paidContent » wiretap act

LinkedIn is “breaking into” user emails, spamming contacts – lawsuit

Jeff John Roberts — Sat, 21 Sep 2013 15:03:01 +0000

In a damning class action complaint, LinkedIn users are accusing the company of “tunneling” into their email accounts in order to repeatedly spam anyone who has ever had had contact with them.

The complaint, filed this week in Los Angeles, accuses LinkedIn of violating laws related to hacking, wire-tapping and false endorsements. Users say the social network’s marketing practices have given rise to fear and embarrassment as a result of emails sent to business associates, ex-spouses and, in one instance, a mentally ill former contact.

The claims draw attention both to email privacy rights, and to the tactics underlying LinkedIn’s aggressive growth strategy.

Update: LinkedIn has responded with a blog post that states, ”Claims that we “hack” or “break into” members’ accounts are false.”

“Breaking into” email accounts

According to the complaint, LinkedIn prompts users to enter an email address, and then uses the information to download every account from a user’s account such as Gmail or Yahoo. LinkedIn is allegedly able to do this so long as the user are logged into the email provider; if they are not, LinkedIn suggests they log-in:

users sign up for LinkedIn they are required to provide an external email address as their username and to setup a new password for their Linkedln account. LinkedIn uses this information to hack into the user’s external email account and extract email addresses. If a LinkedIn user leaves an external email account open, LinkedIn pretends to be that user and downloads the email addresses contained anywhere in that account to Linkedln’s servers. Linkedln is able to download these addresses without requesting the password for the external email accounts or obtaining users’ consent.

LinkedIn does not require the password to the email account, but is nonetheless able to download not just an “address book” but any address ever sent or received. The complaint says the tactic was a deliberate strategy by LinkedIn to add users and make money, and cites a former engineer who boasts of “hacking.” Here are screenshots (the engineer’s profile is still up here)

LinkedIn has told Bloomberg, which reported the complaint, that the lawsuit is without merit.

Thousands of invitations

The heart of the complaint involves LinkedIn’s practice of encouraging people to invite others to their network when they sign up with the service or, if they’re existing members, to expand their network.

If a user agrees, LinkedIn sends out an “invitation to connect” to all of the user’s contacts. If the contacts don’t respond, the service then send outs out two more reminder emails.

According to the complaint, the LinkedIn sign up process is deceptive and doesn’t clearly inform users that it will “spam” their contacts. The plaintiffs are a former ad manager for the New York Times, a professor, a lawyer and a movie producer. Their complaint, which is a request to sue on behalf other LinkedIn users across America, also object to the fact that LinkedIn does not provide an easy way to retract the multiple follow-up invitations.

The complaint also claims that LinkedIn often emails thousands of messages without disclosing it will do so:

Since Linkedln routinely takes well over 1,000 email addresses from a user’s external email account, it displays only a very small fraction of those email addresses on the “Why not invite some people?” screen.

The practice has given rise to hundreds of complaints on LinkedIn’s own website, says the claim, from people who accuse the company of sending spam, and putting them in embarrassing personal and professional situations:

I’m not the only one being hacked by linkedin, but extremely upset at the repercussions. one of the people on my contact list is mentally ill and the last thing I wanted was to invite her to be my connection on linkedin.

The lawsuit says the practice amounts to a violation of the Wiretap Act, the Stored Communications Act and a variety of California privacy and right of publicity laws. The suit seeks millions in damages, in part by noting that, on LinkedIn’s own pricing scheme, it costs $10 to send an email to someone with whom a user is not connected.

A growth strategy for LinkedIn

LinkedIn’s aggressive email solicitations are part of a strategy to boost revenue by increasing its user base, according to the complaint. The increase in users allegedly makes it easier for the company to pull in more money from its three revenue sources: selling its database to job recruiters; advertising to users; selling premium accounts to subscribers.

LinkedIn is not the only company that has come under fire for using invasive tactics to grow its user base. Path, a photo-based social network, has been criticized for scraping users contact lists in order to send messages to promote the app.

