On April 18th, the Ninth Circuit issued its opinion in hiQ Labs, Inc. v. LinkedIn Corp. on remand from the Supreme Court.
My quick take:
This is perhaps the most important case in the history of web-scraping litigation. It is about limiting the scope of a federal criminal statute with civil applications in a civil legal dispute. And it is, indeed, a very good case for web scraping in that limited context. But, contrary to some dangerous and lazy reporting in the mainstream press, it does not provide universal clarity on civil disputes with respect to web scraping, whether that pertains to public or private data. That question is far more complex and nuanced.
Ultimately, this decision was not new. It was just a reiteration of the Ninth Circuit’s prior opinion. In the end, the Ninth Circuit in hiQ Labs II reached the exact same conclusion after Van Buren that it did before Van Buren in hiQ Labs I. On every key point of substance, its analysis is almost identical to what it was the first go-around.
The most important paragraph of the hiQ Labs II opinion is this:
[T]he CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to websites made freely accessible on the Internet, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt.
hiQ Labs at 34.
So even though LinkedIn has employed anti-bot technology, sent a cease-and-desist letter, and told hiQ that it is no longer allowed to access LinkedIn’s site, hiQ’s continued scraping of LinkedIn is not “without authorization” under the meaning of the CFAA.
The same caveats that the 9th Circuit applied to its opinion in hiQ I are still there today. Power Ventures, a 2016 case out of the same court, is distinguishable because “Power Ventures was gathering user data that was protected by Facebook’s username and password authentication system, [and] the data hiQ was scraping was available to anyone with a web browser.” hiQ Labs II at 37. (Even though Power Ventures had permission from the users whose accounts they were accessing.) So any password-protected section of a website is still subject to the CFAA, potentially. Also, the 9th Circuit made crystal clear that those who feel that they are aggrieved by scraping are not without other civil remedies, as “state law trespass to chattels claims may still be available. And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie.” Id. at 41.
A few additional thoughts:
-The mainstream press’s coverage of this case has been incompetent and reckless. I get that you have to write simple headlines to capture people’s attention, but this is just wrong. TechCrunch, Forbes, Tech Radar, the Register — all with the same wrong and misleading headline. The Ninth Circuit made it plain that even if the CFAA does not apply to scraping of public data, at least seven other legal claims related to web scraping might apply, depending on the circumstances. Here’s ten more, if you’re interested. It’s shocking to see so many reputable publications with such dangerously wrong, lazy, and irresponsible coverage.
-I’m disappointed that the Ninth Circuit doubled down on the opinion that Power Ventures is still good law. The Ninth Circuit reiterated “[W]e agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.” That’s equally true of companies like Instagram and Facebook. While I can appreciate that collecting data without users’ permission could still be a violation of the CFAA, I don’t think scraping with a user’s permission should be a CFAA violation. Why should we enable companies like Facebook and TikTok to create information monopolies if we don’t allow LinkedIn to do so?
-I also think this case presents a weird tension with courts that allow companies to get a permanent injunction for breach of contract while allowing hiQ Labs to get a preliminary injunction permitting it to access data. Indeed, that’s the current position of Judge Chen in this case! It seems bizarre and nonsensical that both parties in a dispute should be entitled to injunctive relief against each other reaching opposite conclusions on the same set of facts.
-It’ll be interesting to see if other circuits adopt this same logic. To date, only the DC Circuit has adopted the logic of hiQ Labs I. And courts around the country have been wildly inconsistent since Van Buren was published. Hopefully this creates some more uniformity going forward, but that is by no means guaranteed.
-As I frequently say, I still think we’re far from a stable equilibrium on these issues. The current legal regime is just too irrational and inconsistent for this to continue this way forever.