Ask HN: LinkedIn sent me a cease and desist for my Chrome extension. Help?
I'm the creator and solo developer behind Browserflow, a Chrome extension that lets you automate any website. (Show HN from around a year ago: https://news.ycombinator.com/item?id=29254147). Basically, it's a general-purpose browser automation tool like Selenium/Puppeteer/Playwright that anyone can use without writing code.
The Browserflow website includes examples of automations people often request, including scraping popular websites like LinkedIn. A few days ago, I received a cease and desist letter from LinkedIn: https://browserflow.app/linkedin.pdf
As a one-man operation with modest resources, I'm hoping I can get some help from the HN community in understanding what this means to avoid getting sued into oblivion. :)
At first I thought that I'd be fine if I removed all references to LinkedIn from the Browserflow website, but I'm not so sure about that. One of LinkedIn's demands is to “Cease and desist developing, offering, or using software or programs with features developed, marketed, or intended for automating activity on LinkedIn’s website or app, scraping LinkedIn member data, or otherwise violating the LinkedIn User Agreement”.
Even if I removed all the LinkedIn examples, Browserflow could still be used to automate or scrape LinkedIn because, well, it's a browser automation tool. Is LinkedIn demanding that I stop developing Browserflow altogether?
The letter cites hiQ Labs, Inc. v. LinkedIn Corp as the legal precedent for why Browserflow is in violation, but there are some differences between hiQ and Browserflow that I thought might be meaningful:
1. Browserflow is not designed specifically for scraping LinkedIn: It's a tool for general-purpose browser automation, not a service that scrapes LinkedIn and resells the data.
2. Browserflow does not scrape LinkedIn on its own: Any automation of LinkedIn is initiated by the user using their own LinkedIn account.
2. Browserflow does not create or use fake LinkedIn accounts.
I'd be fine with removing all the LinkedIn examples from the website, but I'd like to continue building Browserflow because I love working on it and it's my livelihood. I'd appreciate any advice or help. Thanks!
153 comments
[ 4.4 ms ] story [ 47.3 ms ] threadYou're asking random internet weirdos for business legal advice when you should definitely be contacting your lawyer instead.
It may not be a system that is geared towards fair play, but if you want to play at all, you really should have a lawyer, too.
Since they invented restaurants.
If you want a meal made for you, you go to the business and ask for a meal. If you want someone to lawyer for you, you go to the business and ask for some lawyering.
"I'm hungry"
"Ask your chef to cook you something."
So why do we hear this in law?
I once got asked to sign a stupid contact. I was pretty sure it was not enforceable, and if I didn't sign I'd be fired and make an annoying enemy.
Me and 3 other guys piled in and hired a lawyer for like an hour to have him look it over and tell us if we should sign it or quit.
In the end, my split was $200 or so, and I didn't really learn anything that googling hadn't already told me. I signed it and then quit on my own terms a couple months later.
Not many people these days, even devs, who will just chuck around money like this for far too little marginal benefit over (as someone else in a comment said) "asking randos on the internet".
And if presented with the same scenario again, I'd probably do it again, though probably with some chagrin.
But my point is, $200 isn't a ton but it's not nothing, and if you're already potentially going to be fucked, the probability of $200 being in the "not nothing" category is probably higher. And if it wasn't something a few other people were stuck with too, it'd have been quite a bit more. (Hard to figure the exact bill because one of us decided to talk to him for a lot longer to check on some specific things, so we just venmo'd him for what he thought our % of it was).
So - I guess what I mean is - even for fairly privileged people, "just check with a lawyer" is not something you "just" do.
And I find it super annoying that assholes (like LinkedIn for OP, and the person who was forcing me to sign the contract) can just write shit down and throw it at you and then you're supposed to spend $500+ to check them on their bullshit or you're the one in hot water.
(Though, that said, OP's example isn't perfect because using the LI logo probably should've been a "hmm wait a sec" moment for him. But also if all LI emailed him about was "stop using the logo" then he similarly probably wouldn't be feeling the need to seek legal counsel).
