LinkedIn Can’t Block Third-Party Scanning Of Public Profiles To Identify Employees Most Likely To Leave

LinkedIn is trying to stop a third-party analytics firm from scanning publicly available profiles on the networking site with the purpose of identifying employees most likely to jump ship to a competitor. But a federal judge has granted an injunction against LinkedIn, saying the company appears to be misinterpreting the law in a way that “could profoundly impact open access to the Internet.”

hiQ is a California-based tech startup that analyzes data from public LinkedIn profiles to then tell its clients which of their employees are at the greatest risk of being lured away by the competition. hiQ also provides a “Skill Mapper” product which uses the same data to create a summary of an individual worker’s skills.

The firm has been operating since 2012, but recently LinkedIn blocked hiQ’s access to the public section of the site. When hiQ continued trying to scan LinkedIn profiles, it received a cease-and-desist notice alleging that hiQ could be violating the federal Computer Fraud and Abuse Act, Digital Millennium Copyright Act, and along with allegations of state and common law violations.

Rather than wait to be sued by LinkedIn, hiQ filed a complaint [PDF] of its own in June, seeking a declaratory judgment clarifying that it is not breaking the law as LinkedIn contends. The company argues that LinkedIn is using the threat of legal action “for an improper purpose to obtain exclusive proprietary control over wholly public data in which it otherwise has no exclusive interest and which hiQ, and anyone else, can freely access on the world wide web with no log-in credentials or password.”

hiQ also asked the court for a temporary restraining order [PDF] barring LinkedIn from blocking hiQ’s access pending the outcome of the case.

Yesterday, the judge in this lawsuit granted that injunction against LinkedIn.

Privacy threat?

The networking site had argued that hiQ’s continued scanning of LinkedIn profiles was a privacy threat to its users. It contended that even people with fully public profiles may still not want anyone tracking changes to their information, particularly since an update to one’s LinkedIn profile could be a red flag that an employee is looking to make an exit.

LinkedIn pointed out that it offers — and 50 million users take advantage of — a “Do Not Broadcast” feature that stops LinkedIn from notifying others when a change has been made to a profile.

But the judge was not convinced, noting that there are various plausible reasons why someone might use this feature — like not wanting to be inundated with unwanted and unsolicited emails just because you tweaked your profile — that are not relevant to hiQ’s scanning.

What’s good for the goose…

More importantly, the judge found that LinkedIn undermines its own argument by explicitly allowing other third-party services to scan public profiles without users’ knowledge or consent.

LinkedIn’s marketing materials for its own “Recruiter” service, which lets professional recruiters scan profiles to identify potential job candidates, also seem to work against the company’s supposed pro-privacy stance, said the judge.
According to those materials, “following” a user means that “when they update their profile or celebrate a work anniversary, you’ll receive an update on your homepage. And don’t worry – they don’t know you’re following them.”

This is all fine, countered LinkedIn, saying that Recruiter is allowed under the LinkedIn privacy policy, while third-party data scraping like that done by hiQ is not.

“It is unlikely, however, that most users’ actual privacy expectations are shaped by the fine print of a privacy policy buried in the User Agreement that likely few, if any, users have actually read,” responds the judge. “To the contrary, it is not obvious that LinkedIn members who decide to set their profiles to be publicly viewable expect much privacy at all in the profiles they post.”

In terms of balancing the possible harms, the judge determined that hiQ — whose entire business model is based on accessing public LinkedIn info — would likely have to go out of business if it were barred from this data. On the other side, the judge noted that “LinkedIn has presented no evidence of harm, financial or otherwise resulting from hiQ’s activities,” even though this scraping has been occurring for five years.

Misinterpreting the law?

The Computer Fraud and Abuse Act (CFAA) is a law created to fight hacking by creating criminal and civil liability for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information from any protected computer.”

In its cease-and-desist notice to hiQ, LinkedIn claimed that hiQ would be in violation of CFAA if it continued trying to access public LinkedIn profiles.

However, the judge found that LinkedIn failed to adequately explain how going on to a free, publicly available, no-registration-required website could be considered a CFAA violation. In court, the legal precedents offered by LinkedIn to support their claim both involved accessing password protected networks or accounts.

The CFAA, created years before invention of the World Wide Web, was not intended to police access to freely available websites, explained the judge, and adopting LinkedIn’s overbroad view of the law could be problematic.

“Under LinkedIn’s interpretation of the CFAA, a website would be free to revoke ‘authorization’ with respect to any person, at any time, for any reason, and invoke the CFAA for enforcement, potentially subjecting an Internet user to criminal, as well as civil, liability,” explains the judge. “[M]erely viewing a website in contravention of a unilateral directive from a private entity would be a crime, effectuating the digital equivalence of Medusa. The potential for such exercise of power over access to publicly viewable information by a private entity weaponized by the potential of criminal sanctions is deeply concerning.”

Accepting LinkedIn’s argument might allow website owners to block access to users based on race or gender, says the judge.

“Political campaigns could block selected news media, or supporters of rival candidates, from accessing their websites,” he continues. “Companies could prevent competitors or consumer groups from visiting their websites to learn about their products or analyze pricing… A broad reading of the CFAA could stifle the dynamic evolution and incremental development of state and local laws addressing the delicate balance between open access to information and privacy – all in the name of a federal statute enacted in 1984 before the advent of the World Wide Web.”

The injunction orders LinkedIn to retract its cease-and-desist threats and remove any barriers it has constructed to block hiQ’s access to the site.

The injunction isn’t the final word on this case, but it does appear to provide an indication that the judge sees little merit in LinkedIn’s claims

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.