AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âď¸Legal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.001 - $0.003 per brief
Full Opinion
FOR PUBLICATION
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
HIQ LABS, INC., No. 17-16783
Plaintiff-Appellee,
D.C. No.
v. 3:17-cv-03301-EMC
LINKEDIN CORPORATION,
Defendant-Appellant. OPINION
Appeal from the United States District Court
for the Northern District of California
Edward M. Chen, District Judge, Presiding
Argued and Submitted March 15, 2018
San Francisco, California
Filed September 9, 2019
Before: J. Clifford Wallace and Marsha S. Berzon, Circuit
Judges, and Terrence Berg, * District Judge.
Opinion by Judge Berzon;
Concurrence by Judge Wallace
*
The Honorable Terrence Berg, United States District Judge for the
Eastern District of Michigan, sitting by designation.
2 HIQ LABS V. LINKEDIN
SUMMARY **
Preliminary Injunction / Computer Fraud and
Abuse Act
The panel affirmed the district courtâs preliminary
injunction forbidding the professional networking website
LinkedIn Corp. from denying plaintiff hiQ, a data analytics
company, access to publicly available LinkedIn member
profiles.
Using automated bots, hiQ scrapes information that
LinkedIn users have included on public LinkedIn profiles.
LinkedIn sent hiQ a cause-and-desist letter, demanding that
hiQ stop accessing and copying data from LinkedInâs server.
HiQ filed suit, seeking injunctive relief based on California
law and a declaratory judgment that LinkedIn could not
lawfully invoke the Computer Fraud and Abuse Act
(âCFAAâ), the Digital Millennium Copyright Act,
California Penal Code § 502(c), or the common law of
trespass against it.
Affirming the district courtâs grant of the preliminary
injunction in favor of hiQ, the panel concluded that hiQ
established a likelihood of irreparable harm because the
survival of its business was threatened. The panel held that
the district court did not abuse its discretion in balancing the
equities and concluding that, even if some LinkedIn users
retain some privacy interests in their information
notwithstanding their decision to make their profiles public,
**
This summary constitutes no part of the opinion of the court. It
has been prepared by court staff for the convenience of the reader.
HIQ LABS V. LINKEDIN 3
those interests did not outweigh hiQâs interest in continuing
its business. Thus, the balance of hardships tipped decidedly
in favor of hiQ.
The panel further held that hiQ raised serious questions
going to (1) the merits of its claim for tortious interference
with contract, alleging that LinkedIn intentionally interfered
with its contracts with third parties, and (2) the merits of
LinkedInâs legitimate business purpose defense. HiQ also
raised a serious question as to whether its state law causes of
action were preempted by the CFAA, which prohibits
intentionally accessing a computer without authorization, or
exceeding authorized access, and thereby obtaining
information from any protected computer. LinkedIn argued
that, once hiQ received its cause-and-desist letter, any
further scraping and use of LinkedInâs data was without
authorization within the meaning of the CFAA. The panel
concluded that hiQ had raised a serious question as to
whether the CFAAâs reference to access âwithout
authorizationâ limits the scope of statutory coverage to
computer information for which authorization or access
permission, such as password authentication, is generally
required.
Finally, the panel held that the district courtâs conclusion
that the public interest favored granting the preliminary
injunction was appropriate.
Specially concurring, Judge Wallace wrote that he
concurred in the majority opinion. He wrote separately to
express his concern about appealing from a preliminary
injunction to obtain an appellate courtâs view of the merits.
4 HIQ LABS V. LINKEDIN
COUNSEL
Donald B. Verrilli Jr. (argued) and Chad I. Golder, Munger
Tolles & Olson LLP, Washington, D.C.; Jonathan H. Blavin,
Rosemarie T. Ring, Nicholas D. Fram, and Elia Herrera,
Munger Tolles & Olson LLP, San Francisco, California; E.
Joshua Rosenkranz, Orrick Herrington & Sutcliffe LLP,
New York, New York; Eric A. Shumsky, Orrick Herrington
& Sutcliffe LLP, Washington, D.C.; Brian P. Goldman,
Orrick Herrington & Sutcliffe LLP, San Francisco,
California; for Defendant-Appellant.
C. Brandon Wisoff (argued), Deepak Gupta, Jeffrey G. Lau,
and Rebecca H. Stephens, Farella Braun & Martel LLP, San
Francisco, California; Aaron M. Panner, Gregory G.
Rapawy, and T. Dietrich Hill, Kellogg Hansen Todd Figel &
Frederick PLLC, Washington, D.C.; Laurence H. Tribe,
Cambridge, Massachusetts; for Plaintiff-Appellee.
Nicholas J. Boyle, John S. Williams, and Eric J. Hamilton,
Williams & Connolly LLP, Washington, D.C., for Amicus
Curiae CoStar Group Inc.
Perry J. Viscounty, Latham & Watkins LLP, San Francisco,
California; Gregory G. Garre, Latham & Watkins LLP,
Washington, D.C.; for Amicus Curiae Craigslist Inc.
Marc Rotenberg and Alan Butler, Electronic Privacy
Information Center, Washington, D.C., for Amicus Curiae
Electronic Privacy Information Center.
Thomas V. Christopher, Law Offices of Thomas V.
Christopher, San Francisco, California, for Amicus Curiae
3taps Inc.
HIQ LABS V. LINKEDIN 5
Jamie Williams, Corynne McSherry, Cindy Cohn, and
Nathan Cardozo, Electronic Frontier Foundation, San
Francisco, California, for Amici Curiae Electronic Frontier
Foundation, DuckDuckGo, and Internet Archive.
Kenneth L. Wilton and James M. Harris, Seyfarth Shaw
LLP, Los Angeles, California; Carrie P. Price, Seyfarth
Shaw LLP, San Francisco, California; for Amicus Curiae
Scraping Hub Ltd.
OPINION
BERZON, Circuit Judge:
May LinkedIn, the professional networking website,
prevent a competitor, hiQ, from collecting and using
information that LinkedIn users have shared on their public
profiles, available for viewing by anyone with a web
browser? HiQ, a data analytics company, obtained a
preliminary injunction forbidding LinkedIn from denying
hiQ access to publicly available LinkedIn member profiles.
At this preliminary injunction stage, we do not resolve the
companiesâ legal dispute definitively, nor do we address all
the claims and defenses they have pleaded in the district
court. Instead, we focus on whether hiQ has raised serious
questions on the merits of the factual and legal issues
presented to us, as well as on the other requisites for
preliminary relief.
I.
Founded in 2002, LinkedIn is a professional networking
website with over 500 million members. Members post
resumes and job listings and build professional
âconnectionsâ with other members. LinkedIn specifically
6 HIQ LABS V. LINKEDIN
disclaims ownership of the information users post to their
personal profiles: according to LinkedInâs User Agreement,
members own the content and information they submit or
post to LinkedIn and grant LinkedIn only a non-exclusive
license to âuse, copy, modify, distribute, publish, and
processâ that information.
LinkedIn allows its members to choose among various
privacy settings. Members can specify which portions of
their profile are visible to the general public (that is, to both
LinkedIn members and nonmembers), and which portions
are visible only to direct connections, to the memberâs
ânetworkâ (consisting of LinkedIn members within three
degrees of connectivity), or to all LinkedIn members. 1 This
case deals only with profiles made visible to the general
public.
