January 9, 2014
LinkedIn Sues After ‘Data Scraping’ Hackers Compromise Their Network
redOrbit Staff & Wire Reports - Your Universe Online
Professional social networking site LinkedIn has filed a federal lawsuit against ten unspecified individuals over the use of bots that stole personal data from the profiles of hundreds of thousands of users.
The court documents also claim the fraudulent activity, which began last May, breaks state and federal computer security laws as well as federal copyright law.
"Since May 2013, unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have registered thousands of fake LinkedIn member accounts and have extracted and copied data from many member profile pages," LinkedIn said in its complaint.
"This practice, known as 'scraping,' is explicitly barred by LinkedIn's User Agreement, which prohibits access to LinkedIn 'through scraping, spidering, crawling, or other technology or software used to access data without the express written consent of LinkedIn or its Members.'"
With nearly 260 million professional members, the LinkedIn network includes a vast amount of personal data that could prove highly valuable to cyber criminals who wish to conduct identity theft, phishing attacks and other scams.
However, it is not clear from the filing what the people who set up the fake accounts planned to do with the scraped information, and there is no evidence that the bots attempted to breach LinkedIn’s systems.
LinkedIn said it had deleted the fake accounts and traced them to an Amazon Web Services account, and is now asking the online retailer to disclose the names of the owners of those accounts.
Phony user accounts such as the ones described in LinkedIn’s complaint can present serious problems for social networks by weakening the credibility of their network and causing advertisers to question the rates they pay to reach a certain number of users.
“The world’s professionals utilize LinkedIn with the expectation that its contents are accurate and its user profiles legitimate,” LinkedIn said.
"The Doe Defendants' unlawful conduct threatens the LinkedIn platform in several ways. It undermines the integrity and effectiveness of LinkedIn's professional network by polluting it with thousands of fake member profiles. Moreover, by pilfering data from the LinkedIn site, the Doe Defendants threaten to degrade the value of LinkedIn's recruiter product, in which LinkedIn has invested substantially over the years."
LinkedIn’s Recruiter service allows recruiters and headhunters to search for candidates from the company's database, and the pricey paid service is now used by more than 16,000 clients and companies.
While LinkedIn’s lawsuit may not ultimately expose the people behind the scraping scheme, the company said the goal of its complaint is to give lawyers the legal means to conduct "expedited discovery to learn the identity of the Doe defendants."
Success will depend, in part, on whether the Amazon service account holders used traceable payment methods or IP addresses.
“Filing the lawsuit allows you to issue enforceable subpoenas to third parties,” noted Al Saikali, co-chair of the data privacy and data security practice at law firm Shook, Hardy & Bacon, in an interview with Bloomberg News.
“Otherwise you’re simply sending a letter to the in-house lawyer at the service provider, who will usually either ignore it or file it in the trash can because it has no legal weight, and most service providers try to protect their users’ anonymity.”
However, LinkedIn may not need to uncover the John Doe defendants to claim victory, and could simply be seeking to thwart future bot operators from targeting the site, Saikali said.