LinkedIn, meanwhile, has long been a hit with investors though in, recent months, the media has expressed more skepticism with stories like “All LinkedIn with Nowhere to go.”

Here’s the complaint. I’ve underlined the key legal bits and some of the juicy stuff:

LinkedIn Hacking

What you need to know about that $15 billion Facebook privacy case

Jeff John Roberts — Fri, 18 May 2012 21:53:39 +0000

Lawyers tried to ruin Mark Zuckerberg’s big day with a sprawling lawsuit that portrays the Facebook founder as a rogue hacker, and accuses the company of tracking users on their computers and iPhones. The lawyers want to collect $15 billion for you and me and nearly everyone else on Facebook.

Here’s a plain english Q&A of what’s going on:

What did Facebook do that was so wrong?

The company placed files on users’ computers called cookies that told the social network which websites they visited.

Is that so unusual? I thought lots of sites do that

The problem is that Facebook appears to have tracked you even after you logged-out. Under the company’s own policy, it promised not to do that and thus violated the limits of your consent when it did.

How exactly did Facebook track me?

Many websites like CNN or Justin Bieber Zone have a “Like” button that acts like an extension of Facebook. The company collects data about your visits to those sites — including, it seems, when you are logged out. The unauthorized tracking reportedly took place across smartphones and tablets too.

Well, maybe this was an honest mistake?

After blogger Nik Cubrilovic called out Facebook for stalking its users, the company awkwardly suggested that the tracking of logged-out users was a “bug” or a narrow technical measure. That claim hasn’t stood up well. Cubrilovic and German regulators soon called BS and suggested Facebook was doing this deliberately for more than a year. The lawsuit also points to a Facebook patent application for cookies that follow users after they log out.

So where did this lawsuit come from?

There are actually more than a dozen cases across the country. They were recently consolidated into one lawsuit in San Jose, California.

Why are the lawyers asking for $15 billion?

It’s a great way to grab headlines during a week the press is already in a Facebook frenzy. The $15 billion itself is loosely based on the Wiretap Act which lets people sue for $10,000 if someone records their conversation without permission. The lawsuit also cites studies that claim an individual’s web history is worth $52. There are also state law penalties. And so on. The lawyers had to pick some number so they chose $15 billion.

Will Facebook actually have to pay that $15 billion?

The short answer is no. The Wiretap Act was written with telephone conversations in mind so it’s no slam dunk that a court will decide the law should apply the same way to computer cookies (Google, HTC and Samsung are facing similar lawsuits under the same legal theory). At the same time, some judges have ruled that Facebook-style “privacy invasions” aren’t worth anything in dollar terms because no one has been harmed.

In this case, however, a judge would likely conclude that Facebook’s behavior (if the allegations are true) was egregious enough to find liability under at least one of the plaintiffs’ 11 claims. But if other tech related privacy suits are anything to go by, the case will settle long before a trial.

I’m on Facebook. Will I get some of that money?

Doubtful. While the class action aspires to cover everyone who was on Facebook from May 2010 to September 2011, a cash payout is unlikely. As noted above, judges have a hard time putting a dollar value on this type of privacy breach. When there has been a privacy settlement in other tech-related cases (like Google Buzz or Facebook Beacon), the money has been divided up between lawyers and non-profit groups that act as privacy activists.

What does Mark Zuckerberg have to do with all this?

The lawsuit paints the Facebook CEO as a creep who has a long history of using his hacking skills to steal people’s personal data. The complaint opens by reproducing this email exchange:

The lawsuit also lists a chronological history intended to show that Zuckerberg and his company have long displayed a systemic disregard for user privacy. This is, of course, just a legal tactic that doesn’t necessarily prove that Facebook is any better or worse than other tech companies on privacy issues. Facebook, which told Bloomberg the complaint is baseless, would likely add that this was an accident that shouldn’t detract from the fact it provides a popular free service to millions of people.

Are lawsuits the best way to solve the privacy problem?