LinkedIn also offers all membersâwhatever their
profile privacy settingsâa âDo Not Broadcastâ option with
respect to every change they make to their profiles. If a
LinkedIn member selects this option, her connections will
not be notified when she updates her profile information,
although the updated information will still appear on her
profile page (and thus be visible to anyone permitted to view
her profile under her general privacy setting). More than 50
1
Direct connections (or first-degree connections) are people to
whom a LinkedIn member is connected by virtue of having invited them
to connect and had the invitation accepted, or of having accepted their
invitation to connect. Second-degree connections are people connected
to a memberâs first-degree connections. Third-degree connections are
people connected to a memberâs second-degree connections. A LinkedIn
memberâs network consists of the memberâs first-degree, second-degree,
and third-degree connections, as well as fellow members of the same
LinkedIn Groups (groups of members in the same industry or with
similar interests that any member can request to join).
HIQ LABS V. LINKEDIN 7
million LinkedIn members have, at some point, elected to
employ the âDo Not Broadcastâ feature, and approximately
20 percent of all active users who updated their profiles
between July 2016 and July 2017âwhatever their privacy
settingâemployed the âDo Not Broadcastâ setting.
LinkedIn has taken steps to protect the data on its website
from what it perceives as misuse or misappropriation. The
instructions in LinkedInâs ârobots.txtâ fileâa text file used
by website owners to communicate with search engine
crawlers and other web robotsâprohibit access to LinkedIn
servers via automated bots, except that certain entities, like
the Google search engine, have express permission from
LinkedIn for bot access. 2 LinkedIn also employs several
technological systems to detect suspicious activity and
2
A web robot (or âbotâ) is an application that performs automated
tasks such as retrieving and analyzing information. See Definition of
âbot,â Merriam-Webster Dictionary, https://www.merriam-
webster.com/dictionary/bot (last visited July 12, 2019). A web crawler
is one common type of bot that systematically searches the Internet and
downloads copies of web pages, which can then be indexed by a search
engine. See Assoc. Press v. Meltwater U.S. Holdings, Inc., 931 F. Supp.
2d 537, 544 (S.D.N.Y. 2013); Definition of âweb crawler,â Merriam-
Webster Dictionary, https://www.merriam-webster.com/dictionary/web
%20crawler (last visited July 12, 2019). A robots.txt file, also known as
the robots exclusion protocol, is a widely used standard for stating the
rules that a web server has adopted to govern a botâs behavior on that
server. See About /robots.txt, http://www.robotstxt.org/robotstxt.html
(last visited July 12, 2019). For example, a robots.txt file might instruct
specified robots to ignore certain files when crawling a site, so that the
files do not appear in search engine results. Adherence to the rules in a
robots.txt file is voluntary; malicious bots may deliberately choose not
to honor robots.txt rules and may in turn be punished with a denial of
access to the website in question. See Can I Block Just Bad Robots?,
http://www.robotstxt.org/faq/blockjustbad.html (last visited July 12,
2019); cf. Assoc. Press, 931 F. Supp. 2d at 563 (S.D.N.Y. 2013).
8 HIQ LABS V. LINKEDIN
restrict automated scraping. 3 For example, LinkedInâs
Quicksand system detects non-human activity indicative of
scraping; its Sentinel system throttles (slows or limits) or
even blocks activity from suspicious IP addresses; 4 and its
Org Block system generates a list of known âbadâ IP
addresses serving as large-scale scrapers. In total, LinkedIn
blocks approximately 95 million automated attempts to
scrape data every day, and has restricted over 11 million
accounts suspected of violating its User Agreement, 5
including through scraping.
HiQ is a data analytics company founded in 2012. Using
automated bots, it scrapes information that LinkedIn users
3
Scraping involves extracting data from a website and copying it
into a structured format, allowing for data manipulation or analysis.
See, e.g., What Is a Screen Scraper?, WiseGeek, http://www.wisegeek.
com/what-is-a-screen-scraper.htm (last visited July 12, 2019). Scraping
can be done manually, but as in this case, it is typically done by a web
robot or âbot.â See supra note 2.
4
âIP addressâ is an abbreviation for Internet protocol address, which
is a numerical identifier for each computer or network connected to the
Internet. See Definition of âIP Address,â Merriam-Webster Dictionary,
https://www.merriam-webster.com/dictionary/IP%20address (last
visited July 12, 2019).
5
Section 8.2 of the LinkedIn User Agreement to which hiQ agreed
states that users agree not to â[s]crape or copy profiles and information
of others through any means (including crawlers, browser plugins and
add-ons, and any other technology or manual work),â â[c]opy or use the
information, content or data on LinkedIn in connection with a
competitive service (as determined by LinkedIn),â â[u]se manual or
automated software, devices, scripts robots, other means or processes to
access, âscrape,â âcrawlâ or âspiderâ the Services or any related data or
information,â or â[u]se bots or other automated methods to access the
Services.â HiQ is no longer bound by the User Agreement, as LinkedIn
has terminated hiQâs user status.
HIQ LABS V. LINKEDIN 9
have included on public LinkedIn profiles, including name,
job title, work history, and skills. It then uses that
information, along with a proprietary predictive algorithm,
to yield âpeople analytics,â which it sells to business clients.
HiQ offers two such analytics. The first, Keeper,
purports to identify employees at the greatest risk of being
recruited away. According to hiQ, the product enables
employers to offer career development opportunities,
retention bonuses, or other perks to retain valuable
employees. The second, Skill Mapper, summarizes
employeesâ skills in the aggregate. Among other things, the
tool is supposed to help employers identify skill gaps in their
workforces so that they can offer internal training in those
areas, promoting internal mobility and reducing the expense
of external recruitment.
HiQ regularly organizes âElevateâ conferences, during
which participants discuss hiQâs business model and share
best practices in the people analytics field. LinkedIn
representatives participated in Elevate conferences
beginning in October 2015. At least ten LinkedIn
representatives attended the conferences. LinkedIn
employees have also spoken at Elevate conferences. In 2016,
a LinkedIn employee was awarded the Elevate âImpact
Award.â LinkedIn employees thus had an opportunity to
learn about hiQâs products, including âthat [one of] hiQâs
product[s] used data from a variety of sourcesâinternal and
externalâto predict employee attritionâ and that hiQ
âcollected skills data from public professional profiles in
order to provide hiQâs customers information about their
employeesâ skill sets.â
In recent years, LinkedIn has explored ways to capitalize
on the vast amounts of data contained in LinkedIn profiles
by marketing new products. In June 2017, LinkedInâs Chief
10 HIQ LABS V. LINKEDIN
Executive Officer (âCEOâ), Jeff Weiner, appearing on CBS,
explained that LinkedIn hoped to âleverage all this
extraordinary data weâve been able to collect by virtue of
having 500 million people join the site.â Weiner mentioned
as possibilities providing employers with data-driven
insights about what skills they will need to grow and where
they can find employees with those skills. Since then,
LinkedIn has announced a new product, Talent Insights,
which analyzes LinkedIn data to provide companies with
such data-driven information. 6
In May 2017, LinkedIn sent hiQ a cease-and-desist letter,
asserting that hiQ was in violation of LinkedInâs User
Agreement and demanding that hiQ stop accessing and
copying data from LinkedInâs server. The letter stated that if
hiQ accessed LinkedInâs data in the future, it would be
violating state and federal law, including the Computer
Fraud and Abuse Act (âCFAAâ), the Digital Millennium
Copyright Act (âDMCAâ), California Penal Code § 502(c),
and the California common law of trespass. The letter further
stated that LinkedIn had âimplemented technical measures
to prevent hiQ from accessing, and assisting others to access,
LinkedInâs site, through systems that detect, monitor, and
block scraping activity.â
6
The record does not specifically name Talent Insights, but at a
district court hearing on June 29, 2017, counsel for hiQ referenced Mr.
