`
`IN THE
`Supreme Court of the United States
`
`LINKEDIN CORPORATION,
`
`v.
`
`HIQ LABS, INC.,
`
`
`
`Petitioner,
`
`Respondent.
`
`
`On Petition for a Writ of Certiorari to the
`United States Court of Appeals
`for the Ninth Circuit
`
`PETITION FOR A WRIT OF CERTIORARI
`
`
`
`
`
`E. JOSHUA ROSENKRANZ
`ORRICK HERRINGTON &
` SUTCLIFFE LLP
`51 West 52nd Street
`New York, NY 10019
`(212) 506-5000
`ERIC A. SHUMSKY
`ORRICK HERRINGTON &
` SUTCLIFFE LLP
`1152 15th Street, NW
`Washington, DC 20005
`(202) 339-8400
`BRIAN P. GOLDMAN
`ORRICK HERRINGTON &
` SUTCLIFFE LLP
`405 Howard Street
`San Francisco, CA 94105
`(415) 773-5700
`
` DONALD B. VERRILLI, JR.
`Counsel of Record
`JONATHAN S. MELTZER
`MUNGER, TOLLES & OLSON LLP
`1155 F Street NW, 7th Floor
`Washington, DC 20004
`(202) 220-1100
`donald.verrilli@mto.com
`JONATHAN H. BLAVIN
`ROSEMARY T. RING
`NICHOLAS D. FRAM
`MARIANNA Y. MAO
`MUNGER, TOLLES & OLSON LLP
`560 Mission Street, 27th Floor
`San Francisco, CA 94105
`(415) 512-4000
`
`Counsel for Petitioner
`
`
`
`
`
`i
`
`QUESTION PRESENTED
`Whether a company that deploys anonymous com-
`puter “bots” to circumvent technical barriers and harvest
`millions of individuals’ personal data from computer
`servers that host public-facing websites—even after the
`computer servers’ owner has expressly denied permis-
`sion to access the data—“intentionally accesses a com-
`puter without authorization” in violation of the Com-
`puter Fraud and Abuse Act.
`
`
`
`
`
`ii
`
`PARTIES TO THE PROCEEDING AND
`CORPORATE DISCLOSURE STATEMENT
`Petitioner LinkedIn Corporation was appellant in the
`court of appeals and defendant in the district court.
`LinkedIn Corporation is a wholly owned subsidiary of
`Microsoft Corporation (“Microsoft”). Microsoft is a pub-
`licly traded company. No person or entity holds 10% or
`more of Microsoft’s outstanding common stock.
`Respondent hiQ Labs, Inc. was appellee in the court
`of appeals and plaintiff in the district court.
`
`
`RELATED PROCEEDINGS
`The proceedings directly related to this petition are:
`• hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, No.
`17-16783 (9th Cir. 2019), rehearing en banc denied
`(9th Cir. Nov. 8, 2019)
`• hiQ Labs, Inc. v. LinkedIn Corp., 273 F. Supp. 3d
`1099, No.17-cv-03301-EMC (N.D. Cal. 2017)
`
`
`
`
`
`
`iii
`
`TABLE OF CONTENTS
`
`Page
`
`QUESTION PRESENTED .......................................... i
`PARTIES TO THE PROCEEDING AND
`CORPORATE DISCLOSURE STATEMENT .... ii
`RELATED PROCEEDINGS....................................... ii
`TABLE OF CONTENTS ............................................ iii
`TABLE OF AUTHORITIES ....................................... v
`OPINIONS BELOW ................................................... 1
`JURISDICTION.......................................................... 1
`STATUTORY PROVISION INVOLVED ................... 1
`INTRODUCTION ....................................................... 2
`STATEMENT .............................................................. 5
`A. The Computer Fraud and Abuse Act ................. 5
`B. Factual Background ........................................... 7
`C. Proceedings Below ............................................ 11
`REASONS FOR GRANTING THE PETITION ....... 13
`A. The Decision of the Court of Appeals
`Creates a Clear and Direct Circuit
`Conflict that Requires this Court’s
`Resolution ......................................................... 15
`B. The Ninth Circuit’s Interpretation of the
`CFAA is Incorrect ............................................. 20
`1. The Ninth Circuit’s Decision
`Cannot be Reconciled with the
`Statute’s Text and Structure ................. 20
