Sunday, September 22, 2013

The people suing LinkedIn don't understand

Update October 4, 2015: If you added a LinkedIn connection between September 17, 2011 and October 31, 2014, you should have received an email titled "LEGAL NOTICE OF SETTLEMENT OF CLASS ACTION." The deadline to submit a claim for this class-action lawsuit is December 14, 2015. I'm not authorized to include any more information about this; if you feel you should have received the legal notice and didn't, please contact LinkedIn directly.

An interesting note on the post below: LinkedIn is still asking me to connect to people using email addresses that were discontinued over 10 years ago. This shows you that, once an email address is in LinkedIn's system, they will retain it forever. I will be looking for a feature to remove all the stale email addresses and upload new ones.

Note September 15, 2014: There is new information about LinkedIn. This post needs to be replaced. Stay tuned. Brian Krebs describes a possible hack of LinkedIn, "LinkedIn Feature Exposes Email Addresses."

Original post:
According to an article in The Verge, LinkedIn has been accused of hacking users' email accounts. I think I know what's going on and why the plaintiffs don't understand what's happening.

Let's look at two people: a fictional John Doe (john.doe@example.com) and me (bruce.hobbs@gmail.com). John Doe is one of the plaintiffs in the the lawsuit; he claims his email account was hacked. Not at all. Here's what I think happened:

1. When I signed up with LinkedIn, I gave them one-time access to my Gmail contacts. I did this by changing my Gmail password, letting LinkedIn harvest my contacts, then changed my Gmail password again. This guaranteed that LinkedIn only had one-time access to my email contacts.

2. Let's say John Doe was in my contact list under john.doe@example.com. At that time, John Doe was not a member of LinkedIn. LinkedIn doesn't contact him, it just files his email address away linked to my email address. I gave LinkedIn permission to do this.

3. Several years pass and John Doe joins LinkedIn using the email address john.doe@example.com. Guess what? LinkedIn goes through their database and sees the connection between John Doe and me. So I get an email message saying that John Doe has joined LinkedIn. Would I like to send him a connection request?

4. John hears about this and thinks, "Oh my God, they've hacked my email account!" I think it's exactly the other way around: John's friends gave LinkedIn his address and there was no hacking involved.

Is there validity in the lawsuit? I'm not an attorney but I don't think so. I might suggest that LinkedIn only keep the email addresses they receive (see step 1) that don't match current LinkedIn subscribers for a year and then discard them.

Update June 6, 2014: LinkedIn filed a motion in December to dismiss the lawsuit on the grounds that the new user (John Doe in my example) consented to sending invitation requests to other members of LinkedIn. Click here for the Bloomberg story.



No comments: