LinkedIn Sues 100 Individuals For Scraping User Data From the Site

Mark Wilson, writing for BetaNews: Professional social network LinkedIn is suing 100 anonymous individuals for data scraping. It is hoped that a court order will be able to reveal the identities of those responsible for using bots to harvest user data from the site. The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data. Its lawsuit seeks to use the data scrapers' IP addresses and then discover their true identity in order to take action against them. LinkedIn says that a botnet has been used to gain access to user data which is then passed on to third parties. The site has a number of measures in place to prevent this type of data harvesting, but it seems that scrapers have found a way to circumvent these security restrictions. A series of automated tools -- FUSE, Quicksand, Sentinel, and Org Block -- are used to monitor suspicious activity and blocking scraping.

LinkedIn Response in Summary

[damn_registrars]

"hey, data scraping is our gig"

Re: LinkedIn Response in Summary

[hackwrench]

I think the word you are looking for is hypocrisy, not irony... Just saying.

Security?

[shabble]

The Microsoft-owned service takes pride in [...] the security it offers their data

Oh? https://blog.linkedin.com/2016...

In 2012, LinkedIn was the victim of an unauthorized access and disclosure of some members' passwords. [...]

Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members

Re:Security?

[Big+Hairy+Ian]

2012 Wasn't that before M$ bought them for an obscene amount of money.

Security my Ass

[ketomax]

The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data.

Thanks to LinkedIn hackers are attempting to login to my accounts on sites like Steam, Facebook, eBay, Twitter, etc. Now, I know better and use different passwords for different sites. But, at least these sites have security in place to warn me of suspicious logins while denying the logins.

Re:Security my Ass

[0100010001010011]

I don't even have the same login in different sites.

Linked in? linkedin.com@example.org.

Facebook? facebook.com@example.org.

Re: Security my Ass

[MitchDev]

Point is, there's nothing tying two different sites to each other. Using even just the login ID of one is useless on the other.

Re:Security my Ass

[ketomax]

I don't know how but LinkedIn has linked all 5 of my email addresses in! And that is enough for the hackers to log in. But, I think these logins are automated too. Otherwise they could have used a proxy server to get past the country checks put in place by the other sites.

Re: Security my Ass

[ketomax]

Most user ids have become emails these days. Even if it is not mandatory to use an email as the login, people prefer to use that because one does not have to remember a unique id for each site.

Re:Security my Ass

[fuzzyf]

Agreed.
Any company that thinks is a good idea to get customers email password in order to "add information to the email" sucks at security. Basically channeling all emails through their service, even corporate email accounts. It's just unbelievable.

Re:Security my Ass

[ShaunC]

The annoying thing is, I'm getting a lot of SASL authentication attempts from Microsoft Azure IPs against the email address I used for LinkedIn. Microsoft's LinkedIn service leaked my email address and an ancient password, and lots of Microsoft Azure cloud instances are now busy attempting to login to that email account.

Aug 15 10:51:04 mail postfix/smtpd[12561]: connect from unknown[13.84.216.161]
Aug 15 10:51:07 mail postfix/smtpd[12561]: warning: unknown[13.84.216.161]: SASL LOGIN authentication failed: authentication failure
Aug 15 10:51:07 mail postfix/smtpd[12561]: lost connection after AUTH from unknown[13.84.216.161]
Aug 15 10:51:07 mail postfix/smtpd[12561]: disconnect from unknown[13.84.216.161]
Aug 15 10:51:07 mail postfix/smtpd[12561]: connect from unknown[13.84.216.161]
Aug 15 10:51:09 mail postfix/smtpd[12561]: warning: unknown[13.84.216.161]: SASL LOGIN authentication failed: authentication failure
Aug 15 10:51:09 mail postfix/smtpd[12561]: lost connection after AUTH from unknown[13.84.216.161]
Aug 15 10:51:09 mail postfix/smtpd[12561]: disconnect from unknown[13.84.216.161]
Aug 15 10:51:10 mail postfix/smtpd[12561]: connect from unknown[13.84.216.161]
Aug 15 10:51:12 mail postfix/smtpd[12561]: warning: unknown[13.84.216.161]: SASL LOGIN authentication failed: authentication failure
Aug 15 10:51:12 mail postfix/smtpd[12561]: lost connection after AUTH from unknown[13.84.216.161]
Aug 15 10:51:12 mail postfix/smtpd[12561]: disconnect from unknown[13.84.216.161]
Aug 15 10:51:12 mail postfix/smtpd[12561]: connect from unknown[13.84.216.161]

Yadda yadda. I report them all to Microsoft's CERT but despite the "thank you" emails, I wind up getting attacked from the same IPs day in and day out.

