LinkedIn sues anonymous data scrapers

LinkedIn is trying to lock down its exclusive relationship with its users.

The professional networking company filed suit against 100 unnamed individuals last week for using bots to harvest user profiles from its website. The lawsuit is a preliminary step to revealing the identities of the scrapers — LinkedIn intends to ask the court to reveal the true identities behind the scrapers’ IP addresses — and a way to maintain its exclusive hold on users’ resumes.

But LinkedIn’s lawsuit also raises questions about how to police bot use. The company, which was recently snapped up by Microsoft for $26.2 billion, has invoked the controversial Computer Fraud and Abuse Act (CFAA) in its suit against the unidentified scrapers, claiming that collecting user profiles from the site amounts to hacking.

“During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages,” the lawsuit claims. “To access this information on LinkedIn’s site, the Doe Defendants circumvented several technical barriers employed by LinkedIn that prevent mass automated scraping, and have knowingly and intentionally violated various access and use restrictions in LinkedIn’s User Agreement, which they agreed to abide by in registering LinkedIn member accounts. In so doing, they have violated an array of federal and state laws, including the Computer Fraud and Abuse Act.”

The CFAA allows companies like LinkedIn to bring cases against anyone who gains “unauthorized access” to a “protected computer.” The law has been criticized for essentially criminalizing Terms of Service violations, and Representative Zoe Lofgren and other lawmakers have pushed unsuccessfully for CFAA reform.

LinkedIn’s case accuses the anonymous scrapers of building a massive botnet and circumventing the restrictions LinkedIn uses to prevent profile collection by undesirable third parties.

The lawsuit details several of LinkedIn’s automated tools that prevent data harvesting. Dubbed FUSE, Quicksand and Sentinel, these tools monitor the web traffic of LinkedIn users and limit how many other profiles a user can view, and how quickly a user can view those profiles. This tracking is intended to prevent scrapers from signing up for fake LinkedIn profiles and then vacuuming up vast amounts of data. The company also uses a tool called Org Block to block IP addresses it suspects of scraping and uses Member and Guest Request Scoring to track page requests.

But paradoxically, LinkedIn doesn’t want to prohibit scraping altogether. Search engines like Google use bots to index websites and turn up relevant results — and LinkedIn wants to allow this type of scraping to occur.

“LinkedIn ‘whitelists’ a number of popular and reputable service providers, search engines, and other platforms so as to permit them to query and index the LinkedIn website, without being subject to all of LinkedIn’s security measures,” the company explains in its suit. The scrapers targeted in the lawsuit circumvented LinkedIn’s bot-blocking tools by sending their requests through one of these ‘whitelisted’ entities, a third-party cloud service provider.

A LinkedIn representative declined to comment on how the company differentiates between good and bad scraping, referring TechCrunch to the complaint, which does not discuss how the company makes that determination.

It’s also not clear what kind of behavior LinkedIn is trying to prevent, since the lawsuit doesn’t specify what the scraped data is being used for. Does LinkedIn want to squash a competitor? Or is it targeting a research project like ICWATCH, which archives the resumes of individuals in the intelligence community?

LinkedIn likely defines ‘bad’ scraping based on the scrapers’ effort to circumvent the company’s preventative measures. While it gives special access to search engines and other friendly bots, LinkedIn obviously didn’t give permission to the data harvesters it’s suing.

Similar CFAA lawsuits, like Craigslist’s against 3Taps and Facebook’s against Power Ventures, have been favorable to the plaintiffs, so LinkedIn has a good shot at shutting down its scrapers. Twitch filed a comparable CFAA lawsuit against view-bots earlier this summer, in which the live stream site alleged that using bots to inflate a channel’s view count amounts to an unauthorized access of Twitch’s ‘protected computers.’ However, Twitch’s complaint also claims a number of other violations, including trademark infringement.

Clearly, companies are interested in stamping out certain kinds of bots. But other scraping, like that done by search engines and web archiving services like the Wayback Machine, is welcomed. That dichotomy could create an anti-competitive business atmosphere, the Electronic Frontier Foundation argues.

“If you make it illegal for bots to access websites, you’ve given existing search engines a monopoly,” EFF staff attorney Nate Cardozo told TechCrunch. “Google and Bing got started by crawling the entire web. That’s essentially what LinkedIn is talking about here. To call scraping a CFAA violation is extremely anti-competitive. Using the CFAA to stifle innovation is certainly not what it was intended for.”

But LinkedIn says that fighting some bots and allowing others is essential to protecting its members. The case is scheduled to be heard in U.S. District Court in San Jose.