Case 3:17-cv-03301-EMC Document 63 Filed 08/14/17

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

HIQ LABS, INC.,
Plaintiff,
v.
LINKEDIN CORPORATION,
Defendant.

Case No. 17-cv-03301-EMC

ORDER GRANTING PLAINTIFF’S MOTION FOR PRELIMINARY INJUNCTION

Docket No. 23

I. INTRODUCTION

Plaintiff hiQ initiated this action after Defendant LinkedIn issued a cease and desist letter and attempted to terminate hiQ’s ability to access otherwise publicly available information on profiles of LinkedIn users. The letter threatens action under the Computer Fraud and Abuse Act (CFAA). LinkedIn also employed various blocking techniques designed to prevent hiQ’s automated data collection methods. LinkedIn brought this action after years of tolerating hiQ’s access and use of its data.

hiQ’s business involves providing information to businesses about their workforces based on statistical analysis of publicly available data. Its data analytics business is wholly dependent on LinkedIn’s public data. hiQ contends that LinkedIn’s actions constitute unfair business practices under Cal. Bus. & Prof. Code § 17200 et seq. hiQ also raises a number of common law tort and contract claims, including intentional interference with contract and promissory estoppel, and further contends that LinkedIn’s actions constitute a violation of free speech under the California Constitution.

Now pending before the Court is hiQ’s motion for a preliminary injunction. For the reasons set forth in more detail below, the Court GRANTS the motion. In summary, the balance of hardships tips sharply in hiQ’s favor. hiQ has demonstrated there are serious questions on the merits. In particular, the Court is doubtful that the Computer Fraud and Abuse Act may be invoked by LinkedIn to punish hiQ for accessing publicly available data; the broad interpretation of the CFAA advocated by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago. Furthermore, hiQ has raised serious questions as to whether LinkedIn, in blocking hiQ’s access to public data, possibly as a means of limiting competition, violates state law.

II. FACTUAL AND PROCEDURAL BACKGROUND

Founded in 2002, LinkedIn is a social networking site focused on business and professional networking. It currently has over 500 million users; it was acquired by Microsoft in December 2016 for $26.2 billion.

LinkedIn allows users to create profiles and then establish connections with other users. When LinkedIn users create a profile on the site, they can choose from a variety of different levels of privacy protection. They can choose to keep their profiles entirely private, or to make them viewable by: (1) their direct connections on the site; (2) a broader network of connections; (3) all other LinkedIn members; or (4) the entire public. When users choose the last option, their profiles are viewable by anyone online regardless of whether that person is a LinkedIn member. LinkedIn also allows public profiles to be accessed via search engines such as Google.

hiQ was founded in 2012 and has, to date, received $14.5 million in funding. hiQ sells to its client businesses information about their workforces that hiQ generates through analysis of data on LinkedIn users’ publicly available profiles. It offers two products: “Keeper,” which tells employers which of their employees are at the greatest risk of being recruited away; and “Skill Mapper,” which provides a summary of the skills possessed by individual workers. Docket No. 23-4 (Weidick Decl.) ¶¶ 4-6. hiQ gathers the workforce data that forms the foundation of its analytics by automatically collecting it, or harvesting or “scraping” it, from publicly available LinkedIn profiles. hiQ’s model is predicated entirely on access to data LinkedIn users have opted to publish publicly. hiQ relies on LinkedIn data because LinkedIn is the dominant player in the field of professional networking.

On May 23, 2017, LinkedIn sent a letter demanding that hiQ “immediately cease and desist unauthorized data scraping and other violations of LinkedIn’s User Agreement.” Docket No. 23-1 (“Gupta Decl.”) Ex. J. In the letter, LinkedIn demanded that hiQ cease using software to “scrape,” or automatically collect, data from LinkedIn’s public profiles. LinkedIn noted that its User Agreement prohibits various methods of data collection from its website, and stated that hiQ was in violation of those provisions. LinkedIn also stated that it had restricted hiQ’s company page on LinkedIn and that “[a]ny future access of any kind” to LinkedIn by hiQ would be “without permission and without authorization from LinkedIn.” LinkedIn further stated that it had “implemented technical measures to prevent hiQ from accessing, and assisting other to access, LinkedIn’s site, through systems that detects, monitor, and block scraping activity.” LinkedIn stated that any further access to LinkedIn’s data would violate state and federal law, including California Penal Code § 502(c), the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, state common law of trespass, and the Digital Millennium Copyright Act. LinkedIn reserved the right to pursue litigation, should hiQ fail to cease and desist from accessing LinkedIn’s website, computer systems, and data.

