LinkedIn Sued for Hacking Users and Spamming Contacts

Four LinkedIn members filed a stunning complaint in federal court last week, accusing the professional social networking giant of hacking members’ email accounts in an effort to increase membership and revenues. The plaintiffs, seeking class action status, claimed that LinkedIn surreptitiously harvests email addresses using “open” connections to email accounts such as Yahoo! Mail, Microsoft Mail, Google Gmail, and a number of other web-based email service providers. After doing so, the company sends multiple reminders to the recipients to join, ostensibly on behalf of LinkedIn members.

Summary of the LinkedIn Lawsuit

The lawsuit claims that LinkedIn has been on a massive campaign to boost revenues and its subscriber base. While engaged in this plan, it allegedly violated state computer fraud and abuse laws, the Wiretap Act, the Stored Communications Act and state privacy laws. The gist of the “hacking” allegation is that users may remain logged into web-based email such as Gmail, Yahoo! Mail and others at the same time that they are logged into LinkedIn. During those times, LinkedIn may access the external webmail account (which you have supposedly given them permission to access) to harvest not only emails in your address book but also those contained in your incoming, stored and outgoing email folders.

Some of the notable highlights of the complaint include the following:

  • The Principal Software Engineer at LinkedIn (whose profile states that he is currently on sabbatical from high tech slacking) posted on LinkedIn’s web site that his role is “devising hack schemes to make lots of $$$ with Java, Groovy and cunning at Team Money!”
  • Complaints taken from the LinkedIn website, in which one user is extremely upset that email invitations were sent to a mentally ill individual, inviting her to be a connection (among several others whom the user preferred to keep in the “forget and stay at a distance” category).
  • Assuming a member finds out that invitations are being sent to the email addresses harvested from an external email account, the distraught member must invest an average of 20 seconds to withdraw each invitation and stop subsequent messages from being dispatched.

Private user email addresses are valuable to the company, which uses them to provide its premium “InMail” product. This allows members to send emails to another member who is not a direct link or connection. The company charges users $10 per email for the service and claims that they are far more effective than any other standard email communication. What makes this case even more controversial is that the email invitations to new users give the recipient the impression that they are personal messages, or at least were sent with the knowledge and consent of the LinkedIn member. The company is accused of violating the “credibility factor” that LinkedIn itself promotes as the true value of its own network.

LinkedIn Fails to Follow Legal & Privacy Practices

The complaint includes a detailed explanation of the registration process for new users. It claims that LinkedIn didn’t even follow generally accepted legal practices and those which would be socially acceptable.

[Screenshot: LinkedIn old registration page]

A screen capture of a popup indicates that links to legal policies are not clearly visible when a user signs up and hands over their external email address. Instead, a small asterisk serves as some type of notice that if a user scrolls further down the page, they will be presented with links to view LinkedIn’s User Agreement, Privacy Policy and Cookie Policy. It would appear that this has been remedied in the current version of the registration process, as the box has conspicuously visible text and hyperlinks to the legal policies beside the “Join now” button. However, the social networking giant still departs from the practice of many online services, which require users to take an affirmative action that guarantees that they saw and consent to the terms, such as clicking a checkbox.

The plaintiffs further alleged through their attorneys that the terms of service are extremely vague and fail to adequately inform a new member of the nature of what is actually happening when users consent to sharing their data. This would include having LinkedIn scan their external address book contacts for the limited purpose of determining whether other known people are existing members. This is probably one of the key issues in the complaint: answering the paramount question of “did I even understand what handing over some of my data means?”

A more detailed analysis of the complaint, including a downloadable copy, is available in an article by Jeff John Roberts, an intellectual property lawyer writing for Gigaom.

A Response on the LinkedIn Blog

Blake Lawit, Senior Director of Litigation at LinkedIn, made a bare denial of the allegations in a post called “Setting the Record Straight on False Accusations” dated September 21. It is neither unexpected nor surprising. Lawit insists that members come first at LinkedIn and that the company never conducts any activity (such as accessing your email account or sending messages and invitations) without your permission.

What remains to be seen over the course of this lawsuit is whether “your permission” also includes your knowledge that you were giving permission to LinkedIn to carry out certain activities.

Michael M. Wechsler, Esq.

Internet / Mobile entrepreneur since 1989, Intellectual Property attorney since the mid 1990s, former in-house counsel at iVillage.com, Senior Vice President of Business Strategy at Zedge, Co-Founder of the IDT Internet Mobile Group, E-Discovery expert and legal consultant with Kroll Ontrack, and owner and operator of TheLaw.com