A federal appellate court ruled that mining and aggregating user data publicly posted to social media sites is allowable by law.
In an opinion released earlier this month, the 9th Circuit U.S. Court of Appeals upheld an injunction barring employment-centric social network LinkedIn from blocking access by hiQ, a data mining company that sells aggregated user information.
LinkedIn sent a cease-and-desist letter to hiQ in 2017 requesting that the company stop accessing and copying data from its servers. The letter warned hiQ that further aggregation activity would violate state and federal laws, including the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), California Penal Code § 502(c), and the California common law of trespass. HiQ responded with a suit against LinkedIn and requested a temporary restraining order against them, which was granted by the district court and upheld by the 9th Circuit.
While the court’s ruling was a response to the potential for “irreparable harm” to hiQ caused by depriving them of access to data, the decision as it pertains to the collection and dissemination of data could have major implications for online privacy:
“[T]here is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do,” stated the court’s opinion.
The opinion went on to assert that the CFAA didn’t apply to hiQ, since “the CFAA’s prohibition on accessing a computer ‘without authorization’ is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer.”
As things stand now with this legal battle, information displayed publicly on a website is fair game for third parties seeking to aggregate user data, regardless of whether their activities conflict with a web service’s user license agreement or the wishes of its users. The ruling also limits the definition of “unauthorized access” to content protected behind a password or some other means of authorization.
It is unclear how this ruling would apply in states with more stringent privacy requirements, or how it impacts data accidentally exposed to the public because of poor cybersecurity or human error, but the case does raise several questions about the ownership of and access to user data.