`
`
`
`
`
`iv
`
`2. The Legislative History Does not
`Support the Ninth Circuit’s
`Interpretation ........................................ 25
`C. The Decision Below Raises Issues of
`Exceptional Importance That Should Be
`Addressed Now ................................................. 27
`CONCLUSION ......................................................... 33
`APPENDIX
`Appendix A: Opinion of the United States
`Court of Appeals for the Ninth Circuit
`(September 9, 2019) .................................................. 1a
`Appendix B: Opinion of the United States
`District Court for the Northern District of
`California (August 14, 2017) .................................. 39a
`Appendix C: Order of the United States Court
`of Appeals for the Ninth Circuit Denying
`Rehearing (November 8, 2019) ............................... 77a
`Appendix D: Relevant Statutory Provisions .......... 79a
`
`
`
`
`
`
`v
`
`TABLE OF AUTHORITIES
`
`Page(s)
`
`FEDERAL CASES
`
`Am. Online, Inc. v. Nat’l Health Care
`Disc., Inc.,
`121 F. Supp. 2d 1255 (N.D. Iowa
`2000)...................................................................... 29
`
`Ashcroft v. Am. Civil Liberties Union,
`542 U.S. 656 (2004) .............................................. 27
`
`City of Los Angeles v. Lyons,
`461 U.S. 95 (1983) ................................................ 27
`
`Couponcabin LLC v. Savings.com, Inc.,
`No. 14-CV-39, 2016 WL 3181826
`(N.D. Ind. June 8, 2016) ....................................... 17
`
`Craigslist Inc. v. 3Taps Inc.,
`964 F. Supp. 2d 1178 (N.D. Cal.
`2013)...............................................................passim
`
`Doe v. Dartmouth-Hitchcock Med. Ctr.,
`No. 00-cv-100, 2001 WL 873063
`(D.N.H. July 19, 2001) .......................................... 29
`
`eBay, Inc. v. Bidder’s Edge, Inc.,
`100 F. Supp. 2d 1058 (N.D. Cal.
`2000).................................................................... 8, 9
`
`EF Cultural Travel BV v. Zefer Corp.,
`318 F.3d 58 (1st Cir. 2003) ................... 6, 15, 16, 17
`
`
`
`
`
`vi
`
`Freedom Banc Mortg. Servs., Inc. v.
`O’Harra,
`No. 11-cv-01073, 2012 WL 3862209
`(S.D. Ohio Sept. 5, 2012) ...................................... 29
`
`Hardt v. Reliance Standard Life Ins. Co.,
`560 U.S. 242 (2010) .............................................. 24
`
`M.R. v. Dreyfus,
`697 F.3d 706 (9th Cir. 2012) ................................ 27
`
`Marx v. Gen. Revenue Corp.,
`568 U.S. 371 (2013) .............................................. 25
`
`Oliver v. United States,
`466 U.S. 170 (1984) ........................................ 22, 23
`
`Pasquantino v. United States,
`544 U.S. 349 (2005) .............................................. 24
`
`QVC, Inc. v. Resultly, LLC,
`159 F. Supp. 3d 576 (E.D. Pa. 2016) .............. 17, 32
`
`Ratzlaf v. United States,
`510 U.S. 135 (1994) .............................................. 25
`
`Register.com, Inc. v. Verio, Inc.,
`126 F. Supp. 2d 238 (S.D.N.Y. 2000),
`aff’d as modified, 356 F.3d 393 (2d
`Cir. 2004) .............................................................. 18
`
`Reno v. Am. Civil Liberties Union,
`521 U.S. 844 (1997) .............................................. 18
`
`Sw. Airlines Co. v. Farechase, Inc.,
`318 F. Supp. 2d 435 (N.D. Tex. 2004) .................. 18
`
`
`
`
`
`vii
`
`Ticketmaster LLC v. RMG Techs., Inc.,
`507 F. Supp. 2d 1096 (C.D. Cal. 2007) ................. 18
`
`Trump v. Hawaii,
`138 S. Ct. 2392 (2018) .......................................... 27
`
`United States v. Jones,
`565 U.S. 400 (2012) ................................................ 9
`
`United States v. Lowson,
