Argued
and Submitted March 15, 2018 San Francisco, California
Appeal
from the United States District Court for the Northern
District of California, D.C. No. 3:17-cv-03301-EMC, Edward M.
Chen, District Judge, Presiding
Donald
B. Verrilli Jr. (argued) and Chad I. Golder, Munger Tolles
& Olson LLP, Washington, D.C.; Jonathan H. Blavin,
Rosemarie T. Ring, Nicholas D. Fram, and Elia Herrera, Munger
Tolles & Olson LLP, San Francisco, California; E. Joshua
Rosenkranz, Orrick Herrington & Sutcliffe LLP, New York,
New York; Eric A. Shumsky, Orrick Herrington & Sutcliffe
LLP, Washington, D.C.; Brian P. Goldman, Orrick Herrington
& Sutcliffe LLP, San Francisco, California; for
Defendant-Appellant.
C.
Brandon Wisoff (argued), Deepak Gupta, Jeffrey G. Lau, and
Rebecca H. Stephens, Farella Braun & Martel LLP, San
Francisco, California; Aaron M. Panner, Gregory G. Rapawy,
and T. Dietrich Hill, Kellogg Hansen Todd Figel &
Frederick PLLC, Washington, D.C.; Laurence H. Tribe,
Cambridge, Massachusetts; for Plaintiff-Appellee.
Nicholas J. Boyle, John S. Williams, and Eric J. Hamilton,
Williams & Connolly LLP, Washington, D.C., for Amicus
Curiae CoStar Group Inc.
Perry
J. Viscounty, Latham & Watkins LLP, San Francisco,
California; Gregory G. Garre, Latham & Watkins LLP,
Washington, D.C.; for Amicus Curiae Craigslist Inc.
Marc
Rotenberg and Alan Butler, Electronic Privacy Information
Center, Washington, D.C., for Amicus Curiae Electronic
Privacy Information Center.
Thomas
V. Christopher, Law Offices of Thomas V. Christopher, San
Francisco, California, for Amicus Curiae 3taps Inc.
Jamie
Williams, Corynne McSherry, Cindy Cohn, and Nathan Cardozo,
Electronic Frontier Foundation, San Francisco, California,
for Amici Curiae Electronic Frontier Foundation, DuckDuckGo,
and Internet Archive.
Kenneth L. Wilton and James M. Harris, Seyfarth Shaw LLP, Los
Angeles, California; Carrie P. Price, Seyfarth Shaw LLP, San
Francisco, California; for Amicus Curiae Scraping Hub Ltd.
Before: J. Clifford Wallace and Marsha S. Berzon, Circuit
Judges, and Terrence Berg, [*] District Judge.
SUMMARY[**]
Preliminary
Injunction / Computer Fraud and Abuse Act
The
panel affirmed the district court's preliminary
injunction forbidding the professional networking website
LinkedIn Corp. from denying plaintiff hiQ, a data analytics
company, access to publicly available LinkedIn member
profiles.
Using
automated bots, hiQ scrapes information that LinkedIn users
have included on public LinkedIn profiles. LinkedIn sent hiQ
a cause-and-desist letter, demanding that hiQ stop accessing
and copying data from LinkedIn's server. HiQ filed suit,
seeking injunctive relief based on California law and a
declaratory judgment that LinkedIn could not lawfully invoke
the Computer Fraud and Abuse Act ("CFAA"), the
Digital Millennium Copyright Act, California Penal Code
§ 502(c), or the common law of trespass against it.
Affirming
the district court's grant of the preliminary injunction
in favor of hiQ, the panel concluded that hiQ established a
likelihood of irreparable harm because the survival of its
business was threatened. The panel held that the district
court did not abuse its discretion in balancing the equities
and concluding that, even if some LinkedIn users retain some
privacy interests in their information notwithstanding their
decision to make their profiles public, those interests did
not outweigh hiQ's interest in continuing its business.
Thus, the balance of hardships tipped decidedly in favor of
hiQ.
