Trove of Online LinkedIn User Data Fuels LinkedIn’s Anti-Scraping Position

Last week, the Italian data protection authority (the “GPDP”) opened an investigation after reports that a dataset allegedly containing data compiled from 500 million LinkedIn profiles and other websites was available for sale on a hacker forum. Apparently, this data represents more than two-thirds of LinkedIn’s estimated 740 million users. The hacker reportedly posted approximately two million records visibly online as evidence of the dataset, and offered to sell the rest for an undisclosed bitcoin payment.

According to a statement by LinkedIn, the company investigated the posting and determined that it is “an aggregation of data from a number of websites and companies,” including publicly viewable LinkedIn member profile data that apparently was scraped from LinkedIn’s site. LinkedIn stated that it was not a data breach because no private member profile data was included in the dataset it was able to review. LinkedIn stated that such scraping of data violated its terms.

The posting of this scraped data immediately reminds us of the ongoing scraping dispute between LinkedIn and data analytics start-up hiQ, Inc. (“hiQ”). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In a prior ruling, the Ninth Circuit affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles. Continue Reading

Tags: hiQ litigation, PUBLIC SOCIAL MEDIA DATA, scraping attack, user privacy, web scraping

Landmark Fair Use Victory at the Supreme Court in Software Case

By Sandra Crawshaw-Sparks, Jonathan Mollod, David Munkittrick, Jeffrey Neuburger and Anisha Shenai-Khatkhate on April 9, 2021 Posted in Copyright, Mobile, Software

In a narrowly drawn, yet significant decision, the Supreme Court reversed the Federal Circuit and ruled that Google LLC’s (“Google”) copying of some of the Sun Java Application Programming Interface (API) declaring code was a fair use as a matter of law, ending Oracle America Inc.’s (“Oracle”) infringement claims over Google’s use of portions of the Java API code in the Android mobile platform. (Google LLC v. Oracle America, Inc., No. 18-956, 593 U.S. ___ (Apr. 5, 2021)). In reversing the 2018 Federal Circuit decision that found Google’s use of the Java API packages was not fair use, the Supreme Court, in a 6-2 decision (Justice Barrett did not take part in the case) found where Google reimplemented the Java user interface, taking only what was needed to allow outside developers to work in a new and transformative mobile smartphone program, Google’s copying of the Sun Java API was a fair use as a matter of law. This decade-long dispute had been previously dubbed “The World Series of IP cases” by the trial court judge, and like many classic series, this one culminated in a winner-take-all Game 7 at the highest court.

Oracle is one of the most notable Supreme Court decisions affecting the software and technology industry in recent memory since, perhaps, the Court’s 2010 Bilski patent opinion, its 2012 Jones decision on GPS tracking, privacy and the Fourth Amendment and its 2005 Grokster decision on copyright inducement in the peer-to-peer network context, and certainly the most notable decision implicating fair use since its well-cited 1994 Campbell decision that expounded on the nature of “transformative” use. It was no surprise that this case attracted a stack of amicus briefs from various technology companies, organizations, and academia. In the months following oral argument, it was difficult to discern how the Court would decide the case – would it be on procedural grounds based on the Federal Circuit’s standard of review of the jury verdict on fair use, on the issue of the copyrightability of the Java API packages, directly on the fair use issue, or some combination. The majority decision is a huge victory for the idea that fair use in the software context is not only a legal defense but a beneficial method to foster innovation by developing something transformative in a new environment on top of the functional building blocks that came before. One has to think hard to recall an opinion involving software and technology that referenced and applied the big picture principles of copyright – “to stimulate artistic creativity for the general public good,” as the Supreme Court once stated in a prior case – so indelibly into the fair use analysis.

The decision is also notable for the potential impact on copyright’s “transformative use test.” By considering Google’s intent for using the Java API code, the Court’s discussion of what constitutes a “transformative” use appears to diverge somewhat from recent Circuit Court holdings outside the software context. The decision may redirect the transformative use analysis going forward, or future decisions may cabin the holding to the software context. Continue Reading

Tags: Android platform, API copyrightability, APi declaring code, appeals, fair use, fair use factors, functional code, interface software, Java API packages, software, Supreme Court, transformative use

Noteworthy Trends in Privacy and Data Security

By Jeffrey Neuburger and Jonathan Mollod on March 22, 2021 Posted in Data Security, Privacy

Our Practical Law article, “Trends in Privacy and Data Security: 2020,” has recently been published. The article provides an overview of the past year’s privacy and data security legal developments and predictions to look out for in 2021.