Weinerâs statements on CBS and stated that âin the past 24 hours weâve
received word . . . that LinkedIn is launching a product that is essentially
the same or very similar to [hiQâs] Skill Mapper, and trying to market it
head-to-head against us.â LinkedIn has since launched Talent Insights,
which, among other things, promises to help employers âunderstand the
. . . skills that are growing fastest at your company.â See
https://business.linkedin.com/talent-solutions/blog/product-updates/201
8/linkedin-talent-insights-now-available (last visited July 12, 2019).
HIQ LABS V. LINKEDIN 11
HiQâs response was to demand that LinkedIn recognize
hiQâs right to access LinkedInâs public pages and to threaten
to seek an injunction if LinkedIn refused. A week later, hiQ
filed suit, seeking injunctive relief based on California law
and a declaratory judgment that LinkedIn could not lawfully
invoke the CFAA, the DMCA, California Penal Code
§ 502(c), or the common law of trespass against it. HiQ also
filed a request for a temporary restraining order, which the
parties subsequently agreed to convert into a motion for a
preliminary injunction.
The district court granted hiQâs motion. It ordered
LinkedIn to withdraw its cease-and-desist letter, to remove
any existing technical barriers to hiQâs access to public
profiles, and to refrain from putting in place any legal or
technical measures with the effect of blocking hiQâs access
to public profiles. LinkedIn timely appealed.
II.
âA plaintiff seeking a preliminary injunction must
establish that he is likely to succeed on the merits, that he is
likely to suffer irreparable harm in the absence of
preliminary relief, that the balance of equities tips in his
favor, and that an injunction is in the public interest.â Winter
v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20 (2008). All
four elements must be satisfied. See, e.g., Am. Trucking
Assân v. City of Los Angeles, 559 F.3d 1046, 1057 (9th Cir.
2009). We use a âsliding scaleâ approach to these factors,
according to which âa stronger showing of one element may
offset a weaker showing of another.â Alliance for the Wild
Rockies v. Cottrell, 632 F.3d 1127, 1131 (9th Cir. 2011). So,
when the balance of hardships tips sharply in the plaintiffâs
favor, the plaintiff need demonstrate only âserious questions
going to the merits.â Id. at 1135.
12 HIQ LABS V. LINKEDIN
Applying that sliding scale approach, the district court
granted hiQ a preliminary injunction, concluding that the
balance of hardships tips sharply in hiQâs favor and that hiQ
raised serious questions on the merits. We review the district
courtâs decision to grant a preliminary injunction for abuse
of discretion. The grant of a preliminary injunction
constitutes an abuse of discretion if the district courtâs
evaluation or balancing of the pertinent factors is âillogical,
implausible, or without support in the record.â Doe v. Kelly,
878 F.3d 710, 713 (9th Cir. 2017).
A. Irreparable Harm
We begin with the likelihood of irreparable injury to hiQ
if preliminary relief were not granted.
â[M]onetary injury is not normally considered
irreparable.â Los Angeles Memâl Coliseum Commân v. Natâl
Football League, 634 F.2d 1197, 1202 (9th Cir. 1980).
Nonetheless, â[t]he threat of being driven out of business is
sufficient to establish irreparable harm.â Am. Passage Media
Corp. v. Cass Commcâns, Inc., 750 F.2d 1470, 1474 (9th Cir.
1985). As the Second Circuit has explained, â[t]he loss of
. . . an ongoing business representing many years of effort
and the livelihood of its . . . owners, constitutes irreparable
harm. What plaintiff stands to lose cannot be fully
compensated by subsequent monetary damages.â Roso Lino
Beverage Distributors, Inc. v. Coca Cola Bottling Co. of
New York, Inc., 749 F.2d 124, 125â26 (2d Cir. 1984) (per
curiam). Thus, showing a threat of âextinctionâ is enough to
establish irreparable harm, even when damages may be
available and the amount of direct financial harm is
ascertainable. Am. Passage Media Corp., 750 F.2d at 1474.
The district court found credible hiQâs assertion that the
survival of its business is threatened absent a preliminary
HIQ LABS V. LINKEDIN 13
injunction. The record provides ample support for that
finding.
According to hiQâs CEO, âhiQâs entire business depends
on being able to access public LinkedIn member profiles,â
as âthere is no current viable alternative to LinkedInâs
member database to obtain data for hiQâs Keeper and Skill
Mapper services.â Without access to LinkedIn public profile
data, the CEO averred, hiQ will likely be forced to breach its
existing contracts with clients such as eBay, Capital One,
and GoDaddy, and to pass up pending deals with prospective
clients. The harm hiQ faces absent a preliminary injunction
is not purely hypothetical. HiQ was in the middle of a
financing round when it received LinkedInâs cease-and-
desist letter. The CEO reported that, in light of the
uncertainty about the future viability of hiQâs business, that
financing round stalled, and several employees left the
company. If LinkedIn prevails, hiQâs CEO further asserted,
hiQ would have to âlay off most if not all its employees, and
shutter its operations.â
LinkedIn maintains that hiQâs business model does not
depend on access to LinkedIn data. It insists that alternatives
to LinkedIn data exist, and points in particular to the
professional data some users post on Facebook. But hiQâs
model depends on access to publicly available data from
people who choose to share their information with the world.
Facebook data, by contrast, is not generally accessible, see
infra p. 31, and therefore is not an equivalent alternative
source of data.
LinkedIn also urges that even if there is no adequate
alternative database, hiQ could collect its own data through
employee surveys. But hiQ is a data analytics company, not
a data collection company. Suggesting that hiQ could
fundamentally change the nature of its business, not simply
14 HIQ LABS V. LINKEDIN
the manner in which it conducts its current business, is a
recognition that hiQâs current business could not survive
without access to LinkedIn public profile data. Creating a
data collection system would undoubtedly require a
considerable amount of time and expense. That hiQ could
feasibly remain in business with no products to sell while
raising the required capital and devising and implementing
an entirely new data collection system is at least highly
dubious.
In short, the district court did not abuse its discretion in
concluding on the preliminary injunction record that hiQ
currently has no viable way to remain in business other than
using LinkedIn public profile data for its Keeper and Skill
Mapper services, and that HiQ therefore has demonstrated a
likelihood of irreparable harm absent a preliminary
injunction.
B. Balance of the Equities
Next, the district court âbalance[d] the interests of all
parties and weigh[ed] the damage to each in determining the
balance of the equities.â CTIA-The Wireless Assân v. City of
Berkeley, Calif., 928 F.3d 832, 852 (9th Cir. 2019) (internal
quotation marks and citation omitted). Again, it did not
abuse its discretion in doing so.
On one side of the scale is the harm to hiQ just discussed:
the likelihood that, without an injunction, it will go out of
business. On the other side, LinkedIn asserts that the
injunction threatens its membersâ privacy and therefore puts
at risk the goodwill LinkedIn has developed with its
members. As the district court observed, âthe fact that a user
has set his profile to public does not imply that he wants any
third parties to collect and use that data for all purposes.â
LinkedIn points in particular to the more than 50 million
HIQ LABS V. LINKEDIN 15
members who have used the âDo Not Broadcastâ feature to
ensure that other users are not notified when the member
makes a profile change. According to LinkedIn, the
popularity of the âDo Not Broadcastâ feature indicates that
many membersâincluding members who choose to share
their information publiclyâdo not want their employers to
know they may be searching for a new job. An employer
who learns that an employee may be planning to leave will
not necessarily reward that employee with a retention bonus.
Instead, the employer could decide to limit the employeeâs
access to sensitive information or even to terminate the
employee.