Re: Security my Ass

[MitchDev]

Same with Passwords eh?

See, Security requires a lack of convenience, you don't get both.

If you use the same login ID and same password multiple places, especially in today's world, you are kind of inviting yourself to be hacked.

Re: Security my Ass

I have an account with your mother

Re: Security my Ass

[The-Ixian]

and... lack of edit sucks. Thought I proof read the whole thing but, of course, overlooked the angle brackets (again)...

anyway: YYYY@domain.com is what I meant.

Re: Security my Ass

[ketomax]

Well, I had like 4 passwords. One for the Hub account like Google, one for bank accounts, one for social networks and one for web hosts, course providers, etc. At some places I have Multi-factor Authentication setup. How do you remember all those passwords? Do you use a password vault? What if that gets compromised? What sucks is that I can google my old LinkedIn password and find it in a bad password list. Did they store the passwords in reversible format? Or was it decrypted from the hashes? On a side note, a week ago I bought a custom T-Shirt from a local company 99tshirts.com. When I hit the forgot password link, it emailed me my password. Who does that these days!

Re: Security my Ass

[MitchDev]

Simply using a different login ID can work. THat way a hack of one place doesn;t give your userID and password to other sites as well.

This isn't rocket science.

So...

[The-Ixian]

You publish a public document then get mad when people use it for their own purposes.... brilliant.

How about you just make user privacy a default so that anonymous users cannot see any information?

You would then see which throw away accounts are being used to log in to see the data...

Re:So...

[freeze128]

I'll do you one better: Don't use LinkedIn.

Re:So...

[Gr8Apes]

Linked In is a public billboard. Treat it like that and this doesn't matter.

Re:So...

[MitchDev]

LinkedIn is basically Facebook for business purposes....Is anyone surprised?

Re:So...

[JustAnotherOldGuy]

I'll do you one better: Don't use LinkedIn.

That was my solution. So while everyone else is running around in hair-on-fire mode, my defensive plan is to have a sandwich and then take a nap.

Re:So...

[thegarbz]

How about you just make user privacy a default so that anonymous users cannot see any information?

Err this is linked-in we're talking about. Don't you remember the point of it all? Do you put a "looking for work" notice up on a public billboard and expect that note to be private?

Please sell my data to everyone and make it as public as possible.

Re:So...

[thegarbz]

I'll do you one better: Don't use LinkedIn.

Yes please don't. We don't need more competition in the employment market as it is.

Re: So...

[hackwrench]

Yeah and have undesirables come sniffing around. I'd rather the information be visioly to friends and employers vetted by something or someone.

Re:So...

[The-Ixian]

Simple. If you are an employer or recruiter, create an account. Once you are inside the gates, things are nice and open.

I was simply suggesting that they not make this level of access available to anonymous users.

If it turns out that a single account is crawling thousands of user's info... there you go, you have the user account responsible and can then do whatever internal correlations you need to do in order to determine who is scraping data.

Re:So...

[Dutch+Gun]

Let's be clear about this. LinkedIn is upset because that collection of professional data is extremely valuable. Microsoft just paid billions of dollars for it, and someone else just grabbed a lot of it for free. While having a static copy of the data isn't valuable as owning the network, there's still a lot of value of it, especially while the data is still reasonably fresh.

In short, individual users have nothing to fear from this, as they've already made all this data public, presumably because they want the world to see it. This is only an issue for MS and Linked-In.

Re: So...

[thegarbz]

Yeah and have undesirables come sniffing around

Why do you think you're some how forced to work for someone because they find you on LinkedIn? But hey I'm all for it. The less you are known the better chances I have come the next redundancy.

Re:So...

Technically we have a lot to fear from a legal system that lets a company sue anonymous people who've been downloading said publicly-available data. We must remain vigilant against this kind of BS; the amount it's gotten worse over the last 20 years is already enough to make one basically give up and assume we live in a 100% orwellian world. :P

Re:So...

[Dutch+Gun]

The only reason to scrape all of LinkedIn's public data is to compile and sell it as a database, probably to some shady advertising network that doesn't care where the data comes from. So... I'm not exactly sympathetic to whoever is doing this.

