Sunday, April 17, 2022

U.S. Court of Appeals for the Ninth Circuit, HIQ Labs, Inc. v. LinkedIn Corp., Docket No. 17-16783

Preliminary Injunction

Injunctive Relief

 

Declaratory Judgment

 

Temporary Restraining Order

 

To Use LinkedIn Public Profile Data

 

Non-Exclusive License

 

Ownership Interest

 

To Access a Computer Without Authorization

 

Tortious Interference with Contract

 

Legitimate Business Purpose

 

Cease-and-Desist Letters and Interference

 

California Law

Computer Fraud and Abuse Act (CFAA)

 

 

 

On Remand from the United States Supreme Court

 

 

On remand from the United States Supreme Court, the panel affirmed the district court’s order preliminarily enjoining LinkedIn Corp. from denying hiQ Labs, Inc., a data analytics company, access to publicly available member profiles on LinkedIn’s professional networking website.

 

The panel previously affirmed the preliminary injunction. The Supreme Court granted certiorari, vacated the panel’s judgment, and remanded for further consideration in light of Van Buren v. United States, 141 S. Ct. 1648 (2021). On remand, the panel again affirmed the preliminary injunction, concluding that Van Buren reinforced its determination that hiQ had raised serious questions about whether LinkedIn may invoke the Computer Fraud and Abuse Act (“CFAA”) to preempt hiQ’s possibly meritorious tortious interference claim.

 

The panel held that a plaintiff seeking a preliminary injunction must establish that it is likely to succeed on the merits, that it is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in its favor, and that an injunction is in the public interest. The court uses a “sliding scale” approach to these factors, so that when the balance of hardships tips sharply in the plaintiff’s favor, it need demonstrate only serious questions going to the merits. Applying this approach, the district court concluded that the balance of hardships tipped sharply in hiQ’s favor and that hiQ raised serious questions on the merits.

 

The panel held that the district court did not abuse its discretion in concluding on the preliminary injunction record that hiQ currently had no viable way to remain in business other than using LinkedIn public profile data for its “Keeper” and “Skill Mapper” analytics services, and that hiQ therefore had demonstrated a likelihood of irreparable harm absent a preliminary injunction.

 

The panel concluded that the district court properly determined that the balance of hardships tipped sharply in hiQ’s favor, when weighing the likelihood that hiQ would go out of business against LinkedIn’s assertion that an injunction threatened its members’ privacy and therefore put at risk the goodwill that LinkedIn had developed with its members.

 

The panel concluded that hiQ showed a sufficient likelihood of establishing the elements of its claim for intentional interference with contract, and it raised a serious question on the merits of LinkedIn’s affirmative justification defense. Further, hiQ raised serious questions about whether LinkedIn could invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim. The CFAA prohibits accessing a “protected computer” without authorization. The panel concluded that to scrape LinkedIn data, hiQ needed to access LinkedIn servers, which were “protected computers.” At issue was whether, once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was “without authorization” within the meaning of the CFAA. The panel concluded that hiQ raised a serious question as to whether the CFAA “without authorization” concept is inapplicable where, as here, prior authorization is not generally required but a particular person—or bot—is refused access. The panel concluded that the reasoning of Van Buren reinforced its interpretation of the CFAA, although Van Buren did not directly address the CFAA’s “without authorization” clause, but rather considered the statute’s “exceeds authorized access” clause.

 

Finally, the panel concluded that the district court properly determined that, on balance, the public interest favored hiQ’s position.

 

The panel affirmed the district court’s determination that hiQ had established the elements required for a preliminary injunction and remanded for further proceedings.

 

HiQ is a data analytics company founded in 2012. Using automated bots, it scrapes information that LinkedIn users have included on public LinkedIn profiles, including name, job title, work history, and skills. It then uses that information, along with a proprietary predictive algorithm, to yield “people analytics,” which it sells to business clients.

 

 

In May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting that hiQ was in violation of LinkedIn’s User Agreement and demanding that hiQ stop accessing and copying data from LinkedIn’s server. The letter stated that if hiQ accessed LinkedIn’s data in the future, it would be violating state and federal law, including the CFAA, the Digital Millennium Copyright Act (“DMCA”), California Penal Code § 502(c), and the California common law of trespass. The letter further stated that LinkedIn had “implemented technical measures to prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that detect, monitor, and block scraping activity.”

