LinkedIn Accused Of Tricking Users With 'Cryptic Disclosures'
- by Wendy Davis @wendyndavis, January 23, 2014
LinkedIn users who are suing the company for allegedly “hacking” into their email are asking a judge to reject the social-networking service’s contention that it obtained users' permission to access their email contacts.
In new court papers, the users say LinkedIn made only “cryptic disclosures” before harvesting email addresses and sending invitations to those contacts. They argue that those minimal disclosures didn't alert them to LinkedIn's plan to send solicitations to their contacts.
“Accepting LinkedIn’s theory of consent -- that a few cryptic disclosures on a Web site provide LinkedIn the right to harvest users' email addresses and broadcast users’ persona to hundreds of people -- offends the principles enunciated in privacy laws,” the users argue in papers filed last week with U.S. District Court Judge Lucy Koh in San Jose, Calif.
advertisement
advertisement
The lawsuit dates to September, when a group of users sued LinkedIn for allegedly “hacking” into their email accounts and accessing their contacts. The users, including a former ad sales executive for The New York Times, allege that LinkedIn asked them to provide an email address when they signed up for the service, and then proceeded to harvest the email addresses of everyone they had ever exchanged messages with. The consumers -- all Gmail users -- say LinkedIn never requested their passwords, but was nonetheless able to retrieve addresses of thousands of their contacts.
Last month, LinkedIn asked Koh to dismiss the case on the grounds that the users consented to the company's actions. LinkedIn said in
its court papers that users must click through two different “permission screens” -- one of which says “allow” and one of which says “add connections” -- before it
imports information about their address books.
“Any reasonably prudent Internet user who reviewed these screens would understand that, by clicking buttons labeled 'Allow' and 'Add
Connections,' they were consenting to the challenged actions,” the company said in a recent motion to dismiss the lawsuit. The consumers say LinkedIn violated federal wiretap laws, as well as
California state laws.
LinkedIn acknowledged in its papers that users who are signed in to Gmail don't have to provide their passwords for LinkedIn to access their email contacts. But the company said that those signed-in users are “presented with a second permission screen from Google,” which tells them that LinkedIn is requesting information from their accounts.
The LinkedIn users counter in papers filed last week that the company deceived them by promising not to “email anyone without your permission.” They add that the service never said it would access external email accounts. “A reasonable person would not find LinkedIn’s welcome screens evidence consent for LinkedIn to download data on everyone a user has ever emailed or been emailed by,” the users argue.
I don't want to try playing 'blame the victim' here, but if you don't want a site to e-mail you or have anything to do with your e-mail, don't give them your e-mail address. It's also too easy to miss a permission request from a website and possibly approve it without meaning to. Personally, the only reason I have a Facebook account is because Facebook provides authentication for lots of other sites where they ask Facebook to ask you for permission to disclose your information to them. I do recognize these and that's the whole idea. But sometimes some of what I've put in on those sites ends up as a posting on Facebook even though I generally do not use the site except as a replacement for signing up for an account on hundreds of sites. It's a small hazard that the convenience of having single-sign-on outweighs the "trouble" of an occasional added item on my account on Facebook.