Brian Guan, a Principal Software Engineer at LinkedIn (currently on sabbatical), said it all when he described his role on the site:
Devising hack schemes to make lots of $$$ with Java, Groovy and cunning at Team Money!
Also, LinkedIn’s 2011 10-K [*] identified its key strategy as being to “Foster Viral Member Growth.”
Mind you, the fact that LinkedIn wants to grow virally and make money isn’t terribly surprising, but the way the professional networking site is doing it has now spawned a class action lawsuit.
Four LinkedIn users in the US are suing the company for allegedly “hacking” users’ email accounts, downloading their address books, and then repeatedly spamming out marketing email, ostensibly from the users themselves, to their assumably beleaguered contacts.
The complaint, filed in US District Court on Tuesday for the Northern District of California, outlines the steps LinkedIn goes through to “hack” into users’ external email accounts and extract email addresses, all without obtaining users’ consent or requesting a password.
First, LinkedIn requires an email address to sign up for the service. Next, it harvests email addresses of anyone with whom the users have ever exchanged email.
The service then sends a total of three emails to a given user’s contacts, including an initial pitch, followed up by two reminder emails if the users don’t sign up for a LinkedIn account.
Each of these reminder emails contains the LinkedIn member’s name and likeness so as to appear that the LinkedIn member is endorsing LinkedIn, and none of them entail notice or consent from the LinkedIn member, the complaint charges:
The hacking of the users' email accounts and downloading of all email addresses associated with that user's account is done without clearly notifying the user or obtaining his or her consent. If a LinkedIn user leaves an external email account open, LinkedIn pretends to be that user and downloads the email addresses contained anywhere in that account to LinkedIn servers.
The LinkedIn users who filed the complaint are Paul Perkins, Pennie Sempell, Ann Brandwein, and Erin Eggers.
Perkins, a New York resident, formerly served as manager of international advertising sales for The New York Times, the complaint says.
Brandwein is a statistics professor at Baruch College in New York. Eggers is a film producer and former vice-president of Morgan Creek Productions in Los Angeles, and Sempell is a lawyer and author in San Francisco.
The quartet acknowledge in the complaint that LinkedIn asked for permission to “grow” their networks, but they claim that the service never said it would send a series of email invitations to their contacts.
In fact, it’s only Google that gives Gmail users a heads-up that downloading is going on, the complaint states (all four LinkedIn users on the complaint are also Gmail users):
In cases where the user's external email account is a Google Gmail account, a Google screen pops up stating, "LinkedIn is asking for some information from your Google Account." ... The Google notification screen, however, does not indicate that LinkedIn will download and store thousands of contacts to LinkedIn servers. Rather, this notification screen misleadingly states that LinkedIn is asking for "some information." LinkedIn does not provide this notification to its users; it is Google that provides this screen.
The complaint notes that LinkedIn’s site contains hundreds of complaints linked to the practice.
The plaintiffs are accusing LinkedIn of violating the federal wiretap law as well as California privacy laws, and are seeking class-action status.
LinkedIn users, are your friends complaining about LinkedIn’s sending spam under your name and photo?
Would you sign up for the suit, or do you instead consider LinkedIn’s process just the cost of getting a free service?
And furthermore, what do you think of the word “hacking” with regard to LinkedIn’s alleged practices? It sounds more like “marketing” to me, but that all boils down to semantics.
Let us know what you think in the comments below.
[*] US companies submit Form 10-K reports each year to the Securities and Exchange Commission, giving detailed information about corporate performance, finances and so forth.
Marketing sounds like spamming, to me.
This is where it says "give us your gmail password so we can scrape your contacts", right? Surely these people have only themselves to blame for falling for such a blatant trick – if you don't want people using your contact list, don't give them access to it in the first place, however much more "convenient" it might sound to have a more impressive number of connections with no effort.
I agree it's not a nice thing to do, and it makes me like LinkedIn less just that the offer is there, but you can't really blame them for indulging in creepy marketing, it's how the un-paid-for web works.
I don't believe this is how it works. I don't believe any overt attempt was made by LinkedIn to notify users that their email address books were being harvested, nor were they required to give it before LinkedIn took those actions. I have never given LinkedIn my business email address, and yet LinkedIn started sending me emails to that address. I've also had associates claim that emails I received from them via LinkedIn were not sent specifically by them, and yet the email claims to be from the associates' business email address and purports to have come directly from them. This should be a slam dunk case for the plaintiffs.
Yeah, contacts in your address books are one thing. Those are people you know and are in touch with.
But LinkedIn also accesses anyone you've ever emailed from your email account. In my case, I have confidential lists of experimental subjects that may have received these emails from LinkedIn (who I obviously didn't have saved as contacts and never would have opted to include). So it's not just "creepy marketing," this is legitimately really sheisty.
I recently received an invitation to join LinkedIn sent from someone’s LinkedIn account and happened to see them the following day. When I spoke to him the following day, he told me that LinkedIn had sent invitations to anyone he had previously sent e-mails to rather than just those on his contacts list.
This led to him having to apologise to the widow of someone he had deliberately removed from his contacts list to avoid him accidentally sending future e-mails to this address (a shared husband-and-wife email address).
Surely it’s illegal for someone to read your e-mails without your permission?
“it’s how the un-paid-for web works”…
Maybe so but I expressly denied LinkedIn access to my Contacts. If they go in and harvest without my permission I’d consider that a breach of contract (and join the lawsuit).
So far I’ve seen no complaints from friends regarding spam from LinkedIn.