That being said, it doesn't strike me as being illegal either. LinkedIn has every right to try to block mass access, but I agree, it seems like they're on shaky ground, legally speaking (not that I'm a lawyer). Maybe a judge will disagree. We'll have to keep an eye on this one.

Re: So...

[hackwrench]

No, but when undesirables come sniffing around they find a way to make themselves irritable, like trying to use that data to guess passwords for your accounts and who knows what else. I could try to come up with more what elses, but where there's a will...

Crime?

[redbaran360]

Are they trying to say that's some kind of crime?

Re:Crime?

[omnichad]

Yes. They're trying to turn a civil suit about a breach in contract into a criminal charge of anti-circumvention (DMCA) of their IP blacklist procedures and CFAA and criminal trespass for the access to the nearly public profiles that anyone with a free account can view.

Re:Crime?

[infolation]

What contract did the botnet breach? I am sure the botnet didn't agree to their terms of use.

Re:Crime?

[omnichad]

The botnet created accounts, under influence of a programmer's hand. That programmer "agreed" to the terms of use. Unless we're going to say that assistive technology acts of its own free will.

Re:Crime?

[Big+Hairy+Ian]

The account that the Botnet was using to scrape the data would have had to agree to the T's & C's

Re:Crime?

[MitchDev]

And has the entire T&C been tried in court to see if it's even actually legal and valid? Companies can and WILL say ANYTHING they want in T&Cs and EULAs, doesn't make them legal...

Re:Crime?

[omnichad]

They have a pretty standard severability clause - and those hold up in court just fine. If part of the contract is invalid / unenforceable, the rest still stands.

IANAL, but I'd say "no bots / no scraping" is probably perfectly valid legally speaking.

Re:Crime?

[knorthern+knight]

That's what happened to Aaron Swartz https://en.wikipedia.org/wiki/... He was charged under the CFAA.

Gotta love the "contextual advertising" around this article on Slashdot. I see a "Clear Your Criminal Record for Life" ad (I'm in Canada).

Re:Crime?

[omnichad]

bots != botnet. A bot can be a computer you own. All of the accounts were created in the same manner and all are behaving the same.

Whether it can be proven or not has nothing to do with whether the contract terms are legally valid.

Re: Crime?

[omnichad]

Look closer. They are creating accounts.

Is data scraping illegal?

[mwvdlee]

I know scanning the data from a yellow pages breaks copyright law, but using an army of typists to copy the same data from the same source is perfectly fine.
How does scraping data from a website measure up, assuming all scraped data is available to visitors through normal means (i.e. not using security holes).
At what point does using data from a website become "scraping" and at what point does it violate copyrights?

Re:Is data scraping illegal?

[omnichad]

When it's an automated tool (just like scanning from the yellow pages)

Re:Is data scraping illegal?

[Big+Hairy+Ian]

Hmm Yellow pages doesn't require you to sign off on T's & C's before you use it

Re:Is data scraping illegal?

It isn't a violation of copyright at all.

The law making it illegal is the Computer Fraud and Abuse Act, which states it is a federal crime to violate a websites terms of service.

LinkedIn is claiming web scraping is against their TOS, and the CFAA states violating the TOS is a federal crime.

Re:Is data scraping illegal?

[pem]

A compilation of names and phone numbers is not subject to copyright in the US. See, e.g. Feist

Re:Is data scraping illegal?

[JustAnotherOldGuy]

I know scanning the data from a yellow pages breaks copyright law, but using an army of typists to copy the same data from the same source is perfectly fine.

Exactly. They should have just hired 100 guys from a labor pool in India to do it, or used Amazon's Mechanical Turk.

Re:Is data scraping illegal?

[Dan+East]

Hmm Yellow pages doesn't require you to sign off on T's & C's before you use it

I don't think the data-scraping bot that agreed to the terms and conditions gives that much thought.

Re:Is data scraping illegal?

Scanning the data from a yellow pages book doesn't break copyright law. Republishing that data in the same layout is what triggers copyright issues. If you scan and then reformat you're fine. If you learn the basics about copyright law, which is very specific, then you'd be able to answer your own questions. Scraping doesn't require using that data so your second question isn't even valid.