I wouldn't bother trying to fight it as a one-person operation. Just accept that life is unfair and carry on. Unless that is you feel very strongly about it and am prepared to sacrifice yourself and future income and potentially employment prospects for the cause.
Good luck.
The OP should absolutely be very afraid because they’re posing a threat to LinkedIn’s hundreds of millions of dollars in revenue from a very vulnerable position. Bankruptcy is brutal and expensive, the OP’s focus should be on avoiding litigation no matter what: telling LinkedIn to suck it is not an option, and bankruptcy is not the “oops hehe bad roll I’ll try again” option you portray it to be.
[0] https://en.wikipedia.org/wiki/Chapter_11,_Title_11,_United_S...
Invert this: protect your assets before considering bankruptcy. As "the creator and sole developer" OP may not get any liability protection from their LLC.
Showing people examples of a website really looks like you're advertising that your extension will work with that site, and it's probably not too far from successfully arguing intent. So begin by getting rid of that.
Maybe add a couple disclaimers:
"The terms of service of some websites do not allow automated workflows. This extension is not intended to be used to collect data in contradiction to a site's Terms of Service. Please thoroughly read and understand the site's Terms of Service before using this extension. [Developer] cannot assume any responsbility for any action a website may take against you or your account as a result of the use of this tool."
And for future reference, be very careful when promoting the way that people are using your product: plausible deniability is your friend.
That seems like excellent advice. After looking at the examples on the site, I'm kinda surprised LinkedIn is the only company that's complaining. It'd be safer to make some leading suggestions to get people thinking of all the interesting things they could automate, but without ever using names, company specific-terminology, etc. Otherwise this arguably isn't a general purpose tool, it's advertising specific features.
My understanding of the LinkedIn v HiQ case is that it's legal to scrape public pages no matter what is in the website terms.
Scraping "privet" pages can be illegal as you have had to explicitly agree to the terms.
Your users would be breaking those terms, not you, as they do it on their own machine. As the parent said, just remove all reference to LinkedIn and you can move on.
There is some kind of cloud stuff here though.
https://blog.ericgoldman.org/archives/2022/12/as-everyone-ex...
https://blog.ericgoldman.org/archives/2022/12/hello-youve-be...
However, they were civilly liable for breaking LinkedIn’s terms of service.
Furthermore, do not assume that a ruling pertaining to hiQ is relevant to you without doing further research.
(This comment is targeted at people browsing HN for entertainment. I am not a lawyer and I don’t know what I’m talking about.)
Summary judgment was granted on behalf of LinkedIn against hiQ Labs for breach of contract. Summary Judgment was denied against hiQ Labs on its CFAA claims. So the court ruled that hiQ breached LinkedIn's contract.
The parties settled their dispute with hiQ Labs agreeing to court-imposed injunction to never again scrape LinkedIn and by paying LinkedIn $500k.
Despite the headlines, the final resolution of these disputes was a win for LinkedIn, not hiQ.
For the longer version, read the posts above.
I think your analysis is pretty much spot-on, but I would ask you as a lawyer to answer this hypothetical:
If hiQ had scrupulously and categorically avoided ever using logged-in accounts (as opposed to the facts claimed re 'Turkers') would LinkedIn still have had the leverage to shut us down?
Also note that LinkedIn, as part of its strategy to force us to settle, threatened to permanently delete the _personal_ LI accounts of everyone who worked at hiQ. How does that sit with you ethically, knowing that a LinkedIn account is precisely what you must have in this business, especially when your company shuts down and you need to seek employment?
That's pretty shady re: the threat to permanently delete the personal accounts. But it's also not surprising. At this point LinkedIn and their fellow social media cohorts are emboldened by these recent decisions and they're on the warpath. People need to be careful out there.
They could put warnings on them, though - much as they do with plastic bags. I'd sure feel safer.
There was a recent piece of caselaw relating to scraping, in USA, IIRC. I seem to remember it was allowed for user accessible areas.
