Hiq Labs, Inc. v. Linkedin Corporation

FOR PUBLICATION UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT HIQ LABS, INC., No. 17-16783 Plaintiff-Appellee, D.C. No. v. 3:17-cv-03301-EMC LINKEDIN CORPORATION, Defendant-Appellant. OPINION Appeal from the United States District Court for the Northern District of California Edward M. Chen, District Judge, Presiding Argued and Submitted March 15, 2018 San Francisco, California Filed September 9, 2019 Before: J. Clifford Wallace and Marsha S. Berzon, Circuit Judges, and Terrence Berg, * District Judge. Opinion by Judge Berzon; Concurrence by Judge Wallace * The Honorable Terrence Berg, United States District Judge for the Eastern District of Michigan, sitting by designation. 2 HIQ LABS V. LINKEDIN SUMMARY ** Preliminary Injunction / Computer Fraud and Abuse Act The panel affirmed the district court’s preliminary injunction forbidding the professional networking website LinkedIn Corp. from denying plaintiff hiQ, a data analytics company, access to publicly available LinkedIn member profiles. Using automated bots, hiQ scrapes information that LinkedIn users have included on public LinkedIn profiles. LinkedIn sent hiQ a cause-and-desist letter, demanding that hiQ stop accessing and copying data from LinkedIn’s server. HiQ filed suit, seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not lawfully invoke the Computer Fraud and Abuse Act (“CFAA”), the Digital Millennium Copyright Act, California Penal Code § 502(c), or the common law of trespass against it. Affirming the district court’s grant of the preliminary injunction in favor of hiQ, the panel concluded that hiQ established a likelihood of irreparable harm because the survival of its business was threatened. The panel held that the district court did not abuse its discretion in balancing the equities and concluding that, even if some LinkedIn users retain some privacy interests in their information notwithstanding their decision to make their profiles public, ** This summary constitutes no part of the opinion of the court. It has been prepared by court staff for the convenience of the reader. HIQ LABS V. LINKEDIN 3 those interests did not outweigh hiQ’s interest in continuing its business. Thus, the balance of hardships tipped decidedly in favor of hiQ. The panel further held that hiQ raised serious questions going to (1) the merits of its claim for tortious interference with contract, alleging that LinkedIn intentionally interfered with its contracts with third parties, and (2) the merits of LinkedIn’s legitimate business purpose defense. HiQ also raised a serious question as to whether its state law causes of action were preempted by the CFAA, which prohibits intentionally accessing a computer without authorization, or exceeding authorized access, and thereby obtaining information from any protected computer. LinkedIn argued that, once hiQ received its cause-and-desist letter, any further scraping and use of LinkedIn’s data was without authorization within the meaning of the CFAA. The panel concluded that hiQ had raised a serious question as to whether the CFAA’s reference to access “without authorization” limits the scope of statutory coverage to computer information for which authorization or access permission, such as password authentication, is generally required. Finally, the panel held that the district court’s conclusion that the public interest favored granting the preliminary injunction was appropriate. Specially concurring, Judge Wallace wrote that he concurred in the majority opinion. He wrote separately to express his concern about appealing from a preliminary injunction to obtain an appellate court’s view of the merits. 4 HIQ LABS V. LINKEDIN COUNSEL Donald B. Verrilli Jr. (argued) and Chad I. Golder, Munger Tolles & Olson LLP, Washington, D.C.; Jonathan H. Blavin, Rosemarie T. Ring, Nicholas D. Fram, and Elia Herrera, Munger Tolles & Olson LLP, San Francisco, California; E. Joshua Rosenkranz, Orrick Herrington & Sutcliffe LLP, New York, New York; Eric A. Shumsky, Orrick Herrington & Sutcliffe LLP, Washington, D.C.; Brian P. Goldman, Orrick Herrington & Sutcliffe LLP, San Francisco, California; for Defendant-Appellant. C. Brandon Wisoff (argued), Deepak Gupta, Jeffrey G. Lau, and Rebecca H. Stephens, Farella Braun & Martel LLP, San Francisco, California; Aaron M. Panner, Gregory G. Rapawy, and T. Dietrich Hill, Kellogg Hansen Todd Figel & Frederick PLLC, Washington, D.C.; Laurence H. Tribe, Cambridge, Massachusetts; for Plaintiff-Appellee. Nicholas J. Boyle, John S. Williams, and Eric J. Hamilton, Williams & Connolly LLP, Washington, D.C., for Amicus Curiae CoStar Group Inc. Perry J. Viscounty, Latham & Watkins LLP, San Francisco, California; Gregory G. Garre, Latham & Watkins LLP, Washington, D.C.; for Amicus Curiae Craigslist Inc. Marc Rotenberg and Alan Butler, Electronic Privacy Information Center, Washington, D.C., for Amicus Curiae Electronic Privacy Information Center. Thomas V. Christopher, Law Offices of Thomas V. Christopher, San Francisco, California, for Amicus Curiae 3taps Inc. HIQ LABS V. LINKEDIN 5 Jamie Williams, Corynne McSherry, Cindy Cohn, and Nathan Cardozo, Electronic Frontier Foundation, San Francisco, California, for Amici Curiae Electronic Frontier Foundation, DuckDuckGo, and Internet Archive. Kenneth L. Wilton and James M. Harris, Seyfarth Shaw LLP, Los Angeles, California; Carrie P. Price, Seyfarth Shaw LLP, San Francisco, California; for Amicus Curiae Scraping Hub Ltd. OPINION BERZON, Circuit Judge: May LinkedIn, the professional networking website, prevent a competitor, hiQ, from collecting and using information that LinkedIn users have shared on their public profiles, available for viewing by anyone with a web browser? HiQ, a data analytics company, obtained a preliminary injunction forbidding LinkedIn from denying hiQ access to publicly available LinkedIn member profiles. At this preliminary injunction stage, we do not resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court. Instead, we focus on whether hiQ has raised serious questions on the merits of the factual and legal issues presented to us, as well as on the other requisites for preliminary relief. I. Founded in 2002, LinkedIn is a professional networking website with over 500 million members. Members post resumes and job listings and build professional “connections” with other members. LinkedIn specifically 6 HIQ LABS V. LINKEDIN disclaims ownership of the information users post to their personal profiles: according to LinkedIn’s User Agreement, members own the content and information they submit or post to LinkedIn and grant LinkedIn only a non-exclusive license to “use, copy, modify, distribute, publish, and process” that information. LinkedIn allows its members to choose among various privacy settings. Members can specify which portions of their profile are visible to the general public (that is, to both LinkedIn members and nonmembers), and which portions are visible only to direct connections, to the member’s “network” (consisting of LinkedIn members within three degrees of connectivity), or to all LinkedIn members. 