LinkedIn isn't suing over copyright issues (so why did you even bring that up?), they're suing over unauthorized use of their site (automated scanning being against their terms of use) which is a completely different thing.

I don't understand how you got modded up.

Re:Is data scraping illegal?

[jdavidb]

I know scanning the data from a yellow pages breaks copyright law, but using an army of typists to copy the same data from the same source is perfectly fine.

To me, anybody who thinks this is a reasonable distinction to make in law shouldn't be making law for other people.

Re:Is data scraping illegal?

[omnichad]

You can't copyright facts, but you can copyright a compilation. It's likely there are a handful of fake listings in your average yellow pages just to ensure that they can prove copying.

The same happens with fake streets on GPS to prove when maps are copied. I won't do the research for you, but there's plenty of case law out there.

It's Illegal activity, but LinkedIn went too far

[omnichad]

The charges are a bit trumped up and ridiculous. The illegal access by using a bot and breaking the legally binding user agreement is enough.

Claiming that it's a violation of the DMCA (anti-circumvention) and CFAA to circumvent their blacklisting procedures is silly. Not being on a blacklist is not a thing you "circumvent" nor is it a different kind of illegal access than using the bot in the first place.

What security?

[in10se]

How is the site offering security? If a bot can literally crawl/scrape your site, then given enough time, that is something a human could do as well. How is that data secure in any way?

Botnet?

[wcrowe]

So they're saying a botnet was used to gain access to the data, then passed on to third parties. Unless I'm mistaken, the IP addresses will be pointing to machines on the botnet, and the owners of those machines have no idea that is happening. It sounds like a lot of innocent people might get swept up in this.

Also ironic that LinkedIn is owned by Microsoft, who is no doubt responsible for the operating systems running on all those bots on the aforementioned botnet.

Microsoft?

" The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data."

No, the Microsoft PURCHASED service, none of those users signed to hand their data to Microsoft, they just got shafted.
As to "the security it offers their data", Microsoft BOUGHT their data, LinkedIn handed all that lovely data over as part of the deal, yum yum yum.

LinkedIn itself implemented an API that is licenses to others to access that data, so basically, their entire business is selling your data to others. All the nice info on who works for whom on what projects, all that business intelligence, all waiting to be sold to competitors, recruiters, scalpers, intelligence agencies, anyone for any reason.

LinkedIn has this habit of asking for email passwords, then logging in as you (IMPERSONATING YOU TO THE EMAIL PROVIDER), data mining your contacts and emails, and using that to send fake emails, pretending to be you, inviting others to connect their accounts to yours. They KEEP the login details and REPEAT the data mining periodically to see if you have new contacts.

If you have the misfortune to have a LinkedIn account, now that thy are owned by Microsoft, there are a myriad of opportunities to cross link that data to Microsoft's advantage and your disadvantage. Microsoft paid $65 per USER, they can extract $65 of value from selling your data to others. Realize that, change your email password, stop updating your LinkedIn account (you can never undo the information you gave them), and walk away.

What a load of bull...

[NaughtyNimitz]

LinkedIn is the most idiotic brain dead company I've ever worked with.

I had a simple question: tell me how i can get the number of jobofferings that my customer's company has posted so i can show this number on their corporate site with a linked to LinkedIn. There must be an API for it, i've got OAuth2 credentials and a signed letter from the God/Darwin..

"Ah, but yes, but no, but yes, but no..."

Long story short, i've written a small program to check the LinkedIn site and get the value manu militari and it works great.
And I know this is not the same level as the bad-ass scrapers do, but I like to see LinkedIn tear in its own flesh...

Re: Er, Pot, Kettle. Linkedin harvested data itsel

[mSparks43]

thats just a relationship map thing.

several people in your contacts list are connected closely to them and in a similar field.

that applies to all their suggestions. you just only recognise and therefore see the ones you actually recognise.

How would you prove this?

I was just refreshing your website every 20ms, not scraping any data.

How would you prove that any "scraping" took place, and why would it be illegal if it's publicly accessible information? If no security breach occurred, how is it different from other users accessing the same information?

Or is it just one of these american things where a corporation pays a large amount of money to lawyers and judges to imprison and/or financially ruin people that did something they didn't like?

dupe from 4 days ago

[tomhath]

Maybe /. should sue LinkedIn for spamming them about this lawsuit

Let's see...

[MitchDev]

Samples from the list of the 100 individuals being sued...

