LinkedIn has registered a new judgment against him in his fight against a company collecting data from his public profiles.
Under California law, what does “unauthorized” access to computer systems mean? On the spot, the Court of Appeal had to judge. The context: a dispute in which it had already ruled in 2019. It pits LinkedIn against hiQ Labs.
This company, founded in 2012, retrieves information from public profiles, formats it and markets it, from the perspective of predictive analytics. Its target: employers. With products that should allow them to map skills (Skill Mapper) and detect staff who plan to set sail (Keeper).
In 2017, LinkedIn formally asked hiQ to stop the practice, citing the Computer Fraud and Abuse Act (CFAA). The law, in force since 1986, punishes access to a computer without permission or excessive use of authorized access.
Faced with this injunction, hiQ had gone to court in California to try to prove that its activity was legal. And had won.
LinkedIn had appealed. In September 2019, the Court of Appeal dismissed the appeal. Among other reasons:
– The social network does not have the rights to the data published by its members, the latter being owners of their profiles.
– Users who choose a public profile ” obviously” expect it to be accessible by third parties.
– The CFAA is supposed to govern cases of piracy ; It is all the more questionable to invoke it in a case concerning open access data.
Giving LinkedIn control over the use of public data could lead to an “information monopoly” detrimental to the public interest
– Without access to the data concerned, hiQ would face “irreparable damage”
LinkedIn evokes a legitimate economic interest…
The proceedings went all the way to the Supreme Court, which ruled in favour of LinkedIn. In the background, a decision she had rendered a few weeks earlier… and which implied a reading of the CFAA other than that of the Court of Appeal. In this case, from the point of view of the misuse of authorized access – and, consequently, the technical measures that LinkedIn had put in place against hiQ’s bots . The case involved a police officer who had used a government database to conduct an investigation on his own initiative.
Again requested, the Court of Appeal maintained its initial position. It ruled on two elements in particular. On the one hand, the existence of a disruption of the contractual relationship between hiQ and its customers. On the other, the applicability of the CFAA, LinkedIn’s main axis of defense.
On the first point, hiQ claims that the interference was intentional. And that it manifested itself as much by the implementation of technical measures as by the invocation of the CFAA. LinkedIn does not dispute those observations, but asserts that, according to the legislation, such interference may be justified by a legitimate economic interest.
How did the Court reason in this regard? First, it considered that, in the existence of a contractual relationship, the societal interest of stability was commonly given priority over freedom of competition. Then repeated elements of the Supreme Court’s reasoning. More precisely: such interference cannot be justified solely by the fact that a competitor would seek to gain an economic advantage at LinkedIn’s expense. It is necessary to be able to prove that one acted to “safeguard an interest of greater societal value than the stability of the contract”.
To estimate whether this is the case, two things need to be checked. On the one hand, if the means of interference remain within the framework of “recognized commercial practices”. On the other, if they remain in the nails of fair competition.
… but clashes with the interpretation of the CFAA
Technical blocking is probably not a “recognized business practice” within the meaning of California case law, the Court said. On the contrary, for example, advertising, price adjustments or poaching of employees. Which can indirectly influence contractual relationships, but without fundamentally disrupting a business model.
Nor is it a given, according to the Court, that we are on the ropes of fair competition. One argument from hiQ in particular hit the nail on the head: LinkedIn formally attacked years after becoming aware of the offending practices. And it did so in the weeks following the announcement of a product that could compete with Skill Mapper.
The second question remains: once the formal warning was received, did the data collection continue “without authorization” within the meaning of the CFAA?
The blocking in itself cannot be considered as a lack of authorisation, the Court states at the outset. And to justify maintaining its “restrictive” interpretation of the text: a simple misuse is not enough to invoke it; The notion of intrusion is essential (see “hacking” above).
Is there anything in the LinkedIn vs hiQ case that amounts to an intrusion? The Court’s answer is no. In broad outline, on the following bases:
– The notion of unauthorised access applies only to information made private by some form of password-type requirement
– Other texts than the CFAA – including the Stored Communications Act – go in the same direction
– LinkedIn did not manifestly make the data on its public profiles private
Illustration © photo 360b – Shutterstock