There is support in the record for the district courtâs
connected conclusions that (1) LinkedInâs assertions have
some merit; and (2) there are reasons to discount them to
some extent. First, there is little evidence that LinkedIn users
who choose to make their profiles public actually maintain
an expectation of privacy with respect to the information that
they post publicly, and it is doubtful that they do. LinkedInâs
privacy policy clearly states that â[a]ny information you put
on your profile and any content you post on LinkedIn may
be seen by othersâ and instructs users not to âpost or add
personal data to your profile that you would not want to be
public.â
Second, there is no evidence in the record to suggest that
most people who select the âDo Not Broadcastâ option do so
to prevent their employers from being alerted to profile
changes made in anticipation of a job search. As the district
court noted, there are other reasons why users may choose
that optionâmost notably, many users may simply wish to
avoid sending their connections annoying notifications each
time there is a profile change. In any event, employers can
always directly consult the profiles of users who chose to
16 HIQ LABS V. LINKEDIN
make their profiles public to see if any recent changes have
been made. Employees intent on keeping such information
from their employers can do so by rejecting public exposure
of their profiles and eliminating their employers as contacts.
Finally, LinkedInâs own actions undercut its argument
that users have an expectation of privacy in public profiles.
LinkedInâs âRecruiterâ product enables recruiters to
âfollowâ prospects, get âalert[ed] when prospects make
changes to their profiles,â and âuse those [alerts] as signals
to reach out at just the right moment,â without the prospectâs
knowledge. 7 And subscribers to LinkedInâs âtalent
recruiting, marketing and sales solutionsâ can export data
from membersâ public profiles, such as âname, headline,
current company, current title, and location.â
In short, even if some users retain some privacy interests
in their information notwithstanding their decision to make
their profiles public, we cannot, on the record before us,
conclude that those interestsâor more specifically,
LinkedInâs interest in preventing hiQ from scraping those
profilesâare significant enough to outweigh hiQâs interest
in continuing its business, which depends on accessing,
analyzing, and communicating information derived from
public LinkedIn profiles.
Nor do the other harms asserted by LinkedIn tip the
balance of harms with regard to preliminary relief. LinkedIn
invokes an interest in preventing âfree ridersâ from using
profiles posted on its platform. But LinkedIn has no
protected property interest in the data contributed by its
users, as the users retain ownership over their profiles. And
7
Recruiter does not provide alerts about profile changes made by
LinkedIn members who select the âDo Not Broadcastâ setting.
HIQ LABS V. LINKEDIN 17
as to the publicly available profiles, the users quite evidently
intend them to be accessed by others, including for
commercial purposesâfor example, by employers seeking
to hire individuals with certain credentials. Of course,
LinkedIn could satisfy its âfree riderâ concern by eliminating
the public access option, albeit at a cost to the preferences of
many users and, possibly, to its own bottom line.
We conclude that the district courtâs determination that
the balance of hardships tips sharply in hiQâs favor is not
âillogical, implausible, or without support in the record.â
Kelly, 878 F.3d at 713.
C. Likelihood of Success
Because hiQ has established that the balance of
hardships tips decidedly in its favor, the likelihood-of-
success prong of the preliminary injunction inquiry focuses
on whether hiQ has raised âserious questions going to the
merits.â Alliance for the Wild Rockies, 632 F.3d at 1131. It
has.
As usual, we consider only the claims and defenses that
the parties press on appeal. We recognize that the companies
have invoked additional claims and defenses in the district
court, and we express no opinion as to whether any of those
claims or defenses might ultimately prove meritorious. Thus,
while hiQ advanced several affirmative claims in support of
its request for preliminary injunctive relief, here we consider
only whether hiQ has raised serious questions on the merits
of its claims either for intentional interference with contract
or unfair competition, under Californiaâs Unfair
Competition Law, Cal. Bus. & Prof. Code § 17200 et seq.
Likewise, while LinkedIn has asserted that it has âclaims
under the Digital Millennium Copyright Act and under
trespass and misappropriation doctrines,â it has chosen for
18 HIQ LABS V. LINKEDIN
present purposes to focus on a defense based on the CFAA,
so that is the sole defense to hiQâs claims that we address
here.
1. Tortious Interference with Contract
HiQ alleges that LinkedIn intentionally interfered with
hiQâs contracts with third parties. âThe elements which a
plaintiff must plead to state the cause of action for intentional
interference with contractual relations are (1) a valid contract
between plaintiff and a third party; (2) defendantâs
knowledge of this contract; (3) defendantâs intentional acts
designed to induce a breach or disruption of the contractual
relationship; (4) actual breach or disruption of the
contractual relationship; and (5) resulting damage.â Pac.
Gas & Elec. Co. v. Bear Stearns & Co., 50 Cal. 3d 1118,
1126 (1990). 8
HiQ has shown a sufficient likelihood of establishing
each of these elements. First, LinkedIn does not contest
8
Under California law, tortious interference with contract claims are
not limited to circumstances in which the defendant has caused the third
party with whom the plaintiff has contracted to breach the agreement.
âThe most general application of the rule is to cases where the party with
whom the plaintiff has entered into an agreement has been induced to
breach it, but the rule is also applicable where the plaintiffâs performance
has been prevented or rendered more expensive or burdensome and
where he has been induced to breach the contract by conduct of the
defendant, such as threats of economic reprisals.â Lipman v. Brisbane
Elementary Sch. Dist., 55 Cal. 2d 224, 232 (1961), abrogated on other
grounds by Brown v. Kelly Broadcasting Co., 48 Cal. 3d 711, 753 n.37
(1989); see also Pac. Gas & Elec. Co., 50 Cal. 3d at 1129 (âWe have
recognized that interference with the plaintiffâs performance may give
rise to a claim for interference with contractual relations if plaintiffâs
performance is made more costly or more burdensome.â).
HIQ LABS V. LINKEDIN 19
hiQâs evidence that contracts exist between hiQ and some
customers, including eBay, Capital One, and GoDaddy.
Second, hiQ will likely be able to establish that LinkedIn
knew of hiQâs scraping activity and products for some time.
LinkedIn began sending representatives to hiQâs Elevate
conferences in October 2015. At those conferences, hiQ
discussed its business model, including its use of data from
external sources to predict employee attrition. LinkedInâs
director of business operations and analytics, who attended
several Elevate conferences, specifically ârecall[s] someone
from hiQ stating [at the April 2017 conference] that they
collected skills data from public professional profiles in
order to provide hiQâs customers information about their
employeesâ skill sets.â Additionally, LinkedIn
acknowledged in its cease-and-desist letter that âhiQ has
stated during marketing presentations that its Skill Mapper
product is built on profile data from LinkedIn.â Finally, at a
minimum, LinkedIn knew of hiQâs contracts as of May 31,
2017, when hiQ responded to LinkedInâs cease-and-desist
letter and identified both current and prospective hiQ clients.
Third, LinkedInâs threats to invoke the CFAA and
implementation of technical measures selectively to ban hiQ
bots could well constitute âintentional acts designed to
induce a breach or disruptionâ of hiQâs contractual
relationships with third parties. Pac. Gas & Elec. Co.,
50 Cal. 3d at 1126; cf. Winchester Mystery House, LLC v.
Global Asylum, Inc., 210 Cal. App. 4th 579, 597 (2012)
(indicating that âcease-and-desist letters . . . refer[ring] to a[]
contractual or other economic relationship between plaintiff
and any third partyâ could âestablish . . . the . . . intent
element[] of the interference claim[]â).
Fourth, the contractual relationships between hiQ and
third parties have been disrupted and ânow hang[] in the
20 HIQ LABS V. LINKEDIN
balance.â Without access to LinkedIn data, hiQ will likely
be unable to deliver its services to its existing customers as
promised.
Last, hiQ is harmed by the disruption to its existing
contracts and interference with its pending contracts.
Without the revenue from sale of its products, hiQ will likely
go out of business. See supra pp. 12â14.