1 This case deals only with profiles made visible to the general public. LinkedIn also offers all members—whatever their profile privacy settings—a “Do Not Broadcast” option with respect to every change they make to their profiles. If a LinkedIn member selects this option, her connections will not be notified when she updates her profile information, although the updated information will still appear on her profile page (and thus be visible to anyone permitted to view her profile under her general privacy setting). More than 50 1 Direct connections (or first-degree connections) are people to whom a LinkedIn member is connected by virtue of having invited them to connect and had the invitation accepted, or of having accepted their invitation to connect. Second-degree connections are people connected to a member’s first-degree connections. Third-degree connections are people connected to a member’s second-degree connections. A LinkedIn member’s network consists of the member’s first-degree, second-degree, and third-degree connections, as well as fellow members of the same LinkedIn Groups (groups of members in the same industry or with similar interests that any member can request to join). HIQ LABS V. LINKEDIN 7 million LinkedIn members have, at some point, elected to employ the “Do Not Broadcast” feature, and approximately 20 percent of all active users who updated their profiles between July 2016 and July 2017—whatever their privacy setting—employed the “Do Not Broadcast” setting. LinkedIn has taken steps to protect the data on its website from what it perceives as misuse or misappropriation. The instructions in LinkedIn’s “robots.txt” file—a text file used by website owners to communicate with search engine crawlers and other web robots—prohibit access to LinkedIn servers via automated bots, except that certain entities, like the Google search engine, have express permission from LinkedIn for bot access. 2 LinkedIn also employs several technological systems to detect suspicious activity and 2 A web robot (or “bot”) is an application that performs automated tasks such as retrieving and analyzing information. See Definition of “bot,” Merriam-Webster Dictionary, https://www.merriam- webster.com/dictionary/bot (last visited July 12, 2019). A web crawler is one common type of bot that systematically searches the Internet and downloads copies of web pages, which can then be indexed by a search engine. See Assoc. Press v. Meltwater U.S. Holdings, Inc., 931 F. Supp. 2d 537, 544 (S.D.N.Y. 2013); Definition of “web crawler,” Merriam- Webster Dictionary, https://www.merriam-webster.com/dictionary/web %20crawler (last visited July 12, 2019). A robots.txt file, also known as the robots exclusion protocol, is a widely used standard for stating the rules that a web server has adopted to govern a bot’s behavior on that server. See About /robots.txt, http://www.robotstxt.org/robotstxt.html (last visited July 12, 2019). For example, a robots.txt file might instruct specified robots to ignore certain files when crawling a site, so that the files do not appear in search engine results. Adherence to the rules in a robots.txt file is voluntary; malicious bots may deliberately choose not to honor robots.txt rules and may in turn be punished with a denial of access to the website in question. See Can I Block Just Bad Robots?, http://www.robotstxt.org/faq/blockjustbad.html (last visited July 12, 2019); cf. Assoc. Press, 931 F. Supp. 2d at 563 (S.D.N.Y. 2013). 8 HIQ LABS V. LINKEDIN restrict automated scraping. 3 For example, LinkedIn’s Quicksand system detects non-human activity indicative of scraping; its Sentinel system throttles (slows or limits) or even blocks activity from suspicious IP addresses; 4 and its Org Block system generates a list of known “bad” IP addresses serving as large-scale scrapers. In total, LinkedIn blocks approximately 95 million automated attempts to scrape data every day, and has restricted over 11 million accounts suspected of violating its User Agreement, 5 including through scraping. HiQ is a data analytics company founded in 2012. Using automated bots, it scrapes information that LinkedIn users 3 Scraping involves extracting data from a website and copying it into a structured format, allowing for data manipulation or analysis. See, e.g., What Is a Screen Scraper?, WiseGeek, http://www.wisegeek. com/what-is-a-screen-scraper.htm (last visited July 12, 2019). Scraping can be done manually, but as in this case, it is typically done by a web robot or “bot.” See supra note 2. 4 “IP address” is an abbreviation for Internet protocol address, which is a numerical identifier for each computer or network connected to the Internet. See Definition of “IP Address,” Merriam-Webster Dictionary, https://www.merriam-webster.com/dictionary/IP%20address (last visited July 12, 2019). 5 Section 8.2 of the LinkedIn User Agreement to which hiQ agreed states that users agree not to “[s]crape or copy profiles and information of others through any means (including crawlers, browser plugins and add-ons, and any other technology or manual work),” “[c]opy or use the information, content or data on LinkedIn in connection with a competitive service (as determined by LinkedIn),” “[u]se manual or automated software, devices, scripts robots, other means or processes to access, ‘scrape,’ ‘crawl’ or ‘spider’ the Services or any related data or information,” or “[u]se bots or other automated methods to access the Services.” HiQ is no longer bound by the User Agreement, as LinkedIn has terminated hiQ’s user status. HIQ LABS V. LINKEDIN 9 have included on public LinkedIn profiles, including name, job title, work history, and skills. It then uses that information, along with a proprietary predictive algorithm, to yield “people analytics,” which it sells to business clients. HiQ offers two such analytics. The first, Keeper, purports to identify employees at the greatest risk of being recruited away. According to hiQ, the product enables employers to offer career development opportunities, retention bonuses, or other perks to retain valuable employees. The second, Skill Mapper, summarizes employees’ skills in the aggregate. Among other things, the tool is supposed to help employers identify skill gaps in their workforces so that they can offer internal training in those areas, promoting internal mobility and reducing the expense of external recruitment. HiQ regularly organizes “Elevate” conferences, during which participants discuss hiQ’s business model and share best practices in the people analytics field. LinkedIn representatives participated in Elevate conferences beginning in October 2015. At least ten LinkedIn representatives attended the conferences. LinkedIn employees have also spoken at Elevate conferences. In 2016, a LinkedIn employee was awarded the Elevate “Impact Award.” LinkedIn employees thus had an opportunity to learn about hiQ’s products, including “that [one of] hiQ’s product[s] used data from a variety of sources—internal and external—to predict employee attrition” and that hiQ “collected skills data from public professional profiles in order to provide hiQ’s customers information about their employees’ skill sets.” In recent years, LinkedIn has explored ways to capitalize on the vast amounts of data contained in LinkedIn profiles by marketing new products. In June 2017, LinkedIn’s Chief 10 HIQ LABS V. LINKEDIN Executive Officer (“CEO”), Jeff Weiner, appearing on CBS, explained that LinkedIn hoped to “leverage all this extraordinary data we’ve been able to collect by virtue of having 500 million people join the site.” Weiner mentioned as possibilities providing employers with data-driven insights about what skills they will need to grow and where they can find employees with those skills. Since then, LinkedIn has announced a new product, Talent Insights, which analyzes LinkedIn data to provide companies with such data-driven information. 6 In May 2017, LinkedIn sent hiQ a cease-and-desist letter, asserting that hiQ was in violation of LinkedIn’s User Agreement and demanding that hiQ stop accessing and copying data from LinkedIn’s server. The letter stated that if hiQ accessed LinkedIn’s data in the future, it would be violating state and federal law, including the Computer Fraud and Abuse Act (“CFAA”), the Digital Millennium Copyright Act (“DMCA”), California Penal Code § 502(c), and the California common law of trespass. The letter further stated that LinkedIn had “implemented technical measures to prevent hiQ from accessing, and assisting others to access, LinkedIn’s site, through systems that detect, monitor, and block scraping activity.” 