`No. 10-cr-114, 2010 WL 9552416
`(D.N.J. Oct. 12, 2010) ........................................... 18
`
`Whitfield v. United States,
`543 U.S. 209 (2005) .............................................. 25
`
`FEDERAL STATUTES
`
`18 U.S.C. § 1030(a) .............................................passim
`
`18 U.S.C. § 1030(a)(2) .........................................passim
`
`18 U.S.C. § 1030(a)(2) (1994) ....................................... 6
`
`18 U.S.C. § 1030(a)(2) (2000) ....................................... 6
`
`18 U.S.C. § 1030(a)(2)(C) ................................. 5, 20, 24
`
`18 U.S.C. § 1030(a)(3) .................................... 23, 24, 26
`
`18 U.S.C. § 1030(e)(2)(B) ............................................. 5
`
`18 U.S.C. § 1030(g) ...................................................... 6
`
`18 U.S.C. § 2511(2)(g) ................................................ 24
`
`18 U.S.C. § 2701 et seq. ............................................. 24
`
`
`
`
`
`viii
`
`28 U.S.C. § 1254(1) ...................................................... 1
`
`Pub. L. No. 104-104, 110 Stat 56 (1996) ................... 26
`
`Pub. L. No. 104-294, 110 Stat 3488,
`(1996) ...................................................................... 6
`
`LEGISLATIVE MATERIALS
`
`H.R. Rep. No. 98-894 (1984) ...................................... 22
`
`H.R. Rep. No. 99-612 (1986) ...................................... 22
`
`S. Rep. No. 99-432 (1986) .......................................... 22
`
`S. Rep. No. 104-357 (1996) .............................. 6, 24, 26
`
`TREATISES
`
`75 Am. Jur. 2d Trespass § 40 .................................... 22
`
`OTHER AUTHORITIES
`
`Daniel J. Marcus, The Data Breach
`Dilemma: Proactive Solutions for
`Protecting Consumers’ Personal
`Information, 68 Duke L.J. 555 (2018) ................. 27
`
`Kashmir Hill, Before Clearview Became
`a Police Tool, It Was a Secret
`Plaything of the Rich, The New York
`Times (March 5, 2020) ............................................ 5
`
`Kashmir Hill, The Secretive Company
`That Might End Privacy As We Know
`It, The New York Times (Jan. 18,
`2020)........................................................................ 5
`
`
`
`
`
`ix
`
`Kashmir Hill, Twitter Tells Facial
`Recognition Trailblazer to Stop Using
`Site’s Photos, The New York Times
`(Jan. 22, 2020) .................................................. 5, 29
`
`Louise Matsakis, Scraping the Web is a
`Powerful Tool. Clearview AI Abused
`it, Wired (Jan. 25 2020) ........................................ 29
`
`Matthew Rosenberg & Sheera Frankel,
`Facebook’s Role in Data Misuse Sets
`off Storms on Two Continents, The
`New York Times (Mar. 18, 2018) ......................... 28
`
`
`
`
`
`
`
`1
`
`PETITION FOR A WRIT OF CERTIORARI
`
`
`LinkedIn Corporation (“LinkedIn”) respectfully peti-
`tions for a writ of certiorari to review the judgment of the
`United States Court of Appeals for the Ninth Circuit.
`OPINIONS BELOW
`The Ninth Circuit’s opinion affirming the judgment of
`the district court and remanding (Pet. App. 1a) is re-
`ported at 938 F.3d 985. The Ninth Circuit’s order deny-
`ing panel rehearing and rehearing en banc (Pet. App.
`77a) is unreported. The district court’s opinion granting
`hiQ a preliminary injunction (Pet. App. 39a) is reported
`at 273 F. Supp. 3d 1099.
`JURISDICTION
`The Ninth Circuit entered judgment on September 9,
`2019, and denied a timely rehearing petition on Novem-
`ber 8, 2019. Pet. App. 77a. On January 23, 2020, the
`Court extended the time to file this petition to March 9,
`2020. The jurisdiction of this Court is invoked under 28
`U.S.C. § 1254(1).
