When is public information not public? When LinkedIn says so

There is a David and Goliath tale unfolding in Silicon Valley. The Goliath is LinkedIn, the professional social network where approximately 500m people post their bios and resumes. The David is hiQ Labs, a San Francisco startup with 24 employees.

hiQ has two products, both dependent on access to the 500m LinkedIn member’s public profiles. The products are Keeper, which identifies which employees might be ripe for being recruited away, and Skills Mapper, which summarizes an employee’s skills.

They derive this information by harvesting LinkedIn’s publicly available profile section, information that anyone with a browser and a search engine would be able to see without being logged into LinkedIn. Their clients, according to hiQ, are mostly large companies (they identify eBay, Capital One and Go Daddy as current customers and are courting Chevron, Honeywell and IBM).

Every LinkedIn user’s public profile is different, based on what the individual wishes to make public. The profile consists of a number of areas, including a summary, work history, publications, groups and recommendations.

If you want to limit visibility of all or part of your profile, LinkedIn shows you how on its Help page. LinkedIn reminds users that “the public profile appears when anyone searches for you on Bing, Google, Duck Duck Go, etc”.

It’s not just individuals, though, who can search for you and see your public profile: businesses and intelligence agencies can search for you, too, as we were reminded by the UK’s MI5 when it sent a warning memo to government offices. Yes, the public profiles of LinkedIn are harvested  regularly.

Did LinkedIn just stumble on hiQ and its business model? Apparently not: it appears LinkedIn has not only been witting of hiQ, but engaged with hiQ as evidenced by LinkedIn’s participation in hiQ’s Elevate Conference, which included LinkedIn’s director of business operations and analytics, Lorenzo Canlas, receiving hiQ’s 2015 Elevate Impact Award.

So what’s the beef?

LinkedIn apparently took exception to hiQ’s use of its products, and decided to put a stop to it. It sent a cease-and-desist order to hiQ in late May, alleging hiQ was violating the Computer Fraud and Abuse Act, Digital Millennium Copyright Act, and California Penal Code § 502(c). In the letter to hiQ, LinkedIn also noted that it had used technology to hiQ from accessing its data.

Once LinkedIn blocked access to its publicly available data, hiQ’s ship was essentially dead in the water.

Following an exchange of letters, emails and phone calls, hiQ filed for relief in early June, asking for a temporary injunction and recommending that the parties take 30 days to discuss and come up with an amicable solution. LinkedIn went silent.

According to hiQ’s court filings and letters to LinkedIn, hiQ thinks LinkedIn is building its own capabilities in this space and is simply pushing hiQ out of what LinkedIn considers its playground.

US district judge Edward Chen noted his dim view of restricting access to publicly available information at the end of June, saying:

If restrictions are placed on that process, that has serious implications for future research, access and speech.

He then admonished the two parties to arrange a ceasefire or he would rule on hiQ’s request for a temporary restraining order. The two parties listened, and agreed to a standstill period. Their joint filing states:

During the standstill period, LinkedIn shall authorize hiQ to access and use public member profiles in a manner consistent with hiQ’s current business model in terms of both the quantity and type of data being utilized. LinkedIn will not assert that hiQ’s access to and use of the LinkedIn website during this standstill period was unauthorized. During the standstill period, hiQ will be able to access the LinkedIn site using the same technological means that it employed prior to LinkedIn’s cease and desist letter, and LinkedIn will withdraw its current IP address blocks. If for any reason hiQ is unable to access LinkedIn’s site at any time during the standstill period, hiQ can ask LinkedIn to rectify the situation and LinkedIn will promptly work toward restoring access.

The next instalment of this David and Goliath story will take place on 20 July 20, when both parties will file simultaneous briefs, followed by simultaneous responses on July 27, to be followed by Judge Chen’s ruling on hiQ’s request for a preliminary injunction.  We’ll be watching, as the implications this ruling may have on access to “public information” are very real.


from Naked Security – Sophos http://bit.ly/2tiDiYl
via IFTTT

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s