After hiQ and LinkedIn were unable to agree on an amicable resolution, and LinkedIn declined to permit hiQ’s continued access in the interim, hiQ filed the complaint in this action, which asserts affirmative rights against the denial of access to publicly available LinkedIn profiles based on California common law, the UCL, and the California Constitution. hiQ also seeks a declaration that hiQ has not and will not violate the CFAA, the DMCA, California Penal Code § 502(c), and the common law of trespass to chattels, by accessing LinkedIn public profiles. Docket No. 1. At the same time, hiQ also filed a request for a temporary restraining order and an order to show cause why a preliminary injunction should not be issued against LinkedIn. Docket No. 23. After a hearing on the TRO request, the parties entered into a standstill agreement preserving hiQ’s access to the data and converting hiQ’s initial motion into a motion for a preliminary injunction. A hearing on the motion for preliminary injunction was held on July 27, 2017.

III. DISCUSSION

“A plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.” Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20 (2008). In evaluating these factors, courts in the Ninth Circuit employ a “sliding scale” approach, according to which “the elements of the preliminary injunction test are balanced, so that a stronger showing of one element may offset a weaker showing of another. For example, a stronger showing of irreparable harm to plaintiff might offset a lesser showing of likelihood of success on the merits.” All. for the Wild Rockies v. Cottrell, 632 F.3d 1127, 1131 (9th Cir. 2011). At minimum, “[u]nder Winter, plaintiffs must establish that irreparable harm is likely, not just possible, in order to obtain a preliminary injunction.” Id. (emphasis in original). Specifically, the Ninth Circuit “has adopted and applied a version of the sliding scale approach under which a preliminary injunction could issue where the likelihood of success is such that ‘serious questions going to the merits were raised and the balance of hardships tips sharply in [plaintiff's] favor.’” Id. (quoting Clear Channel Outdoor, Inc. v. City of Los Angeles, 340 F.3d 810, 813 (9th Cir. 2003)). Thus, upon a showing that the balance of hardships tips sharply in its favor, a party seeking a preliminary injunction need only show that there are “serious questions going to the merits” in order to be entitled to relief. Because the balance of hardships, including the threat of irreparable harm faced by each party, informs the requisite showing on the merits, the Court addresses that prong first.

A. Irreparable Harm and Balance of Hardships

hiQ states that absent injunctive relief, it will suffer immediate and irreparable harm because its entire business model depends on access to LinkedIn’s data. If LinkedIn prevails, hiQ will simply go out of business; it “will have to breach its agreements with its customers, stop discussions with its long list of prospective customers, lay off most if not all its employees, and shutter its operations.” Docket No. 24 (“Motion”) at 24. These are credible assertions, given the undisputed fact that hiQ’s entire business depends on its access to LinkedIn’s public profile data.[1] These potential consequences are sufficient to constitute irreparable harm. “The threat of being driven out of business is sufficient to establish irreparable harm.” Am. Passage Media Corp. v. Cass Commc’ns, Inc., 750 F.2d 1470, 1474 (9th Cir. 1985); see also Doran v. Salem Inn, Inc., 422 U.S. 922, 932 (1975) (holding that “a substantial loss of business and perhaps even bankruptcy” constitutes irreparable harm sufficient to warrant interim relief). Similarly, “[e]vidence of threatened loss of prospective customers or goodwill certainly supports a finding of the possibility of irreparable harm.” Stuhlbarg Int’l Sales Co. v. John D. Brush & Co., 240 F.3d 832, 841 (9th Cir. 2001).

[1] At the hearing, LinkedIn pointed to the fact that other companies operate in the data analytics field without making use of LinkedIn’s member data. But as hiQ pointed out, these companies employ entirely different business models. For example, one company highlighted by LinkedIn, Glint, creates its own data by taking surveys of employees working for its clients. Requiring hiQ to rebuild its business on an entirely different business model, such as that employed by Glint, from scratch would constitute harm comparable to simply going out of business. LinkedIn also suggests that hiQ could make use of other sources of data, such as Facebook. But while Facebook may have a comparable number of professionals using its service, LinkedIn has not argued that the professional data available at Facebook is of a similar quality to that available at LinkedIn. Moreover, if LinkedIn’s view of the law is correct, nothing would prevent Facebook from barring hiQ in the same way LinkedIn has.