Tags: CALIFORNIA CONSUMER PRIVACY ACT (CCPA), COVID-19, CPRA, Cybersecurity, data security, EU-US PRIVACY SHIELD, FTC enforcement, PRIVACY LAW, PRIVACY LITIGATION, State Privacy Enforcement, State Privacy Legislation

Mobile App Platform Entitled to CDA Immunity over State Law Claims Related to In-App Purchases of Loot Boxes

By Jeffrey Neuburger and Frances P. Kelley on March 17, 2021 Posted in Mobile, Online Commerce, Social Media

Happy Silver Anniversary to Section 230 of Communications Decency Act (“CDA” or “Section 230”), which was signed into law by President Bill Clinton in February 1996. At that time, Congress enacted CDA Section 230 in response to case law that raised the specter of liability for any online service provider that attempted to moderate its platform, thus discouraging the screening out and blocking of offensive material. As has been extensively reported on this blog, the world of social media and user-generated content is supported by protections afforded by Section 230. Now, 25 years later, the CDA is at a crossroads of sorts and its protections have stoked some controversy. Yet, as it stands, Section 230 continues to provide robust immunity for online providers.

In a recent case, Google LLC (“Google”) successfully argued for the application of Section 230, resulting in a California district court dismissing, with leave to amend, a putative class action alleging consumer protection law claims against the Google Play App Store. The claims concerned the offering for download of third party mobile video games that allow users to buy Loot Boxes, which are in-app purchases that contain a randomized assortment of items that can improve a player’s chances at advancing in a videogame. The plaintiffs claimed these offerings constituted illegal “slot machines or devices” under California law. (Coffee v. Google LLC, No. 20-03901 (N.D. Cal. Feb. 10, 2021)). Continue Reading

Tags: CDA immunity, CDA reform, CDA Section 230, emerging technology, gambling, loot boxes, mobile gaming, mobile platform

Group of Democratic Senators Release Latest CDA Reform Bill

By Jeffrey Neuburger on February 15, 2021 Posted in Internet, Legislation, Online Content, Social Media

With the change in administrations in Washington, there has been a drive to enact or amend legislation in a variety of areas. However, most initiatives lack the zeal found with the bipartisan interest in “reining in social media” and pursuing reforms to Section 230 of the Communications Decency Act (CDA). As we have documented,, the parade of bills and approaches to curtail the scope of the immunities given to “interactive computer services” under CDA Section 230 has come from both sides of the aisle (even if the justifications for such reform differ along party lines). The latest came on February 5, 2021, when Senators Warner, Hirono and Klobuchar announced the SAFE TECH Act. The SAFE TECH Act would limit CDA immunity by enacting “targeted exceptions” to the law’s broad grant of immunity. Continue Reading

Tags: CDA immunity, CDA reform, CDA Section 230, online platforms, regulation of online content, SAFE TECH Act, third party content, U.S. Senate

Southwest Airlines Sues to Stop Web Scraping of Fare Information

By Jeffrey Neuburger on January 21, 2021 Posted in Contracts, Internet, Online Commerce, Screen Scraping

On January 14, 2021, Southwest Airlines Co. (“Southwest”) filed a complaint in a Texas district court against an online travel site, Kiwi.com, Inc. (“Kiwi”), alleging, among other things, that Kiwi’s scraping of fare information from Southwest’s website constituted a breach of contract and a violation of the Computer Fraud and Abuse Act (CFAA). (Southwest Airlines Co. v. Kiwi.com, Inc., No. 21-00098 (N.D. Tex. filed Jan. 14, 2021)). Southwest is no stranger in seeking and, in most cases, obtaining injunctive relief against businesses that have harvested its fare data without authorization – ranging as far back as the 2000s (See e.g., Southwest Airlines Co. v. BoardFirst, LLC, No. 06-0891 (N.D. Tex. Sept. 12, 2007), and as recently as two years ago, when we wrote about a 2019 settlement Southwest entered into with an online entity that scraped Southwest’s site and had offered a fare notification service, all contrary to Southwest’s terms.

According to the current complaint, Kiwi operates an online travel agency and engaged in the unauthorized scraping of Southwest flight and pricing data and the selling of Southwest tickets (along with allegedly charging unauthorized service fees), all in violation of the Southwest site terms. Upon learning of Kiwi’s scraping activities, Southwest sent multiple cease and desist letters informing Kiwi of its breach of the Southwest terms. It demanded that Kiwi cease scraping fare data, publishing fares on Kiwi’s site and using Southwest’s “Heart” logo in conjunction with the selling of tickets. Kiwi responded and sought to form a business relationship, an overture that Southwest refused. According to Southwest, when discussions failed to yield a resolution, Kiwi allegedly continued its prior activities, prompting the filing of the suit. Continue Reading

Tags: breach of contract, browsewrap, CFAA, commercial party, fare information, public website data, unauthorized access, web scraping

How to Respond to the SolarWinds “Orion” Supply Chain Attack

By Jeffrey Neuburger, Ryan P. Blaney, Margaret A. Dale and Nolan Goldberg on December 21, 2020 Posted in Contracts, Data Security, Software

As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely-used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely-used by both public and private sector companies.

The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which would allow it to bypass firewalls and other security measures, thus making it an enviable target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.

The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion. However, the number of organizations impacted may be even higher. Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers. And as a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.

It is important to note, however, that even though a business may have the malicious code integrated into their network, they may not yet have suffered an actual breach or intrusion. “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to invoke their ability to invade every impacted network in all potentially impacted cases.

