April 19, 2022

LinkedIn can’t use anti-hacking law to block web scraping, judges rule - Ars Technica


In a case involving LinkedIn, a federal appeals court reaffirmed Monday that web scraping likely doesn't violate the Computer Fraud and Abuse Act (CFAA).

The ruling by the US Court of Appeals for the Ninth Circuit drew a distinction between data that is password-protected and data that is publicly available. That means hiQ Labs—a data analytics company that uses automated technology to scrape information from public LinkedIn profiles—can continue accessing LinkedIn data, a three-judge panel at the appeals court ruled:

[I]t appears that the CFAA's prohibition on accessing a computer "without authorization" is violated when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ's possibly meritorious tortious interference claim.

Judges warn against “information monopolies”

The judges said they "favor a narrow interpretation of the CFAA's 'without authorization' provision so as not to turn a criminal hacking statute into a 'sweeping Internet-policing mandate.'" They also found that the public interest favors allowing access to LinkedIn data.

"We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest," the ruling said.

The overall case hasn't been decided yet, but Monday's ruling affirmed a preliminary injunction issued by the US District Court for the Northern District of California and remanded the case back to the district court. The injunction prevents Microsoft-owned LinkedIn from denying hiQ access to publicly available member profiles while litigation is pending.

LinkedIn sent hiQ a cease-and-desist letter in May 2017, claiming "that if hiQ accessed LinkedIn's data in the future, it would be violating state and federal law, including the CFAA, the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass," the appeals court noted. HiQ responded by suing LinkedIn and sought a declaratory judgment that LinkedIn could not invoke those laws against it.

Supreme Court limited what’s a crime under CFAA

The same panel of appeals court judges reached a similar decision upholding the preliminary injunction in September 2019. But the Supreme Court granted a LinkedIn petition for certiorari and remanded the case back to the appeals court for further consideration in light of the Supreme Court's 2021 decision in Van Buren v. United States, another CFAA case that we've previously covered.

In Van Buren, the Supreme Court imposed a limit on what counts as a crime under the CFAA. Former Georgia police sergeant Nathan Van Buren used his own valid credentials to get information about a license plate number from a law enforcement database. The sergeant ran the search in exchange for money and for non-law enforcement purposes, violating a department policy.

Van Buren was charged with a felony under the CFAA, which says it's a crime when someone "intentionally accesses a computer without authorization or exceeds authorized access." He was convicted and sentenced to 18 months in prison, but the Supreme Court ruled in a 6-3 decision that Van Buren did not violate the CFAA. As we previously wrote, justices found that the cybersecurity statute does not make it a crime to obtain information from a computer when the person has authorized access to that machine, even if the person has "improper motives."

LinkedIn argued that its petition "addresses the precise question left open by the Court in Van Buren. LinkedIn put gates around its servers by employing technical 'code-based' measures to prevent hiQ from scraping data (which hiQ circumvented via bots) and sending a cease-and-desist letter to hiQ, thereby expressly revoking any 'authorization' hiQ had to access LinkedIn’s computers. Van Buren expressly left open whether these methods of denying and revoking authorization, or any other methods of doing so, qualify as 'gates-down' under Section 1030(a)(2), thus rendering hiQ's massive scraping of data 'without authorization.'" LinkedIn said the technical barriers it uses include its robots.txt file and "several technological systems to detect suspicious activity and restrict automated scraping."

New analysis confirms previous decision

After the Supreme Court's remand of the LinkedIn/hiQ case, the Ninth Circuit judges "ordered supplemental briefing and held oral argument on the effect of Van Buren on this appeal," Monday's appeals court decision said. Judges ultimately found that "Van Buren's 'gates-up-or-down inquiry' is consistent with our interpretation of the CFAA as contemplating three categories of computer systems."

Those three categories are computers with open access to the public and no permission requirement; computers for which authorization is required and has been given; and computers for which authorization is required but has not been given. Van Buren made a "distinction between computer users who 'can or cannot access a computer system,' suggest[ing] a baseline in which there are 'limitations on access' that prevent some users from accessing the system (i.e., a 'gate' exists, and can be either up or down)," the appeals court said, continuing:

The Court's "gates-up-or-down inquiry" thus applies to the latter two categories of computers we have identified: if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down. As we have noted, however, a defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser. In other words, applying the "gates" analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place. Van Buren therefore reinforces our conclusion that the concept of "without authorization" does not apply to public websites.

In Van Buren, the Supreme Court said in a footnote that "we need not address whether this inquiry turns only on technological (or 'code-based') limitations on access, or instead also looks to limits contained in contracts or policies." There's disagreement among circuit courts on the relevance of contracts, as the Ninth Circuit judges said they have previously "rejected the contract-based interpretation of the CFAA's 'without authorization' provision adopted by some of our sister circuits."

"We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty," the court said in a 2012 ruling.

LinkedIn privacy argument rejected

HiQ uses data scraped from public LinkedIn profiles to offer one product that "purports to identify employees at the greatest risk of being recruited away" and another that "summarizes employees' skills in the aggregate," the court's new ruling said.

In a statement criticizing the ruling, LinkedIn said, "When your data is taken without permission and used in ways you haven't agreed to, that's not okay. On LinkedIn, our members trust us with their information, which is why we prohibit unauthorized scraping on our platform."

Appeals court judges rejected LinkedIn's privacy arguments. "[T]here is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do," judges wrote. Judges also pointed out that LinkedIn offers recruiting products that give access to member profile data, saying, "LinkedIn's own actions undercut its argument that users have an expectation of privacy in public profiles."



source: https://arstechnica.com/tech-policy/2022/04/linkedin-cant-use-anti-hacking-law-to-block-web-scraping-judges-rule/
