LinkedIn Corp. v. hiQ Labs, Inc.
- Supreme Court Sends Web Scraping Case Back to Lower Court: The U.S. Supreme Court has vacated the Ninth Circuit's decision in LinkedIn v. hiQ Labs but will not decide the merits of the case, instead sending the case back to the Ninth Circuit for a new decision in light of Van Buren v. United States. EPIC had filed an amicus brief in support of the Petition for Certiorari. The LinkedIn v. hiQ petition asked whether hiQ lacked authorization to access LinkedIn's servers under the Computer Fraud and Abuse Act after LinkedIn used a combination of technical and verbal methods to cut off hiQ's access to the website to stop the company from scraping user data. hiQ sued LinkedIn to regain access to the website, arguing that its business model depended on access to LinkedIn user data. A district court granted hiQ's request for an injunction, which LinkedIn appealed. EPIC filed an amicus brief in the Ninth Circuit arguing that the injunction was "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." The Ninth Circuit upheld the injunction, finding that hiQ's economic interests outweighed the interests in protecting users' personal information. In its amicus brief in support of LinkedIn's petition for cert, EPIC explained that the Ninth Circuit's decision "makes it impossible" for companies to protect personal data and sets "a dangerous precedent that could threaten the privacy of user data." The EPIC amicus brief highlighted the business practices of Clearview AI, a company that scraped billions of photographs to create a secretive facial recognition system. The case will most likely be sent back to the district court for a new decision that accords with Van Buren v. United States. (Jun. 14, 2021)
- Supreme Court to Consider Whether Improper Data Access Violates Computer Crime Law: The Supreme Court will decide whether a person who is authorized to access data for some purposes violates the Computer Fraud and Abuse Act if they access the information for other purposes. The case, Van Buren v. United States, concerns a police officer who accessed a law enforcement database to sell the information to a third party. EPIC recently urged the Supreme Court to consider whether another provision of the CFAA prohibits third parties from scraping user data when an internet company bans the practice. EPIC staff raised concerns about the civil liberties implications of the law when Congress passed the first computer crime statute in 1984. (Apr. 20, 2020) More top news »
HiQ Labs, Inc. v. LinkedIn Corp. concerns whether a court can compel a professional networking platform to provide access to users’ profile information to a third-party data mining company. HiQ Labs is a company that collects (or "scrapes") data from LinkedIn users’ profiles. From this data, hiQ creates profiles of those users and sells the data to employers, including predictions of employee recruitment and summaries of employee skills. In response to a cease and desist letter from LinkedIn claiming that the data collection violated the Computer Fraud and Abuse Act, hiQ filed a preemptive lawsuit seeking declaratory relief and a preliminary injunction allowing access to the LinkedIn profile data. The lower court granted hiQ’s motion and issued an injunction ordering LinkedIn to grant access, and prohibiting them from limiting access, to their users' "public" profile data. The Ninth Circuit affirmed. LinkedIn has petitioned the U.S. Supreme Court for review.
Defendant LinkedIn is a website that provides users with business and professional networking services. LinkedIn allows users to create profiles and then establish connections with other users and businesses. When LinkedIn users create such profiles, they can choose their level of privacy protection. For instance, users can choose to keep their profiles entirely private, or to make them viewable by: 1) their direct connections on LinkedIn; 2) a broader network of connections; 3) all other LinkedIn members; or 4) individuals not logged in to LinkedIn. When users choose to make their profile “public”, their profiles are viewable regardless of whether a user is logged in to LinkedIn. LinkedIn currently allows public profiles to be indexed by search engines such as Google.
HiQ Labs, Inc. provides “data services” to employers. As part of its business, hiQ Labs collects and sells data to employers about their employees, based on data that hiQ collects from LinkedIn users’ pblic profiles. HiQ has created two specific data products targeted at employers: (1) “Keeper,” which informs employers which of their employees are at “risk” of being recruited by competitors; and (2) “Skill Mapper,” which provides an overview of an employee’s skills set. HiQ collects employees’ personal data by “scraping” the public profiles on LinkedIn.
On May 23, 2017, LinkedIn sent a letter demanding that hiQ “immediately cease and desist unauthorized data scraping and other violations of LinkedIn User Agreement.” LinkedIn demanded that hiQ stop “scraping” data from LinkedIn’s public profiles and noted that hiQ’s actions violated their User Agreement, which prohibits various types of data collection from LinkedIn’s website. As a result of the violation, LinkedIn restricted hiQ’s company page and “future access of any kind” and provided that such access would be “without permission and without authorization from LinkedIn.” LinkedIn also employed a series of technical measures that “prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that detects, monitor, and block scraping activity.” LinkedIn also provided that any further access to LinkedIn’s data would be in direct violation of California Penal Code § 502(c), the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, state common law trespass, and the Digital Millennium Copyright Act (DMCA).