For its part, LinkedIn argues that it faces significant harm because hiQ’s data collection threatens the privacy of LinkedIn users, because even members who opt to make their profiles publicly viewable retain a significant interest in controlling the use and visibility of their data.[2] In particular, LinkedIn points to the interest that some users may have in preventing employers or other parties from tracking changes they have made to their profiles. LinkedIn posits that when a user updates his profile, that action may signal to his employer that he is looking for a new position. LinkedIn states that over 50 million LinkedIn members have used a “Do Not Broadcast” feature that prevents the site from notifying other users when a member makes profile changes. This feature is available even when a profile is set to public. LinkedIn also points to specific user complaints it has received objecting to the use of data by third parties. In particular, two users complained that information that they had previously featured on their profile, but subsequently removed, remained viewable via third parties. (These complaints involved third parties other than hiQ.) LinkedIn maintains that all of these concerns are potentially undermined by hiQ’s data collection practices: while the information that hiQ seeks to collect is publicly viewable, the posting of changes to a profile may raise the risk that a current employee may be rated as having a higher risk of flight under Keeper even though the employee chose the Do Not Broadcast setting. hiQ could also make data from users available even after those users have removed it from their profiles or deleted their profiles altogether. LinkedIn argues that both it and its users therefore face substantial harm absent an injunction; if hiQ is able to continue its data collection unabated, LinkedIn members’ privacy may be compromised, and the company will suffer a corresponding loss of consumer trust and confidence.

[2] LinkedIn does not claim a proprietary interest in its users’ profiles.

These considerations are not without merit, but there are a number of reasons to discount to some extent the harm claimed by LinkedIn. First, LinkedIn emphasizes that the fact that 50 million users have opted into the “Do Not Broadcast” feature indicates that a vast number of its users are fearful that their employer may monitor their accounts for possible changes. But there are other potential reasons why a user may opt for that setting. For instance, users may be cognizant that their profile changes are generating a large volume of unwanted notifications broadcasted to their connections on the site. They may wish to limit annoying intrusions into their contacts.[3] Second, LinkedIn has presented little evidence of users’ actual privacy expectation; out of its hundreds of millions of users, including 50 million using Do Not Broadcast, LinkedIn has only identified three individual complaints specifically raising concerns about data privacy related to third-party data collection. Docket No. 49-1 Exs. A-C. None actually discuss hiQ or the “Do Not Broadcast” setting. Third, LinkedIn’s professed privacy concerns are somewhat undermined by the fact that LinkedIn allows other third-parties to access user data without its members’ knowledge or consent. LinkedIn offers a product called “Recruiter” that allows professional recruiters to identify possible candidates for other job opportunities. LinkedIn avers that when users have selected the Do Not Broadcast option, the Recruiter product respects this choice and does not update recruiters of profile changes. However, hiQ presented marketing materials at the hearing which indicate that regardless of other privacy settings, information including profile changes are conveyed to third parties who subscribe to Recruiter. Indeed, these materials inform potential customers that when they “follow” another user, “[f]rom now on, when they update their profile or celebrate a work anniversary, you’ll receive an update on your homepage. And don’t worry – they don’t know you’re following them.” LinkedIn thus trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case.

[3] Though the “Do Not Broadcast” feature makes it less likely to draw immediate attention to a profile update, it does nothing to prevent an employer, or any other third-party, from visiting an employee’s page periodically to determine whether significant changes have been made.

LinkedIn stresses that its privacy policy expressly permits disclosures of this sort, whereas it expressly prohibits third-party scraping of the sort that hiQ engages in. Accordingly, LinkedIn argues that the Recruiter program accords with its members’ expectations of privacy, whereas hiQ’s data collection does not.[4] It is unlikely, however, that most users’ actual privacy expectations are shaped by the fine print of a privacy policy buried in the User Agreement that likely few, if any, users have actually read.[5] To the contrary, it is not obvious that LinkedIn members who decide to set their profiles to be publicly viewable expect much privacy at all in the profiles they post.

[4] LinkedIn argues hiQ signed up as a LinkedIn user and is thus bound by the User Agreement. But LinkedIn has since terminated hiQ’s user status. LinkedIn has not demonstrated that hiQ’s aggregation of data from LinkedIn’s public profiles is dependent on its status as a LinkedIn user.

[5] See, e.g., Tom Towers, Thousands Sign up for Community Service After Failing to Read Terms and Conditions, Metro News (July 14, 2017, 11:12 PM), http://metro.co.uk/2017/07/14/thousands-sign-up-for-community-service-after-failing-to-read-terms-and-conditions-6781034/.

In sum, hiQ unquestionably faces irreparable harm in the absence of an injunction, as it will likely be driven out of business. The asserted harm LinkedIn faces, by contrast, is tied to its users’ expectations of privacy and any impact on user trust in LinkedIn. However, those expectations are uncertain at best, and in any case, LinkedIn’s own actions do not appear to have zealously safeguarded those privacy interests.

