• by Wendy Davis  @wendyndavis, September 9, 2019

LinkedIn can't rely on a 33-year-old anti-hacking law to prevent the analytics firm HiQ Labs from mining data, a federal appellate court ruled Monday.

The ruling, issued by a three-judge panel of the 9th Circuit Court of Appeals, leaves in place an injunction that requires LinkedIn to allow publicly available data about its users to be scraped by HiQ.

The decision stems from a dispute dating to May of 2017, when the Microsoft-owned LinkedIn demanded that HiQ stop scraping data from the service.

HiQ gathers data from LinkedIn's publicly available pages, examines the information to determine which employees are at risk of being poached, and then sells its findings to employers.

LinkedIn contended that HiQ's scraping violates the Computer Fraud and Abuse Act, a 1986 law that makes it illegal to access computer services without authorization.

After LinkedIn sent a cease-and-desist letter to HiQ, the analytics company sued LinkedIn for allegedly acting anti-competitively. HiQ sought a declaratory judgment that it wasn't violating the anti-hacking law, and asked for an injunction requiring LinkedIn to stop blocking HiQ.

LinkedIn countered that it has the right to control its servers, and that HiQ was disregarding LinkedIn users' privacy. The social networking service said more than 50 million people have used its "do not broadcast" tool, which enables users to change their profiles without having other users notified about the revision.

U.S. District Court Judge Edward Chen in the Northern District of California sided with HiQ and granted the company a preliminary injunction on the grounds that its business could suffer "irreparable harm" if it were prevented from accessing publicly available information.

LinkedIn then asked the 9th Circuit to vacate Chen's preliminary order. The social networking company said it has the right to protect the data on its servers from outside parties, and that HiQ has no valid antitrust claim.

On Monday, the 9th Circuit ruled that HiQ was entitled to the injunction. The judges ruled that HiQ's scraping probably didn't violate the Computer Fraud and Abuse Act, because LinkedIn profiles are not password protected.

The appellate judges said the anti-hacking statute was intended to prevent activity comparable to “breaking and entering,” as opposed to gathering profile data “available to anyone with an internet connection.”

The judges added: “It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization.”

The appellate court discounted LinkedIn's argument that HiQ was harming users' privacy by scraping data even when people used a “do not broadcast” setting.

“There is no evidence in the record to suggest that most people who select the 'Do Not Broadcast' option do so to prevent their employers from being alerted to profile changes made in anticipation of a job search,” the judges wrote. “As the district court noted, there are other reasons why users may choose that option -- most notably, many users may simply wish to avoid sending their connections annoying notifications each time there is a profile change.”

LinkedIn said it is "disappointed" in the decision and evaluating its options. "LinkedIn will continue to fight to protect our members and the information they entrust to LinkedIn," the company stated.

Monday's ruling appears to effectively overrule a decision issued six years ago in a dispute between Craigslist and the data miner 3Taps, which also scraped publicly available listings.

In that matter, 3Taps allegedly scraped real estate listings and made them available to the developers PadMapper and Lively. PadMapper allegedly meshed Craigslist's apartment listings with Google maps -- which allows people to easily search for apartments by neighborhood. Lovely also allegedly drew on Craigslist's offered searchable apartment listings at Livelovely.com.

U.S. District Court Judge Charles Breyer in the Northern District of California ruled in 2013 that 3Taps potentially violated the anti-hacking law by scraping listings from Craigslist after the company told it to stop doing so.