6 The record does not specifically name Talent Insights, but at a district court hearing on June 29, 2017, counsel for hiQ referenced Mr. Weiner’s statements on CBS and stated that “in the past 24 hours we’ve received word . . . that LinkedIn is launching a product that is essentially the same or very similar to [hiQ’s] Skill Mapper, and trying to market it head-to-head against us.” LinkedIn has since launched Talent Insights, which, among other things, promises to help employers “understand the . . . skills that are growing fastest at your company.” See https://business.linkedin.com/talent-solutions/blog/product-updates/201 8/linkedin-talent-insights-now-available (last visited July 12, 2019). HIQ LABS V. LINKEDIN 11 HiQ’s response was to demand that LinkedIn recognize hiQ’s right to access LinkedIn’s public pages and to threaten to seek an injunction if LinkedIn refused. A week later, hiQ filed suit, seeking injunctive relief based on California law and a declaratory judgment that LinkedIn could not lawfully invoke the CFAA, the DMCA, California Penal Code § 502(c), or the common law of trespass against it. HiQ also filed a request for a temporary restraining order, which the parties subsequently agreed to convert into a motion for a preliminary injunction. The district court granted hiQ’s motion. It ordered LinkedIn to withdraw its cease-and-desist letter, to remove any existing technical barriers to hiQ’s access to public profiles, and to refrain from putting in place any legal or technical measures with the effect of blocking hiQ’s access to public profiles. LinkedIn timely appealed. II. “A plaintiff seeking a preliminary injunction must establish that he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.” Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20 (2008). All four elements must be satisfied. See, e.g., Am. Trucking Ass’n v. City of Los Angeles, 559 F.3d 1046, 1057 (9th Cir. 2009). We use a “sliding scale” approach to these factors, according to which “a stronger showing of one element may offset a weaker showing of another.” Alliance for the Wild Rockies v. Cottrell, 632 F.3d 1127, 1131 (9th Cir. 2011). So, when the balance of hardships tips sharply in the plaintiff’s favor, the plaintiff need demonstrate only “serious questions going to the merits.” Id. at 1135. 12 HIQ LABS V. LINKEDIN Applying that sliding scale approach, the district court granted hiQ a preliminary injunction, concluding that the balance of hardships tips sharply in hiQ’s favor and that hiQ raised serious questions on the merits. We review the district court’s decision to grant a preliminary injunction for abuse of discretion. The grant of a preliminary injunction constitutes an abuse of discretion if the district court’s evaluation or balancing of the pertinent factors is “illogical, implausible, or without support in the record.” Doe v. Kelly, 878 F.3d 710, 713 (9th Cir. 2017). A. Irreparable Harm We begin with the likelihood of irreparable injury to hiQ if preliminary relief were not granted. “[M]onetary injury is not normally considered irreparable.” Los Angeles Mem’l Coliseum Comm’n v. Nat’l Football League, 634 F.2d 1197, 1202 (9th Cir. 1980). Nonetheless, “[t]he threat of being driven out of business is sufficient to establish irreparable harm.” Am. Passage Media Corp. v. Cass Commc’ns, Inc., 750 F.2d 1470, 1474 (9th Cir. 1985). As the Second Circuit has explained, “[t]he loss of . . . an ongoing business representing many years of effort and the livelihood of its . . . owners, constitutes irreparable harm. What plaintiff stands to lose cannot be fully compensated by subsequent monetary damages.” Roso Lino Beverage Distributors, Inc. v. Coca Cola Bottling Co. of New York, Inc., 749 F.2d 124, 125–26 (2d Cir. 1984) (per curiam). Thus, showing a threat of “extinction” is enough to establish irreparable harm, even when damages may be available and the amount of direct financial harm is ascertainable. Am. Passage Media Corp., 750 F.2d at 1474. The district court found credible hiQ’s assertion that the survival of its business is threatened absent a preliminary HIQ LABS V. LINKEDIN 13 injunction. The record provides ample support for that finding. According to hiQ’s CEO, “hiQ’s entire business depends on being able to access public LinkedIn member profiles,” as “there is no current viable alternative to LinkedIn’s member database to obtain data for hiQ’s Keeper and Skill Mapper services.” Without access to LinkedIn public profile data, the CEO averred, hiQ will likely be forced to breach its existing contracts with clients such as eBay, Capital One, and GoDaddy, and to pass up pending deals with prospective clients. The harm hiQ faces absent a preliminary injunction is not purely hypothetical. HiQ was in the middle of a financing round when it received LinkedIn’s cease-and- desist letter. The CEO reported that, in light of the uncertainty about the future viability of hiQ’s business, that financing round stalled, and several employees left the company. If LinkedIn prevails, hiQ’s CEO further asserted, hiQ would have to “lay off most if not all its employees, and shutter its operations.” LinkedIn maintains that hiQ’s business model does not depend on access to LinkedIn data. It insists that alternatives to LinkedIn data exist, and points in particular to the professional data some users post on Facebook. But hiQ’s model depends on access to publicly available data from people who choose to share their information with the world. Facebook data, by contrast, is not generally accessible, see infra p. 31, and therefore is not an equivalent alternative source of data. LinkedIn also urges that even if there is no adequate alternative database, hiQ could collect its own data through employee surveys. But hiQ is a data analytics company, not a data collection company. Suggesting that hiQ could fundamentally change the nature of its business, not simply 14 HIQ LABS V. LINKEDIN the manner in which it conducts its current business, is a recognition that hiQ’s current business could not survive without access to LinkedIn public profile data. Creating a data collection system would undoubtedly require a considerable amount of time and expense. That hiQ could feasibly remain in business with no products to sell while raising the required capital and devising and implementing an entirely new data collection system is at least highly dubious. In short, the district court did not abuse its discretion in concluding on the preliminary injunction record that hiQ currently has no viable way to remain in business other than using LinkedIn public profile data for its Keeper and Skill Mapper services, and that HiQ therefore has demonstrated a likelihood of irreparable harm absent a preliminary injunction. B. Balance of the Equities Next, the district court “balance[d] the interests of all parties and weigh[ed] the damage to each in determining the balance of the equities.” CTIA-The Wireless Ass’n v. City of Berkeley, Calif., 928 F.3d 832, 852 (9th Cir. 2019) (internal quotation marks and citation omitted). Again, it did not abuse its discretion in doing so. On one side of the scale is the harm to hiQ just discussed: the likelihood that, without an injunction, it will go out of business. On the other side, LinkedIn asserts that the injunction threatens its members’ privacy and therefore puts at risk the goodwill LinkedIn has developed with its members. As the district court observed, “the fact that a user has set his profile to public does not imply that he wants any third parties to collect and use that data for all purposes.” LinkedIn points in particular to the more than 50 million HIQ LABS V. LINKEDIN 15 members who have used the “Do Not Broadcast” feature to ensure that other users are not notified when the member makes a profile change. According to LinkedIn, the popularity of the “Do Not Broadcast” feature indicates that many members—including members who choose to share their information publicly—do not want their employers to know they may be searching for a new job. An employer who learns that an employee may be planning to leave will not necessarily reward that employee with a retention bonus. Instead, the employer could decide to limit the employee’s access to sensitive information or even to terminate the employee. There is support in the