`STATUTORY PROVISION INVOLVED
`The relevant provision of the Computer Fraud and
`Abuse Act, 18 U.S.C. § 1030, is reproduced in its entirety
`in the appendix to this petition. Pet. App. 79a.
`
`
`
`
`
`
`
`2
`
`INTRODUCTION
`This case raises a question of fundamental im-
`portance: whether the Computer Fraud and Abuse Act
`(CFAA) protects a public-facing website 1 from data-
`scraping by companies that surreptitiously harvest and
`exploit the personal data of the website’s users for their
`own purposes.
`LinkedIn is a professional social networking service
`that offers registered members the ability to create pro-
`files that showcase their skills and accomplishments and
`to connect with other professionals to further their ca-
`reers. When members do so, they entrust their personal
`information—such as education, work history, skills, test
`scores, volunteer activities, and organizational affilia-
`tions—to LinkedIn, which is then stored on LinkedIn’s
`computer servers.
`In making their information available on LinkedIn’s
`website, LinkedIn’s members do not relinquish control of
`all uses of that information to all persons for all time. To
`the contrary, LinkedIn gives its members considerable
`control over how their personal information will be used.
`Members can restrict public access to that information
`in various ways, and can change their minds as their
`needs or preferences change. And they can terminate
`their relationship with LinkedIn at any time, and
`thereby preclude further access to their information on
`LinkedIn’s website and further use of that information
`by LinkedIn.
`Over the years, LinkedIn has sought to develop a re-
`lationship of trust with its members by respecting the
`choices they make about how their personal information
`will be used. That relationship is integral to LinkedIn’s
`
`1 The term “public-facing website” refers to a website that makes
`information available to visitors without the use of a password.
`
`
`
`
`3
`
`success, and LinkedIn works hard to protect it. But it is
`constantly threatened by entities that surreptitiously
`deploy anonymous computer “bots” that seek to scrape—
`i.e., harvest—massive volumes of personal data from
`LinkedIn’s servers. Many of those third parties repack-
`age and use LinkedIn member data without permission
`from LinkedIn or its members, often in violation of the
`members’ expectations of privacy and to their detriment.
`LinkedIn has established technological barriers to coun-
`ter this unauthorized activity, but data scrapers in turn
`constantly update their own technologies to overcome
`these technological barriers.
`One such entity is Respondent hiQ, which surrepti-
`tiously employs bots on a massive scale in a systematic
`effort to evade LinkedIn’s barriers and to amass its own
`database of information about LinkedIn’s members. hiQ
`uses that scraped data in a commercial product that op-
`erates as an early warning system for employers, alert-
`ing them when their employees are likely looking for a
`new job.
`The CFAA, a computer trespass statute, imposes civil
`and criminal liability on a party for accessing a qualify-
`ing computer “without authorization.”
` 18 U.S.C.
`§ 1030(a)(2). For decades, website operators have in-
`voked this statute successfully to stop systematic third-
`party scraping like that undertaken by hiQ. In this case,
`however, the Ninth Circuit held that hiQ did not inten-
`tionally access a computer server “without authoriza-
`tion,” even though LinkedIn had employed technical
`measures designed to deny access to hiQ’s data-scraping
`bots and sent a cease-and-desist letter informing hiQ
`that its bots did not have permission to access LinkedIn’s
`servers. Pet. App. 22a-39a. In an unprecedented ruling,
`the Ninth Circuit concluded that public-facing websites
`are categorically ineligible to invoke the CFAA. Accord-
`ing to the Ninth Circuit, because certain information
`
`
`
`
`
`4
`
`available on LinkedIn’s website can be viewed by the
`public without submitting a password, LinkedIn had
`never granted—and therefore could not revoke—“au-
`thorization” to anyone, including surreptitious scrapers
`like hiQ.
`The Ninth Circuit’s opinion breaks sharply with
`every federal court that has interpreted Section 1030(a).
`The First Circuit and all district courts to consider the
`issue have uniformly held that Section 1030(a) applies,
`in accordance with its unambiguous text, to entities that
`scrape data from public-facing websites when the web-
`site owner has denied authorization for such scraping.
