HiQ Labs is a company that focuses on talent management using data science and machine learning. They use data to help companies understand when someone may be looking to quit, how much time and money should be put into employee training and what candidates would qualify for new positions. Where do they get the data that leads to these conclusions though? HiQ Labs uses a web scraper to download profiles off LinkedIn and use that data from their site to use for their own financial gain.
In May of 2017, LinkedIn sent a letter to hiQ Labs informing them that their actions were illegal and violated the LinkedIn User Agreement. It also stated that “LinkedIn has earned its members’ trust by acting vigilantly to keep their data secure. HiQ’s actions and products violate this trust”. In response to this, LinkedIn blocked hiQ from accessing their data because of the user agreement violation.
While LinkedIn may have thought this was a violation of their user agreement, hiQ Labs was now suffering a major blow to their company which that this was fair use of the data because it was free and open to the public. Because of this, hiQ labs filed a lawsuit against LinkedIn claiming that they violated anti-trust laws. On August 14, 2017, The U.S. District Court of San Francisco ruled in the favor of hiQ Labs and forced LinkedIn to return access of their site to hiQ Labs.
Obviously LinkedIn was not happy with this decision and appealed the decision on March 15, 2018. Unfortunately the appeal made by LinkedIn was ruled against them yet again by the U.S. Court of Appeals leading to a victory for hiQ and their web scrapping bots.
“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles” – Judge Marsha Berzon
This decision was rather shocking to LinkedIn especially because they should have the right to block a user for violating their User Agreement even if it isn’t breaking the law.
Many people in not only the cyber security community but they LinkedIn community as well are disturbed by the outcome of this case. This could open the doors to legally allow data scraping with more malicious intents. The court is claiming that the information on LinkedIn’s site is owned by the users not by LinkedIn and that the users of LinkedIn intend to have their information accessed by the public. While this is true, it is still LinkedIn’s responsibility to protect its users data and not allow it to be accessed in the wrong ways.
Written by Austin Rose October 7th, 2019