record for the district court’s connected conclusions that (1) LinkedIn’s assertions have some merit; and (2) there are reasons to discount them to some extent. First, there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do. LinkedIn’s privacy policy clearly states that “[a]ny information you put on your profile and any content you post on LinkedIn may be seen by others” and instructs users not to “post or add personal data to your profile that you would not want to be public.” Second, there is no evidence in the record to suggest that most people who select the “Do Not Broadcast” option do so to prevent their employers from being alerted to profile changes made in anticipation of a job search. As the district court noted, there are other reasons why users may choose that option—most notably, many users may simply wish to avoid sending their connections annoying notifications each time there is a profile change. In any event, employers can always directly consult the profiles of users who chose to 16 HIQ LABS V. LINKEDIN make their profiles public to see if any recent changes have been made. Employees intent on keeping such information from their employers can do so by rejecting public exposure of their profiles and eliminating their employers as contacts. Finally, LinkedIn’s own actions undercut its argument that users have an expectation of privacy in public profiles. LinkedIn’s “Recruiter” product enables recruiters to “follow” prospects, get “alert[ed] when prospects make changes to their profiles,” and “use those [alerts] as signals to reach out at just the right moment,” without the prospect’s knowledge. 7 And subscribers to LinkedIn’s “talent recruiting, marketing and sales solutions” can export data from members’ public profiles, such as “name, headline, current company, current title, and location.” In short, even if some users retain some privacy interests in their information notwithstanding their decision to make their profiles public, we cannot, on the record before us, conclude that those interests—or more specifically, LinkedIn’s interest in preventing hiQ from scraping those profiles—are significant enough to outweigh hiQ’s interest in continuing its business, which depends on accessing, analyzing, and communicating information derived from public LinkedIn profiles. Nor do the other harms asserted by LinkedIn tip the balance of harms with regard to preliminary relief. LinkedIn invokes an interest in preventing “free riders” from using profiles posted on its platform. But LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles. And 7 Recruiter does not provide alerts about profile changes made by LinkedIn members who select the “Do Not Broadcast” setting. HIQ LABS V. LINKEDIN 17 as to the publicly available profiles, the users quite evidently intend them to be accessed by others, including for commercial purposes—for example, by employers seeking to hire individuals with certain credentials. Of course, LinkedIn could satisfy its “free rider” concern by eliminating the public access option, albeit at a cost to the preferences of many users and, possibly, to its own bottom line. We conclude that the district court’s determination that the balance of hardships tips sharply in hiQ’s favor is not “illogical, implausible, or without support in the record.” Kelly, 878 F.3d at 713. C. Likelihood of Success Because hiQ has established that the balance of hardships tips decidedly in its favor, the likelihood-of- success prong of the preliminary injunction inquiry focuses on whether hiQ has raised “serious questions going to the merits.” Alliance for the Wild Rockies, 632 F.3d at 1131. It has. As usual, we consider only the claims and defenses that the parties press on appeal. We recognize that the companies have invoked additional claims and defenses in the district court, and we express no opinion as to whether any of those claims or defenses might ultimately prove meritorious. Thus, while hiQ advanced several affirmative claims in support of its request for preliminary injunctive relief, here we consider only whether hiQ has raised serious questions on the merits of its claims either for intentional interference with contract or unfair competition, under California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq. Likewise, while LinkedIn has asserted that it has “claims under the Digital Millennium Copyright Act and under trespass and misappropriation doctrines,” it has chosen for 18 HIQ LABS V. LINKEDIN present purposes to focus on a defense based on the CFAA, so that is the sole defense to hiQ’s claims that we address here. 1. Tortious Interference with Contract HiQ alleges that LinkedIn intentionally interfered with hiQ’s contracts with third parties. “The elements which a plaintiff must plead to state the cause of action for intentional interference with contractual relations are (1) a valid contract between plaintiff and a third party; (2) defendant’s knowledge of this contract; (3) defendant’s intentional acts designed to induce a breach or disruption of the contractual relationship; (4) actual breach or disruption of the contractual relationship; and (5) resulting damage.” Pac. Gas & Elec. Co. v. Bear Stearns & Co., 50 Cal. 3d 1118, 1126 (1990). 8 HiQ has shown a sufficient likelihood of establishing each of these elements. First, LinkedIn does not contest 8 Under California law, tortious interference with contract claims are not limited to circumstances in which the defendant has caused the third party with whom the plaintiff has contracted to breach the agreement. “The most general application of the rule is to cases where the party with whom the plaintiff has entered into an agreement has been induced to breach it, but the rule is also applicable where the plaintiff’s performance has been prevented or rendered more expensive or burdensome and where he has been induced to breach the contract by conduct of the defendant, such as threats of economic reprisals.” Lipman v. Brisbane Elementary Sch. Dist., 55 Cal. 2d 224, 232 (1961), abrogated on other grounds by Brown v. Kelly Broadcasting Co., 48 Cal. 3d 711, 753 n.37 (1989); see also Pac. Gas & Elec. Co., 50 Cal. 3d at 1129 (“We have recognized that interference with the plaintiff’s performance may give rise to a claim for interference with contractual relations if plaintiff’s performance is made more costly or more burdensome.”). HIQ LABS V. LINKEDIN 19 hiQ’s evidence that contracts exist between hiQ and some customers, including eBay, Capital One, and GoDaddy. Second, hiQ will likely be able to establish that LinkedIn knew of hiQ’s scraping activity and products for some time. LinkedIn began sending representatives to hiQ’s Elevate conferences in October 2015. At those conferences, hiQ discussed its business model, including its use of data from external sources to predict employee attrition. LinkedIn’s director of business operations and analytics, who attended several Elevate conferences, specifically “recall[s] someone from hiQ stating [at the April 2017 conference] that they collected skills data from public professional profiles in order to provide hiQ’s customers information about their employees’ skill sets.” Additionally, LinkedIn acknowledged in its cease-and-desist letter that “hiQ has stated during marketing presentations that its Skill Mapper product is built on profile data from LinkedIn.” Finally, at a minimum, LinkedIn knew of hiQ’s contracts as of May 31, 2017, when hiQ responded to LinkedIn’s cease-and-desist letter and identified both current and prospective hiQ clients. Third, LinkedIn’s threats to invoke the CFAA and implementation of technical measures selectively to ban hiQ bots could well constitute “intentional acts designed to induce a breach or disruption” of hiQ’s contractual relationships with third parties. Pac. Gas & Elec. Co., 50 Cal. 3d at 1126; cf. Winchester Mystery House, LLC v. Global Asylum, Inc., 210 Cal. App. 4th 579, 597 (2012) (indicating that “cease-and-desist letters . . . refer[ring] to a[] contractual or