`And the conflict created by the Ninth Circuit’s decision
`is not a tolerable one. Because the Internet is ubiquitous,
`the exact same conduct by the exact same entities will
`be subject to CFAA liability in some parts of the country
`and not others. By the same token, leading technology
`companies will be able to invoke the CFAA to protect
`themselves and their users in some parts of the country
`but not in the Ninth Circuit (where many of them are
`headquartered).
`In addition to creating a circuit conflict and disrupt-
`ing this prior uniformity, the Ninth Circuit’s opinion pre-
`sents an issue of exceptional importance. The need to
`protect personal data from the threat of unauthorized
`exploitation becomes more pressing every day. hiQ is far
`from alone in engaging in such activities. For example,
`recent reports have highlighted the actions of another
`company, Clearview, which has deployed bots to engage
`in the systematic scraping of social media websites to
`amass a database of more than three billion photos,
`without the consent of those websites or their users.
`Clearview has exploited that scraped data to support a
`powerful facial recognition technology that it has al-
`ready licensed to more than 600 law enforcement agen-
`
`
`
`
`
`5
`
`cies and offered to some private individuals and compa-
`nies.2 And Clearview will surely not be the last company
`to engage in such conduct.
`In the face of these increasing threats, the Ninth Cir-
`cuit’s decision has denied operators of public-facing web-
`sites a critical means of protecting user data from unau-
`thorized third-party scrapers. Experts have already
`noted that the Ninth Circuit’s decision “eviscerated the
`legal argument that” websites have used to block entities
`like hiQ and Clearview. 3 Review of that decision is
`plainly warranted.
`
`STATEMENT
`A. The Computer Fraud and Abuse Act
`The CFAA is a computer trespass statute. Specifi-
`cally, it creates criminal and civil liability for “[w]hoever
`... intentionally accesses a computer without authoriza-
`tion or exceeds authorized access, and thereby obtains ...
`information from any protected computer.” 18 U.S.C.
`§ 1030(a)(2)(C). A “protected computer,” in turn, is any
`computer “used in or affecting interstate or foreign com-
`merce or communication,” 18 U.S.C. § 1030(e)(2)(B)—in
`short, any computer connected to the Internet. The
`CFAA also provides a private right of action for “[a]ny
`
`
`2 Kashmir Hill, The Secretive Company That Might End Privacy
`As We Know It, The New York Times (Jan. 18, 2020),
`https://www.nytimes.com/2020/01/18/technology/clearview-
`privacy-facial-recognition.html; Kashmir Hill, Before Clearview
`Became a Police Tool, It Was a Secret Plaything of the Rich, The
`New York Times
`(March
`5,
`2020), https://www.ny-
`times.com/2020/03/05/technology/clearview-investors.html.
`3 Kashmir Hill, Twitter Tells Facial Recognition Trailblazer to
`Stop Using Site’s Photos, The New York Times (Jan. 22, 2020),
`https://www.nytimes.com/2020/01/22/technology/clearview-ai-
`twitter-letter.html (quoting director of Stanford Internet Obser-
`vatory Alex Stamos).
`
`
`
`
`6
`
`person who suffers damage or loss [greater than $5,000]
`by reason of a violation of this section.” 18 U.S.C.
`§ 1030(g).
`Although the CFAA was originally enacted in 1984,
`the provision at issue in this case, § 1030(a)(2), was
`adopted in its current form in 1996, when use of the In-
`ternet was already widespread. See Pub. L. No. 104-294,
`§ 201, 110 Stat 3488, 3492 (1996). The 1996 amendment
`expanded the scope of § 1030(a)(2), which had previously
`applied only to unauthorized attempts to obtain certain
`financial records. See 18 U.S.C. § 1030(a)(2) (1994). As
`amended, the provision covered the act of obtaining any
`“information,” financial or otherwise, from any protected
`computer “without authorization.” See 18 U.S.C.
`§ 1030(a)(2) (2000). See also S. Rep. No. 104-357, at 8-9
`(1996) (recognizing that “accessing” a “publicly availa-
`ble” computer “via [a] World Wide Web site” without au-
`thorization could trigger CFAA liability).
