Court Okays 'Data Scraping' By Analytics Firm Of Users' Public LinkedIn Profiles. Lots Of Consequences
Thursday, September 12, 2019
Earlier this week, a Federal appeals court affirmed an August 2017 injunction which required LinkedIn, a professional networking platform owned by Microsoft Corporation, to allow hiQ Labs, Inc. to access members' profiles. This ruling has implications for everyone.
First, some background. The Naked Security blog by Sophos explained in December, 2017:
"... hiQ is a company that makes its money by “scraping” LinkedIn’s public member profiles to feed two analytical systems, Keeper and Skill Mapper. Keeper can be used by employers to detect staff that might be thinking about leaving while Skill Mapper summarizes the skills and status of current and future employees. For several years, this presented no problems until, in 2016, LinkedIn decided to offer something similar, at which point it sent hiQ and others in the sector cease and desist letters and started blocking the bots reading its pages."
So, hiQ apps use algorithms which determine for its clients (prospective or current employers) which employees will stay or go. Gizmodo explained the law which LinkedIn used in its arguments in court, namely the:
".... practice of scraping publicly available information from their platform violated the 1986 Computer Fraud and Abuse Act (CFAA). The CFAA is infamously vaguely written and makes it illegal to access a “protected computer” without or in excess of “authorization”—opening the door to sweeping interpretations that could be used to criminalize conduct not even close to what would traditionally be understood as hacking.
Second, the latest court ruling basically said two things: a) it is legal (and doesn't violate hacking laws) for companies to scrape information contained in publicly available profiles; and b) LinkedIn must allow hiQ (and potentially other firms) to continue with data-scraping. This has plenty of implications.
This recent ruling may surprise some persons, since the issue of data scraping was supposedly settled law previously. MediaPost reported:
"Monday's ruling appears to effectively overrule a decision issued six years ago in a dispute between Craigslist and the data miner 3Taps, which also scraped publicly available listings. In that matter, 3Taps allegedly scraped real estate listings and made them available to the developers PadMapper and Lively. PadMapper allegedly meshed Craigslist's apartment listings with Google maps... U.S. District Court Judge Charles Breyer in the Northern District of California ruled in 2013 that 3Taps potentially violated the anti-hacking law by scraping listings from Craigslist after the company told it to stop doing so."
So, you can bet that both social media sites and data analytics firms closely watched and read the appeal court's ruling this week.
Third, in theory any company or agency could then legally scrape information from public profiles on the LinkedIn platform. This scraping could be done by industries and/or entities (e.g., spy agencies worldwide) which job seekers didn't intend nor want.
Many consumers simply signed up and use LinkedIn to build professional relationship and/or to find jobs, either fulltime as employees or as contractors. The 2019 social media survey by Pew Research found that 27 percent of adults in the United States use LinkedIn, but higher usage penetration among persons with college degrees (51 percent), persons making more than $75K annually (49 percent), persons ages 25 - 29 (44 percent), persons ages 30 - 49 (37 percent), and urban residents (33 percent).
I'll bet that many LinkedIn users never imagined that their profiles would be used against them by data analytics firms. Like it or not, that is how consumers' valuable, personal data is used (abused?) by social media sites and their clients.
Fourth, the practice of data scraping has divided tech companies. Again, from the Naked Security blog post in 2017:
"Data scraping, its seems, has become a booming tech sector that increasingly divides the industry ideologically. One side believes LinkedIn is simply trying to shut down a competitor wanting to access public data LinkedIn merely displays rather than owns..."
The Electronic Frontier Foundation (EFF), the DuckDuckGo search engine, and the Internet Archived had filed an amicus brief with the appeals court before its ruling. The EFF explained the group's reasoning and urged the:
"... Court of Appeals to reject LinkedIn’s request to transform the CFAA from a law meant to target serious computer break-ins into a tool for enforcing its computer use policies. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony “hacking” under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information. But using automated scripts to access publicly available data is not "hacking," and neither is violating a website’s terms of use. LinkedIn would have the court believe that all "bots" are bad, but they’re actually a common and necessary part of the Internet. "Good bots" were responsible for 23 percent of Web traffic in 2016..."
So, bots are here to stay. And, it's up to LinkedIn executives to find a solution to protect their users' information.
Fifth, according to the Reuters report the court judge suggested a solution for LinkedIn by "eliminating the public access option." Hmmmm. Public, or at least broad access, is what many job seekers desire. So, a balance needs to be struck between truly "public" where anyone, anywhere worldwide could access public profiles, versus intended targets (e.g., hiring executives in potential employers in certain industries).
Sixth, what struck me about the court ruling this week was that nobody was in the court room representing the interests of LinkedIn users, of which I am one. MediaPost reported:
"The appellate court discounted LinkedIn's argument that hiQ was harming users' privacy by scraping data even when people used a "do not broadcast" setting. "There is no evidence in the record to suggest that most people who select the 'Do Not Broadcast' option do so to prevent their employers from being alerted to profile changes made in anticipation of a job search," the judges wrote. "As the district court noted, there are other reasons why users may choose that option -- most notably, many users may simply wish to avoid sending their connections annoying notifications each time there is a profile change." "
What? Really?! We LinkedIn users have a natural, vested interest in control over both our profiles and the sensitive, personal information that describes each of us in our profiles. Somebody at LinkedIn failed to adequately represent users' interests of its users, the court didn't really listen closely nor seek out additional evidence, or all of the above.