Furthermore, despite the fact that hiQ has been aggregating LinkedIn’s public data for five years with LinkedIn’s knowledge, LinkedIn has presented no evidence of harm, financial or otherwise resulting from hiQ’s activities. Indeed, LinkedIn has not explained why suddenly it has now chosen to revoke its consent (or at least tolerance) of hiQ’s use of that data.

The Court concludes that based on the record presented, the balance of hardships tips sharply in hiQ’s favor. To be entitled to an injunction, therefore, hiQ needs only show that it has raised “serious questions going to the merits.” All. for the Wild Rockies, 632 F.3d at 1131.

B. Serious Questions Going to the Merits

hiQ argues that it is likely to prevail on the merits – or at least raises serious questions going to the merits – on each of its claims. For its part, LinkedIn argues that all of hiQ’s claims necessarily fail because hiQ’s unauthorized access to LinkedIn’s computers violates the CFAA. Thus, not only is LinkedIn’s cease and desist letter backed by the CFAA, to the extent that any of hiQ’s state claims have merit, they would be preempted by the CFAA. The Court thus first addresses the likelihood that the CFAA applies.

1. CFAA

Whether hiQ’s continued access to the LinkedIn public profiles violates the CFAA constitutes a key threshold question in this case. The CFAA creates civil and criminal liability for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”[6] 18 U.S.C. § 1030(a)(2)(C). As the Supreme Court has explained, the statute “provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Musacchio v. United States, 136 S. Ct. 709, 713 (2016).

[6] As LinkedIn notes, because its computers are connected to the Internet and affect interstate commerce, they are “protected computers” under the CFAA. See United States v. Nosal (Nosal I), 676 F.3d 854, 859 (9th Cir. 2012). hiQ does not dispute this fact.

The key question regarding the applicability of the CFAA in this case is whether, by continuing to access public LinkedIn profiles after LinkedIn has explicitly revoked permission to do so, hiQ has “accesse[d] a computer without authorization” within the meaning of the CFAA. LinkedIn argues that under the plain meaning of “without authorization,” as well as under relevant Ninth Circuit authority, hiQ has. LinkedIn relies primarily on two cases.

First, in Facebook, Inc. v. Power Ventures, Inc., the Ninth Circuit held that “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly.” 844 F.3d 1058, 1067 (9th Cir. 2016) (emphasis added). In Power Ventures, the defendant operated a site that extracted and aggregated users’ social networking information from Facebook and other sites on a single page. The defendant gained access to password-protected Facebook member profiles when its users supplied their Facebook login credentials. When users selected certain options on the defendant’s site, the defendant, in many instances, “caused a message to be transmitted to the user’s friends within the Facebook system.” Id. at 1063. Facebook had sent a cease and desist letter demanding that Power Ventures cease accessing information on users’ pages. The Ninth Circuit found a CFAA violation where “after receiving written notification from Facebook” Power Ventures “circumvented IP barriers” and continued to access Facebook servers. Id. at 1068. In short, Power Ventures accessed Facebook computers “without authorization.”

LinkedIn also relies on United States v. Nosal (Nosal II), 844 F.3d 1024 (9th Cir. 2016). There, the Ninth Circuit held that an employee “whose computer access credentials were affirmatively revoked by [his employer] acted ‘without authorization’ in violation of the CFAA when he or his former employee coconspirators used the login credentials of a current employee” to gain access to the employer’s computer systems. Id. at 1038. Specifically, the defendant persuaded current employees of the company to use their login credentials to access and collect confidential information, including trade secrets that Nosal and the employees planned to use to start a competing business. Id. at 1028-29. The court held “that ‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Id. at 1028. Defendant’s authorization had been revoked when he left the company.

Each of these cases is distinguishable in an important respect: none of the data in Facebook or Nosal II was public data. Rather, the defendants in those cases gained access to a computer network (in Nosal II) and a portion of a website (in Power Ventures) that were protected by a password authentication system. In short, the unauthorized intruders reached into what would fairly be characterized as the private interior of a computer system not visible to the public. Neither of those cases confronted the precise issue presented here: whether visiting and collecting information from a publicly available website may be deemed “access” to a computer “without authorization” within the meaning of the CFAA where the owner of the web site has selectively revoked permission.