Probably not. But since the government often has a hard time understanding (let alone regulating) the tech industry, the lawsuits can be an effective way of raising awareness and forcing companies to take care about how they handle consumer data.

Here’s the complaint itself:

Facebook Wiretap Act Complaint Copy

FAQ: What you need to know about CISPA (Update: bill passes House)

Jeff John Roberts — Thu, 26 Apr 2012 18:40:36 +0000

The U.S. House of Representatives passed a major cyber-security bill that would change how companies like Facebook can share personal information. Privacy advocates are in uproar and the Obama Administration is threatening a veto. What’s going on?

UPDATE: The vote was originally scheduled for Friday but took place Thursday evening instead. It passed 248 to 168 on largely partisan lines. (Read our account here)

Here’s a plain English guide to the polices and politics driving the Cyber Intelligence Sharing and Protection Act:

So is this SOPA all over again?

Not really. The ill-fated Stop Online Piracy Act was about Hollywood trying to force tech companies to become copyright cops. CISPA, on its face, is about giving those same companies tools to confront cyber-attacks.

Isn’t that the same thing?

Critics said that an earlier version of CISPA was a stalking horse for the copyright industry — they worried that companies would dress up anti-piracy initiatives as security complaints. New language makes this unlikely and emphasizes that the bill is indeed about cyber-security.

Well, what cyber-security concerns are we talking about?

Major U.S. companies and government agencies have suffered hacking attacks in which intruders have stolen classified files, trade secrets or source code. The attackers include criminal gangs and state-sponsored (read: China) cyber espionage teams. Security experts warn that cyber-attacks lead to economic loss for companies and military vulnerabilities for the country.

Sounds scary. What does CISPA do to address this?

One of the bill’s main goals is to improve the sharing of information between companies and the government. In theory, it will be easier for the government to warn companies about security threats. In turn, the companies will have more ability to alert the government about suspicious activities or attacks.

So why do we need a law new for this?

CISPA wants to update existing laws like the National Security Act of 1947 to require authorities to share information about cyber-attacks as well as conventional military threats. There are also laws like the Wiretap Act and the Electronic Communications Privacy Act that limit what private companies can do with information about their customers. CISPA would help companies avoid getting sued under those laws when they share information about cyber-security.

Sounds reasonable. Everyone’s got to do their part to prevent a cyber-attack, right?

The problem, as you may have guessed, is that CISPA may be a lot broader than what is needed to get the job done. Critics worry that companies will be cavalier about passing data around if they don’t have to fear privacy lawsuits. Companies like Facebook, Amazon, Google and Netflix (many of which are supporting CISPA) are facing dozens of privacy-related lawsuits — CISPA might be a way to sidestep some of these in the future. Also, the government could invoke CISPA as a pretext to override civil liberties. From this perspective, CISPA is not so much SOPA but instead a new form of the Patriot Act.

Uh, oh. Is the law actually going to pass?

The bill passed the House amidst Democratic grumbling. Politico reports that Sen. Joe Lieberman expects a Senate version will see floor time as soon as next month. This does not, of course, mean that the bill will become law anytime soon — the approach of the November election is likely to put Congress into its semi-annual state of paralysis. Also, there are competing bills from the White House and also from people like Lieberman who want stronger measures to protect infrastructure like dams and utilities.

What about the veto threat?

The White House issued a strong statement on Wednesdays that attacked CISPA for trampling privacy and civil liberties. It said the bill should include a provision obliging the government and companies to minimize the amount of personal data that passes between them. The statement stressed the “civilian nature of cyberspace” and warns of a veto. But veteran political types noted the veto threat contains a hedge — it says advisers would recommend a veto, not that the President will veto it.

Where can I learn more about all this?

The Electronic Frontier Foundation has its usual top-rate privacy analysis here. CNET’s Declan McCullagh has a worthy overview of the lobbying forces here and GigaOM’s Derrick Harris has a cool-headed look at the bill here. And the non-partisan Congressional Research Service has the bill and a summary here.