other economic relationship between plaintiff and any third party” could “establish . . . the . . . intent element[] of the interference claim[]”). Fourth, the contractual relationships between hiQ and third parties have been disrupted and “now hang[] in the 20 HIQ LABS V. LINKEDIN balance.” Without access to LinkedIn data, hiQ will likely be unable to deliver its services to its existing customers as promised. Last, hiQ is harmed by the disruption to its existing contracts and interference with its pending contracts. Without the revenue from sale of its products, hiQ will likely go out of business. See supra pp. 12–14. LinkedIn does not specifically challenge hiQ’s ability to make out any of these elements of a tortious interference claim. Instead, LinkedIn maintains that it has a “legitimate business purpose” defense to any such claim. Cf. Quelimane Co. v. Stewart Title Guar. Co., 19 Cal. 4th 26, 57 (1998), as modified (Sept. 23, 1998). That contention is an affirmative justification defense for which LinkedIn bears the burden of proof. See id. Under California law, a legitimate business purpose can indeed justify interference with contract, but not just any such purpose suffices. See id. at 55–56. Where a contractual relationship exists, the societal interest in “contractual stability is generally accepted as of greater importance than competitive freedom.” Imperial Ice Co. v. Rossier, 18 Cal. 2d 33, 36 (1941). Emphasizing the “distinction between claims for the tortious disruption of an existing contract and claims that a prospective contractual or economic relationship has been interfered with by the defendant,” the California Supreme Court instructs that we must “bring[] a greater solicitude to those relationships that have ripened into agreements.” Della Penna v. Toyota Motor Sales, U.S.A., Inc., 11 Cal. 4th 376, 392 (1995). Thus, interference with an existing contract is not justified simply because a competitor “seeks to further his own economic advantage at the expense of another.” Imperial Ice, 18 Cal. 2d at 36; see id. at 37 (“A party may not . . . under the guise of HIQ LABS V. LINKEDIN 21 competition . . . induce the breach of a competitor’s contract in order to secure an economic advantage.”). Rather, interference with contract is justified only when the party alleged to have interfered acted “to protect an interest that has greater social value than insuring the stability of the contract” interfered with. Id. at 35. Accordingly, California courts apply a balancing test to determine whether the interests advanced by interference with contract outweigh the societal interest in contractual stability: Whether an intentional interference by a third party is justifiable depends upon a balancing of the importance, social and private, of the objective advanced by the interference against the importance of the interest interfered with, considering all circumstances including the nature of the actor’s conduct and the relationship between the parties. Herron v. State Farm Mut. Ins. Co., 56 Cal. 2d 202, 206 (1961). Considerations include whether “the means of interference involve no more than recognized trade practices,” Buxbom v. Smith, 23 Cal. 2d 535, 546 (1944), and whether the conduct is “within the realm of fair competition,” Inst. of Veterinary Pathology, Inc. v. Cal. Health Labs., Inc., 116 Cal. App. 3d 111, 127 (Cal. Ct. App. 1981). The “determinative question” is whether the business interest is pretextual or “asserted in good faith.” Richardson v. La Rancherita, 98 Cal. App. 3d 73, 81 (Cal. Ct. App. 1979). Balancing the interest in contractual stability and the specific interests interfered with against the interests advanced by the interference, we agree with the district court 22 HIQ LABS V. LINKEDIN that hiQ has at least raised a serious question on the merits of LinkedIn’s affirmative justification defense. First, hiQ has a strong commercial interest in fulfilling its contractual obligations to large clients like eBay and Capital One. Those companies benefit from hiQ’s ability to access, aggregate, and analyze data from LinkedIn profiles. Second, LinkedIn’s means of interference is likely not a “recognized trade practice” as California courts have understood that term. “Recognized trade practices” include such activities as “advertising,” “price-cutting,” and “hir[ing] the employees of another for use in the hirer’s business,” Buxbom, 23 Cal. 2d at 546–47—all practices which may indirectly interfere with a competitor’s contracts but do not fundamentally undermine a competitor’s basic business model. LinkedIn’s proactive technical measures to selectively block hiQ’s access to the data on its site are not similar to trade practices heretofore recognized as acceptable justifications for contract interference. Further, LinkedIn’s conduct may well not be “within the realm of fair competition.” Inst. of Veterinary Pathology, 116 Cal. App. 3d at 127. HiQ has raised serious questions about whether LinkedIn’s actions to ban hiQ’s bots were taken in furtherance of LinkedIn’s own plans to introduce a competing professional data analytics tool. There is evidence from which it can be inferred that LinkedIn knew about hiQ and its reliance on external data for several years before the present controversy. Its decision to send a cease-and-desist letter occurred within a month of the announcement by LinkedIn’s CEO that LinkedIn planned to leverage the data on its platform to create a new product for employers with some similarities to hiQ’s Skill Mapper product. If companies like LinkedIn, whose servers hold vast amounts of public data, are permitted selectively to ban only potential HIQ LABS V. LINKEDIN 23 competitors from accessing and using that otherwise public data, the result—complete exclusion of the original innovator in aggregating and analyzing the public information—may well be considered unfair competition under California law. 9 Finally, LinkedIn’s asserted private business interests— “protecting its members’ data and the investment made in developing its platform” and “enforcing its User Agreements’ prohibitions on automated scraping”—are relatively weak. LinkedIn has only a non-exclusive license to the data shared on its platform, not an ownership interest. Its core business model—providing a platform to share professional information—does not require prohibiting hiQ’s use of that information, as evidenced by the fact that hiQ used LinkedIn data for some time before LinkedIn sent its cease-and-desist letter. As to its members’ interests in their data, for the reasons already explained, see supra pp. 15–16, we agree with the district court that members’ privacy expectations regarding information they have shared in their public profiles are “uncertain at best.” Further, there is evidence that LinkedIn has itself developed a data analytics tool similar to HiQ’s products, undermining LinkedIn’s claim that it has its members’ privacy interests in mind. Finally, LinkedIn has not explained how it can enforce its user agreement against hiQ now that its user status has been terminated. 9 The district court determined that LinkedIn’s legitimate business purpose defense overlapped with hiQ’s claim under California’s Unfair Competition Law (“UCL”), which the district court found raised serious questions on the merits: “hiQ has presented some evidence supporting its assertion that LinkedIn’s decision to revoke hiQ’s access to its data was made for the purpose of eliminating hiQ as a competitor in the data analytics field, and thus potentially ‘violates [the UCL].’” 24 HIQ LABS V. LINKEDIN For all these reasons, LinkedIn may well not be able to demonstrate a “legitimate business purpose” that could justify the intentional inducement of a contract breach, at least on the record now before us. We therefore conclude that hiQ has raised at least serious questions going to the merits of its tortious interference with contract claim. As that showing on the tortious interference claim is sufficient to support an injunction prohibiting LinkedIn from selectively blocking hiQ’s access to public member profiles, we do not reach hiQ’s unfair competition claim. 