The professional social networking site LinkedIn is being sued by its customers for apparently hacking into their email accounts in order to hunt for contacts in their address books, a report in Bloomberg claims. According to the complaint, LinkedIn does so in order to bombard those contacts with promotional emails aimed at growing the website’s user base.
The complaint reads:
“As a part of its effort to acquire new users, LinkedIn sends multiple emails endorsing its products, services, and brand to potential new users. LinkedIn’s sending of multiple emails to each address that it has harvested is driven by monetary gain.”
According to the unnamed plaintiffs, LinkedIn’s desire to grow its user base is so extreme that it’s quite prepared to resort to illegal methods:
“When users sign up for LinkedIn they are required to provide an external email address as their username and to set up a new password for their LinkedIn account. LinkedIn uses this information to hack into the user’s external email account and extract email addresses. LinkedIn is able to download these addresses without requesting the password for the external email accounts or obtaining users’ consent.”
According to the complaint, these are not just isolated incidents but part of a widespread campaign by LinkedIn to get more members to sign up to the site. Even though the lawsuit has been brought before the Californian courts, the plaintiffs believe that their case could easily encompass thousands, if not millions, of other LinkedIn users, pointing out that there are “hundreds of complaints” on LinkedIn’s own website about this practice.
Hacked, Or Just Hacked Off Users?
What isn’t clear is exactly how LinkedIn went about hacking its users’ emails, nor is it clear how the supposed ‘promotional’ emails would have been sent to its hacked users’ contacts. The plaintiffs argue that LinkedIn has somehow secured unauthorized access to their contacts by masquerading as the email account’s owner, but don’t detail how this was done.
Unsurprisingly, LinkedIn has vigorously denied any accusations of foul play. Blake Lawit, the company’s senior director of litigation, wrote a blog post on LinkedIn hours after the allegations emerged, saying that the accusations were a “falsehood,” and pointing out that many users willingly upload their contacts to LinkedIn anyway:
“As you may have read recently, a class action lawsuit was filed against LinkedIn last week. The lawsuit alleges that we “break into” the email accounts of our members who choose to upload their email address books to LinkedIn. Quite simply, this is not true, and with so much misinformation out there, we wanted to clear up a few things for our members.
We do not access your email account without your permission. Claims that we “hack” or “break into” members’ accounts are false.
We never deceive you by “pretending to be you” in order to access your email account.
We never send messages or invitations to join LinkedIn on your behalf to anyone unless you have given us permission to do so.
We do give you the choice to share your email contacts, so you can connect on LinkedIn with other professionals that you know and trust. We will continue to do everything we can to make our communications about how to do this as clear as possible.”
From the technical details in the filing, it seems that the plaintiffs are unhappy with the contact-sharing function on LinkedIn, even though most social networks use similar methods to help new users connect with people they know. When signing up to LinkedIn, the site requires that users provide an email address in order to verify their account – this email address is then used to log into the site, though users can choose a different password. If these new users then happen to click on the contact-sharing tool in LinkedIn, to help “grow your network”, they’ll be asked if they wish to share contact information between the site and their email account – and this is when LinkedIn helps itself to your contacts’ email addresses, with your permission.
However, the suit claims that LinkedIn is actually doing this without asking for users’ permission, simply stealing contacts from people’s email accounts anyway, regardless of whether or not they “agreed” to it doing so.
At the moment it’s unclear whether or not LinkedIn is actually doing as the plaintiffs suggest. On the one hand, that the case has even got this far would suggest that there might be some merit to these claims, but on the other hand, it’s hard to believe that LinkedIn would do anything quite so stupid as to actually hack its own customers’ data – especially in light of the PRISM scandal that’s brought into question the privacy practices of some of the web’s other biggest social networking sites. Perhaps the more likely explanation is that the concerned plaintiffs simply don’t understand how LinkedIn’s contact sharing feature actually works.