U.S. Supreme Court Puts New Hacking Precedent to the Test In Old LinkedIn Case

U.S. Supreme Court Puts New Hacking Precedent to the Test In Old LinkedIn Case
Photo: Kevin Dietsch, Getty Images

In 2019, a U.S. federal appeals court ruled that business-oriented social network LinkedIn couldn’t continue to block another company’s data scraping while a lawsuit between the two firms played out.

The ruling was broadly interpreted as supporting the view that data scraping, the practice of downloading large amounts of data from publicly accessible websites and servers, isn’t in violation of the 1986 Computer Fraud and Abuse Act (CFAA). But the Supreme Court has now thrown LinkedIn another lifeline in the case by throwing out the appeals court’s decision and ordering them to reconsider it in light of a new precedent, according to Reuters.

The CFAA was written at a time when most major computer networks were operated by the government, military, corporations, and academic institutions for very specific and often sensitive purposes, and with all the computer expertise of the 1980s U.S. Congress (which is to say very little). It is infamously vague and makes a federal crime out of accessing a “protected computer” either without or in excess of “authorization,” terms which could mean pretty much anything, including using someone else’s Netflix account or violating the terms of service of a website. Meanwhile, data scraping is in some ways indistinguishable from normal web browsing other than the fact that it’s automated — humans sitting at keyboards could accomplish the same task, just nowhere near as quickly.

LinkedIn claimed that a data analytics company called hiQ had violated the CFAA by scraping large amounts of information for their analytics business. As the Electronic Privacy Information Centre explained, this wasn’t private data that required a user to be logged in or an approved connection to view. The data was available on the public-facing side of the site indexable by search engines. Regardless, LinkedIn sent cease-and-desist letters to hiQ, citing various laws, including the CFAA, and subsequently attempted to block them with technical tools.

hiQ sued on anti-competition grounds and won a preliminary injunction in 2017 that prohibited LinkedIn from continuing the attempted blacklisting while the court case proceeded on the merits. LinkedIn appealed the decision on the injunction and lost in 2019, Reuters reported, with San Francisco Court of Appeals for the Ninth Circuit Judge Marsha Berzon suggesting in her opinion that companies cannot use the CFAA as leverage to impose arbitrary limits on who can use publicly accessible data, and that allowing them to do so increased the risk of “information monopolies”:

She also said giving companies such as LinkedIn “free rein” over who can use public user data risked creating “information monopolies” that harm the public interest.

“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles,” Berzon wrote. “And as to the publicly available profiles, the users quite evidently intend them to be accessed by others,” including prospective employers… “Of course, LinkedIn could satisfy its ‘free rider’ concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line,” she wrote.

The decision on the injunction wasn’t a final say on the outcome of the suit between hiQ and LinkedIn. Instead, Marzon allowed it to remain in place because she found that hiQ was likely to win, and thus allowing LinkedIn to maintain the blacklist imposed unfair burdens on hiQ.

The thinking behind the decision seemed pretty clear-cut. LinkedIn wanted to enjoy the benefits of having a massive index of user-submitted data that anyone could search. It also tried to use federal anti-hacking laws as a pretext to block anyone they viewed as a competitor from using it. Not only did LinkedIn want to have its cake and eat it too, but a ruling that scraping techniques violate the CFAA would also have ramifications for all other web users and potentially undermine the principles of open access across the internet. For example, data scraping isn’t just used in for-profit applications but is widely used in academia, scientific research, journalism, and all manner of useful programming projects.

LinkedIn obviously wasn’t satisfied and appealed the appeals court’s ruling to the Supreme Court, which earlier this month issued another decision limiting the scope of the CFAA.

In a separate case decided on June 4, the Supreme Court ruled 6-3 to reverse the conviction under the CFAA of a Georgia police officer (Nathan Van Buren) who abused his access to a police database to determine whether a local stripper was an undercover cop. The court found that while the officer had “improper motives” when he searched for information on the stripper, no actual hacking was involved as his employer had given him account credentials to access it, and thus the search couldn’t be prosecuted as a crime under the CFAA.

On its face, that ruling might seem amenable to hiQ — but the Supreme Court ruling is an adjustment to precedent that left multiple issues unclear surrounding whether conduct becomes unauthorised when it involves circumventing security or technical restrictions (like cracking a password) or merely against “limits contained in contracts or policies.” The decision in the Van Buren case also dwells on language in the CFAA prohibiting conduct that “exceeds authorised access,” while the hiQ/LinkedIn dispute centres around the section about “without authorization.” The Ninth Circuit itself has issued muddled rulings on the CFAA in the past, such as a suit between Facebook and a data scraper where Facebook won because accessing the data required registering an account.

The Supreme Court apparently didn’t want to address these lingering questions itself. It threw out the injunction in the hiQ/LinkedIn case on Monday and sent the case back to the San Francisco appeals court to reconsider.

As University of California, Berkeley law professor Orin Kerr tweeted, this means the appeals court will have the first opportunity to interpret the Van Buren ruling as it applies to the dispute between hiQ and LinkedIn. One key factor will be whether the modified scope of the CFAA under the Supreme Court’s June 4 decision affects LinkedIn’s argument that sending cease-and-desist letters constituted a legally binding retraction of hiQ’s authorization to use the site.

“You can see examples of how big companies are using CFAA for so-called privacy enforcement and why we think that’s a really bad idea,” Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, told Protocol last year. “They’re kind of just using it as an excuse to bully outside groups they don’t like.”