Perhaps a new email account with an empty contacts list is in order.
This is going to go ballistic. It's become pretty clear that LinkedIn is hacking not just member's address books but also their stored email. There are numerous examples of member solicitations going out to people whom the member has only exchanged an email but not added to their saved contacts i.e. craigslist messages, customer service contacts, etc. There was an account on another posting of this story about a psychologist whose professional email messages to patients had triggered invitations to connect which were actionable malpractice breaches for which he could face disciplinary action. LinkedIn's pursuit of growth has become malicious and arrogant. They deserve to be taken down over these practices.
I often wonder about the language we use in security though, 'hacking' and 'cyber' are two of the words so over-used and sometimes misleadingly so.
This is very very bad behavior, with a hint of hack.
Whether or not the word "hacking" is in any way warranted here depends on whether the users gave LinkedIn access to their e-mail – i.e. by providing the password as well as the address – or whether they only provided their e-mail address and LinkedIn somehow cracked the password to access their contacts, saved messages, etc. The latter would actually be hacking, but it seems unlikely that that's what actually happened. In the case of the former, it's more a case of them using information the users willingly provided, albeit apparently without realizing what they'd do with it. Deceptive marketing, maybe, but not hacking.
When I signed up for LinkedIn (a long time ago), they asked at one point during the signup process if I used any of the major free web-based e-mail services and if so, did I want to provide my login credentials so that they could add my contacts to my LinkedIn network. I don't use any of those services – my e-mail goes through my own domains – but even if I did, that would have been a "Hell, no!" I think this is really only partially a case of LinkedIn using people's info in a shady way, and predominantly an illustration of why people shouldn't just blithely hand over their e-mail login credentials to anyone who asks.
I gave @chetwisniewski of Sophos a heads-up about this on August 15 2013: "I'm on LinkedIn and have today noticed two things indicating that somehow LinkedIn knows the email addresses of my contacts who are not LinkedIn members: 1) Somebody I know has joined LinkedIn (not linked to me on their system) and I received an email inviting me to welcome them 2) My home page on LinkedIn offered me a ribbon of links to people I know who are not in any way connected to me other than by their email addresses (which are displayed in the ribbon) suggesting that I invite them to join LinkedIn. I've seen another friend on Facebook complaining of a similar kind of intrusion today. Never known this before. Creepy. Any ideas what's going on?"
Well, now we know it's no one-off coincidence.
To be clear, I've never given LinkedIn permission to use my email contact list, but I continue to receive communications from them inviting me to greet a 'contact' who has joined LinkedIn quoting email addresses, so – again – it appears they have somehow 'trawled' my personal contact list.
I've a feeling we've not seen the last of this story.
I do understand that there's no such thing as a free lunch, but the strings attached must be clear so that we make an informed decision – IN or OUT (apologies for mixed metaphors).
Good luck to the class action guys. Somebody must make a stand to define and defend the firewalls of privacy.
Or the person you knew who joined LinkedIn gave them permission to trawl their contacts and it found your email in their contacts. It makes sense to match the new user's emails against existing email addresses in their system so you don't send an invitation to linkedin email to existing users, but rather a "this user has joined linkedin".
Yup. You may well have a point there, Garth. Can't do much about that, I guess. Can't control every link in our chain of contacts, can we? Thanks for your observation.
No hack to it. Anyone who gets Naked Security from Sophos is surely sufficiently attuned to security that when LinkedIn asks for an email password he surely declines.
I actually view the LinkedIn solicitation as an intelligence test. If I get a LinkedIn request from someone who I corresponded with once, three years ago, I know he isn't reading/thinking carefully.
I access LI from an android tablet and use gmail. Oddly enough, every single contact in the address book showed up in the LI sidebar to connect with them. I did not click the prompt to have LI scrape my contacts and yet they still appear in LI to connect. This is not a coincidence. LI should be slammed for hacking and privacy violation in the same manner Facebook and Google are since it is walking down the exact same path.
I agree with the spirit of the lawsuit. LinkedIn has crossed a line somewhere. The thing is, when you go to your account you're presented with what looks sort of like a login screen. We're all busy people. We know when we go to an access-controlled site we enter our username – usually our email address, and the password.
But what LinkedIn does without providing much context is make this "login" actually be your Gmail login – so they can scrape all your contacts and spam them.
I'm in IT and I almost fell for it.
My wife, who is always in a hurry, has fallen for it more than once. My long-retired father-in-law asked her why she's sending him all these LinkedIn connection requests! As well as members of our choir, etc.
There is no warning about the damage you are about to do to your relationships.
But, to provide some balance, LinkedIn is a generally good service. They just went overboard in this area.
Here is one of the larger convos at LI
http://community.linkedin.com/answers/97854/view….
THIS is so important to me. I just found out and verified that LinkedIn set up a page using the descriptions I have on my phone, “Mom Helgesson” has a profile she never set up. She has tried to take it down and they will not let her. I have just written them in the “feedback” service about the stolen information via hacking of my phone. I have private clients of a vulnerable state of mental health who have exchanged numbers so they can text me if they are late for a session or cannot come. ANY use of their data is a serious breach of my profession's ethics and I could be sued or be investigated for having seemingly ‘furnished’ their data to LinkedIn. I need to know how this suit has proceeded. YOU ARE OUR CHAMPIONS
I have a long detailed correspondence from a year ago about invitations for link ups being generated by software and falsely attributed to a person. I would happily supply this as evidence of malfeasance.