Procedural BackgroundU.S. District Court for the Northern District of California
Unable to come to an agreement outside court, hiQ filed a complaint in federal court on June 6, 2017. HiQ asserted that it had an affirmative right to access public profiles on LinkedIn's website under California law and sought declaratory relief that its actions would not violate any of the laws listed above. Furthermore, hiQ filed a request for a temporary restraining order (TRO) and an order to show cause why a preliminary injunction should not be issued against LinkedIn. Ultimately, the parties entered into a standstill agreement after a hearing on the TRO. The agreement preserved hiQ’s access to LinkedIn’s data and converted hiQ’s initial motion to a motion for a preliminary injunction.
The district court granted hiQ’s motion for preliminary injunction upon finding that the balance of hardships tipped in hiQ’s favor. The court determined that hiQ was able to show serious questions on the merits of LinkedIn’s claims; for instance, the court was doubtful that LinkedIn may invoke the CFAA in response to hiQ's scraping of public profile data. The court found that LinkedIn’s interpretation of the CFAA, if adopted, could impact "open access" on the Internet. The court believed this was not something Congress intended by enacting the CFAA. Furthermore, the court found that by blocking hiQ’s access to public profiles, LinkedIn might be violating state competition laws.U.S. Court of Appeals for the Ninth Circuit
LinkedIn appealed to the Ninth Circuit, which affirmed. The appeals court found that "hiQ's interest in continuing its business" outweighed users' privacy interests in their profile information. EPIC filed an amicus brief in the case. EPIC argued that "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy.
EPIC has a strong interest in protecting the privacy of consumers and their information, including their social media information, and ensuring this data is not improperly disclosed to third parties. EPIC closely monitors the use of advanced tracking techniques that enable companies to track users browsing activities and collect a wealth of personal data about users that the businesses use to develop and sell profiles. EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smart-phones, laptops, tablets, and other internet-connected devices. EPIC also supports proposals to impose technological limits on the tracking of third-party web browsing history.
EPIC has filed amicus curiae briefs in support of consumers alleging that their rights have been violated by third party tracking techniques. In Smith v. Facebook, the Ninth Circuit considered whether Facebook’s tracking of users’ visits to medical websites violates California and Federal privacy laws. EPIC argued that generic notice is insufficient to establish meaningful consent to the detailed tracking of users’ web browsing history.
In In Re Nickelodeon, a case arising under the Video Privacy Protection Act, the plaintiffs alleged that -children who visited the website Nickolodeon.com -they were subject to tracking by Viacom, the company that managed the website, and Google, and that these companies collected their personal information in connection with online views of video content. EPIC argued in its brief that the definition of “Personally Identifiable Information” (or “PII”) in the VPPA is purposefully broad to protect against the very type of privacy abuses at issue in the case.
EPIC has also previously challenged Facebook’s privacy policies - in particular their requiring that users disclose certain personal information - in a complaint with the FTC. The FTC subsequently brought legal action against Facebook for unfair and deceptive business practices, and entered into a consent decree in 2011 following EPIC’s complaint.
United States Supreme Court, No. 19-1116
- LinkedIn's Petition for a Writ of Certiorari (Mar. 9, 2020)
- EPIC's Amicus Brief in Support of the Petition (Apr. 13, 2020)
- hiQ's Opposition to Cert (June 25, 2020)
United States Court of Appeals for the Ninth Circuit, No. 17-16783
- LinkedIn Opening Brief (Oct. 3, 2017)
- Briefs of Amici Curiae in Support of Petitioner
- Briefs of Amici Curiae in Support of Neither Party
- EPIC Amicus Brief (Oct. 10, 2017)
- HiQ Labs, Inc. Answering Brief
- Briefs of Amici Curiae in Support of Respondent
- EFF, DuckDuckGo, and Internet Archive Amicus Brief
- Scraping Hub, Ltd. Amicus Brief
- 3Taps, Inc. Amicus Brief
- LinkedIn Reply Brief
- Opinion (Sep. 9, 2019)
United States District Court for the Western District of Washington, No. 2:14-cv-00463-TSZ
- Hearing Transcript (July 27, 2017)
- Order Granting Plaintiff’s Motion for Preliminary Injunction (Aug. 14, 2017)
- Steven Trader, Internet Cos. Urge 9th Circ. To Dump LinkeIn Data Appeal, Law360 (Nov. 28, 2017)
- Drake Bennett, The Brutal Fight to Mine Your Data and Sell It to Your Boss, Bloomberg (Nov. 15, 2017)
- Prayag Narule, ,LinkedIn Vs. hiQ Ruling Casts A Long Shadow Over the Tech Industry, Forbes (Sept. 20, 2017)
- Shepard Goldfein & James Keyte , Big Data, Web 'Scraping' and Competition Law: The Debate Continues, N.Y. L. J. (Sept. 8, 2017)
- Shaun Nichols, hiQ prevails / LinkedIn must allow scraping / Of your page info, The Register (Aug. 14, 2017)
- Salvador Rodriguez, U.S. judge says LinkedIn cannot block startup from public profile data, Reuters (Aug. 14, 2017)
- Alison Frankel, HiQ v. LinkedIn: Does First Amendment limit application of computer fraud law?, Reuters (Aug. 1, 2017)
- Oliver Staley, LinkedIn data can predict how likely you are to quit, and it’s being sued to keep it public, Quartz (July 28, 2017)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.