LinkedIn does not specifically challenge hiQâs ability to
make out any of these elements of a tortious interference
claim. Instead, LinkedIn maintains that it has a âlegitimate
business purposeâ defense to any such claim. Cf. Quelimane
Co. v. Stewart Title Guar. Co., 19 Cal. 4th 26, 57 (1998), as
modified (Sept. 23, 1998). That contention is an affirmative
justification defense for which LinkedIn bears the burden of
proof. See id.
Under California law, a legitimate business purpose can
indeed justify interference with contract, but not just any
such purpose suffices. See id. at 55â56. Where a contractual
relationship exists, the societal interest in âcontractual
stability is generally accepted as of greater importance than
competitive freedom.â Imperial Ice Co. v. Rossier, 18 Cal.
2d 33, 36 (1941). Emphasizing the âdistinction between
claims for the tortious disruption of an existing contract and
claims that a prospective contractual or economic
relationship has been interfered with by the defendant,â the
California Supreme Court instructs that we must âbring[] a
greater solicitude to those relationships that have ripened
into agreements.â Della Penna v. Toyota Motor Sales,
U.S.A., Inc., 11 Cal. 4th 376, 392 (1995). Thus, interference
with an existing contract is not justified simply because a
competitor âseeks to further his own economic advantage at
the expense of another.â Imperial Ice, 18 Cal. 2d at 36; see
id. at 37 (âA party may not . . . under the guise of
HIQ LABS V. LINKEDIN 21
competition . . . induce the breach of a competitorâs contract
in order to secure an economic advantage.â). Rather,
interference with contract is justified only when the party
alleged to have interfered acted âto protect an interest that
has greater social value than insuring the stability of the
contractâ interfered with. Id. at 35.
Accordingly, California courts apply a balancing test to
determine whether the interests advanced by interference
with contract outweigh the societal interest in contractual
stability:
Whether an intentional interference by a third
party is justifiable depends upon a balancing
of the importance, social and private, of the
objective advanced by the interference
against the importance of the interest
interfered with, considering all circumstances
including the nature of the actorâs conduct
and the relationship between the parties.
Herron v. State Farm Mut. Ins. Co., 56 Cal. 2d 202, 206
(1961). Considerations include whether âthe means of
interference involve no more than recognized trade
practices,â Buxbom v. Smith, 23 Cal. 2d 535, 546 (1944), and
whether the conduct is âwithin the realm of fair
competition,â Inst. of Veterinary Pathology, Inc. v. Cal.
Health Labs., Inc., 116 Cal. App. 3d 111, 127 (Cal. Ct. App.
1981). The âdeterminative questionâ is whether the business
interest is pretextual or âasserted in good faith.â Richardson
v. La Rancherita, 98 Cal. App. 3d 73, 81 (Cal. Ct. App.
1979).
Balancing the interest in contractual stability and the
specific interests interfered with against the interests
advanced by the interference, we agree with the district court
22 HIQ LABS V. LINKEDIN
that hiQ has at least raised a serious question on the merits
of LinkedInâs affirmative justification defense. First, hiQ has
a strong commercial interest in fulfilling its contractual
obligations to large clients like eBay and Capital One. Those
companies benefit from hiQâs ability to access, aggregate,
and analyze data from LinkedIn profiles.
Second, LinkedInâs means of interference is likely not a
ârecognized trade practiceâ as California courts have
understood that term. âRecognized trade practicesâ include
such activities as âadvertising,â âprice-cutting,â and
âhir[ing] the employees of another for use in the hirerâs
business,â Buxbom, 23 Cal. 2d at 546â47âall practices
which may indirectly interfere with a competitorâs contracts
but do not fundamentally undermine a competitorâs basic
business model. LinkedInâs proactive technical measures to
selectively block hiQâs access to the data on its site are not
similar to trade practices heretofore recognized as acceptable
justifications for contract interference.
Further, LinkedInâs conduct may well not be âwithin the
realm of fair competition.â Inst. of Veterinary Pathology,
116 Cal. App. 3d at 127. HiQ has raised serious questions
about whether LinkedInâs actions to ban hiQâs bots were
taken in furtherance of LinkedInâs own plans to introduce a
competing professional data analytics tool. There is evidence
from which it can be inferred that LinkedIn knew about hiQ
and its reliance on external data for several years before the
present controversy. Its decision to send a cease-and-desist
letter occurred within a month of the announcement by
LinkedInâs CEO that LinkedIn planned to leverage the data
on its platform to create a new product for employers with
some similarities to hiQâs Skill Mapper product. If
companies like LinkedIn, whose servers hold vast amounts
of public data, are permitted selectively to ban only potential
HIQ LABS V. LINKEDIN 23
competitors from accessing and using that otherwise public
data, the resultâcomplete exclusion of the original
innovator in aggregating and analyzing the public
informationâmay well be considered unfair competition
under California law. 9
Finally, LinkedInâs asserted private business interestsâ
âprotecting its membersâ data and the investment made in
developing its platformâ and âenforcing its User
Agreementsâ prohibitions on automated scrapingââare
relatively weak. LinkedIn has only a non-exclusive license
to the data shared on its platform, not an ownership interest.
Its core business modelâproviding a platform to share
professional informationâdoes not require prohibiting
hiQâs use of that information, as evidenced by the fact that
hiQ used LinkedIn data for some time before LinkedIn sent
its cease-and-desist letter. As to its membersâ interests in
their data, for the reasons already explained, see supra pp.
15â16, we agree with the district court that membersâ
privacy expectations regarding information they have shared
in their public profiles are âuncertain at best.â Further, there
is evidence that LinkedIn has itself developed a data
analytics tool similar to HiQâs products, undermining
LinkedInâs claim that it has its membersâ privacy interests in
mind. Finally, LinkedIn has not explained how it can enforce
its user agreement against hiQ now that its user status has
been terminated.
9
The district court determined that LinkedInâs legitimate business
purpose defense overlapped with hiQâs claim under Californiaâs Unfair
Competition Law (âUCLâ), which the district court found raised serious
questions on the merits: âhiQ has presented some evidence supporting
its assertion that LinkedInâs decision to revoke hiQâs access to its data
was made for the purpose of eliminating hiQ as a competitor in the data
analytics field, and thus potentially âviolates [the UCL].ââ
24 HIQ LABS V. LINKEDIN
For all these reasons, LinkedIn may well not be able to
demonstrate a âlegitimate business purposeâ that could
justify the intentional inducement of a contract breach, at
least on the record now before us. We therefore conclude
that hiQ has raised at least serious questions going to the
merits of its tortious interference with contract claim. As that
showing on the tortious interference claim is sufficient to
support an injunction prohibiting LinkedIn from selectively
blocking hiQâs access to public member profiles, we do not
reach hiQâs unfair competition claim. 10
2. Computer Fraud and Abuse Act (CFAA)
Our inquiry does not end, however, with the state law
tortious interference claim. LinkedIn argues that even if hiQ
can show a likelihood of success on any of its state law
causes of action, all those causes of action are preempted by
the Computer Fraud and Abuse Act (âCFAAâ), 18 U.S.C.
§ 1030, which LinkedIn asserts that hiQ violated.
The CFAA states that â[w]hoever . . . intentionally
accesses a computer without authorization or exceeds
10
LinkedIn also advances a business interest in âasserting its rights
under federal and state law.â That interest depends upon the scope of
LinkedInâs rights under the CFAA and Californiaâs CFAA analogue,
California Penal Code § 502. Similarly, LinkedIn argues that there can
be no tortious interference because hiQâs contracts are premised on
unauthorized access to LinkedIn data and are therefore illegal. Under
California law, â[i]f the central purpose of the contract is tainted with
illegality, then the contract as a whole cannot be enforced.â Marathon
Entmât, Inc. v. Blasi, 42 Cal. 4th 974, 996 (2008), as modified (Mar. 12,
2008); see also Cal. Civ. Code § 1598 (âWhere a contract has but a single
object, and such object is unlawful, whether in whole or in part, or wholly
impossible of performance . . . the entire contract is void.â). As we
explain next, however, hiQ has raised at least serious questions in
support of its position that its activities are lawful under the CFAA.
