The U.S. Ninth Circuit of Appeals ruled Monday that scraping personal data from a public website is totally, entirely legal.
For those that haven’t been following the scraping saga until now, the court’s ruling is the latest in a sprawling case first launched by Linkedin in 2017 against hiQ Labs, a rival data science company that was spotted scraping personal details from LinkedIn user’s public profiles, which hiQ would then sell to corporate customers and recruiters interested in knowing, say, which employee might be likely to quit their job in the coming months. While there’s plenty of “corporate intelligence” tools that offer similar scraping services, LinkedIn wanted to make an example of hiQ, in particular, and served the company with a cease-and-desist five years ago.
At the time, LinkedIn’s counsel argued in a letter sent to the company that the professional social network had implemented “technical measures” to keep hiQ’s scraping from taking place, and that by continuing to scrape LinkedIn, hiQ was violating the Federal Computer Fraud and Abuse Act, or CFAA, a 1986 law meant to crack down on cybercriminals. But the fact that the law was written in the 80s means that the law gets invoked to penalise all sorts of cyber-adjacent behaviour, from contract violations to terms of service mishaps to scraping publicly available information.
Rather than waiting for that cease-and-desist letter to turn into a full-blown lawsuit, hiQ actually sued LinkedIn — and won. In that original 2019 ruling, the Ninth Circuit found that the CFAA, outdated though it may be, doesn’t technically bar anyone from scraping data that anyone with an internet connection can access.
Naturally, LinkedIn wasn’t too happy about the decision, and tried to get the case taken to the Supreme Court last summer. The high court immediately shot the case down, arguing instead that the appeals court re-examine it in light of some recent tweaks to the CFAA that significantly pared down the definition of “hacking” under U.S. law. According to this new definition, hiQ would need to gain “unauthorised access” to LinkedIn’s systems in order for the company’s scraping to constitute a hack and therefore be punishable under CFAA.
But as the Ninth Circuit pointed out in its second pass at the ruling, “the concept of ‘without authorization’ does not apply to public websites,” because no one needs authorization to access them. That’s what makes them public.
LinkedIn sees things a bit differently. “We’re disappointed in the court’s decision. This is a preliminary ruling and the case is far from over,” LinkedIn spokesperson Greg Snapper told TechCrunch in a statement.
“We will continue to fight to protect our members’ ability to control the information they make available on LinkedIn,” he went on. “When your data is taken without permission and used in ways you haven’t agreed to, that’s not ok. On LinkedIn, our members trust us with their information, which is why we prohibit unauthorised scraping on our platform.”
But as this new ruling makes clear, just because one company prohibits it, that doesn’t mean the U.S. Courts do the same.