I'm not sure LinkedIn have a legal basis for their complaint, but of course that won't stop them.
This is not legal advice and does not relate to my employment.
Some thug came out of some building telling me I was not allowed to take any pictures.
I told him to get lost. and he said "Policy is that you cannot take pictures"
I said "I am standing on public property. If I can see it with my eyes from where I am standing in public, then I can take pics of it. Get lost."
Same goes for scraping a site: If I can see it in open public from any browser anywhere on the globe: that is open data. I dont give a shit what lawyers or companies think in this regard.
The term "walled garden" exists - if you want your shit hidden... then dont make it available to the open web.
I would be surprised if their letter has any teeth besides scaremongering.
get an opinion from legal, i am definitely not a lawyer.
It is not clear how is it that your company is violating their user agreement, when it is the users using the extension that are. The extension on its own does nothing? This is my very layman reaction and first thing I would seek to understand better from legal council.
> Cease and desist developing, offering, or using software or programs with features developed, marketed, or intended for automating activity on LinkedIn’s website or app, scraping LinkedIn member data, or otherwise violating the LinkedIn User Agreement;
> Cease and desist marketing or advertising Browserflow as a tool or service to be used in a manner that violates LinkedIn’s User Agreement, or promoting Browserflow in any way that represents or suggests functionality or features that can be used to violate LinkedIn’s User Agreement;
> Cease and desist violating LinkedIn’s intellectual property rights by removing from all Browserflow materials all unauthorized uses of logos likely to cause confusion with LinkedIn’s trademark; and
> Affirm in writing that you will not engage in any violations of the LinkedIn User Agreement in the future.
Just remove all LinkedIn examples and tell them you will stop marketing it as a LinkedIn scraping tool in the future. I don't know your extension if you make any "significant" money then get a real lawyer to look it over.
This seems like the weirdest one to me. I mean if they don’t have a LinkedIn user account, why should they abide by the User Agreement?
In any case, LinkedIn accounts are clickwrapped in the EULA, and you can't build a scraper for stuff behind their auth wall - which, I believe as a direct response to LinkedIn vs. HiQ, is more or less everything they serve - without being able to get past it yourself. So the question of whether or not OP has agreed to the EULA, which LinkedIn complains Browserflow is marketed in part to violate, isn't remotely germane to a meaningful discussion of the issue.
I mean if they have a contract with LinkedIn and they are violating it, they should stop lol. Since they make money from the tool apparently, and LinkedIn accounts are worthless, I’d probably stop violating the contract by terminating my LinkedIn account.
LinkedIn is being a lot more generous here than they really need to be. Getting an Ask HN to the front page about it wasn't terribly smart, but then this is why the only good advice for OP in this thread is "talk to a lawyer", which anyone who's already incorporated an LLC really should not need telling, but whatever.
(I also think we're talking past one another, which tends to happen when I participate in discussions like this. I'm not a lawyer, but when you spend long enough sleeping with someone who is, it's amazing what you pick up - and how many silly notions originating in the assumption that 'law is really just a kind of code, right?' you find yourself perhaps ungently disabused of.)
Lawyer/legal time is costly, they probably didn't look into it too deep, they just saw the LinkedIn logo with "Scrape LinkedIn" written next to it on OP's main page.
The demands seem pretty reasonable in this case, I'd probably accede.
> You agree that by clicking “Join Now”, “Join LinkedIn”, “Sign Up” or similar, registering, accessing or using our services (described below), you are agreeing to enter into a legally binding contract with LinkedIn
in other words, anyone that "access[es] or us[es]" their services are agreeing to the contract. This definitely includes what OP is doing.
[1]: https://www.linkedin.com/legal/user-agreement#introduction
Not a lawyer, but that is ridiculous. You'd have to accept the terms to even be permitted to read the terms, as they are hosted on linkedin.com.
Bob would have to agree. And Bob would have to be getting _something_ out of it.
(I'm not a lawyer)
I know law doesn’t work that way, but it doesn’t make it non-absurd either.
