A judge has handed LinkedIn a victory in a lawsuit alleging that the social networking service violated a user's privacy by “leaking” information about him in referrer headers.
LinkedIn user Kevin Low of San Francisco didn't adequately spell out how he had been injured -- either emotionally or economically -- by LinkedIn's alleged practices, U.S. District Court Judge Lucy Koh in San Jose, Calif. ruled on Friday. Koh gave Low up to 21 days to amend his allegations and refile his case -- a potential class-action.
Low filed suit against LinkedIn in March for allegedly transmitting his unique ID by embedding it in the referrer headers that were transmitted to ad networks and other third parties. Low said those ad networks were able to then discover his name and connect it to tracking cookies on other sites. The result, he alleged, was that ad networks were able to compile a comprehensive view of him through his browsing activity.
He said in his legal papers that he was “embarrassed and humiliated by the disclosure of his personally identifiable browsing history."
But Koh ruled that Low hadn't made clear what actual information about him was disclosed to anyone. "Plaintiff has not alleged that his browsing history, with embarrassing details of his personal browsing patterns, was actually linked to his identity by LinkedIn and actually transmitted to any third parties," she ruled. "More to the point, Plaintiff has not alleged how third-party advertisers would be able to infer Low’s personal identity from LinkedIn's anonymous user ID combined with his browsing history."
Low also argued that he suffered economic harm because his data was valuable. But Koh rejected that position as well, writing that Low didn't show “how he was foreclosed from capitalizing on the value of his personal data."
LinkedIn isn't the only social networking service that was sued for leaking information about users via referrer headers. Facebook also was hit with a potential class-action over similar allegations. That company scored a preliminary victory in May, when U.S. District Court Judge James Ware ruled that the users hadn't sufficiently alleged they were harmed. Those users refiled the case and the matter is still pending.
Internet law expert Venkat Balasubramani points out that judges handling the recent spate of privacy lawsuits don't seem eager to accept the argument that users' personally identifiable information is their property. He says that one recent exception was a lawsuit against RockYou, which suffered a security breach that exposed users' email addresses and passwords.
In that case, U.S. District Court Judge Phyllis Hamilton in the Northern District of California rejected RockYou's argument that the case should be dismissed at an early stage on the grounds that the security breach did not result in any economic losses to consumers. That victory could be short-lived, however, according to Balasubramani."The court expressed skepticism as to whether the argument will ultimately prevail," he says.