HIQ LABS V. LINKEDIN 25
authorized access, and thereby obtains . . . information from
any protected computer . . . shall be punishedâ by fine or
imprisonment. 18 U.S.C. § 1030(a)(2)(C). Further, â[a]ny
person who suffers damage or loss by reason of a violationâ
of that provision may bring a civil suit âagainst the violator
to obtain compensatory damages and injunctive relief or
other equitable relief,â subject to certain conditions not
relevant here. 18 U.S.C. § 1030(g). The term âprotected
computerâ refers to any computer âused in or affecting
interstate or foreign commerce or communication,â
18 U.S.C. § 1030(e)(2)(B)âeffectively any computer
connected to the Internet, see United States v. Nosal (Nosal
II), 844 F.3d 1024, 1050 (9th Cir. 2016), cert. denied, 138 S.
Ct. 314 (2017)âincluding servers, computers that manage
network resources and provide data to other computers.
LinkedInâs computer servers store the data members share
on LinkedInâs platform and provide that data to users who
request to visit its website. Thus, to scrape LinkedIn data,
hiQ must access LinkedIn servers, which are âprotected
computer[s].â See Nosal II, 844 F.3d at 1050.
The pivotal CFAA question here is whether once hiQ
received LinkedInâs cease-and-desist letter, any further
scraping and use of LinkedInâs data was âwithout
authorizationâ within the meaning of the CFAA and thus a
violation of the statute. 18 U.S.C. § 1030(a)(2). If so, hiQ
could have no legal right of access to LinkedInâs data and so
could not succeed on any of its state law claims, including
the tortious interference with contract claim we have held
otherwise sufficient for preliminary injunction purposes.
We have held in another context that the phrase
ââwithout authorizationâ is a non-technical term that, given
its plain and ordinary meaning, means accessing a protected
computer without permission.â Nosal II, 844 F.3d at 1028.
26 HIQ LABS V. LINKEDIN
Nosal II involved an employee accessing without permission
an employerâs private computer for which access
permissions in the form of user accounts were required. Id.
at 1028â29. Nosal II did not address whether access can be
âwithout authorizationâ under the CFAA where, as here,
prior authorization is not generally required, but a particular
personâor botâis refused access. HiQâs position is that
Nosal II is consistent with the conclusion that where access
is open to the general public, the CFAA âwithout
authorizationâ concept is inapplicable. At the very least, we
conclude, hiQ has raised a serious question as to this issue.
First, the wording of the statute, forbidding âaccess[] . . .
without authorization,â 18 U.S.C. § 1030(a)(2), suggests a
baseline in which access is not generally available and so
permission is ordinarily required. âAuthorizationâ is an
affirmative notion, indicating that access is restricted to
those specially recognized or admitted. See, e.g., Blackâs
Law Dictionary (10th ed. 2014) (defining âauthorizationâ as
â[o]fficial permission to do something; sanction or
warrantâ). Where the default is free access without
authorization, in ordinary parlance one would characterize
selective denial of access as a ban, not as a lack of
âauthorization.â Cf. Blankenhorn v. City of Orange, 485
F.3d 463, 472 (9th Cir. 2007) (characterizing the exclusion
of the plaintiff in particular from a shopping mall as
âbann[ing]â).
Second, even if this interpretation is debatable, the
legislative history of the statute confirms our understanding.
âIf [a] statuteâs terms are ambiguous, we may use . . .
legislative history[] and the statuteâs overall purpose to
illuminate Congressâs intent.â Jonah R. v. Carmona,
446 F.3d 1000, 1005 (9th Cir. 2006).
HIQ LABS V. LINKEDIN 27
The CFAA was enacted to prevent intentional intrusion
onto someone elseâs computerâspecifically, computer
hacking. See United States v. Nosal (Nosal I), 676 F.3d 854,
858 (9th Cir. 2012) (citing S. Rep. No. 99-432, at 9 (1986)
(Conf. Rep.)).
The 1984 House Report on the CFAA explicitly
analogized the conduct prohibited by section 1030 to forced
entry: âIt is noteworthy that section 1030 deals with an
âunauthorized accessâ concept of computer fraud rather than
the mere use of a computer. Thus, the conduct prohibited is
analogous to that of âbreaking and enteringâ . . . .ââ H.R.
Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing
the problem of ââhackersâ who have been able to access
(trespass into) both private and public computer systemsâ).
Senator Jeremiah Denton similarly characterized the CFAA
as a statute designed to prevent unlawful intrusion into
otherwise inaccessible computers, observing that â[t]he bill
makes it clear that unauthorized access to a Government
computer is a trespass offense, as surely as if the offender
had entered a restricted Government compound without
proper authorization.â 11 132 Cong. Rec. 27639 (1986)
(emphasis added). And when considering amendments to the
CFAA two years later, the House again linked computer
intrusion to breaking and entering. See H.R. Rep. No. 99-
612, at 5â6 (1986) (describing âthe expanding group of
electronic trespassers,â who trespass âjust as much as if they
broke a window and crawled into a home while the
occupants were awayâ).
In recognizing that the CFAA is best understood as an
anti-intrusion statute and not as a âmisappropriation statute,â
11
The CFAA originally prohibited only unauthorized access to
government computers.
28 HIQ LABS V. LINKEDIN
Nosal I, 676 F.3d at 857â58, we rejected the contract-based
interpretation of the CFAAâs âwithout authorizationâ
provision adopted by some of our sister circuits. Compare
Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067
(9th Cir. 2016), cert. denied, 138 S. Ct. 313 (2017) (â[A]
violation of the terms of use of a websiteâwithout moreâ
cannot establish liability under the CFAA.â); Nosal I,
676 F.3d at 862 (âWe remain unpersuaded by the decisions
of our sister circuits that interpret the CFAA broadly to cover
violations of corporate computer use restrictions or
violations of a duty of loyalty.â), with EF Cultural Travel
BV v. Explorica, Inc., 274 F.3d 577, 583â84 (1st Cir. 2001)
(holding that violations of a confidentiality agreement or
other contractual restraints could give rise to a claim for
unauthorized access under the CFAA); United States v.
Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding
that a defendant âexceeds authorized accessâ when violating
policies governing authorized use of databases).
We therefore look to whether the conduct at issue is
analogous to âbreaking and entering.â H.R. Rep. No. 98-894,
at 20. Significantly, the version of the CFAA initially
enacted in 1984 was limited to a narrow range of
computersânamely, those containing national security
information or financial data and those operated by or on
behalf of the government. See Counterfeit Access Device
and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-
473, § 2102, 98 Stat. 2190, 2190â91. None of the computers
to which the CFAA initially applied were accessible to the
general public; affirmative authorization of some kind was
presumptively required.
When section 1030(a)(2)(c) was added in 1996 to extend
the prohibition on unauthorized access to any âprotected
computer,â the Senate Judiciary Committee explained that
HIQ LABS V. LINKEDIN 29
the amendment was designed to âto increase protection for
the privacy and confidentiality of computer information.â
S. Rep. No. 104-357, at 7 (emphasis added). The legislative
history of section 1030 thus makes clear that the prohibition
on unauthorized access is properly understood to apply only
to private informationâinformation delineated as private
through use of a permission requirement of some sort. As
one prominent commentator has put it, âan authentication
requirement, such as a password gate, is needed to create the
necessary barrier that divides open spaces from closed
spaces on the Web.â Orin S. Kerr, Norms of Computer
Trespass, 116 Colum. L. Rev. 1143, 1161 (2016). Moreover,
elsewhere in the statute, password fraud is cited as a means
by which a computer may be accessed without authorization,
see 18 U.S.C. § 1030(a)(6), 12 bolstering the idea that
authorization is only required for password-protected sites
or sites that otherwise prevent the general public from
viewing the information.