The
panel further held that hiQ raised serious questions going to
(1) the merits of its claim for tortious interference with
contract, alleging that LinkedIn intentionally interfered
with its contracts with third parties, and (2) the merits of
LinkedIn's legitimate business purpose defense. HiQ also
raised a serious question as to whether its state law causes
of action were preempted by the CFAA, which prohibits
intentionally accessing a computer without authorization, or
exceeding authorized access, and thereby obtaining
information from any protected computer. LinkedIn argued
that, once hiQ received its cause-and-desist letter, any
further scraping and use of LinkedIn's data was without
authorization within the meaning of the CFAA. The panel
concluded that hiQ had raised a serious question as to
whether the CFAA's reference to access "without
authorization" limits the scope of statutory coverage to
computer information for which authorization or access
permission, such as password authentication, is generally
required.
Finally,
the panel held that the district court's conclusion that
the public interest favored granting the preliminary
injunction was appropriate.
Specially
concurring, Judge Wallace wrote that he concurred in the
majority opinion. He wrote separately to express his concern
about appealing from a preliminary injunction to obtain an
appellate court's view of the merits.
OPINION
BERZON, CIRCUIT JUDGE.
May
LinkedIn, the professional networking website, prevent a
competitor, hiQ, from collecting and using information that
LinkedIn users have shared on their public profiles,
available for viewing by anyone with a web browser? HiQ, a
data analytics company, obtained a preliminary injunction
forbidding LinkedIn from denying hiQ access to publicly
available LinkedIn member profiles. At this preliminary
injunction stage, we do not resolve the companies' legal
dispute definitively, nor do we address all the claims and
defenses they have pleaded in the district court. Instead, we
focus on whether hiQ has raised serious questions on the
merits of the factual and legal issues presented to us, as
well as on the other requisites for preliminary relief.
I.
Founded
in 2002, LinkedIn is a professional networking website with
over 500 million members. Members post resumes and job
listings and build professional "connections" with
other members. LinkedIn specifically disclaims ownership of
the information users post to their personal profiles:
according to LinkedIn's User Agreement, members own the
content and information they submit or post to LinkedIn and
grant LinkedIn only a non-exclusive license to "use,
copy, modify, distribute, publish, and process" that
information.
LinkedIn
allows its members to choose among various privacy settings.
Members can specify which portions of their profile are
visible to the general public (that is, to both LinkedIn
members and nonmembers), and which portions are visible only
to direct connections, to the member's
"network" (consisting of LinkedIn members within
three degrees of connectivity), or to all LinkedIn
members.[1] This case deals only with profiles made
visible to the general public.
LinkedIn
also offers all members-whatever their profile privacy
settings-a "Do Not Broadcast" option with respect
to every change they make to their profiles. If a LinkedIn
member selects this option, her connections will not be
notified when she updates her profile information, although
the updated information will still appear on her profile page
(and thus be visible to anyone permitted to view her profile
under her general privacy setting). More than 50 million
LinkedIn members have, at some point, elected to employ the
"Do Not Broadcast" feature, and approximately 20
percent of all active users who updated their profiles
between July 2016 and July 2017-whatever their privacy
setting-employed the "Do Not Broadcast" setting.
LinkedIn
has taken steps to protect the data on its website from what
it perceives as misuse or misappropriation. The instructions
in LinkedIn's "robots.txt" file-a text file
used by website owners to communicate with search engine
crawlers and other web robots-prohibit access to LinkedIn
servers via automated bots, except that certain entities,
like the Google search engine, have express permission from
LinkedIn for bot access.[2] LinkedIn also employs several
technological systems to detect suspicious activity and
restrict automated scraping.[3] For example, LinkedIn's
Quicksand system detects non-human activity indicative of
scraping; its Sentinel system throttles (slows or limits) or
even blocks activity from suspicious IP
addresses;[4] and its Org Block system generates a list
of known "bad" IP addresses serving as large-scale
scrapers. In total, LinkedIn blocks approximately 95 million
automated attempts to scrape data every day, and has
restricted over 11 million accounts suspected of violating
its User Agreement, >[5]including through scraping.
HiQ is
a data analytics company founded in 2012. Using automated
bots, it scrapes information that LinkedIn users have
included on public LinkedIn profiles, including name, job
title, work history, and skills. It then uses that
information, along with a proprietary predictive algorithm,
to yield "people analytics," which it sells to
business clients.
HiQ
offers two such analytics. The first, Keeper, purports to
identify employees at the greatest risk of being recruited
away. According to hiQ, the product enables employers to
offer career development opportunities, retention bonuses, or
other perks to retain valuable employees. The second, Skill
Mapper, summarizes employees' skills in the aggregate.
