s platform. LinkedIn argued that the practice violated its User Agreement, Terms of Service, and the Computer Fraud and Abuse Act. In 2017, hiQ brought the case before the California Northern District Court; the court granted hiQ’s preliminary injunction. The Ninth Circuit ruled similarly to the district court, stating that hiQ did not violate the Computer Fraud and Abuse Act (CFAA), and that LinkedIn could reasonably take measures to protect itself.

Partial LinkedIn member information is publicly available online, but LinkedIn gives its users control over how their information is used or accessed, including the option to delete information or an account altogether. LinkedIn alleged that hiQ has threatened this relationship with its customers by scraping user profiles for its own ends.

The Ninth Circuit stated that, because this information could be viewed publicly without a password, LinkedIn did not grant permission and consequently could not revoke it; therefore, the information was not protected by the CFAA. Additionally, the court determined that users’ privacy interests did not outweigh hiQ’s business interest, which relies on this user information.

LinkedIn stated that the Ninth Circuit’s opinion deviates from other courts’ interpretations. LinkedIn claimed it now lacks the authority to protect itself and its users. The CFAA “creates criminal and civil liability for ‘[w]hoever…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer.’” It is this protection that LinkedIn alleged was violated through the use of bots, and on which it now asks the Supreme Court to rule.

LinkedIn, in its petition, stated that the Ninth Circuit’s “sweeping ruling that public-facing websites are categorically unable to invoke Section 1030(a)(2) of the Computer Fraud and Abuse Act” is based on policy rather than the statute. LinkedIn also noted that this issue will not go away anytime soon, and the Supreme Court may face other cases about this issue. LinkedIn specifically cited Clearview AI scraping users’ information on social media websites without permission for its database as an example. LinkedIn raised the concern that, without a definitive ruling, companies will be uncertain whether they can use CFAA protections.

LinkedIn is represented by Munger, Tolles & Olson.