Ancora sul c.d. data scraping: i dati pubblici dei profili Linkedin possono essere utilizzati da terzi

Interessante decisione di appello (di rimando dalla Suprema Corte) nella lite HiQ Labs c. Linkedin da parte del 9° circuito, 18.04.2022, 3:17-cv-03301-EMC (link fornito dal blog del prof. Eric Goldman) sulla questione della liceità dello scraping (raschiare/grattare) automatizzato (tramite bot) di dati presenti nei profili Linkedin pubblici.

Linkedid (L.)  è scocciata per la raccolta dei dati dei suoi utenti da parte di HiQ che li usa per fornire offerte di profilazione ad aziende (ove è di fatto in concorrenza con la stessa L.) e tenta di bloccare la pratica.

Allo stato però in via cautelare (preliminary injunction) è ritenuta più probabilmente legittima che uillegittima.

Si v. spt. il § B Balance of equities, p. 17 ss sul bilanciamento dei reciproci danni probabili : In short, even if some users retain some privacy interests in their information notwithstanding their decision to make their profiles public, we cannot, on the record before us, conclude that those interests—or more specifically, LinkedIn’s interest in preventing hiQ from scraping those profiles—are significant enough to outweigh hiQ’s interest in continuing its business, which depends on accessing, analyzing, and communicating information derived from public LinkedIn profiles, p. 19.

Poi la corte affronta il merito cautelare (likelihood of success), p. 20 ss, favorevole ad HiQ sia per l’azione di tortious interference che per il CFAA.

Sulla prima (interferenza di L. sui rapporti contrattuali di HiQ con i suoi clienti): Balancing the interest in contractual stability and the specific interests interfered with against the interests advanced by the interference, we agree with the district court that hiQ has at least raised a serious question on the merits of LinkedIn’s affirmative justification defense … or all these reasons, LinkedIn may well not be able to demonstrate a “legitimate business purpose” that could justify the intentional inducement of a contract breach, at least on the record now before us. We therefore conclude that hiQ has raised at least serious questions going to the merits of its tortious interference with contract claim. Because such a showing on the tortious interference claim is sufficient to support an injunction prohibiting LinkedIn from selectively blocking hiQ’s access to public member profiles, we do not reach hiQ’s unfair competition claim.(p. 24-5 e 26/7).

Sulla seconda (Computer Fraud and Abuse Act (CFAA) ): il requisito di legge sull’accesso a computer altrui <<without authorization >> non si rifeisce al caso in cui i dati siano volutamente resi pubblici: <<We therefore conclude that hiQ has raised a serious question as to whether the reference to access “without authorization” limits the scope of the statutory coverage to  computers for which authorization or access permission, such as password authentication, is generally required. Put differently, the CFAA contemplates the existence of three kinds of computer systems: (1) computers for which access is open to the general public and permission is not required, (2) computers for which authorization is required and has been given, and (3) computers for which authorization is required but has not been given (or, in the case of the prohibition on exceeding authorized access, has not been given for the part of the system accessed). Public LinkedIn profiles, available to anyone with an Internet connection, fall into the first category. With regard to websites made freely accessible on the Internet, the “breaking and entering” analog ue invoked so frequently during congressional consideration has no application, and the concept of “without authorization” is inapt >>.    Soluzione esatta, direi (pur se relativo al diritto usa; da noi ad es. si v. il chiaro disposto dell’art. 615 ter c. pen.).