Edit: I remember from my childhood public transport “artists” who could enter a train, perform their “art” and then demand money “because I’ve seen that you watched it”. Not exactly the same, but strong vibes.
“I’ll never do it again” may help decrease the punishment if this ends up in court, but why would you promise that now? IANAL, certainly not for every jurisdiction on earth, but I would think that’s risky from your side in that you’d have to agree to their user agreement, even if, in the future, they put things in it that aren’t legally enforceable.
Remove all linked in examples, and indicate that you will not include them in your docs again
I wouldn't admit to writing or advertising this as a linkedin scraping tool regardless of if that was my original intention or not
IANAL, this is not legal advice, etc.
Not a lawyer, either.
people get the meaning without directly naming them.
Linkedin vs hiQ was about the ability to scrape public data. (https://calawyers.org/privacy-law/ninth-circuit-holds-data-s...)
Pretty much everyone agrees that you need to follow the Linkedin terms if you are logged in, and those say no scraping. Your site has examples of scraping data from logged-in pages.
Normally you could say "it's just a tool, there are legit uses, go after the users", like in the Betamax case: https://en.wikipedia.org/wiki/Sony_Corp._of_America_v._Unive....
By including examples of breaking the Linkedin ToS on your site though, you might have opened yourself up to some kind of claim, maybe tortuous interference. I don't really know though, you should get a lawyer to look for you.
Again, I am not a lawyer, do not trust me, I am just some idiot who likes to read about copyright law about the internet on the internet. Get your own lawyer.
https://www.natlawreview.com/article/court-finds-hiq-breache...
What is clear is that Linkedin is not playing around about logged-in scrapping.
2) It does sound like your app is more general, like you say, similar to browser automation tools or AutoHotKey. The user requests are not coming from an IP you control. Remove references / examples to LinkedIn for sure. This is basically what they are asking you to do. Talk to a lawyer
Side note, I thought LinkedIn lost that case on appeal, and after being sent back down from the Supreme Court for re-evaluation.
https://www.zdnet.com/article/court-rules-that-data-scraping...
https://blog.ericgoldman.org/archives/2022/12/hello-youve-be...
As I understand it, OP built a no-code browser automation extension, which can be used to create a LinkedIn automation. It does not come with this ability out of the box, though it seems easy to install: https://browserflow.app/shared/1ac2a868-02ac-4435-a91f-b0203...
I'm not convinced that LinkedIn has a solid case for Cease and Desist. The court didn't find that someone cannot _build_ such a tool, only that they cannot run it (_conditions & nuances_). OP is not running any such scraping service (except maybe during development), and it is in fact a user of the browser extension who would be violating the ToS. This is not unique to Browserflow and the same situation could exist for any browser automation tool.
That being said, LinkedIn (Microsoft) could bury OP in legal fees, so decide if you want to die on that hill...
Maybe OP could create a community hub and use 230 to shield them self from user submissions of LinkedIn automations?
>Even if I removed all the LinkedIn examples, Browserflow could still be used to automate or scrape LinkedIn because
Technically you can block it from being used on LinkedIn. But all they ask is not advertise that can do it. (And remove any trademarks of course.)
This is like building a bomb, publishing instructions, shipping the chemicals to the customer’s door, "building it for the customer" for a fee, and still claiming no responsibility.
IANAL, but… it would certainly sound sketchy to the least litigious lawyer in a room.
1. Recognize that they have requested exactly four specific actions from you (bullet points, second page)
2. Do not follow the 4th bullet point, affirming in writing any future conduct only opens you up to liability. (By affirming, you'd create some agreement that they could later make hay about you breaching if they're not happy with your future conduct.)
3. Follow the 3rd bullet point rigorously. They do have a claim on Trademark infringement, and that will hold up well enough. Clean it up ASAP.
4. Take a legal position on where you stand vis-a-vis the LinkedIn User Agreement.
- BrowserFlow (or Road to Ramen LLC) is not a party to that agreement, so you can argue that you're not bound by it. The individual person who is using BrowserFlow is, since they have a LinkedIn account.