Among other things, the tool is supposed to help employers
identify skill gaps in their workforces so that they can
offer internal training in those areas, promoting internal
mobility and reducing the expense of external recruitment.
HiQ
regularly organizes "Elevate" conferences, during
which participants discuss hiQ's business model and share
best practices in the people analytics field. LinkedIn
representatives participated in Elevate conferences beginning
in October 2015. At least ten LinkedIn representatives
attended the conferences. LinkedIn employees have also spoken
at Elevate conferences. In 2016, a LinkedIn employee was
awarded the Elevate "Impact Award." LinkedIn
employees thus had an opportunity to learn about hiQ's
products, including "that [one of] hiQ's product[s]
used data from a variety of sources-internal and external-to
predict employee attrition" and that hiQ "collected
skills data from public professional profiles in order to
provide hiQ's customers information about their
employees' skill sets."
In
recent years, LinkedIn has explored ways to capitalize on the
vast amounts of data contained in LinkedIn profiles by
marketing new products. In June 2017, LinkedIn's Chief
Executive Officer ("CEO"), Jeff Weiner, appearing
on CBS, explained that LinkedIn hoped to "leverage all
this extraordinary data we've been able to collect by
virtue of having 500 million people join the site."
Weiner mentioned as possibilities providing employers with
data-driven insights about what skills they will need to grow
and where they can find employees with those skills. Since
then, LinkedIn has announced a new product, Talent Insights,
which analyzes LinkedIn data to provide companies with such
data-driven information.[6]
In May
2017, LinkedIn sent hiQ a cease-and-desist letter, asserting
that hiQ was in violation of LinkedIn's User Agreement
and demanding that hiQ stop accessing and copying data from
LinkedIn's server. The letter stated that if hiQ accessed
LinkedIn's data in the future, it would be violating
state and federal law, including the Computer Fraud and Abuse
Act ("CFAA"), the Digital Millennium Copyright Act
("DMCA"), California Penal Code § 502(c), and
the California common law of trespass. The letter further
stated that LinkedIn had "implemented technical measures
to prevent hiQ from accessing, and assisting others to
access, LinkedIn's site, through systems that detect,
monitor, and block scraping activity."
HiQ's
response was to demand that LinkedIn recognize hiQ's
right to access LinkedIn's public pages and to threaten
to seek an injunction if LinkedIn refused. A week later, hiQ
filed suit, seeking injunctive relief based on California law
and a declaratory judgment that LinkedIn could not lawfully
invoke the CFAA, the DMCA, California Penal Code §
502(c), or the common law of trespass against it. HiQ also
filed a request for a temporary restraining order, which the
parties subsequently agreed to convert into a motion for a
preliminary injunction.
The
district court granted hiQ's motion. It ordered LinkedIn
to withdraw its cease-and-desist letter, to remove any
existing technical barriers to hiQ's access to public
profiles, and to refrain from putting in place any legal or
technical measures with the effect of blocking hiQ's
access to public profiles. LinkedIn timely appealed.
II.
"A
plaintiff seeking a preliminary injunction must establish
that he is likely to succeed on the merits, that he is likely
to suffer irreparable harm in the absence of preliminary
relief, that the balance of equities tips in his favor, and
that an injunction is in the public interest."
Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7,
20 (2008). All four elements must be satisfied. See,
e.g., Am. Trucking Ass'n v. City of Los
Angeles, 559 F.3d 1046, 1057 (9th Cir. 2009). We use a
"sliding scale" approach to these factors,
according to which "a stronger showing of one element
may offset a weaker showing of another." Alliance
for the Wild Rockies v. Cottrell, 632 F.3d 1127, 1131
(9th Cir. 2011). So, when the balance of hardships tips
sharply in the plaintiff's favor, the plaintiff need
demonstrate only "serious questions going to the
merits." Id. at 1135.
Applying
that sliding scale approach, the district court granted hiQ a
preliminary injunction, concluding that the balance of
hardships tips sharply in hiQ's favor and that hiQ raised
serious questions on the merits. We review the district
court's decision to grant a preliminary injunction for
abuse of discretion. The grant of a preliminary injunction
constitutes an abuse of discretion if the district
court's evaluation or balancing of the pertinent factors
is "illogical, implausible, or without support in the
record." Doe v. Kelly, 878 F.3d 710, 713 (9th
Cir. 2017).
A.
...