A recent decision in the battle between analytics firm hiQ Labs and social networking service LinkedIn poses “a grave threat to user privacy and the openness of the Internet,” LinkedIn argues in new court papers.
The ruling, issued last month by a three-judge panel of the 9th Circuit Court of Appeals, requires LinkedIn to allow publicly available data about its users to be scraped by hiQ. LinkedIn is now seeking a review by the full 9th Circuit.
“It is foundational to the ability of website owners to control access to their computer servers in order to prevent abuse, including the furtive scraping of personal data on a massive scale,” LinkedIn writes in papers filed Friday. “The panel’s decision fundamentally weakens this protection and will have profound consequences for the Internet and for websites’ ability to control access to their servers and guard their users’ privacy.”
The battle dates to May of 2017, when the Microsoft-owned LinkedIn demanded that hiQ stop scraping data from the service.
The analytics service gathers data from LinkedIn's publicly available pages, examines the information to determine which employees are at risk of being poached, and sells the findings to employers.
LinkedIn contended that hiQ's scraping violates the Computer Fraud and Abuse Act, a 1986 law that makes it illegal to access computer services without authorization.
After LinkedIn sent a cease-and-desist letter to hiQ, the analytics company sued LinkedIn for allegedly acting anti-competitively. hiQ sought a declaratory judgment that it wasn't violating the anti-hacking law, and asked for an injunction requiring LinkedIn to stop blocking hiQ.
LinkedIn countered that it has the right to control its servers, and that hiQ was disregarding LinkedIn users' privacy. The social networking service added that more than 50 million people have used its "do not broadcast" tool, which enables users to change their profiles without having other users notified about the revision.
U.S. District Court Judge Edward Chen in the Northern District of California sided with hiQ and granted the company a preliminary injunction on the grounds that its business could suffer irreparable harm if it couldn't access publicly available data.
LinkedIn appealed to the 9th Circuit, where the company argued that it is entitled to protect the data on its servers, and that hiQ has no valid antitrust claim.
Last month, a three-judge panel of the 9th Circuit upheld the injunction, ruling that hiQ's scraping probably didn't violate the Computer Fraud and Abuse Act because LinkedIn profiles are not password-protected.
The appellate judges said the anti-hacking statute was intended to prevent activity comparable to “breaking and entering,” as opposed to gathering profile data “available to anyone with an internet connection.”
The panel also rejected LinkedIn's argument that hiQ was harming users' privacy by scraping data. “There is no evidence in the record to suggest that most people who select the 'Do Not Broadcast' option do so to prevent their employers from being alerted to profile changes made in anticipation of a job search,” the judges wrote.
LinkedIn says in its new papers that the judges didn't adequately consider users' interests.
“By contrast, hiQ has no contractual relationship with LinkedIn’s members limiting how it can share their data or requiring its deletion if a member so requests. No contract prevents hiQ from selling member data to the highest bidder, or combining it with other data to create sophisticated profiles to facilitate identity theft or other unwanted behavior.”
The company also contends that the panel's decision “threatens the open nature of the Internet,” arguing that the ruling effectively requires website operators to password-protect material in order to prevent scraping.
“If password walls are the only things that can stop bots, then more data will end up behind walls,” LinkedIn writes. “This would transform the Internet in ways that are contrary to open access and robust economic growth.”
The digital rights group Electronic Frontier Foundation previously sided with hiQ, arguing that the criminal anti-hacking law was never meant to cover scraping data from public sites.
But advocacy group Electronic Privacy Information Center agreed with LinkedIn, arguing that users didn't necessarily know that their data would be acquired and used in material that was sold to their employers.