US Supreme Court gives LinkedIn another chance to thwart web scraping


The US Supreme Court has given Microsoft’s LinkedIn another chance to stop hiQ from deleting its public profiles.

In 2019, the United States Court of Appeals for the Ninth Circuit sided with a lower court that two years earlier had found that data science company hiQ Labs had not violated CFAA (Computer Fraud and Abuse Act) by retrieving publicly available data from the LinkedIn website. The move alarmed some privacy groups.

Two weeks ago, in Van Buren v. United States, the Supreme Court narrowed the Computer Fraud and Abuse Act (CFAA) by ruling that violations of the terms of service alone are not sufficient to attract criminal liability under the CFAA. The CFAA criminalizes intentional access to a computer “without authorization” or in a manner that “exceeds authorized access”, although the law does not define these terms.

The Supreme Court has ruled that criminal hacking charges under the CFAA should not apply to individuals who obtain information in violation of the organization’s policies when that information is otherwise available to them under a granted access level .

But the court left open whether terms of service policies, in conjunction with an access control feature or door mechanism, might be sufficient to trigger liability under the CFAA.

On Monday, the court sent LinkedIn Corporation vs. hiQ Labs back to the Ninth Circuit for reconsideration in light of the Van Buren decision.

Orin Kerr, a law professor at UC Berkeley School of Law, suggested by Twitter that the Ninth Circuit is being asked to decide whether LinkedIn’s cease and desist letter to hiQ could be considered the type of portal CFAA envisions or whether making information available to the public authorizes everyone to visit the public URL.

In its June 7, 2021 brief to the Supreme Court, filed just days after the Van Buren decision, LinkedIn argued that these questions needed to be answered.

“LinkedIn put gates around its servers using ‘code-based’ technical measures to prevent hiQ from retrieving data (which hiQ circumvented via bots) and sending a cease and desist letter to hiQ, thereby expressly revoking any “permission” hiQ had to access LinkedIn’s computers,” the company brief states. “Van Buren expressly left open whether these permission denial and revocation methods, or any other methods permitting to do so, qualify as “closed doors” under Section 1030(a)(2) [of the CFAA], thus making hiQ’s massive data scraping “permissionless”. “

LinkedIn argues that companies need to know how they can prohibit unwanted uses of their data, noting that websites employ a variety of strategies involving code, policies and contracts that may or may not qualify as a “gate” under the CFAA.

In a statement emailed to The register, Megan Iorio, an attorney for the Electronic Privacy Information Center (EPIC), echoed the defense group’s amicus brief [PDF] who argued in favor of dismissal of the case.

“Today’s order for reference only delays the day when the Court must decide the question it left open in Van Buren: what methods does the CFAA require computer owners to use to deny or revoke permission to access a computer,” Iorio said. “There is already a divided circuit on whether a login prompt is necessary or whether other technical methods and policy restrictions are sufficient.”

Iorio said the Ninth Circuit’s decision to uphold the injunction granted to hiQ was largely due to the company accessing “public” data, in the sense that LinkedIn user data resided on a website. open to the general public.

“The court said the CFAA did not provide protection for this type of computer or this type of information,” she said. “But since the Ninth Circuit’s ruling, news about Clearview AI and its scraping of social media sites to create biometric templates of millions of individuals has changed the discussion about web scraping and data privacy interests” accessible at audience “.”

“LinkedIn has a chance to challenge the CFAA claims in light of the threat from Clearview AI and others that would harvest users’ personal information to use for nefarious purposes, and perhaps that will make a difference in the outcome,” she added.

hiQ did not immediately respond to a request for comment. ®


Comments are closed.