Word of LinkedIn’s recent lawsuit against unknown defendants is quickly spreading across the internet – and it’s not just about finding out who is scraping the site. There seems to be a clear message embedded in the 17-page complaint, filed on Monday by the company in the U.S. District Court for the Northern District of California: any activity on this 'professional network' which negatively impacts its product offering (read: revenue streams) will be pursued - and prosecuted., an unusually aggressive approach to litigation designed to prove that when it comes to misappropriating LinkedIn's intellectual property, "you can run, but you can't hide."
LinkedIn claims that Defendants created thousands of fake profiles and used them to run automatic scraping programs via virtual machines hosted by Amazon Web Services. Amazon is not named in the suit, but will be subpoenaed by LinkedIn to discover the IP addresses of the alleged hackers. LinkedIn will then need to subpoena associated payment records and/or the ISPs connected to the addresses to track down the individuals. It will then amend the complaint to include the discovered Defendants. This is not an uncommon practice in data breach litigation.
The damages claimed by LinkedIn include various allegations as to disruption of the accuracy and integrity of the site because of the fake profiles, strain to its servers caused by the scraping programs and the time and resources wasted responding to the Defendants’ activity.
But what's really at the center of this lawsuit? LinkedIn Recruiter. According to the complaint, this remains one of LinkedIn's "fastest growing services," which has grown to over 16,000 customers and clients currently paying for access to this notoriously expensive service, including 90% of the Fortune 100. According to the complaint, "corporate recruiters and headhunters purchase LinkedIn Recruiter memberships in order to search ... the entire LinkedIn network for top candidate's names and profiles ... including passive candidates who might not be looking for a job."
In fact, LinkedIn Recruiter is specifically mentioned in the complaint more than 10 times. Among allegations threatening “ongoing and irreparable injury to LinkedIn,” the complaint states:
"by pilfering member data from the LinkedIn site, the Doe Defendants misconduct threatens to degrade the value of LinkedIn’s Recruiter product, which LinkedIn has invested substantially in over the years. On information and belief, the Doe Defendants, who have invested none of their own time and resources into developing and building the LinkedIn platform, have engaged in their scraping activities in an attempt to establish competing recruiting websites and usurp LinkedIn’s Recruiter product.”
LinkedIn has already shut down the fake accounts and implemented “additional technological barriers” to protect its data, however the lawsuit seeks additional enforceable protections (injunctive relief) as well as damages (money), attorney’s fees and “all profits attributable to the Doe Defendants’ wrongful acts to be proven at trial.”
There are 6 claims listed in the complaint, and most of them require the company prove it used some form of technological barriers to protect itself. Scrapping is explicitly barred by LinkedIn’s User Agreement and its robot.txt file; however the company goes on to support its claims by listing additional technological measures it takes to protect its data. The practices include limiting the level of activity on individual profiles, monitoring IP addresses for unusually high activity and CAPTCHA protections to prevent automatic registration of multiple new accounts.
Craigslist v. 3Taps recently told us that, at least in the Northern District of California, tracking suspicious activity and blocking an IP address is sufficient to create a technological barrier for otherwise publically accessible sites under the meaning of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 ct seq. LinkedIn is telling us in this lawsuit that they are tracking suspicious activity to IP addresses, not just individual user accounts.
Read between the lines here, because this is where it gets important. Only two of the claims, Breach of Contract and Misappropriation, actually rely on the LinkedIn User Agreement. If successful, the other claims may set a precedent that would apply to anyone that accesses and scrapes the site, not just logged-in members.
LinkedIn may never actually find the individuals responsible for scraping data in this particular instance, but that may not be the point. This suit sends a message from anyone collecting information from LinkedIn profiles without its permission – especially companies that use the information to enhance a tool marketed to recruiters. If I ran a profile aggregation service, I would certainly be keeping an eye on this case and taking a good look at my data collection practices right about now. Because the potential claims against you could, like those listed in the Complaint, include:
Read the full complaint here: LinkedIn Corp. v. Does, 14-cv-00068, U.S. District Court, Northern ...
DISCLAIMER: This article and any links provided are for general informational purposes only and should not be construed as professional or legal advice. Receipt of these materials does not create an attorney-client relationship nor is it a solicitation or advertisement to provide legal services. The views expressed in this article may be outdated or repealed by current law. Do not act upon this information without seeking professional counsel in the appropriate jurisdiction.
Originally Published on Recruiting Daily