I. P. Freely
Mike Hunt
Hassant bin Laid
Prince Albert-in-a-can
Anna und Elsa
Bartman Simpson

etc, etc, etc

Lol, too funny

[JustAnotherOldGuy]

"The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data."

Yes, and slave owners in 1700's took pride in the 'relationship' they had with their slaves and the security it offered their profits.

CFAA?

[campuscodi]

Why is LinkedIn using the CFAA hacking-related law to reveal details about a privacy-related issue. Data scraping is not hacking.

In other words...

[ilsaloving]

They're only pissed that people tried to take the data without paying them first.

VPN and Proxy

Yet another reason to make sure everything you do online is anonymous. What's legal and reasonable today might not be tomorrow. Everything you do is saved forever.

Passing user data on to 3rd parties.

[thegarbz]

As a matter of interest, what is the point of LinkedIn if not to pass my user profile to as many people as possible?

They should be hiring these bots, not taking action against them. The whole purpose of LinkedIn is a public advertisement for work. They like to pretend they are a "social network for business" but really all they are is a giant platform for classifieds, and within that purpose the bots are doing a great job.

Scammers harvest LinkedIn for victims

[AnalogDiehard]

I was a (brief) victim of a dating scam. After I got wise and cut them off, I wondered where how they profiled me. My "date" claimed she found me on a FB group but scammers hide their tricks. Googling a quick ego surf revealed that the only place any profile of mine shows up is LinkedIn, which I thought was private. Seeing that I got zero benefit from LinkedIn and I had no other profile stored anywhere, I promptly deleted my LinkedIn account.

This is really about paying for the data

The data is readily available if you get a salesman/vendor type account.

In fact, LinkedIn provides almost no value for the typical person. It's a platform to sell access to computer professional.

I get 10 requests to "link" with a saleman every week. I delete every one of them.

I get 5 requests to apply for jobs... in fields that are unrelated to my experience and degrees.

It's a crap platform these days, and you'd have to be dense not to get that.

Bing scrapes Youtube

Bing scrapes Youtube to index its contents. Bing is Microsoft owned.

It makes zero difference what EULA terms you put on a public website since the scraper doesn't read or agree to those terms. They don't use your service, they just index your website. If you don't like it Microsoft, don't publish the data publicly, keep the good stuff behind a login and monitor/limit accounts usage of those logins.

Put it this way, if you weren't scraping you, but you let others index the public data (e.g. Google, DuckDuckGo etc.), then they'd scrape Google and DuckDuckGo instead. Once you published it freely, without first showing a screen sayng "here is the EULA, you agree to this by clicking agree, we show you nothing till you agree", once you did that publishing freely, you lost control.

Good luck with that...

[drew_92123]

If the folks running the bots are even half as smart as the average geek they'll never figure out who was behind it... but perhaps they'll get lucky? lol

People make it easy

[snookiex]

I've already seen on LinkedIn quite a few guys posting stuff like "Hey this is a crappy Excel sheet that allegedly does what a ton of other applications already do better and for free, why don't you post your emails and I pinky promise I'll send it back to you". By the comment 10K someone says "hey, has anyone received the email?". By the comment 20K someone else says "I hope this is not a scam to harvest our email addresses. Anyway, my email is XXX".

My opinion is that they deserve it.

Re:scraping without permission

[tomhath]

You like Microsoft's Bing scraping Google results? Pot meet kettle.

What if I build....

[snususer]

......a bot which uses my own LinkedIn login and password? As it's my account and I am, a) gaining access to LinkedIn via the same methods I would do manually; and, b) reviewing data that I would also do so manually, would there be an issue? If so, under what premise/guise, etc.?

Re:What if I build....

[fluffernutter]

Actually I just scrolled down to post the same thing. The bot is only seeing the data that linkedin shows everyone anyway. This is definitely not a security issue, if it is even an issue.

Linkedin scrapes U

[WaffleMonster]

Is this the same LinkedIn that created a MITM proxy to scrape whatever it pleases from everyone's emails and proceed to mercilessly spam anyone you've ever known to join their happy little cult?

This is the same company now trying to sue people for scraping data from a publically accessible site?

Re:Botnet

[Megol]

X86 based notebook and desktop machines running Windows. Why would a botnet creator go for anything but the most common configuration of hardware and software?

Standard Microsoft Procedure:

[jopet]

Hire good lawyers instead of good developers.