10 2. Computer Fraud and Abuse Act (CFAA) Our inquiry does not end, however, with the state law tortious interference claim. LinkedIn argues that even if hiQ can show a likelihood of success on any of its state law causes of action, all those causes of action are preempted by the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, which LinkedIn asserts that hiQ violated. The CFAA states that “[w]hoever . . . intentionally accesses a computer without authorization or exceeds 10 LinkedIn also advances a business interest in “asserting its rights under federal and state law.” That interest depends upon the scope of LinkedIn’s rights under the CFAA and California’s CFAA analogue, California Penal Code § 502. Similarly, LinkedIn argues that there can be no tortious interference because hiQ’s contracts are premised on unauthorized access to LinkedIn data and are therefore illegal. Under California law, “[i]f the central purpose of the contract is tainted with illegality, then the contract as a whole cannot be enforced.” Marathon Entm’t, Inc. v. Blasi, 42 Cal. 4th 974, 996 (2008), as modified (Mar. 12, 2008); see also Cal. Civ. Code § 1598 (“Where a contract has but a single object, and such object is unlawful, whether in whole or in part, or wholly impossible of performance . . . the entire contract is void.”). As we explain next, however, hiQ has raised at least serious questions in support of its position that its activities are lawful under the CFAA. HIQ LABS V. LINKEDIN 25 authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished” by fine or imprisonment. 18 U.S.C. § 1030(a)(2)(C). Further, “[a]ny person who suffers damage or loss by reason of a violation” of that provision may bring a civil suit “against the violator to obtain compensatory damages and injunctive relief or other equitable relief,” subject to certain conditions not relevant here. 18 U.S.C. § 1030(g). The term “protected computer” refers to any computer “used in or affecting interstate or foreign commerce or communication,” 18 U.S.C. § 1030(e)(2)(B)—effectively any computer connected to the Internet, see United States v. Nosal (Nosal II), 844 F.3d 1024, 1050 (9th Cir. 2016), cert. denied, 138 S. Ct. 314 (2017)—including servers, computers that manage network resources and provide data to other computers. LinkedIn’s computer servers store the data members share on LinkedIn’s platform and provide that data to users who request to visit its website. Thus, to scrape LinkedIn data, hiQ must access LinkedIn servers, which are “protected computer[s].” See Nosal II, 844 F.3d at 1050. The pivotal CFAA question here is whether once hiQ received LinkedIn’s cease-and-desist letter, any further scraping and use of LinkedIn’s data was “without authorization” within the meaning of the CFAA and thus a violation of the statute. 18 U.S.C. § 1030(a)(2). If so, hiQ could have no legal right of access to LinkedIn’s data and so could not succeed on any of its state law claims, including the tortious interference with contract claim we have held otherwise sufficient for preliminary injunction purposes. We have held in another context that the phrase “‘without authorization’ is a non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Nosal II, 844 F.3d at 1028. 26 HIQ LABS V. LINKEDIN Nosal II involved an employee accessing without permission an employer’s private computer for which access permissions in the form of user accounts were required. Id. at 1028–29. Nosal II did not address whether access can be “without authorization” under the CFAA where, as here, prior authorization is not generally required, but a particular person—or bot—is refused access. HiQ’s position is that Nosal II is consistent with the conclusion that where access is open to the general public, the CFAA “without authorization” concept is inapplicable. At the very least, we conclude, hiQ has raised a serious question as to this issue. First, the wording of the statute, forbidding “access[] . . . without authorization,” 18 U.S.C. § 1030(a)(2), suggests a baseline in which access is not generally available and so permission is ordinarily required. “Authorization” is an affirmative notion, indicating that access is restricted to those specially recognized or admitted. See, e.g., Black’s Law Dictionary (10th ed. 2014) (defining “authorization” as “[o]fficial permission to do something; sanction or warrant”). Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of “authorization.” Cf. Blankenhorn v. City of Orange, 485 F.3d 463, 472 (9th Cir. 2007) (characterizing the exclusion of the plaintiff in particular from a shopping mall as “bann[ing]”). Second, even if this interpretation is debatable, the legislative history of the statute confirms our understanding. “If [a] statute’s terms are ambiguous, we may use . . . legislative history[] and the statute’s overall purpose to illuminate Congress’s intent.” Jonah R. v. Carmona, 446 F.3d 1000, 1005 (9th Cir. 2006). HIQ LABS V. LINKEDIN 27 The CFAA was enacted to prevent intentional intrusion onto someone else’s computer—specifically, computer hacking. See United States v. Nosal (Nosal I), 676 F.3d 854, 858 (9th Cir. 2012) (citing S. Rep. No. 99-432, at 9 (1986) (Conf. Rep.)). The 1984 House Report on the CFAA explicitly analogized the conduct prohibited by section 1030 to forced entry: “It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering’ . . . .’” H.R. Rep. No. 98-894, at 20 (1984); see also id. at 10 (describing the problem of “‘hackers’ who have been able to access (trespass into) both private and public computer systems”). Senator Jeremiah Denton similarly characterized the CFAA as a statute designed to prevent unlawful intrusion into otherwise inaccessible computers, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.” 11 132 Cong. Rec. 27639 (1986) (emphasis added). And when considering amendments to the CFAA two years later, the House again linked computer intrusion to breaking and entering. See H.R. Rep. No. 99- 612, at 5–6 (1986) (describing “the expanding group of electronic trespassers,” who trespass “just as much as if they broke a window and crawled into a home while the occupants were away”). In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” 11 The CFAA originally prohibited only unauthorized access to government computers. 28 HIQ LABS V. LINKEDIN Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA’s “without authorization” provision adopted by some of our sister circuits. Compare Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016), cert. denied, 138 S. Ct. 313 (2017) (“[A] violation of the terms of use of a website—without more— cannot establish liability under the CFAA.”); Nosal I, 676 F.3d at 862 (“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”), with EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contractual restraints could give rise to a claim for unauthorized access under the CFAA); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases). We therefore look to whether the conduct at issue is analogous to “breaking and entering.” H.R. Rep. No. 98-894, at 20. Significantly, the version of the CFAA initially enacted in 1984 was limited to a narrow range of computers—namely, those containing national security information or financial data and those operated by or on behalf of the government. See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98- 473, § 2102, 98 Stat. 2190, 2190–91. None of the computers to which the CFAA initially applied were accessible to the general public; affirmative authorization of some kind was presumptively required. When section 1030(a)(2)(c) was added in 1996 to extend the prohibition on unauthorized access to any “protected computer,” the Senate Judiciary Committee explained that HIQ LABS V. LINKEDIN 29 the amendment was designed to “to increase protection for the privacy and confidentiality of computer information.” S. Rep. No. 104-357, at 7 (emphasis added). The legislative history of section 1030 thus makes clear that the prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort. As one prominent commentator has put it, “an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web.” Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1161 (2016). Moreover, elsewhere in the statute, password fraud is cited as a means by which a computer may be accessed without authorization, see 18 U.S.C. § 1030(a)(6), 12 bolstering the idea that authorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information. We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to computer information for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer information: (1) information for which access is open to the general public and permission is not required, (2) information for 12 18 U.S.C. § 1030(a)(6) provides: “Whoever . . . knowingly and with intent to defraud traffics . . . in any password or similar information through which a computer may be accessed without authorization, if— (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; . . . shall be punished as provided in subsection (c) of this section.” 30 HIQ LABS V. LINKEDIN which authorization is required and has been given, and (3) information for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to such information, the “breaking and entering” analogue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt. Neither of the cases LinkedIn principally relies upon is to the contrary. LinkedIn first cites Nosal II, 844 F.3d 1024 (9th Cir. 2016). As we have already stated, Nosal II held that a former employee who used current employees’ login credentials to access company computers and collect confidential information had acted “‘without authorization’ in violation of the CFAA.” Nosal II, 844 F.3d at 1038. The computer information the defendant accessed in Nosal II was thus plainly one which no one could access without authorization. So too with regard to the system at issue in Power Ventures, 844 F.3d 1058 (9th Cir. 2016), the other precedent upon which LinkedIn relies. In that case, Facebook sued Power Ventures, a social networking website that aggregated social networking information from multiple platforms, for accessing Facebook users’ data and using that data to send mass messages as part of a promotional campaign. Id. at 1062–63. After Facebook sent a cease-and-desist letter, Power Ventures continued to circumvent IP barriers and gain access to password-protected Facebook member profiles. Id. at 1063. We held that after receiving an individualized cease- and-desist letter, Power Ventures had accessed Facebook computers “without authorization” and was therefore liable HIQ LABS V. LINKEDIN 31 under the CFAA. Id. at 1067–68. But we specifically recognized that “Facebook has tried to limit and control access to its website” as to the purposes for which Power Ventures sought to use it. Id. at 1063. Indeed, Facebook requires its users to register with a unique username and password, and Power Ventures required that Facebook users provide their Facebook username and password to access their Facebook data on Power Ventures’ platform. Facebook, Inc. v. Power Ventures, Inc., 844 F. Supp. 2d 1025, 1028 (N.D. Cal. 2012). While Power Ventures was gathering user data that was protected by Facebook’s username and password authentication system, the data hiQ was scraping was available to anyone with a web browser. In sum, Nosal II and Power Ventures control situations in which authorization generally is required and has either never been given or has been revoked. As Power Ventures indicated, the two cases do not control the situation present here, in which information is “presumptively open to all comers.” Power Ventures, 844 F.3d at 1067 n.2. Our understanding that the CFAA is premised on a distinction between information presumptively accessible to the general public and information for which authorization is generally required is consistent with our interpretation of a provision of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., 13 nearly identical to the CFAA provision at issue. Compare 18 U.S.C. § 2701(a) (“[W]hoever—(1) intentionally accesses without 13 The Stored Communications Act, enacted as part of the Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848, provides privacy protections for e-mail and other electronic communications by limiting the ability of the government to compel disclosure by internet service providers. 32 HIQ LABS V. LINKEDIN authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains . . . unauthorized access to a wire or electronic communication . . . shall be punished . . . .”) with 18 U.S.C. § 1030(a)(2)(C) (“Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished . . . .”). “The similarity of language in [the SCA and the CFAA] is a strong indication that [they] should be interpreted pari passu.” Northcross v. Bd. of Educ. of Memphis City Schools, 412 U.S. 427, 428 (1973); see also United States v. Sioux, 362 F.3d 1241, 1246 (9th Cir. 2004). Addressing the “without authorization” provision of the SCA, we have distinguished between public websites and non-public or “restricted” websites, such as websites that “are password-protected . . . or require the user to purchase access by entering a credit card number.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002); see also id. at 879 n.8. As we explained in Konop, in enacting the SCA, “Congress wanted to protect electronic communications that are configured to be private” and are “‘not intended to be available to the public.’” Id. at 875 (quoting S. Rep. No. 99-541, at 35–36 (1986)). The House Committee on the Judiciary stated, with respect to the section of the SCA at issue, section 2701, that “[a] person may reasonably conclude that a communication is readily accessible to the general public if the . . . means of access are widely known, and if a person does not, in the course of gaining access, encounter any warnings, encryptions, password requests, or other indicia of intended privacy.” H.R. Rep. No. 99-647, at 62 (1986). The Committee further explained that “electronic communications which the HIQ LABS V. LINKEDIN 33 service provider attempts to keep confidential would be protected, while the statute would impose no liability for access to features configured to be readily accessible to the general public.” Id. at 63. Both the legislative history of section 1030 of the CFAA and the legislative history of section 2701 of the SCA, with its similar “without authorization” provision, then, support the district court’s distinction between “private” computer networks and websites, protected by a password authentication system and “not visible to the public,” and websites that are accessible to the general public. Finally, the rule of lenity favors our narrow interpretation of the “without authorization” provision in the CFAA. The statutory prohibition on unauthorized access applies both to civil actions and to criminal prosecutions— indeed, “§ 1030 is primarily a criminal statute.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134 (9th Cir. 2009). “Because we must interpret the statute consistently, whether we encounter its application in a criminal or noncriminal context, the rule of lenity applies.” Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004). As we explained in Nosal I, we therefore favor a narrow interpretation of the CFAA’s “without authorization” provision so as not to turn a criminal hacking statute into a “sweeping Internet-policing mandate.” Nosal I, 676 F.3d at 858; see also id. at 863. For all these reasons, it appears that the CFAA’s prohibition on accessing a computer “without authorization” is violated when a person circumvents a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without 34 HIQ LABS V. LINKEDIN authorization under the CFAA. The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system. HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim. 14 We note that entities that view themselves as victims of data scraping are not without resort, even if the CFAA does not apply: state law trespass to chattels claims may still be available. 