`After passage of the 1996 amendment, courts rou-
`tinely held that Section 1030(a)(2) liability attached to
`accessing websites without authorization, even where
`information was publicly available without use of a pass-
`word. See, e.g., EF Cultural Travel BV v. Zefer Corp., 318
`F.3d 58 (1st Cir. 2003). Those courts found that using
`bots in ways that were antithetical to the business inter-
`ests of a publicly-available website operator or to the pri-
`vacy interests of a website’s users, after those websites
`had unequivocally withdrawn authorization for such ac-
`cess, violated the CFAA.
`Against this backdrop, Congress amended the CFAA
`in 2001 and 2008, each time to expand the scope of online
`conduct that the CFAA would cover. As lower courts con-
`tinued to apply the CFAA to impose liability when bots
`operated by third parties accessed public-facing websites
`
`
`
`
`
`7
`
`“without authorization,” Congress thus gave no indica-
`tion that courts were misinterpreting the statute’s scope.
`B. Factual Background
`1. Petitioner LinkedIn is a professional networking
`service that allows its members to create, manage, and
`share their professional identities and interests online.
`5ER-824.4 Members do so by creating a “profile” contain-
`ing professional information that appears on LinkedIn’s
`website. The information that members entrust to
`LinkedIn—including work and education history, profile
`narratives, and photographs—is central to its business.
`LinkedIn’s significant investment in its platform and its
`member community has resulted in over 500 million
`members signing up for its service worldwide. 5ER-824.
`LinkedIn’s members can use a variety of user controls
`and privacy settings to choose what information they
`share on their profiles, with whom they share it, and
`when to remove it from LinkedIn’s servers and the In-
`ternet. When LinkedIn members remove information
`from their profiles, LinkedIn in turn removes that infor-
`mation from its servers. And when a user decides to
`close her LinkedIn account, that account, and the infor-
`mation in it, is removed from LinkedIn and the Internet.
`4ER-764.
`LinkedIn also enables its members to control how
`their personal information is shared and with whom. To
`this end, LinkedIn offers its members a “Do Not Broad-
`cast” feature, which allows members to change their pro-
`files without alerting others that any changes were
`made. Pet. App. 3a. This feature was specifically devel-
`oped in response to employees’ concerns about employers
`monitoring changes to their LinkedIn profiles. 3ER-427.
`
`4 “ER” cites are to the Appellant’s Excerpts of Record on appeal in
`the Ninth Circuit.
`
`
`
`
`8
`
`And LinkedIn members can access their privacy settings
`and select this feature at any time, as demonstrated by
`this screenshot:
`
`
`
`3ER-427. More than 50 million LinkedIn members have
`elected to employ the “Do Not Broadcast” feature, includ-
`ing 20 percent of active members who updated their pro-
`files between July 2016 and July 2017. Pet. App. 3a.5
`2. To protect its members’ data and its business,
`LinkedIn actively works to prevent unauthorized data-
`scraping from its computers. Scraping is the automated,
`mass-extraction of data directly from a website’s servers.
`Scraping is frequently performed by bots: computer pro-
`grams that “query other computers over the Internet in
`order to obtain a significant amount of information.”
`eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058,
`1060 n.2 (N.D. Cal. 2000).
`Data-scraping bots can be employed for a variety of
`purposes. For example, search engines use bots to access
`and index information on websites. Pursuant to its pri-
`vacy policy, LinkedIn has authorized certain “white
`
`
`5 Consistent with this feature, and in notable contrast to hiQ’s ap-
`proach, LinkedIn’s “Recruiter” product—which enables recruiters
`to view information regarding prospective employees they may be
`interested in recruiting— “does not provide alerts about profile
`changes made by LinkedIn members who select the ‘Do Not
`Broadcast’ setting.” Pet. App. 13a n.7.
`
`
`
`
`9
`
`listed” bots (e.g., those employed by search engines such
`as Google and Bing) to index some member profile infor-
`mation. 4ER-761. LinkedIn’s policy benefits members
`by allowing them to be found via search engines, and to
`thus present their professional information to the world
`in the manner of their choice. LinkedIn informs mem-
`bers that data on their “public-facing” profiles may be in-
`dexed by search engines, and allows them to limit which
`parts of their profiles are indexed, or opt out of being in-
`dexed altogether. 4ER-762, 4ER-772.