- If you want to play it safe, remove the LinkedIn examples from your website. (Bullet two.)
- I would not change the existing functionality of BrowserFlow -- my view here is that this is general-purpose tech and BrowserFlow doesn't have an agreement with LinkedIn. Any consequence of misuse of BrowserFlow is on the end-user, not you. (As spelled out by the terms at https://browserflow.app/terms, which contain a limitation of liability section.)
Do prepare for your LinkedIn account to be banned though.
From all the recruiter spam I've received over the years, I almost see that as a good thing.
I am not a lawyer. I deal in this area, but I have lawyers--lots of lawyers--and my primary recommendation is that if you work in this space you have a lawyer.
I am going to tell you something, though, about this cease and desist. From the perspective of it effectively being "advice", I encourage you to consider it a "this is the minimum level of damage they can do to you": I am not saying there aren't interesting things that I don't know off--that's like, why we have lawyers--that would really screw you. I also haven't analyzed your extension in any way to know anything about your situation other than what you wrote.
> Cease and desist developing, offering, or using software or programs with features developed, marketed, or intended for automating activity on LinkedIn’s website or app, scraping LinkedIn member data, or otherwise violating the LinkedIn User Agreement.
The user agreement is an agreement that has limited consideration and limited recourse. Typically, they can take their balls back and send you home (it's their court, so they don't have to leave), so if they want to they can terminate your account... it isn't illegal to violate the terms of even a well-accepted and carefully done contract (which terms of service ain't), but the recourses for such a limited consideration is also pretty limited, and they know this enough that it even says it in the agreement: they can terminate your account.
If this were me, I barely use LinkedIn. I haven't had a normal looking job in forever and I have no interest in getting one ever again. I don't care about my profile (despite updating it every decade or so) and I only check for new connections and messages once every year or so. I really only use the service for cyberstalking, and never understood why people care so much about it. If they wanted to terminate my account, well, "big whoop", right? I'd tell them to go pound sand. Hell: that user agreement--which they are really trying to make legit--seriously says you can terminate it at any time (in exchange for your account being terminated).
But maybe you like LinkedIn and need your account. If that's the case, you should cease and desist and maybe even try to apologize while pleading a lack of knowledge of what you were doing or why it was a problem. (But of course, if they then terminate your account, come back with a literal vengeance and refuse to deal with them until they give you back your account.) But like, just realize: you likely aren't coming out of this one with a LinkedIn account if you want to keep developing this extension. FWIW, I have definitely done stuff like this for years despite large companies with lawyers wishing they could stop me.
That said, you also might get sued. You can always get sued: that's how our legal system works. They might not have a case, and maybe you can get it thrown out, but that's a leap. You should have a lawyer, and they can advice you on the risks of that. But I can say: if you can't afford to sit around in court for a year arguing with them about this, you might be playing in the wrong league, as the court system in the United States requires you to be prepared at any time to pay to be in court and very much assumes anyone doing commercial activity has a lawyer.
Again: I am not a lawyer. For all I know, you are also violating the CFAA or a law I have never heard of. I have not seen your e...
First, talk to a lawyer. LinkedIn is highly litigious about scraping, and browser plugins often fall in that category. The law isn't settled on the issue at all, and here's a law firm (Farella Braun + Martel) article about HiQ vs LinkedIn from just a few weeks ago: https://www.fbm.com/publications/what-recent-rulings-in-hiq-...
You have time to get a consultation and draft a response; the language in use is overly broad in the letter and intentionally so. This is to be rebutted and basically tell them "you will stop advertising that it _can_ scrape LinkedIn, but LinkedIn cannot outright ban any tool that might be used for scraping as that's not their right." A real attorney will write this in a very nice way with proper wording that you will stop advertising that it can scape LinkedIn but they can stuff the other parts of the demands wherever is convenient for them.
It will cost a bit of money regrettably, but it should be manageable.