While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation. While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note merely because an affected organization may have closed the initial vulnerability, it should not declare itself as contained too quickly as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.

There are two sobering consequences from this recognition. First, if an organization determines that it installed the corrupted version of Orion, an organization’s investigation may need to be very broad in nature. Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that was undiscovered at the time of detection. Accordingly, it may be necessary to revisit prior incidents thought long resolved. Continue Reading

Tags: breach notification, forensic investigation, SolarWinds cyberattack response, SolarWinds incident response, SolarWinds response checklist, SolarWinds supply chain attack

Mobile Platforms to Block Data Broker from Collecting User Location Data

By Jeffrey Neuburger on December 11, 2020 Posted in Mobile, Privacy, Technology

On December 9, 2020, the Wall Street Journal reported that Apple and Google will block the data broker X-Mode Social Inc. (“X-Mode”) from collecting location data from iPhone and Android users. Apple and Google have reportedly informed app developers to remove the X-Mode social tracking SDK from all of their apps within a short period of time or risk removal from the platforms’ app stores. This action apparently was prompted by reports that X-Mode was selling location data to certain defense contractors and government entities.

The WSJ report suggests that Apple and Google notified Senator Ron Wyden about this action. Senator Wyden and a group of other Senators have been soliciting government inquiries over the last several months into the sale of location data to government contractors and agencies. It is Senator Wyden’s position that such sales of users’ location data by commercial data brokers to government entities are unlawful without a warrant (citing the Supreme Court case, Carpenter v. United States, 138 S.Ct. 2206 (2018), which held that the acquisition of cell-site location information was a Fourth Amendment search).

Senator Wyden’s scrutiny over such practices does not seem to be limited to sale of location data to government sources, but more so toward the wider data tracking ecosystem. He was one of the senators that earlier this year sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Yodlee’s financial data collection practices were violating the FTC Act (a request which led to at least one civil investigative demand being issued by the FTC to Yodlee and a putative class action suit over such practices). In the WSJ article, Wyden is quoted as stating: “Apple and Google deserve credit for doing the right thing and exiling X-Mode Social, the most high-profile tracking company, from their app stores. But there’s still far more work to be done to protect Americans’ privacy, including rooting out the many other data brokers that are siphoning data from Americans’ phones.” Continue Reading

Tags: app developer terms, data analytics, data brokers, digital marketing, geolocation data, mobile platform terms, mobile user data, social tracking

New York’s Automatic Renewal Law Coming in February 2021: New Compliance Issues to Follow

By Jeffrey Neuburger on December 4, 2020 Posted in Contracts, Legislation, Online Commerce

New York has enacted a new law, effective February 9, 2021, regulating automatic renewal and some “free trial” type agreements. While some organizations may have already taken steps to be in compliance with industry requirements, the federal Restore Online Shoppers’ Confidence Act (ROSCA), and similar auto-renewal laws in place in California and other states, all businesses should review their practices to ensure compliance with this new law.

The New York law is, in many ways, modelled after California’s comprehensive auto-renewal law. (See Cal. Bus. & Prof. Code § 17600 et seq.). With such a legislative template in mind, on November 11, 2020, New York’s Governor Cuomo signed into law S1475, which amends the General Business Law to enact New York’s own strict auto-renewal law. S1475 includes broad consumer protection requirements and imposes notice and transparency requirements regarding offer terms and cancellation options for automatic renewal plans and arrangements.

The new law is relevant to all consumer-facing businesses that might enter into automatic renewal or continuous service agreements, such as online businesses, media companies, subscription-based companies (including software providers), and many more entities in the consumer space.

For an in-depth discussion of the new law, please see our Client Alert posted on Proskauer’s website.

Tags: automatic renewal law, free trials, new legislation, New York auto-renewal law, online subscriptions

Supreme Court Hears Oral Argument in Its First CFAA Case

By Jeffrey Neuburger on December 1, 2020 Posted in Computer Fraud and Abuse Act, Data Security, Screen Scraping

On November 30, 2020, the Supreme Court held oral argument in its first case interpreting the “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA). The CFAA in part prohibits knowingly accessing a computer “without authorization” or “exceeding authorized access” to a computer and thereby obtaining information and causing a “loss” under the statute. The case concerns an appeal of an Eleventh Circuit decision affirming the conviction of a police officer for violating the CFAA for accessing a police license plate database he was authorized to use but used instead for non-law enforcement purposes. (See U.S. v. Van Buren, 940 F. 3d 1192 (11^th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)). The issue presented is: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”

The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason. He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies. During oral argument, Van Buren’s counsel suggested that such a wide interpretation of the CFAA was turning the statute into a “sweeping Internet police mandate” and that the Court shouldn’t construe a statute “simply on the assumption the government will use it responsibly.” In rebuttal, the Government countered that Van Buren’s misuse of access for personal gain was the type of “serious breaches of trust by insiders” that statutory language is designed to cover. Continue Reading

Tags: CFAA criminal liability, CFAA liability, circuit split, exceeds authorized access, narrow CFAA interpretation, screen scraping, Supreme Court review, unauthorized access