 

 

HiQ’s response was to demand that LinkedIn recognize hiQ’s right to access LinkedIn’s public pages and to threaten to seek an injunction if LinkedIn refused. A week later, hiQ filed an action, seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA, the DMCA, California Penal Code § 502(c), or the common law of trespass against it. HiQ also filed a request for a temporary restraining order, which the parties subsequently agreed to convert into a motion for a preliminary injunction.

 

 

The district court granted hiQ’s motion. It ordered LinkedIn to withdraw its cease-and-desist letter, to remove any existing technical barriers to hiQ’s access to public profiles, and to refrain from putting in place any legal or technical measures with the effect of blocking hiQ’s access to public profiles. LinkedIn timely appealed.

 

 

We begin with the likelihood of irreparable injury to hiQ if preliminary relief were not granted. “Monetary injury is not normally considered irreparable.” Los Angeles Mem’l Coliseum Comm’n v. Nat’l Football League, 634 F.2d 1197, 1202 (9th Cir. 1980). Nonetheless, “the threat of being driven out of business is sufficient to establish irreparable harm.” Am. Passage Media Corp. v. Cass Commc’ns, Inc., 750 F.2d 1470, 1474 (9th Cir. 1985).

 

 

B. Balance of the Equities

 

Next, the district court “balanced the interests of all parties and weighed the damage to each in determining the balance of the equities.” CTIA - The Wireless Ass’n v. City of Berkeley, Calif., 928 F.3d 832, 852 (9th Cir. 2019) (internal quotation marks and citation omitted). Again, it did not abuse its discretion in doing so.

 

 

We conclude that the district court’s determination that the balance of hardships tips sharply in hiQ’s favor is not “illogical, implausible, or without support in the record.” Kelly, 878 F.3d at 713.

 

 

C. Likelihood of Success 

 

Because hiQ has established that the balance of hardships tips decidedly in its favor, the likelihood-of-success prong of the preliminary injunction inquiry focuses on whether hiQ has raised “serious questions going to the merits.” Alliance for the Wild Rockies, 632 F.3d at 1131. It has.

 

 

1.   Tortious Interference with Contract

 

HiQ alleges that LinkedIn intentionally interfered with hiQ’s contracts with third parties. “The elements which a plaintiff must plead to state the cause of action for intentional interference with contractual relations are (1) a valid contract between plaintiff and a third party; (2) defendant’s knowledge of this contract; (3) defendant’s intentional acts designed to induce a breach or disruption of the contractual relationship; (4) actual breach or disruption of the contractual relationship; and (5) resulting damage.” Pac. Gas & Elec. Co. v. Bear Stearns & Co., 50 Cal. 3d 1118, 1126 (1990).

 

 

Under California law, tortious interference with contract claims are not limited to circumstances in which the defendant has caused the third party with whom the plaintiff has contracted to breach the agreement. “The most general application of the rule is to cases where the party with whom the plaintiff has entered into an agreement has been induced to breach it, but the rule is also applicable where the plaintiff’s performance has been prevented or rendered more expensive or burdensome and where he has been induced to breach the contract by conduct of the defendant, such as threats of economic reprisals.” Lipman v. Brisbane Elementary Sch. Dist., 55 Cal. 2d 224, 232 (1961), abrogated on other grounds by Brown v. Kelly Broad. Co., 48 Cal. 3d 711, 753 n. 37 (1989); see also Pac. Gas & Elec. Co., 50 Cal. 3d at 1129 (“We have recognized that interference with the plaintiff’s performance may give rise to a claim for interference with contractual relations if plaintiff’s performance is made more costly or more burdensome.”).

 

 

Third, LinkedIn’s threats to invoke the CFAA and implementation of technical measures selectively to ban hiQ bots could well constitute “intentional acts designed to induce a breach or disruption” of hiQ’s contractual relationships with third parties. Pac. Gas & Elec. Co., 50 Cal. 3d at 1126; cf. Winchester Mystery House, LLC v. Global Asylum, Inc., 210 Cal. App. 4th 579, 597 (2012) (indicating that “cease-and-desist letters . . . referring to a contractual or other economic relationship between plaintiff and any third party” could “establish . . . the . . . intent element of the interference claim”).