We therefore conclude that hiQ has raised a serious
question as to whether the reference to access âwithout
authorizationâ limits the scope of the statutory coverage to
computer information for which authorization or access
permission, such as password authentication, is generally
required. Put differently, the CFAA contemplates the
existence of three kinds of computer information:
(1) information for which access is open to the general
public and permission is not required, (2) information for
12
18 U.S.C. § 1030(a)(6) provides: âWhoever . . . knowingly and
with intent to defraud traffics . . . in any password or similar information
through which a computer may be accessed without authorization, ifâ
(A) such trafficking affects interstate or foreign commerce; or (B) such
computer is used by or for the Government of the United States; . . . shall
be punished as provided in subsection (c) of this section.â
30 HIQ LABS V. LINKEDIN
which authorization is required and has been given, and
(3) information for which authorization is required but has
not been given (or, in the case of the prohibition on
exceeding authorized access, has not been given for the part
of the system accessed). Public LinkedIn profiles, available
to anyone with an Internet connection, fall into the first
category. With regard to such information, the âbreaking and
enteringâ analogue invoked so frequently during
congressional consideration has no application, and the
concept of âwithout authorizationâ is inapt.
Neither of the cases LinkedIn principally relies upon is
to the contrary. LinkedIn first cites Nosal II, 844 F.3d 1024
(9th Cir. 2016). As we have already stated, Nosal II held that
a former employee who used current employeesâ login
credentials to access company computers and collect
confidential information had acted ââwithout authorizationâ
in violation of the CFAA.â Nosal II, 844 F.3d at 1038. The
computer information the defendant accessed in Nosal II was
thus plainly one which no one could access without
authorization.
So too with regard to the system at issue in Power
Ventures, 844 F.3d 1058 (9th Cir. 2016), the other precedent
upon which LinkedIn relies. In that case, Facebook sued
Power Ventures, a social networking website that aggregated
social networking information from multiple platforms, for
accessing Facebook usersâ data and using that data to send
mass messages as part of a promotional campaign. Id. at
1062â63. After Facebook sent a cease-and-desist letter,
Power Ventures continued to circumvent IP barriers and gain
access to password-protected Facebook member profiles. Id.
at 1063. We held that after receiving an individualized cease-
and-desist letter, Power Ventures had accessed Facebook
computers âwithout authorizationâ and was therefore liable
HIQ LABS V. LINKEDIN 31
under the CFAA. Id. at 1067â68. But we specifically
recognized that âFacebook has tried to limit and control
access to its websiteâ as to the purposes for which Power
Ventures sought to use it. Id. at 1063. Indeed, Facebook
requires its users to register with a unique username and
password, and Power Ventures required that Facebook users
provide their Facebook username and password to access
their Facebook data on Power Venturesâ platform.
Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d
1025, 1028 (N.D. Cal. 2012). While Power Ventures was
gathering user data that was protected by Facebookâs
username and password authentication system, the data hiQ
was scraping was available to anyone with a web browser.
In sum, Nosal II and Power Ventures control situations
in which authorization generally is required and has either
never been given or has been revoked. As Power Ventures
indicated, the two cases do not control the situation present
here, in which information is âpresumptively open to all
comers.â Power Ventures, 844 F.3d at 1067 n.2.
Our understanding that the CFAA is premised on a
distinction between information presumptively accessible to
the general public and information for which authorization
is generally required is consistent with our interpretation of
a provision of the Stored Communications Act (âSCAâ),
18 U.S.C. § 2701 et seq., 13 nearly identical to the CFAA
provision at issue. Compare 18 U.S.C. § 2701(a)
(â[W]hoeverâ(1) intentionally accesses without
13
The Stored Communications Act, enacted as part of the Electronic
Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat.
1848, provides privacy protections for e-mail and other electronic
communications by limiting the ability of the government to compel
disclosure by internet service providers.
32 HIQ LABS V. LINKEDIN
authorization a facility through which an electronic
communication service is provided; or (2) intentionally
exceeds an authorization to access that facility; and thereby
obtains . . . unauthorized access to a wire or electronic
communication . . . shall be punished . . . .â) with 18 U.S.C.
§ 1030(a)(2)(C) (âWhoever . . . intentionally accesses a
computer without authorization or exceeds authorized
access, and thereby obtains . . . information from any
protected computer . . . shall be punished . . . .â). âThe
similarity of language in [the SCA and the CFAA] is a strong
indication that [they] should be interpreted pari passu.â
Northcross v. Bd. of Educ. of Memphis City Schools,
412 U.S. 427, 428 (1973); see also United States v. Sioux,
362 F.3d 1241, 1246 (9th Cir. 2004).
Addressing the âwithout authorizationâ provision of the
SCA, we have distinguished between public websites and
non-public or ârestrictedâ websites, such as websites that
âare password-protected . . . or require the user to purchase
access by entering a credit card number.â Konop v.
Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002);
see also id. at 879 n.8. As we explained in Konop, in enacting
the SCA, âCongress wanted to protect electronic
communications that are configured to be privateâ and are
âânot intended to be available to the public.ââ Id. at 875
(quoting S. Rep. No. 99-541, at 35â36 (1986)). The House
Committee on the Judiciary stated, with respect to the
section of the SCA at issue, section 2701, that â[a] person
may reasonably conclude that a communication is readily
accessible to the general public if the . . . means of access are
widely known, and if a person does not, in the course of
gaining access, encounter any warnings, encryptions,
password requests, or other indicia of intended privacy.â
H.R. Rep. No. 99-647, at 62 (1986). The Committee further
explained that âelectronic communications which the
HIQ LABS V. LINKEDIN 33
service provider attempts to keep confidential would be
protected, while the statute would impose no liability for
access to features configured to be readily accessible to the
general public.â Id. at 63.
Both the legislative history of section 1030 of the CFAA
and the legislative history of section 2701 of the SCA, with
its similar âwithout authorizationâ provision, then, support
the district courtâs distinction between âprivateâ computer
networks and websites, protected by a password
authentication system and ânot visible to the public,â and
websites that are accessible to the general public.
Finally, the rule of lenity favors our narrow
interpretation of the âwithout authorizationâ provision in the
CFAA. The statutory prohibition on unauthorized access
applies both to civil actions and to criminal prosecutionsâ
indeed, ⧠1030 is primarily a criminal statute.â LVRC
Holdings LLC v. Brekka, 581 F.3d 1127, 1134 (9th Cir.
2009). âBecause we must interpret the statute consistently,
whether we encounter its application in a criminal or
noncriminal context, the rule of lenity applies.â Leocal v.
Ashcroft, 543 U.S. 1, 11 n.8 (2004). As we explained in
Nosal I, we therefore favor a narrow interpretation of the
CFAAâs âwithout authorizationâ provision so as not to turn
a criminal hacking statute into a âsweeping Internet-policing
mandate.â Nosal I, 676 F.3d at 858; see also id. at 863.
