LinkedIn issues lawsuit to stop bots stealing its data

Thousands of fake LinkedIn accounts have copied data from authentic user accounts using virtual machines (VMs) hosted by Amazon Web Services. LinkedIn intends to find and bring the owners of these VMs to justice.

LinkedIn has over 259 million users worldwide and 84 million members in the US. It is concerned that not all of its users are real, and has filed a complaint with the court in the district of Northern California, claiming that the site has been "polluted" with fake user profiles.

(Image: Wikimedia Commons)

The complaint centres around LinkedIn's claim that since May 2013, "thousands of unknown persons and/or entities employing various automated software programs (often referred to as 'bots') have registered thousands of faked LinkedIn member accounts, and have extracted and copied data from many member profile pages".

Data scraping is against the user agreement of LinkedIn and many other social networking platforms.

The user agreement, like Facebook's, states that users shall have only one LinkedIn account at any given time, and will use their real name on the account.

LinkedIn is suing under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and the California Penal Code as it believes that these bots are undermining its integrity as a platform.

LinkedIn has invested "significantly" in its Recruiter product, and it believes that it has needed to expend significant time and resources to "investigate and respond to this misconduct".

The LinkedIn Recruiter product is a paid-for service that enables head hunters and corporate recruiters to discover candidates. This service is paid for by over 16,000 companies.

In July 2013, I wrote about how LinkedIn clones show our desire to connect. I had been contacted by one of these cloned accounts. I accepted the connection out of curiosity.

I wanted to see why a commander in the Canadian Army would want to connect with me. Perhaps the Canadian Army wanted to hire me as a consultant. Straight away, I noticed that there were irregularities with the cloned account.

I contacted the real commander, and got in touch with LinkedIn to try to get the cloned account shut down. It took two weeks of repeated requests to LinkedIn before it shut down the cloned account.

LinkedIn has controls in place to prevent automated data scraping from occurring. Its FUZE and Sentinel programs monitor suspicious activities and limit the activity that individual users can initiate on the site.

Worryingly, LinkedIn admitted that during May and June 2013, its robots.txt file was circumvented. Its "UCV" system, which uses CAPTCHA to check whether a user is genuine, was also bypassed.

FUSE, which limits volume of activity for accounts, was circumvented, and Sentinel, which watches for successive requests made by IP addresses, was also circumvented.

LinkedIn was accessed by bots that ran on virtual machines hosted on Amazon Web Services. LinkedIn can subpoena Amazon to discover who is behind the attacks.

If LinkedIn does not pursue the creators of these bots, the potential damage to its credibility could be huge.

Users who are paying for premium services will turn to sites that deliver more accurate search results. LinkedIn users who use the site to find new jobs will go elsewhere to further their career.

LinkedIn must pursue these unknown "doe defendants" — and discover who they are. Whether these does are owned by rival networking sites or malicious pranksters is irrelevant.

LinkedIn's continued ability to generate revenue depends on its good reputation for accuracy in its user base.

At the mercy of automated bots, it will have value for nobody.