Maybe the "there is no evidence in the record" regarding the 'Do Not Broadcast' feature will be the basis of another appeal or lawsuit.
With this latest court ruling, we LinkedIn users have totally lost control (except for deleting or suspending our LinkedIn accounts). It makes me wonder how a court could reach its decision without hearing directly from somebody representing LinkedIn users.
Seventh, it seems that LinkedIn needs to modify its platform in three key ways:
- Allow its users to specify which uses or applications (e.g., find fulltime work, find contract work, build contacts in my industry or area of expertise, find/screen job candidates, advertise/promote a business, academic research, publish content, read news, dating, etc.) their profiles can only be used for. The 'Do Not Broadcast' feature is clearly not strong enough;
- Allow its users to specify or approve individual users -- other actual persons who are LinkedIn users and not bots nor corporate accounts -- who can access their full, detailed profiles; and
- Outline in the user agreement the list of applications or uses profiles may be accessed for, so that both prospective and current LinkedIn users can make informed decisions.
This would give LinkedIn users some control over the sensitive, personal information in their profiles. Without control, the benefits of using LinkedIn quickly diminish. And, that's enough to cause me to rethink my use of LinkedIn, and either deactivate or delete my account.
What are your opinions of this ruling? If you currently use LinkedIn, will you continue using it? If you don't use LinkedIn and were considering it, will you still consider using it?
The Editor’s deft analysis recognizes that the 9th Circuit’s holding fails to protect the privacy interests of LinkedIn’s individual human users, and his proposals for finding a middle way—between the 9th Circuit’s improvidently permitting all third parties access to users’ public LinkedIn profiles for any purpose and Microsoft’s excessive reading of the Computer Fraud and Abuse Act (CFAA) to make all third-party use of LinkedIn’s public profiles a crime, except for its anticompetitive, monopoly control of users’ public profiles for it to exclusively commercially exploit—is positively wise.
The middle way is to correct the mistake at the inception of the internet by recognizing that the users’ public LinkedIn profiles are their property, and, therefore, it is they, the users who, as the authors of their public profiles, who have the right to decide how others, whether Microsoft or anyone else, use their public profiles. Once we recognize that the information in those public profiles belong to users, the solution for protecting their privacy interests becomes immediately apparent: That is, the users will post their public profiles with their license that restricts who has access to their public profiles, how they may be used, and who may use them.
The exact details of such a users’ license, while not trivial, are well within the capabilities of skillful legal draftsmanship. The result would be a standard license for LinkedIn users. However, because Microsoft has inordinate bargaining power and would inevitably draft these standard licenses in a way that gave LinkedIn monopoly control and rights to exploit these licenses, the government, pursuant to its authority under antitrust law and to protect users’ privacy interests, would have the right and responsibility to set mandatory terms of the standard license in ways that both protect a user’s right to control who can use his public profile and how it could be used, and that then permits Microsoft and third parties to commercially exploit the users’ public profiles in ways that are consistent with the protections of users’ privacy and fair and vigorous competition in the commercial exploitation of users’ profiles, as permitted by users’ license.
Therefore, upon a proper motion for reconsideration or at a hearing en banc, the 9th Circuit should vacate its instant holding on the grounds that, in an unconstitutional violation of due process, the courts have decided the interests of parties, LinkedIn’ individual users, whose privacy interests were not adequately represented, and therefore, their privacy interests were adjudicated and decided without being heard. The 9th Circuit should then remand the case to the district court with instructions to identify and appoint counsel and representative parties to represent LinkedIn users’ privacy interests. And if it finds that those privacy interests have been violated, the court is to appoint a special master, who in consultation with the FTC and the DOJ, shall draft a standard license to protect both users’ privacy and fair competition in the exploitation of users’ public profiles, as discussed, supra. The district court will have the approval of the final license, based on the adequacy of the license to accomplish its purposes as discussed here. LinkedIn users’ counsel and other parties and either the FTC or DOJ may be heard as to their objections and suggestions regarding the special master’s draft license. The district court shall give due consideration to the parties’ objections and suggestions in approving a final draft of the users’ standard license that protects both users’ privacy interests and their proprietary rights in their public profiles, while otherwise permitting Microsoft and third parties to commercially exploit those public profiles in ways that promote fair competition in that exploitation but in a manner consistent with the the provisions and restrictions in users’ standard license.
It is so ordered.
P.S. And gee, I wish the author had been sitting next to me in law school, because how he immediately recognized the flaw in the 9th Circuit’s holding of not fully recognizing or even having heard the properly represented privacy interests of LinkedIn users was first rate lawyering.
Posted by: Chanson de Roland | Wednesday, September 18, 2019 at 05:07 PM
LinkedIn users concerned about their privacy may be interested in this:
How To Delete Your LinkedIn Account
https://nordvpn.com/blog/delete-linkedin-account/
George
Editor
https://ivebeenmugged.typepad.com
Posted by: George | Wednesday, September 25, 2019 at 12:40 PM