`In contrast, third parties such as hiQ surreptitiously
`deploy bots without permission to access LinkedIn’s
`computer servers and copy personal data that members
`have entrusted to LinkedIn. 3ER-759-761. These bots
`operate on a massive scale, scraping and analyzing data
`on a magnitude that even a vast army of human viewers
`could not replicate.6 Some go so far as to make complete
`mirror-image copies of LinkedIn’s website. Once the
`data is scraped from LinkedIn’s servers, the scraper is
`able to repurpose that data in any manner the scraper
`desires—for instance, by combining it with data found
`elsewhere (such as photographs, telephone numbers or
`addresses), or selling it to the highest bidder.
`
`
`6 Although bots harvest data that is viewable by individual com-
`puter users, the massive scale of bot scraping renders it different
`in kind from individual human viewing. Bots can make thou-
`sands of server requests per second, “far in excess of what a hu-
`man can accomplish.” eBay, 100 F. Supp. 2d at 1061. While indi-
`viduals are aware that their personal data can be viewed on pub-
`licly-available websites, efforts to manually harvest such data
`would be “difficult and costly,” providing a “practical” limitation
`on such efforts. United States v. Jones, 565 U.S. 400, 429 (2012)
`(Alito, J., concurring in the judgment). But bots, which make
`“monitor[ing] and catalogu[ing] every single” profile change “easy
`and cheap,” remove any such practical constraint. Id. at 429-30.
`
`
`
`
`10
`
`Website owners use technology to prevent unauthor-
`ized bots from accessing their servers. One method, em-
`ployed by LinkedIn and countless other website owners,
`is to use automated countermeasures that identify and
`block unauthorized bots. LinkedIn invests millions of
`dollars annually on such countermeasures, which block
`roughly 95 million bot access attempts per day. 4ER759-
`761. But blocking unauthorized bots is a perpetual game
`of cat and mouse. Those who deploy bots that have been
`stymied by LinkedIn’s technical barriers routinely rede-
`sign their bots to evade those barriers—including by
`masking their identities. 3ER-433.
`As a result, LinkedIn also resorts to legal action.
`LinkedIn’s User Agreement expressly prohibits using
`automated software—including “bots”—to access and
`scrape member data from LinkedIn’s computers. 4ER-
`761-762. LinkedIn “reserves the right to restrict, sus-
`pend, or terminate” the access of those found to abuse
`their access privileges, including by scraping LinkedIn’s
`computers with bots, 4ER-772, 4ER-775, and has sent
`cease and desist letters to offenders putting them on
`clear notice of such terms. And as particularly relevant
`here, LinkedIn also relies on the CFAA’s prohibition
`against unauthorized access to computer servers.
`3. hiQ runs a business that free rides on LinkedIn’s
`investment and entrepreneurship and disregards
`LinkedIn members’ interests. hiQ’s bots continuously
`mass-scrape member profiles from LinkedIn’s servers
`without the consent of LinkedIn or its members, and hiQ
`then repackages that data to sell to its clients. 4ER-766.
`The bots use various methods to evade LinkedIn’s tech-
`nical measures, including by using anonymous IP ad-
`dresses that mask what they are doing. In so doing, they
`circumvent “LinkedIn’s measures to prevent use of bots
`and implementation of IP address blocks.” Pet. App. 61a;
`4ER-766.
`
`
`
`
`
`11
`
`After surreptitiously scraping data from LinkedIn’s
`servers, hiQ incorporates that data into the two products
`that it sells to its clients: (1) Keeper, which identifies for
`employers which employees are most likely to be re-
`cruited away (by assigning each user a “flight score”);
`and (2) Skill Mapper, which summarizes employees’
`skills in the aggregate. Pet. App. 5a-6a. hiQ introduced
`no evidence that these services benefit LinkedIn mem-
`bers, and it is easy to understand how they might not: if
`an employer believes an employee is about to leave, the
`employer could terminate the employee, diminish her
`role, or refuse to give her access to confidential infor-
`mation, even if she actually has no intention of leaving.
