LinkedIn records a new judgment against it in its fight against a company collecting data from its public profiles.
Under California law, what does “unauthorized” access to computer systems mean? On site, the Court of Appeal had to judge. The context: a dispute in which it had already ruled in 2019. It pits LinkedIn against hiQ Labs.
This company founded in 2012 collects information on public profiles, formats it and markets it, from the angle of predictive analysis. Its target: employers. With products that should allow them to map skills (Skill Mapper) and detect personnel who plan to set sail (Keeper).
In 2017, LinkedIn formally requested hiQ to cease the practice, in the name of the Computer Fraud and Abuse Act (CFAA). The text, in force since 1986, punishes the fact of accessing a computer without permission or excessive use of authorized access.
Faced with this injunction, hiQ took legal action in California to try to prove that its activity was legal.
And had won. LinkedIn appealed. In September 2019, the Court of Appeal dismissed it. Among others for the following reasons:
- The social network does not have the rights to the data published by its members , the latter being owners of their profiles.
– Users who choose a public profile “obviously” expect it to be accessible by third parties .
– The CFAA is supposed to govern cases of piracy ; it is all the more questionable to invoke it in a case concerning open access data.
– Letting LinkedIn control the use of public data could lead to an “information monopoly” detrimental to the public interest
– Without access to the data concerned, hiQ would face “irreparable damage”
LinkedIn evokes a legitimate economic interest…
The case went all the way to the Supreme Court, which ruled in favor of LinkedIn . Underlying this was a decision the Court had issued a few weeks earlier… a decision that involved a different interpretation of the CFAA than the Court of Appeals. Specifically, it focused on the misuse of authorized access—and, consequently, the technical measures LinkedIn had implemented against bots . The case involved a police officer who had used a database to conduct his own investigation.
Asked again, the Court of Appeal upheld its initial position. It ruled on two points in particular. First, the existence of a disruption in the contractual relationship between hiQ and its clients. Second, the applicability of the CFAA, LinkedIn .
On the first point, hiQ claims that the interference was intentional. And that it was manifested as much by the implementation of technical measures as by the invocation of the CFAA. LinkedIn does not dispute these observations, but asserts that according to the law, such interference can be justified by a legitimate economic interest.
How did the court reason in this regard? It first considered that in the existence of a contractual relationship, we commonly favored the societal interest of stability rather than freedom of competition. Then resumed elements of the reasoning of the Supreme Court. More specifically: such interference cannot be justified by the mere fact that a competitor would seek to gain an economic advantage at the expense of LinkedIn . We must be able to prove that we acted to "safeguard an interest of greater societal value than the stability of the contract".
To assess whether this is the case, two things need to be checked. On the one hand, if the means of interference remain within the framework of “recognized commercial practices”. On the other, if they remain within the framework of fair competition.
… but comes up against the interpretation of the CFAA
Technical blocking is probably not a "recognized business practice" within the meaning of Californian case law, the Court considers . Unlike, for example, advertising, price adjustments or employee poaching. These may indirectly affect contractual relationships, but without fundamentally disrupting a business model .
It is not acquired either, still according to the Court, that we are in the ropes of fair competition . A hiq argument has particularly hit the bull's eye: Linkedin formally attacked years after being aware of the incriminated practices. And he did it in the weeks following the announcement of a product likely for competition Skill Mapper.
The second question then remains: once the formal warning was received, did the data collection continue “without authorization” within the meaning of the CFAA?
The blocking in itself cannot be considered as a lack of authorization, the Court clarifies from the outset. And to justify maintaining its “restrictive” interpretation of the text: a simple diversion is not sufficient to invoke it; the notion of intrusion is essential (see “hacking” above).
Is there anything akin to an intrusion in the “LinkedIn vs hiQ” case? The Court's response is negative. In broad terms, on the following bases:
– The notion of unauthorized access only applies to information made private by some form of password-type requirement
– Other texts than the CFAA – including the Stored Communications Act – go in the same direction
– LinkedIn clearly did not make data on its public profiles private
—————————
prospecting automation software that allows you to easily manage all complex aspects of your marketing processes.
Test Magileads for free in 14 days. Click here .
Or book a demo to see how it works. Click here .
