• by Wendy Davis  @wendyndavis, April 14, 2020

LinkedIn should be allowed to block outside companies like hiQ analytics from scraping users' data, the advocacy group Electronic Privacy Information Center argues in a new filing with the U.S. Supreme Court.

“Personal data can be used in unexpected and unethical ways,” the privacy group writes in a friend-of-the-court brief filed Monday. “Companies ... must be able to protect users by limiting third-party access to personal data.”

EPIC is urging the Supreme Court to grant LinkedIn's request to intervene in a battle over data with hiQ -- an analytics company that gathers data from LinkedIn's publicly available pages, analyzes the information to determine which employees are at risk of being poached, and sells the findings to employers.

The dispute dates to 2017, when LinkedIn demanded that hiQ stop scraping data about users. LinkedIn contended that hiQ's scraping violates the Computer Fraud and Abuse Act -- a 1986 law that makes it illegal to access computer services without authorization.

After LinkedIn sent a cease-and-desist letter to hiQ, the analytics company sued LinkedIn for allegedly acting anti-competitively. hiQ also sought a declaratory judgment that it wasn't violating the anti-hacking law, and asked for an injunction requiring LinkedIn to stop blocking hiQ.

LinkedIn countered that it has the right to control its servers, and that hiQ was disregarding LinkedIn users' privacy. The social networking service said more than 50 million people have used its "do not broadcast" tool, which enables users to change their profiles without having other users notified about the revision.

U.S. District Court Judge Edward Chen in the Northern District of California sided with hiQ and granted the company a preliminary injunction, ruling that its business could suffer irreparable harm if it couldn't access publicly available data.

LinkedIn appealed to the 9th Circuit, where the company argued it's entitled to protect the data on its servers, and that hiQ has no valid antitrust claim. Last year, a three-judge panel of the 9th Circuit upheld the injunction, ruling that hiQ's scraping probably didn't violate the Computer Fraud and Abuse Act because LinkedIn profiles are not password-protected.

LinkedIn recently asked the Supreme Court to review that ruling.

EPIC is backing that request. The privacy group argues that companies like LinkedIn should be able to prevent unrelated companies from harvesting users' data in ways they didn't anticipate.

The organization specifically cites controversial facial recognition company Clearview AI as an example of a business that amassed data submitted by consumers for its own purposes. Clearview AI reportedly built scraped more than 3 billion photos from Google, Facebook and other services, in order to build a faceprint database that it sells to law enforcement and private companies.

"LinkedIn users do not expect that the photo they provide for their public profile will be used to create a biometric profile of their face, or that their online resume will be used to predict how much time they are likely to stay at their current job,” EPIC writes.

The organization adds that companies with direct consumer relationships, like LinkedIn, are required to follow their privacy policies, but outside companies like hiQ or Clearview, aren't necessarily bound by those policies.

“Absent a comprehensive federal data protection law, third-party web scrapers are not obligated to protect the user data of most Americans,” EPIC writes. “Users may never even know that a third party has collected or used their data.”