To be sure, LinkedIn’s construction of the CFAA is not without basis. Visiting a website accesses the host computer in one literal sense, and where authorization has been revoked by the website host, that “access” can be said to be “without authorization.” See Craigslist Inc. v. 3Taps Inc., 942 F. Supp. 2d 962 (N.D. Cal. 2013). However, whether “access” to a publicly viewable site may be deemed “without authorization” under the CFAA where the website host purports to revoke permission is not free from ambiguity. The Supreme Court has cautioned that “[w]hether a statutory term is unambiguous . . . does not turn solely on dictionary definitions of its component words. Rather, ‘the plainness or ambiguity of statutory language is determined [not only] by reference to the language itself, [but as well by] the specific context in which that language is used, and the broader context of the statute as a whole.’” Yates v. United States, 135 S. Ct. 1074, 1082 (2015) (quoting Robinson v. Shell Oil Co., 519 U.S. 337, 341 (1997)) (holding that a fish is not a “tangible object” within the meaning of the Sarbanes-Oxley Act). See also Bond v. U.S., 134 S.Ct. 2077, 2090 (2014) (rejecting literal reading of Chemical Weapons Convention Implementation Act that would have permitted prosecution of woman who caused minor chemical burns to spouse’s lover’s thumb because “[p]art of a fair reading of statutory text is recognizing that ‘Congress legislates against the backdrop’ of certain unexpressed presumptions”) (quoting EEOC v. Arabian American Oil Co., 499 U.S. 244, 248 (1991)).

The CFAA must be interpreted in its historical context, mindful of Congress’ purpose. The CFAA was not intended to police traffic to publicly available websites on the Internet – the Internet did not exist in 1984. The CFAA was intended instead to deal with “hacking” or “trespass” onto private, often password-protected mainframe computers. See H.R. Rep. No. 98-894, 1984 U.S.C.C.A.N. 3689, 3691-92, 3695-97 (1984); S. Rep. No. 99-432, 1986 U.S.C.C.A.N. 2479, 2480 (1986). The Ninth Circuit has recognized this statutory purpose, explaining that “Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, ‘[i]n intentionally trespassing into someone else’s computer files, the offender obtains at the very least information as to how to break into that computer system.’” United States v. Nosal (Nosal I), 676 F.3d 854, 858 (9th Cir. 2012) (quoting S.Rep. No. 99–432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.)). It was originally enacted to protect government computers from hacking; it was expanded in 1986 to protect commercial computer systems. See S.Rep. No. 99–432, at 2 (1986), 1986 U.S.C.C.A.N. 2479, 2480 (Conf. Rep.). The Ninth Circuit, in considering a related provision of the statute, cautioned against an overbroad interpretation that would “expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer,” thereby “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal I, 676 F.3d at 859.

As hiQ points out, application of the CFAA to the accessing of websites open to the public would have sweeping consequences well beyond anything Congress could have contemplated; it would “expand its scope well beyond computer hacking.” Nosal I, 676 F.3d at 859. Under LinkedIn’s interpretation of the CFAA, a website would be free to revoke “authorization” with respect to any person, at any time, for any reason, and invoke the CFAA for enforcement, potentially subjecting an Internet user to criminal, as well as civil, liability. Indeed, because the Ninth Circuit has specifically rejected the argument that “the CFAA only criminalizes access where the party circumvents a technological access barrier,” Nosal II, 844 F.3d at 1038, merely viewing a website in contravention of a unilateral directive from a private entity would be a crime, effectuating the digital equivalence of Medusa. The potential for such exercise of power over access to publicly viewable information by a private entity weaponized by the potential of criminal sanctions is deeply concerning.[7] This effect would be particularly pernicious because once it is found to apply, the CFAA as interpreted by LinkedIn would not leave any room for the consideration of either a website owner’s reasons for denying authorization or an individual’s possible justification for ignoring such a denial. Website owners could, for example, block access by individuals or groups on the basis of race or gender discrimination. Political campaigns could block selected news media, or supporters of rival candidates, from accessing their websites. Companies could prevent competitors or consumer groups from visiting their websites to learn about their products or analyze pricing. Further, in addition to criminalizing any attempt to obtain access to information otherwise viewable by the public at large, the CFAA would preempt all state and local laws that might otherwise afford a legal right of access (e.g., state law rights asserted by hiQ herein). A broad reading of the CFAA could stifle the dynamic evolution and incremental development of state and local laws addressing the delicate balance between open access to information and privacy – all in the name of a federal statute enacted in 1984 before the advent of the World Wide Web.[8]

[7] Although there is no indication of any current threat of criminal prosecution in this case as LinkedIn thus far has alluded only to possible civil enforcement of the CFAA, a construction of the CFAA must take into account the fact the statute may be enforced criminally and that its interpretation would apply uniformly to criminal as well as civil enforcement. See, e.g., Ratzlaf v. United States, 510 U.S. 135, 143 (1994) (“A term appearing in several places in a statutory text is generally read the same way each time