This weekend LinkedIn was hit with a high profile class action lawsuit alleging invasion of privacy, violation of the Stored Communications Act and Wiretap Act (a.k.a. “hacking”), and right of publicity violations. Perkins v. LinkedIn Corporation, no case number yet (NDCA filed Sep. 21, 2013).
Basically, LinkedIn is accused of accessing the email accounts of its users and extracting the email addresses of their contacts. Then, according to the complaint, LinkedIn sends those contacts messages from the original users’ emails (ostensibly endorsed by the users) inviting the users’ contacts to join the LinkedIn network.
When I read the complaint (linked above) my initial reaction was, “holy crap, has LinkedIn been sending emails to my clients and colleagues from my email address without my knowledge?” Aside from the general embarrassment of this, there is also the horror of wondering whether LinkedIn had accessed what is supposed to be a confidential database of client emails. Thankfully, this was not the case.
Apparently, when you register a new LinkedIn account, at some point in the registration process LinkedIn will prompt you with a “Why not invite some people?” option. If you agree, then LinkedIn will allegedly proceed to email every one of the contacts who has ever emailed you or been emailed by your LinkedIn-connected email address.
Thankfully, my healthy distrust of social media websites caused me to automatically turn down LinkedIn’s invitation to pillage my email. But apparently, this was not the case for thousands of users on behalf of whom the class action was filed.
According to the complaint, nowhere in LinkedIn’s terms of service is it stated that LinkedIn will send your contacts repeated emails inviting them to join. In fact, according to the complaint, LinkedIn’s policies state the following:
We will not store your password or email anyone without your permission…
We do not rent, sell, or otherwise provide your personally identifiable information to third parties without your consent…
Nevertheless, it is alleged that LinkedIn, without permission, emails users’ contacts endorsement emails “in a way that suggests that the user composed the content of the email him or herself.”
While, as I explained above, the complaint does admit that LinkedIn requires an initial consent to “invite some people.” It seems to be the case that LinkedIn does not explain to users the sheer breadth of what they are consenting to (e.g., multiple spam emails to what are potentially thousands of your email contacts). If this is true, LinkedIn may have breached its own policies.
Violations of the Stored Communications Act
LinkedIn is also accused of “hacking” email accounts:
If a LinkedIn user leaves an external email account open, LinkedIn pretends to be that user and downloads the email addresses contained anywhere in that account to LinkedIn servers.
In cases where the user’s external email account is a Google Gmail account, a Google screen pops up stating, “LinkedIn is asking for some information from your Google Account.” The Google notification screen, however, does not indicate that LinkedIn will download and store thousands of contacts to LinkedIn servers.
While the complaint is obviously arguing that LinkedIn did not have consent to send endorsement emails, it is also clear (from the fact that I, for example, did not unknowingly send endorsement emails to my contacts) that LinkedIn does require some sort of user consent prior to engaging in the above practices.
Thus, it seems the major question in this case will be whether LinkedIn’s various prompts to “Invite your contacts” were deceptive in nature and did not sufficiently explain to users the ramifications of saying “yes.”
An even more interesting question, with regard to the Stored Communications Act claim, is whether the contact information (email addresses) appended to emails are considered stored communication under the act. Several federal courts have already ruled that the Stored Communications Act does not protect emails that have been opened and read by the users (as opposed to emails that are “stored” and waiting to be read). And in this case, LinkedIn is not even accused of accessing the content of users’ emails, just the “metadata” connected to it.
I think that the allegation of damages is the most clever part of the complaint. The plaintiffs argue that each unsolicited endorsement email that LinkedIn sent without permission to users’ contacts is worth $10 because that is essentially what LinkedIn charges users who want to contact other LinkedIn users that are not in their network.
Where the calculation (or even allegation) of damages is perhaps the most difficult part of litigating a privacy lawsuit, alleging this type of quasi-admission by the defendant is, in my opinion, brilliant.
I’ll update on this case as it moves forward.
(Note: You can check whether you have been annoying your email contacts with unsolicited LinkedIn invitations by clicking the “Invitations” link in the top-right of your LinkedIn interface, then click the “Sent” category to browse all the invitations that you have ever sent.)
Enter your email to get started.