For all these reasons, it appears that the CFAAâs
prohibition on accessing a computer âwithout authorizationâ
is violated when a person circumvents a computerâs
generally applicable rules regarding access permissions,
such as username and password requirements, to gain access
to a computer. It is likely that when a computer network
generally permits public access to its data, a userâs accessing
that publicly available data will not constitute access without
34 HIQ LABS V. LINKEDIN
authorization under the CFAA. The data hiQ seeks to access
is not owned by LinkedIn and has not been demarcated by
LinkedIn as private using such an authorization system. HiQ
has therefore raised serious questions about whether
LinkedIn may invoke the CFAA to preempt hiQâs possibly
meritorious tortious interference claim. 14
We note that entities that view themselves as victims of
data scraping are not without resort, even if the CFAA does
not apply: state law trespass to chattels claims may still be
available. 15 And other causes of action, such as copyright
14
LinkedIn asserts that the illegality of hiQâs actions under the
CFAA is also grounds for holding (1) that hiQâs injuries are not
cognizable as irreparable harm, (2) that hiQâs contracts are illegal and so
their breach cannot give rise to a cognizable tortious interference with
contract claim, and (3) that LinkedIn has a legitimate business interest in
asserting its rights under federal law that justifies its interference with
hiQâs contracts. See supra n.10. These contentions are insufficient at this
stage for the same reasons LinkedInâs CFAA preemption position does
not preclude preliminary injunctive relief.
15
LinkedInâs cease-and-desist letter also asserted a state common
law claim of trespass to chattels. Although we do not decide the question,
see supra pp. 17â18, it may be that web scraping exceeding the scope of
the website ownerâs consent gives rise to a common law tort claim for
trespass to chattels, at least when it causes demonstrable harm. Compare
eBay, Inc. v. Bidderâs Edge, Inc., 100 F. Supp. 2d 1058, 1070 (N.D. Cal.
2000) (finding that eBay had established a likelihood of success on its
trespass claim against the auction-aggregating site Bidderâs Edge
because, although eBayâs âsite is publicly accessible,â âeBayâs servers
are private property, conditional access to which eBay grants the public,â
and Bidderâs Edge had exceeded the scope of any consent, even if it did
not cause physical harm); Register.com, Inc. v. Verio, Inc., 356 F.3d 393,
437â38 (2d Cir. 2004) (holding that a company that scraped a
competitorâs website to obtain data for marketing purposes likely
committed trespass to chattels, because scraping couldâalthough it did
not yetâcause physical harm to the plaintiffâs computer servers); Sw.
Airlines Co. v. FareChase, Inc., 318 F. Supp. 2d 435, 442 (N.D. Tex.
HIQ LABS V. LINKEDIN 35
infringement, misappropriation, unjust enrichment,
conversion, breach of contract, or breach of privacy, may
also lie. See, e.g., Associated Press v. Meltwater U.S.
Holdings, Inc., 931 F. Supp. 2d 537, 561 (S.D.N.Y. 2013)
(holding that a software companyâs conduct in scraping and
aggregating copyrighted news articles was not protected by
fair use).
D. Public Interest
Finally, we must consider the public interest in granting
or denying the preliminary injunction. Whereas the balance
of equities focuses on the parties, â[t]he public interest
inquiry primarily addresses impact on non-parties rather
than parties,â and takes into consideration âthe public
consequences in employing the extraordinary remedy of
injunction.â Bernhardt v. Los Angeles Cty., 339 F.3d 920,
931â32 (9th Cir. 2003) (citations omitted).
As the district court observed, each side asserts that its
own position would benefit the public interest by
maximizing the free flow of information on the Internet. HiQ
points out that data scraping is a common method of
gathering information, used by search engines, academic
researchers, and many others. According to hiQ, letting
2004) (holding that the use of a scraper to glean flight information was
unauthorized as it interfered with Southwestâs use and possession of its
site, even if the scraping did not cause physical harm or deprivation),
with Ticketmaster Corp. v. Tickets.Com, Inc., No. 2:99-cv-07654-HLH-
VBK, 2003 WL 21406289, at *3 (C.D. Cal. Mar. 7, 2003) (holding that
the use of a web crawler to gather information from a public website,
without more, is insufficient to fulfill the harm requirement of a trespass
action); Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1364 (2003) (holding
that âtrespass to chattels is not actionable if it does not involve actual or
threatened injuryâ to property and the defendantâs actions did not
damage or interfere with the operation of the computer systems at issue).
36 HIQ LABS V. LINKEDIN
established entities that already have accumulated large user
data sets decide who can scrape that data from otherwise
public websites gives those entities outsized control over
how such data may be put to use.
For its part, LinkedIn argues that the preliminary
injunction is against the public interest because it will invite
malicious actors to access LinkedInâs computers and attack
its servers. As a result, the argument goes, LinkedIn and
other companies with public websites will be forced to
choose between leaving their servers open to such attacks or
protecting their websites with passwords, thereby cutting
them off from public view.
Although there are significant public interests on both
sides, the district court properly determined that, on balance,
the public interest favors hiQâs position. We agree with the
district court that giving companies like LinkedIn free rein
to decide, on any basis, who can collect and use dataâdata
that the companies do not own, that they otherwise make
publicly available to viewers, and that the companies
themselves collect and useârisks the possible creation of
information monopolies that would disserve the public
interest.
Internet companies and the public do have a substantial
interest in thwarting denial-of-service attacks 16 and blocking
abusive users, identity thieves, and other ill-intentioned
actors. But we do not view the district courtâs injunction as
opening the door to such malicious activity. The district
16
In a denial-of-service (DoS) attack, an attacker seeks to prevent
legitimate users from accessing a targeted computer or network,
typically by flooding the target with requests and thereby overloading
the server.
HIQ LABS V. LINKEDIN 37
court made clear that the injunction does not preclude
LinkedIn from continuing to engage in âtechnological self-
helpâ against bad actorsâfor example, by employing âanti-
bot measures to prevent, e.g., harmful intrusions or attacks
on its server.â Although an injunction preventing a company
from securing even the public parts of its website from
malicious actors would raise serious concerns, such concerns
are not present here. 17
The district courtâs conclusion that the public interest
favors granting the preliminary injunction was appropriate.
CONCLUSION
We AFFIRM the district courtâs determination that hiQ
has established the elements required for a preliminary
injunction and remand for further proceedings.
WALLACE, Circuit Judge, specially concurring:
I concur in the majority opinion. I write separately to
express my concern that âin some cases, parties appeal
orders granting or denying motions for preliminary
injunctions in order to ascertain the views of the appellate
court on the merits of the litigation.â Sports Form, Inc. v.
United Press Intâl, Inc., 686 F.2d 750, 753 (9th Cir. 1982);
see also California v. Azar, 911 F.3d 558, 583â84 (9th Cir.
2018). For example, here LinkedInâs counsel suggested that
we should address the CFAA question in this appeal for
17
We note that LinkedIn has not specifically challenged the scope
of the injunction.
38 HIQ LABS V. LINKEDIN
âpragmatic reason[s]â because it âis going to be a significant
issue on remand no matter what happens to this injunction.â
I emphasize that appealing from a preliminary injunction
to obtain an appellate courtâs view of the merits often leads
to âunnecessary delay to the parties and inefficient use of
judicial resources.â Sports Form, 686 F.2d at 753. These
appeals generally provide âlittle guidanceâ because âof the
limited scope of our review of the lawâ and âbecause the
fully developed factual record may be materially different
from that initially before the district court.â Id.
The district court here also stayed any effort to prepare
the case for trial pending the appeal of the preliminary
injunction. We have repeatedly admonished district courts
not to delay trial preparation to await an interim ruling on a
preliminary injunction. See, e.g., California, 911 F.3d at
583â84. This case could have well proceeded to a
disposition on the merits without the delay in processing the
interlocutory appeal. Given the purported urgency of the
caseâs resolution, the parties might âhave been better served
to pursue aggressivelyâ its claims in the district court, ârather
than apparently awaiting the outcome of this appealâ for
nearly two years. Id. at 584 (citation omitted).