Naked Security

LinkedIn accused of chilling access to information online

It's an epic legal battle for the future of the internet, and it's not net neutrality.

It’s the epic legal battle that has bitterly divided US business opinion and that, its critics believe, could have a chilling effect on digital competition.

It’s about the future of the internet, and it’s not net neutrality, amazingly, but another head-to-head some think has the potential to be every bit as significant and then some: the court case pitting social media giant LinkedIn against a minuscule Silicon Valley startup called hiQ Labs.

The latest development is that an alliance of the Electronic Frontier Foundation (EFF), search engine DuckDuckGo, and the Internet Archive has weighed in on hiQ’s side, last week filing documents backing the startup’s case and accusing LinkedIn of trying to stifle “open access to information online.”

Why the angst? As ever, money, authority and who gets to own precious disruption.

LinkedIn, of course, is a professional networking platform, while hiQ is a company that makes its money by “scraping” LinkedIn’s public member profiles to feed two analytical systems, Keeper and Skill Mapper.

Keeper can be used by employers to detect staff that might be thinking about leaving while Skill Mapper summarises the skills and status of current and future employees.

For several years, this presented no problems until, in 2016, LinkedIn decided to offer something similar, at which point it sent hiQ and others in the sector cease and desist letters and started blocking the bots reading its pages.

LinkedIn’s case has two main arguments:

  1. hiQ is scraping data that belongs to LinkedIn and threatens its members’ privacy
  2. It does this using bot-scraping programs that have negative effects

Controversially, as part of its case it invoked the famous 1986 Computer Fraud and Abuse Act (CFAA), supposedly inspired by Hollywood movie WarGames, a criminal anti-hacking law that also featured in a famous 2009 case Facebook brought against Power Ventures.

More recently, similar issues have emerged from airline Ryanair’s case against Expedia for alleged fare scraping.

Data scraping, it seems, has become a booming tech sector that increasingly divides the industry ideologically.

One side believes LinkedIn is simply trying to shut down a competitor wanting to access public data LinkedIn merely displays rather than owns. Allowing it to do this using a law as draconian as the CFAA would threaten competition and perhaps even (in an echo of net neutrality arguments) the open internet.

Said the EFF:

LinkedIn’s position will also impact journalists, researchers, and watchdog organizations, who (increasingly) rely on automated tools including scrapers to support their work, much of which is protected First Amendment activity.

The other sees companies such as hiQ as parasitic. According to Rami Essaid of Distil Networks, allowing hiQ’s case to succeed might also inadvertently legitimise “bad bots” which conduct harmful activities such as:

Denial-of-service attacks, competitive data mining, online fraud, account hijacking, data theft, stealing of intellectual property, unauthorized vulnerability scans, spam and digital ad fraud.

So far, hiQ is just about winning the legal battle and in August was handed an interim court judgement requiring LinkedIn to stop blocking hiQ’s scraping bots from accessing its site. The next stop in this case comes in March 2018 when the court will hear oral arguments.

Caught in the middle of this are millions of LinkedIn users who set about creating and building a profile they hope will gain them professional visibility.

Having that possibly inaccurate or out-of-date information mined by a hidden third party in ways that might disadvantage them was probably not what they had in mind when they joined.

Or perhaps, because all hiQ is doing is accessing what anyone can already see, that’s inevitable anyway.

Which raises the disturbing possibility that what hiQ v LinkedIn is really about is not so much the adage that users are now the product, but whose product they are destined to become.


So how exactly does LinkedIn get my contact details from people who I hardly know, to pester me to join their odious network? Can’t possibly be scraping the contents of address books, surely….?


They are, but with the users’ permission.
LinkedIn asks to do it every time you go to add contacts.


hiQ bots can only access the ‘public’ data. When users decide to make their data available to the public, isn’t it the same as granting permission to access contacts?


Seems pretty clear cut to me. It’s basically public so that Google can read it, so LinkedIn has no problem with *that* kind of computer program reading and classifying its public data (although it has a means to prevent that data capture, via the robots.txt standard, so maybe it ought to insist that hiQ respect that instead).


@Adam- “They are, but with the users’ permission.” Actually, my contact info is mine. If I give it to someone else, it’s for them to use. If they are asked for my contact info, then they should ask me if I want the requester to have it, not just give it away as if it were theirs.


“Keeper” and “Skillmapper” for those poor employers who can’t seem to figure out whom they have employed? Just another yummy tidbit of life in the new world order.


LinkedIn does not surreptitiously scrape address books. They do, however, regularly ask each member for credentials to read the address book (e.g., password for Gmail/Hotmail/Yahoo/other webmail so they can download the address book and send “connect” requests on the member’s behalf). In my 6-7 years as a LinkedIn member, I’ve always declined, but I can see how non-techies would agree–the requests are pretty persuasive. I’ve gotten connect requests from people I’ve written to just once or twice.

Unlike Facebook, etc., LinkedIn is not all about affirmations and sharing. You’re not supposed to reach out for a “connection” unless you know the other party or wish to start a business relationship. I’m an independent consultant and I’ve gotten a couple of good assignments from it. Of course, there are a few people who think it’s like Facebook and try to amass huge numbers of connections. I always reject requests from them.

I’ve listed my LinkedIn profile below as it really does serve as my professional “shingle.”

About the only things I don’t like about the service are:
–Their casual former approach to security leading to a breach of 106.5 million passwords which was reported as a leak of 6.5 million email addresses+easily crackable passwords and found to really be 106.5 million. I just don’t have any respect for careless companies. (Equifax, this includes you, too.)
–Like many other business models, many services that used to be free are now only available by subscription.


Interesting to see how this is interpreted by the EU GDPR law next May as well as ePrivacy Regulation (when passed). Specifically for organisations that deliver electronic communications and files relating to any citizen residing in the EU. That should make the court case over there rather more interesting.

