Legal Case Shows Social Networks Can’t Remain Neutral On User Privacy

The LinkedIn/hiQ case highlights the tension between the desire to protect users' privacy and the free flow of information.
Ron MosconaAugust 23, 2017
Legal Case Shows Social Networks Can’t Remain Neutral On User Privacy

What is more important — that LinkedIn should be able to control the commercial use of its vast database of users’ “public profile” data (to protect the privacy of users, among other motivations) or that anyone should be able to access and exploit data that individuals choose to put in the public domain (in the interest of promoting an open and competitive market)?

A California court decided this month, albeit only at the preliminary stage, to favor the interests of competitiveness over privacy in granting a temporary injunction against LinkedIn.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

The case against LinkedIn was brought by hiQ Labs, a data analysis business that depends on LinkedIn. It scrapes publicly available profile data of LinkedIn users and analyzes it for its customers—employers and potential employers. One of its services promises to identify employees who are more likely to leave their current employer.

LinkedIn wanted to revoke its permission to hiQ to access its open website (which is accessible without registration or password) in order to enforce its user agreement that prohibits data-scraping activities. LinkedIn also wanted to put in place technical measures to prevent data scraping. It cited its members’ privacy interests as its reason. Interestingly, no intellectual property rights were asserted. LinkedIn did not assert any rights in its users’ profile data.

The plaintiff (hiQ) asserted various legal theories in support of its case, including alleged violations of California constitutional free speech principles and California competition law. It claimed that blocking its access to the LinkedIn site would put it out of business. It also pointed out that LinkedIn allows many third parties to scrape data from its service and that it even encourages those practices. It also pointed out that LinkedIn was happy for hiQ to carry on its business using LinkedIn users’ data for five years.

LinkedIn relied on three main arguments: that hiQ’s access to the site, once its permission is revoked, would violate the federal Computer Fraud and Abuse Act (“CFAA”); that the scraping was a violation of its user terms; and that hiQ’s operations jeopardized its users’ privacy interests, which it is entitled to protect. In particular, LinkedIn pointed out that its users often update their profile data or change their privacy settings and that they would not want third-party services such as hiQ’s to use their old data regardless of their privacy choices. LinkedIn argued that its own services are designed to respect its users’ privacy preferences, including in relation to historic data.

Ron Moscana

Ron Moscona

A key question was whether the CFAA, which prohibits unauthorized access to computer systems, applied to hiQ’s access to the public website operated by LinkedIn and whether permission to access the site could be revoked by LinkedIn. A positive answer would determine the result of the case, as the CFAA would pre-empt any grounds relied on by hiQ under California state law. The court held, however, that the federal act did not apply. It therefore had to consider whether hiQ’s claims raised a serious question on the merits.

Effectively, the court had to decide whether the privacy concerns raised by LinkedIn outweighed the competition and free speech grounds relied on by hiQ. Both parties managed to muster some factual evidence in support of their respective positions, but only of a very general nature.

HiQ was able to point out that LinkedIn’s corporate strategy identified data analysis services as an expansion area for its business, which would make hiQ a potential competitor. LinkedIn relied on statistics relating to its users’ privacy preferences (showing that millions of users prefer not to notify other users when they update their profile data) and to point out a few incidents where users complained about third-party use of their profile data. The user agreement was also relevant but not a key consideration in the decision (for one thing, it is unclear whether it was even binding on hiQ, as acceptance of the user agreement is not a condition for accessing the site).  

The factual evidence, however, seems to have had limited significance. At least for the purpose of the temporary injunction application, the court had to reach a decision largely on broad principles.

The court decided that the case did not raise a sufficiently serious question under California free speech constitutional principles. The plaintiff’s suggestion was that LinkedIn’s service was a public forum and therefore LinkedIn should not be allowed to rely on the ownership of the site or the terms of its user agreement to block hiQ’s access to the site and its scraping of public data available on the site. The court was concerned that applying these free speech principles against LinkedIn would constitute a big step with potentially far-reaching ramifications.

However, in weighing LinkedIn’s desire to protect users’ privacy interests against hiQ’s accusations of anti-competitive behavior, the court found the latter to be more persuasive. At least, it found that hiQ’s arguments raised a sufficiently serious question so as to justify a temporary injunction (given the finding that unless an injunction were granted, hiQ’s business would have to shut down).

The court did not entirely dismiss LinkedIn’s privacy concerns. However, it largely discounted those concerns on the basis of evidence suggesting that LinkedIn itself may not have always respected its users’ expectations of privacy. Perhaps more critically, it proceeded on the proposition that “the actual privacy interests of LinkedIn users in their public data are at best uncertain.”

More than the result itself, it is perhaps this last statement that should be considered closely. The words chosen by the court may have been intended more as a comment on the evidence relied on by LinkedIn, but they also seem to express a general value judgement. That is, the traditional approach in common-law legal systems that once information is put in the public domain it is no longer confidential and therefore no longer private. This, however, is no longer the approach reflected in modern privacy laws in many countries.