15 And other causes of action, such as copyright 14 LinkedIn asserts that the illegality of hiQ’s actions under the CFAA is also grounds for holding (1) that hiQ’s injuries are not cognizable as irreparable harm, (2) that hiQ’s contracts are illegal and so their breach cannot give rise to a cognizable tortious interference with contract claim, and (3) that LinkedIn has a legitimate business interest in asserting its rights under federal law that justifies its interference with hiQ’s contracts. See supra n.10. These contentions are insufficient at this stage for the same reasons LinkedIn’s CFAA preemption position does not preclude preliminary injunctive relief. 15 LinkedIn’s cease-and-desist letter also asserted a state common law claim of trespass to chattels. Although we do not decide the question, see supra pp. 17–18, it may be that web scraping exceeding the scope of the website owner’s consent gives rise to a common law tort claim for trespass to chattels, at least when it causes demonstrable harm. Compare eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058, 1070 (N.D. Cal. 2000) (finding that eBay had established a likelihood of success on its trespass claim against the auction-aggregating site Bidder’s Edge because, although eBay’s “site is publicly accessible,” “eBay’s servers are private property, conditional access to which eBay grants the public,” and Bidder’s Edge had exceeded the scope of any consent, even if it did not cause physical harm); Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 437–38 (2d Cir. 2004) (holding that a company that scraped a competitor’s website to obtain data for marketing purposes likely committed trespass to chattels, because scraping could—although it did not yet—cause physical harm to the plaintiff’s computer servers); Sw. Airlines Co. v. FareChase, Inc., 318 F. Supp. 2d 435, 442 (N.D. Tex. HIQ LABS V. LINKEDIN 35 infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie. See, e.g., Associated Press v. Meltwater U.S. Holdings, Inc., 931 F. Supp. 2d 537, 561 (S.D.N.Y. 2013) (holding that a software company’s conduct in scraping and aggregating copyrighted news articles was not protected by fair use). D. Public Interest Finally, we must consider the public interest in granting or denying the preliminary injunction. Whereas the balance of equities focuses on the parties, “[t]he public interest inquiry primarily addresses impact on non-parties rather than parties,” and takes into consideration “the public consequences in employing the extraordinary remedy of injunction.” Bernhardt v. Los Angeles Cty., 339 F.3d 920, 931–32 (9th Cir. 2003) (citations omitted). As the district court observed, each side asserts that its own position would benefit the public interest by maximizing the free flow of information on the Internet. HiQ points out that data scraping is a common method of gathering information, used by search engines, academic researchers, and many others. According to hiQ, letting 2004) (holding that the use of a scraper to glean flight information was unauthorized as it interfered with Southwest’s use and possession of its site, even if the scraping did not cause physical harm or deprivation), with Ticketmaster Corp. v. Tickets.Com, Inc., No. 2:99-cv-07654-HLH- VBK, 2003 WL 21406289, at *3 (C.D. Cal. Mar. 7, 2003) (holding that the use of a web crawler to gather information from a public website, without more, is insufficient to fulfill the harm requirement of a trespass action); Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1364 (2003) (holding that “trespass to chattels is not actionable if it does not involve actual or threatened injury” to property and the defendant’s actions did not damage or interfere with the operation of the computer systems at issue). 36 HIQ LABS V. LINKEDIN established entities that already have accumulated large user data sets decide who can scrape that data from otherwise public websites gives those entities outsized control over how such data may be put to use. For its part, LinkedIn argues that the preliminary injunction is against the public interest because it will invite malicious actors to access LinkedIn’s computers and attack its servers. As a result, the argument goes, LinkedIn and other companies with public websites will be forced to choose between leaving their servers open to such attacks or protecting their websites with passwords, thereby cutting them off from public view. Although there are significant public interests on both sides, the district court properly determined that, on balance, the public interest favors hiQ’s position. We agree with the district court that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest. Internet companies and the public do have a substantial interest in thwarting denial-of-service attacks 16 and blocking abusive users, identity thieves, and other ill-intentioned actors. But we do not view the district court’s injunction as opening the door to such malicious activity. The district 16 In a denial-of-service (DoS) attack, an attacker seeks to prevent legitimate users from accessing a targeted computer or network, typically by flooding the target with requests and thereby overloading the server. HIQ LABS V. LINKEDIN 37 court made clear that the injunction does not preclude LinkedIn from continuing to engage in “technological self- help” against bad actors—for example, by employing “anti- bot measures to prevent, e.g., harmful intrusions or attacks on its server.” Although an injunction preventing a company from securing even the public parts of its website from malicious actors would raise serious concerns, such concerns are not present here. 17 The district court’s conclusion that the public interest favors granting the preliminary injunction was appropriate. CONCLUSION We AFFIRM the district court’s determination that hiQ has established the elements required for a preliminary injunction and remand for further proceedings. WALLACE, Circuit Judge, specially concurring: I concur in the majority opinion. I write separately to express my concern that “in some cases, parties appeal orders granting or denying motions for preliminary injunctions in order to ascertain the views of the appellate court on the merits of the litigation.” Sports Form, Inc. v. United Press Int’l, Inc., 686 F.2d 750, 753 (9th Cir. 1982); see also California v. Azar, 911 F.3d 558, 583–84 (9th Cir. 2018). For example, here LinkedIn’s counsel suggested that we should address the CFAA question in this appeal for 17 We note that LinkedIn has not specifically challenged the scope of the injunction. 38 HIQ LABS V. LINKEDIN “pragmatic reason[s]” because it “is going to be a significant issue on remand no matter what happens to this injunction.” I emphasize that appealing from a preliminary injunction to obtain an appellate court’s view of the merits often leads to “unnecessary delay to the parties and inefficient use of judicial resources.” Sports Form, 686 F.2d at 753. These appeals generally provide “little guidance” because “of the limited scope of our review of the law” and “because the fully developed factual record may be materially different from that initially before the district court.” Id. The district court here also stayed any effort to prepare the case for trial pending the appeal of the preliminary injunction. We have repeatedly admonished district courts not to delay trial preparation to await an interim ruling on a preliminary injunction. See, e.g., California, 911 F.3d at 583–84. This case could have well proceeded to a disposition on the merits without the delay in processing the interlocutory appeal. Given the purported urgency of the case’s resolution, the parties might “have been better served to pursue aggressively” its claims in the district court, “rather than apparently awaiting the outcome of this appeal” for nearly two years. Id. at 584 (citation omitted).