 

 

Under California law, a legitimate business purpose can indeed justify interference with contract, but not just any such purpose suffices. See id. at 55–56. Where a contractual relationship exists, the societal interest in “contractual stability is generally accepted as of greater importance than competitive freedom.” Imperial Ice Co. v. Rossier, 18 Cal. 2d 33, 36 (1941). Emphasizing the “distinction between claims for the tortious disruption of an existing contract and claims that a prospective contractual or economic relationship has been interfered with by the defendant,” the California Supreme Court instructs that we must “bring a greater solicitude to those relationships that have ripened into agreements.” Della Penna v. Toyota Motor Sales, U.S.A., Inc., 11 Cal. 4th 376, 392 (1995). Thus, interference with an existing contract is not justified simply because a competitor “seeks to further his own economic advantage at the expense of another.” Imperial Ice, 18 Cal. 2d at 36; see id. at 37 (“A party may not . . . under the guise of competition . . . induce the breach of a competitor’s contract in order to secure an economic advantage.”). Rather, interference with contract is justified only when the party alleged to have interfered acted “to protect an interest that has greater social value than insuring the stability of the contract” interfered with. Id. at 35.

 

 

(…) Second, LinkedIn’s means of interference is likely not a “recognized trade practice” as California courts have understood that term. “Recognized trade practices” include such activities as “advertising,” “price-cutting,” and “hiring the employees of another for use in the hirer’s business,” Buxbom, 23 Cal. 2d at 546–47—all practices which may indirectly interfere with a competitor’s contracts but do not fundamentally undermine a competitor’s basic business model. LinkedIn’s proactive technical measures to selectively block hiQ’s access to the data on its site are not similar to trade practices previously recognized as acceptable justifications for contract interference.

 

 

(…) LinkedIn has only a non-exclusive license to the data shared on its platform, not an ownership interest.

 

 

 

1.   Computer Fraud and Abuse Act (CFAA)

 

 

Our inquiry does not end, however, with the state law tortious interference claim. LinkedIn argues that even if hiQ can show a likelihood of success on any of its state law causes of action, all those causes of action are preempted by the CFAA, 18 U.S.C. § 1030, which LinkedIn asserts that hiQ violated. The CFAA states that “whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished” by fine or imprisonment. 18 U.S.C. § 1030(a)(2)(C). The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” 18 U.S.C. § 1030(e)(2)(B)—effectively any computer connected to the Internet, see United States v. Nosal (Nosal II), 844 F.3d 1024, 1050 (9th Cir. 2016), cert. denied, 138 S. Ct. 314 (2017)—including servers, computers that manage network resources and provide data to other computers. LinkedIn’s computer servers store the data members share on LinkedIn’s platform and provide that data to users who request to visit its website. Thus, to scrape LinkedIn data, hiQ must access LinkedIn servers, which are “protected computers.” See Nosal II, 844 F.3d at 1050. The pivotal CFAA question here is whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was “without authorization” within the meaning of the CFAA and thus a violation of the statute. 18 U.S.C. § 1030(a)(2). If so, LinkedIn maintains, hiQ could have no legal right of access to LinkedIn’s data and so could not succeed on any of its state law claims, including the tortious interference with contract claim we have held otherwise sufficient for preliminary injunction purposes.

 

 

We have held in another context that the phrase “‘without authorization’ is a non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Nosal II, 844 F.3d at 1028. Nosal II involved an employee accessing without permission an employer’s private computer for which access permissions in the form of user accounts were required. Id. at 1028–29. Nosal II did not address whether access can be “without authorization” under the CFAA where, as here, prior authorization is not generally required, but a particular person—or bot—is refused access. HiQ’s position is that Nosal II is consistent with the conclusion that where access is open to the general public, the CFAA “without authorization” concept is inapplicable. At the very least, we conclude, hiQ has raised a serious question as to this issue. First, the wording of the statute, forbidding “access . . . without authorization,” 18 U.S.C. § 1030(a)(2), suggests a baseline in which access is not generally available and so permission is ordinarily required. “Authorization” is an affirmative notion, indicating that access is restricted to those specially recognized or admitted. See, e.g., Black’s Law Dictionary (11th ed. 2019) (defining “authorization” as “official permission to do something; sanction or warrant”). Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of “authorization.” Cf. Blankenhorn v. City of Orange, 485 F.3d 463, 472 (9th Cir. 2007) (characterizing the exclusion of the plaintiff in particular from a shopping mall as “banning”).

 

 

In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA’s “without authorization” provision adopted by some of our sister circuits. Compare Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016), cert. denied, 138 S. Ct. 313 (2017) (“A violation of the terms of use of a website—without more—cannot establish liability under the CFAA.”); Nosal I, 676 F.3d at 862 (“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”) (…).

 

 

(…) For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.

 

 

 

(U.S. Court of Appeals for the Ninth Circuit, April 18, 2022, HIQ Labs, Inc. v. LinkedIn Corp., Docket No. 17-16783, for Publication)