The United States has been slow in developing its privacy legislation, possibly as a result of Silicon Valley lobbying. That lobbying tends to resist restraints on the free flow of information. Nevertheless, privacy legislation has been introduced at the state level and to a limited extent (in the context of health and child protection) even at the federal level. The Obama administration started a process of introducing a more comprehensive approach to protecting privacy interests, although those attempts have now been deserted. In many other countries, however, such as Canada and Australia, and in regions such as the European Union, privacy protection has developed significantly over the last two decades.

It is probably fair to say that as a general approach, modern privacy laws reject the idea that privacy interests are simply eliminated once an individual puts information in the public domain. There is of course a vast difference between private information which is also secret and confidential  as opposed to information that a person voluntarily puts into the public domain. But the distinction does not exclude the fact that privacy interests continue to be relevant even in respect of “public” information. For example, in many jurisdictions subscribers can require their telephone numbers to be removed from public directories, even if the number was previously listed.   

LinkedIn made the point plainly in its case against hiQ. Many professionals are happy to display their profile data publicly on the service. However, if a user decides to update her profile she may prefer not to advertise the fact that she made the change and she may also have a reasonable expectation that her old profile would disappear from the service. This can be important to people looking for a new job. An old version of a person’s profile data might not project the right image or include the right information that a person wishes to advertise for future purposes. LinkedIn users expect the service to work for them, not against their interest.

As a matter of fact, it is difficult to accept the court’s suggestion that LinkedIn users’ interest in protecting their public data is “at best uncertain.” Most users, if asked, would probably prefer that their historical information cease to be publicly available once they have updated it. Professionals join LinkedIn in order to advertise their skills and expertise, not to create a searchable archive of their past data.

LinkedIn’s case was that as a service provider it ought to be able to address the privacy concerns of its users, even in relation to their so called “public profiles.” The court, so far, was not impressed.

LinkedIn’s concerns over its users’ privacy interests and its decision to block hiQ may have been influenced by legal compliance considerations.

LinkedIn, along with the rest of the digital industry, is undoubtedly acutely aware of the looming requirements of the General Data Protection Regulation (“GDPR”) — the EU’s overhaul of its privacy laws which will come into effect in the middle of 2018. Among the many compliance requirements that social network operators need to grapple with are the new rules regarding the “right to be forgotten.” One aspect of these rules is that under GDPR operators of a social network would (in most cases) have to respect a user’s request to erase or update his or her data. Another aspect is that the law requires the social network operator to notify third-party recipients of the data of requests (by the subject) to update, correct, or erase the data. Another key GDPR requirement requires appropriate administrative and technology measures to protect data, in particular against unauthorized access, corruption, or loss.

The GDPR also introduces an overarching requirement on data controllers to design their services and systems for compliance with the requirements of the legislation.

And GDPR will not be LinkedIn’s only concern. As a global service, it needs to take account of developments in privacy protection around the world. It may also wish to participate in voluntary schemes such as the various privacy shields that have been introduced by agreements between the United States and other countries. LinkedIn may also seek to meet other privacy standards for the sake of its own reputation.

It is not clear yet whether compliance with GDPR would require operators of social networks to prevent unauthorized data scraping by third parties, nor whether LinkedIn would be under an obligation to notify third parties such as hiQ of requests by its users to update or erase their public profiles. However, it is clear that LinkedIn’s concern for the privacy interests of its users are not merely a ruse to rid itself of a potential competitor.

LinkedIn knows that in a legal environment where privacy interests are taken seriously in many countries and where its users are increasingly concerned over the use of their own data, it cannot adopt a neutral position. It has to assume more control over the way data flows through and around its network. It may not be able to stop every third party from scraping or using its users’ data, but it may need to demonstrate that it is doing as much as it reasonably can to protect the privacy interests of users.

The decision of the California court to grant a temporary injunction in this case is probably not very significant but it seems to demonstrate the widening gap between the U.S. approach to the internet, which emphasizes free-market values, and the growing emphasis on the protection of privacy interests elsewhere. Global companies like LinkedIn will need to learn how to reconcile the two.

It is worth noting that in a previous decision from 2009, also in the Northern District of California, Facebook fared better than LinkedIn in a case it brought against a data gatherer. In that case (Facebook, Inc. v. Power Ventures, Inc.) the court refused to dismiss the claim which sought to prevent the data-scraping activities. Facebook alleged copyright infringement, violations of California’s Comprehensive Computer Data Access and Fraud Act and the Digital Millennium Copyright Act, and unfair competition. Privacy issues, however, were not central to that case.

Ron Moscona is a partner at the international law firm Dorsey & Whitney in its intellectual property practice.

Case Study: How Edgewood Tahoe’s CFO Saved 500 Jobs From the Ashes