SAN FRANCISCO (CN) – Weighing privacy rights against access to public data, a Ninth Circuit panel on Thursday wrestled with whether a 1984 law permits LinkedIn to keep its website off limits to a company that mines its data to tell employers which workers are “flight risks.”
In August last year, U.S. District Judge Edward Chen ruled that LinkedIn could not use the Computer Fraud and Abuse Act, a 1984 anti-hacking law, to block the company hiQ from deploying bots to scrape data from its public website.
HiQ sells information to clients — including CapitalOne, eBay and GoDaddy — on which employees may be seeking a new job, based on information culled primarily from public LinkedIn profiles.
During a hearing Thursday, LinkedIn attorney Donald Verrilli Jr. warned that upholding Judge Chen’s ruling could have dire consequences for the free flow of information online.
“That’s going to create very substantial pressure for companies that now have public facing sites to pull them back behind password walls, which will inhibit the free flow of information,” said Verrilli, who served as U.S. Solicitor General from 2011 to 2016.
Companies like Craigslist, the online advertising platform, filed amicus briefs arguing that networks like LinkedIn must be able to protect their public websites from unauthorized access and “bad actors.” The Electronic Privacy Information Center (EPIC), a digital privacy rights group, also filed a brief, saying LinkedIn users never expected their profile data would be “acquired and monetized by unknown third parties” when they joined the social media network.
But others, like digital civil liberties group Electronic Frontier Foundation, say a ruling in favor of LinkedIn would transform an anti-hacking law into a “tool for policing the use of publicly available information.”
During the hearing Thursday, Verrilli compared LinkedIn’s website to a physical bookstore.
“If I own a bookstore, it’s open to the public. Anybody can come in, and the information is available. But if somebody is shoplifting and I catch them, I can bar them from coming back,” Verrilli said.
U.S. Circuit Judge Marsha Berzon challenged that analogy. She said hiQ claims it is merely viewing publicly available data, not stealing it.
The circuit judge added that she is “concerned” that letting LinkedIn block access to its public website could embolden other websites to restrict activities that might further learning and research.
“There are in the amicus briefs a lot of suggestions that to allow this is to cut off a means of acquiring knowledge by people who want to do data research, want to look at political websites, want to look at all manner of websites which are publicly available and do this kind of technologically available data aggregation,” Berzon said.
But allowing companies like hiQ to bypass LinkedIn’s technical barriers and scrape data from its profiles threatens the privacy of LinkedIn members, Verrilli argued.
LinkedIn lets its users decide whether to publicize changes made to their social media profiles. By regularly scraping data from the website, hiQ can analyze any changes and notify employers when workers start updating their LinkedIn profile to potentially look for a new job.
Verrilli said LinkedIn gave its users control over that information to protect their privacy, and that hiQ is undermining its privacy commitments to users.
“Their employers could still check their profiles, couldn’t they,” asked U.S. District Judge Terrance Berg, sitting on the panel by designation from the Eastern District of Michigan.
HiQ claims LinkedIn blocked its access not due to privacy concerns, but rather to cut off a competitor. LinkedIn was about to launch a new service that would compete directly with hiQ’s “Skill Mapper” product, which analyzes employee skills listed in public LinkedIn profiles, according to hiQ’s lawsuit.
HiQ attorney Carl Wisoff dismissed as ludicrous LinkedIn’s argument that Chen’s ruling would disrupt the free flow of information on the internet. Companies will continue to reap benefits from having public websites, he argued.
“The only reason people are posting information on their website in the first place is because they know it’s going to be public and accessible to the world,” Wisoff said. “That’s the purpose of having a LinkedIn profile. It’s your billboard to the public.”
In Chen’s August 2017 ruling, the judge concluded that access to free and open spaces on the internet should only be deemed “unauthorized” when one bypasses an authentication requirement, such as entering a password.
Bypassing technical measures designed to block bots from scraping data from public websites is not the same as entering a password-protected mainframe without permission, Chen stated in his ruling.
In his final pitch to the panel, Verrilli urged the Ninth Circuit to reject Chen’s limiting view of the Computer Fraud and Abuse Act.
“The idea that a password wall is the sine qua non of the Computer Fraud and Abuse Act just can’t be right,” Verrilli said.
After a one-hour hearing, the panel took the arguments under advisement.
U.S. Circuit Judge John Wallace joined Berzon and Berg on the panel.
LinkedIn manages the largest online professional network on the planet, with more than 500 million members in more than 200 countries, according to its website. Microsoft bought it for $26.2 billion in 2016.