`Although LinkedIn’s User Agreement and Privacy
`Policy limit how LinkedIn can use the data that mem-
`bers entrust to it, LinkedIn members have not given
`their data to third parties like hiQ, and hiQ has no con-
`tractual relationship with LinkedIn’s members. Nor
`does hiQ’s Keeper product respect members’ use of
`LinkedIn’s “Do Not Broadcast” feature. See Pet. App.
`46a; supra p. 8 n. 5. hiQ simply uses the data in what-
`ever way it finds advantageous, with no regard for the
`privacy interests of LinkedIn members. LinkedIn mem-
`bers unsurprisingly have complained to LinkedIn when
`information that they wished not to share has been
`scraped and made available on third party websites.
`3ER-431.
`C. Proceedings Below
`1. LinkedIn sent hiQ a cease-and-desist letter on May
`23, 2017, demanding that hiQ stop accessing LinkedIn’s
`servers to scrape LinkedIn member data. The letter ex-
`plained that hiQ’s use of bots to scrape data circum-
`vented LinkedIn’s technical protection measures and vi-
`olated LinkedIn’s User Agreement, and that any further
`
`
`
`
`
`12
`
`access to LinkedIn’s servers would be “without authori-
`zation” under the CFAA. The letter also explained that
`LinkedIn was
`implementing additional “technical
`measures to prevent hiQ from accessing, and assisting
`others to access, LinkedIn’s site.” 4ER-743.
`In response, hiQ brought this suit. hiQ’s complaint
`alleged four affirmative claims for relief based on Cali-
`fornia tort and constitutional law, and sought a declara-
`tory judgment that LinkedIn could not lawfully invoke
`the CFAA against it to stop its bot-based scraping. Pet.
`App. 42a-43a. hiQ also sought a temporary restraining
`order, which was converted into a motion for a prelimi-
`nary injunction. Pet. App. 7a-8a. The district court
`granted that motion. Pet. App. 75a-76a. It held that hiQ
`had demonstrated “serious questions” about one of its
`claims for affirmative relief under California law and it
`rejected as a matter of law LinkedIn’s argument that
`LinkedIn’s invocation of the CFAA preempted hiQ’s af-
`firmative state law claims. Pet. App. 49a-64a, 69a-72a.
`2. The Ninth Circuit affirmed. It recognized that “to
`scrape LinkedIn data, hiQ must access LinkedIn servers,
`which are ‘protected computer[s]’” under the CFAA. Pet.
`App. 23a. It further noted that if hiQ’s access is “‘without
`authorization’ within the meaning of the CFAA,” then
`hiQ “could have no legal right of access to LinkedIn’s
`data and so could not succeed on any of its state law
`claims.” Pet. App. 23a. But it held that LinkedIn could
`not rely on the CFAA as a defense.
`In interpreting the text of the statute, the Ninth Cir-
`cuit observed that the phrase “without authorization”
`means “accessing a protected computer without permis-
`sion.” Pet. App. 23a. The court then held, however, that
`the CFAA has no application in situations where a “prior
`authorization is not generally required, but a particular
`
`
`
`
`
`13
`
`person—or bot—is refused access.” Pet. App. 24a. Ac-
`cording to the court, the CFAA’s prohibition of access
`“‘without authorization’ … suggests a baseline in which
`access is not generally available and so permission is or-
`dinarily required …. Where the default is free access
`without authorization, in ordinary parlance one would
`characterize selective denial of access as a ban, not as a
`lack of ‘authorization.’” Pet. App. 24a. Although the in-
`formation that hiQ wanted to access on LinkedIn’s com-
`puters was protected by numerous technical measures
`designed to prevent unauthorized bot access, because
`LinkedIn did not employ a password system, the Ninth
`Circuit determined that “permission is not required.”
`Pet. App. 28a. As a result, even though LinkedIn’s serv-
`ers are its private property, LinkedIn could not revoke
`hiQ’s permission to access them, and could not render
`hiQ’s access “without authorization.” Pet. App. 28a. This
`textual interpretation, the court acknowledged, may be
`“debatable.” Pet. App. 24a.
`With respect to the user data and privacy implica-
`tion