The lawyers continue to gather their billable hours as the legal tussle between data science company hiQ Labs and LinkedIn plays out in the United States federal courts.
The most recent update took place in the Ninth Circuit Court of Appeals, with Judge Marsha Berzon writing the opinion, where hiQ Labs was granted a continued preliminary injunction, which would allow the company access LinkedIn’s publicly available corpus of data.
The ruling also remanded the companies for further proceedings on the subject. In addition, the court held that hiQ’s actions do not violate the U.S. Computer Fraud and Abuse Act (CFAA).
The case is a must-follow for every CISO or data DPO as the outcome will have a material effect on privacy, the creation of privacy policies, and the operationalisation of the policies in the global milieu.
hiQ v LinkedIn background
While the two companies may be at loggerheads, such wasn’t always the case. LinkedIn participated in hiQ’s Elevate Conference in 2016. Its presence wasn’t simply performative. Then director of business operations and analytics for LinkedIn Lorenzo Canlas received the “hiQ Elevate Impact Award.”
Like many relationships, the lovefest between two parties leads to differences and this relationship came to an abrupt end when LinkedIn sent hiQ a cease-and-desist order in May 2017 and then blocked the company’s access to LinkedIn.
hiQ wasn’t able to get LinkedIn to the negotiating table and without access to the publicly available data, found itself in the proverbial chicken wire canoe and sinking fast. hiQ was able to get an injunction against LinkedIn’s actions and remain afloat but destined to be engaged in years of legal entanglement with LinkedIn.
Privacy implications of the April 2022 hiQ v LinkedIn court ruling
The court ruling contained some noteworthy observations. The “balance of equities” discussion highlighted LinkedIn users could opt not to have their profile changes shared publicly. An example provided by LinkedIn is the user who may wish to avoid their employer seeing they’ve begun a job search. The court made two observations that speak to the expectation of privacy.
First, the court observed, “There is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to information that they post publicly.”
The second observation by the court is with respect to the expectation that users’ employers being alerted to profile changes signalling an employee is engaged in a job hunt. The court noted employees could avoid such by “rejecting public exposure of their profiles and eliminating their employers as contacts.”
As intimated in 2017, the court observed again in 2022 that LinkedIn’s actions undercut their arguments regarding expectation of privacy in users’ public profiles, highlighting the LinkedIn product “Recruiter,” which essentially allows recruiters to tag, monitor and receive updates on changes taking place within the profiles of individuals who they may wish to target, with full-on export capabilities.
The blocking of hiQ’s access would have a deleterious effect on their ability to conduct business, and if LinkedIn wished to restrict public access it could eliminate the “public access option, albeit at a cost to the performance of many users and, possibly, to its own bottom line.”
Why LinkedIn’s CFAA claim was denied
The court was clear: If publicly available sections of a website lack “limitations on access,” they are not gated and publicly available. hiQ’s actions thus are no different than what anyone with a web browser could achieve, and the concept of “without authorisation” does not apply to public websites.
The opinion stated: “The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorisation system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.”
Implications for data collection and aggregation
What is particularly interesting, especially to those supporting privacy and or data collation efforts, is the court’s observation, “we agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest.”
The court’s opinion may serve to bring the two parties back to the table where an amicable agreement can be reached. Without such, the two companies, five years in, remain on opposite sides of the coin, with hiQ still allowed to scrape LinkedIn data and apparently LinkedIn wanting the data for their own use and not a third party.