A preliminary order has been handed down in the hiQ Labs versus LinkedIn lawsuit. If you are not familiar with this case, here are the basics: hiQ analyzes and sells data to employers regarding various things related to the workforce. hiQ has two products (services): Keeper, which lets employers know which of their employees are at greatest risk for being poached, and Skill Mapper, which provides a summary of the skills of an individual worker.
The thing is, both of hiQ’s products are based on the analysis and packaging of data which is publicly available from profiles on... wait for it ... LinkedIn.
Yes, hiQ has been scraping user data from LinkedIn profiles - but only profiles set to ‘public’ by the user - and that is the model on which they built their business.
Now, hiQ was founded in 2014, and this has been their business model all along. Moreover, LinkedIn was not only well aware of hiQ and their business model, but in 2015 they actually participated in events put on by hiQ, such as the hiQ Elevate conference. In fact, in 2016 a LinkedIn employee was awarded the “High Impact” award during the hiQ Elevate conference. So, one could reasonably infer that whether or not there was a formal agreement between LinkedIn and hiQ, LinkedIn was certainly aware of what hiQ was doing, and seemed to have no problem with it.
LinkedIn was acquired by Microsoft at the end of 2016, and LinkedIn fired the first shot in this volley just five months later, with a cease and cesist (”C&D”) demand, then another C&D letter, and ultimately locking hiQ out of their own LinkedIn account, effectively blocking hiQ’s access to the data. While nowhere is Microsoft mentioned in the documents (other then a reference to the acquisition), one has to wonder whether the change of ownership was the impetus for this showdown.
And what a showdown it is!
One might think this would be a slam dunk for LinkedIn, but one would be wrong.
You see, it all started with that cease and desist letter that LinkedIn sent to hiQ. In that letter, LinkedIn alleged that hiQ was in violation of the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and California Penal Code §502(c) (Unauthorized Computer Access and Computer Fraud).
Those are some pretty serious charges to level against someone who has a legitimate account through which they are accessing your service, and who is using only publicly available data.
Then LinkedIn shut off hiQ’s access, which effectively would put them out of business because, remember, hiQ’s entire business model is analyzing and packaging up the data from LinkedIn, and selling it.
So, hiQ lawyered up, and sued LinkedIn for declaratory relief (which is where the Court declares something, hence the term ‘declaratory relief’), and for an injunction stopping LinkedIn from blocking hiQ from scraping that public data. Specifically, hiQ asked the Court to declare that they were not, and would not be, in violation of the computer fraud laws by accessing public profiles on LinkedIn, because those are some serious charges. They also happen to be the wrong ones, in my expert professional opinion (yes, I am an Internet law and policy attorney, and I’ve played one on TV).
Oh, and hiQ didn’t just lawyer up with any old lawyer. They got Laurence F’in Tribe! He will be working with their local California attorneys.
Perhaps the most interesting part of all is this little tidbit from the preliminary order:
“After a hearing on the TRO request, the parties entered into a standstill agreement preserving hiQ’s access to the data and converting hiQ’s initial motion into a motion for a preliminary injunction. A hearing on the motion for preliminary injunction was held on July 27, 2017”
What this means is that hiQ and LinkedIn agreed between them to not move forward with hiQ’s original motion (at least for now), to restore hiQ’s access to the LinkedIn data, and to have hiQ request an order from the Court requiring LinkedIn to allow them to access the data.
We can only guess what LinkedIn’s lawyers’ logic was, but some good guesses would be that either a) they thought the Court would decline the request for the preliminary injunction enjoining LinkedIn from blocking hiQ, or b) they wanted the Court to order it so that they could say “we were ordered to do this by the Court”, or c) someone within LinkedIn didn’t agree with the cease and desist letter to start with, and so, nudge nudge wink wink, we’re not going going to fight this very hard.
Regardless of the reason, that is exactly what happened. The Court issued an order barring LinkedIn from blocking hiQ from scraping the public profiles, and requiring them to “withdraw the cease and desist letters to hiQ dated May 23, 2017 and June 24, 2017” and to “refrain from issuing any further cease and desist letters on the grounds therein stated during the pendency of this injunction.” There was no declaration yet (the declaratory judgement part), but still, this seems to school LinkedIn pretty well.
Now, the full order, which you can read at the link below, is 25 pages long. Here are some of my favourite excerpts:
Regarding LinkedIn’s notification system: "But there are other potential reasons why a user may opt for that setting. For instance, users may be cognizant that their profile changes are generating a large volume of unwanted notifications broadcasted to their connections on the site. They may wish to limit annoying intrusions into their contacts."
Regarding LinkedIn’s Recruiter product: "However, hiQ presented marketing materials at the hearing which indicate that regardless of other privacy settings, information including profile changes are conveyed to third parties who subscribe to Recruiter. Indeed, these materials inform potential customers that when they “follow” another user , “[f]rom now on, when they update their profile or celebrate a work anniversary, you’ll receive an update on your homepage. And don’t worry they don’t know you’re following them.” LinkedIn thus trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case."
Regarding the likelihood of users actually reading a privacy policy: "It is unlikely, however, that most users' actual privacy expectations are shaped by the fine print of a privacy policy buried in the User Agreement that likely few, if any, users have actually read."
Regarding LinkedIn protecting their users’ privacy: "The asserted harm LinkedIn faces, by contrast, is tied to its users' expectations of privacy and any impact on user trust in LinkedIn. However, those expectations are uncertain at best, and in any case, LinkedIn's own actions do not appear to have zealously safeguarded those privacy interests."
So, what does this mean for the scraping of public data? Well, this is all very preliminary, but LinkedIn is going to have to retreat, regroup, and rethink their strategy. It’s clear that this court is not inclined to say that the scraping of public data is a violation of any computer fraud laws.
You can read the full order here.
You can read hiQ’s original complaint here.