LinkedIn case highlights employee privacy issues

Large Man Looking At Co-Worker With A Magnifying Glass --- Image by ©

A San Francisco firm is using bots to track public profile changes of clients on LinkedIn. The monitoring is being challenged in court and may impact employee privacy practices.


IT managers have long had the ability and right to monitor employee behavior on internal networks. Now, HR managers are getting similar capabilities thanks to cloud-based services — but for tracking employee activity outside of their employers’ network. A controversy is swelling over its potential impact on employee privacy.

A San Francisco-based startup, hiQ Labs Inc., offers products based on its analysis of publicly available LinkedIn data. One is Keeper, which identifies employees at risk of being recruited away, and another is Skill Mapper, which analyzes employee skills.

The profile data is collected by software bots. The clients of hiQ’s service may learn whether a LinkedIn member is a flight risk thanks to an individual risk score: high (red), medium (yellow) or low (green), according to court papers.

Individuals can already look at publicly available social media profiles. That’s not in dispute. But the use of bots takes employee monitoring to another level. LinkedIn is trying to stop it. The two sides are fighting in federal court, and the outcome may reshape how social networking and HR operate and how they treat employee privacy issues.

The ethics debate over this form of automated social media monitoring almost seems beside the point. It’s hard to imagine any employee saying they are comfortable with it. Indeed, they may find it worrisome. But a federal judge is allowing it and recently stopped LinkedIn from blocking hiQ.

Employee privacy issues and HR’s quest for actionable data

The case raises some specific questions about employee privacy rights on social networking sites, but it poses questions for HR managers as well.

There is an aspiration in HR tech “to start making things more actionable, to start going a level deeper in terms of intelligence,” but the “big unknown is: Where does that data come from and who owns that data?” said Rami Essaid, CEO of Distil Networks, which makes bot defense tools.

LinkedIn said the scraping of members’ personal data is being done “without their consent” and is in violation of the Computer Fraud and Abuse Act (CFAA), the 1986 anti-hacking law, according to court records filed in the U.S. District Court in the Northern District of California, where the employee monitoring case is being heard.

But hiQ argues it only uses profile data that is “wholly public information” and accessible to anyone. It “pulls data for a limited subset of users — usually its client’s employees — and uses scientific methodology to analyze the information,” it wrote in a court filing.

The two sides have sharply different views on how the LinkedIn data may be used.

The information developed by hiQ in its Keeper tool, the company explained, may prompt employers to give an employee at risk of leaving a “‘stay bonus’ or career development or internal mobility opportunity.”

LinkedIn describes a less positive outcome to employee monitoring: “If an employer thinks an employee is about to leave, the employer could terminate her or refuse to give her access to sensitive information, even if she actually has no intention of departing.”

LinkedIn chided for own employee privacy issues

The legal drama began in May after LinkedIn sent hiQ a cease-and-desist letter. In response, hiQ sought an injunction to prevent LinkedIn “from misusing the law to destroy hiQ’s business.”

In August, U.S. District Court Judge Edward Chen granted hiQ the injunction and cited, in part, LinkedIn’s use of one of its services aimed at hiring, Recruiter.

Chen’s decision leaned on LinkedIn marketing materials, which were presented by hiQ. The court noted that user changes are provided to third parties who subscribe to LinkedIn’s Recruiter. LinkedIn “trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case,” he wrote.

But Chen also took exception to the use of the CFAA in this case “to punish hiQ for accessing publicly available data.” The judge warned such an interpretation “could profoundly impact open access to the internet.”

Chen’s decision means LinkedIn can’t prevent hiQ’s “access, copying or use of public profiles” on its website — citing, specifically, only that information which is public and visible not only to LinkedIn members but those who access LinkedIn via search engines.

The case has potential to have a massive impact on how social media sites operate, said Shain Khoshbin, an attorney at Munck Wilson Mandala, LLP in Dallas. Social media sites may turn to password protection, “and that will deal a crushing blow to LinkedIn and a lot of the social media sites — Facebook, frankly.”

LinkedIn has appealed the judge’s order. The company uses anti-bot technology. In discussing bots generally in its appeal, LinkedIn said, “Bots have been programmed to make complete copies of LinkedIn’s website, combine scraped member data with data found elsewhere (such as telephone numbers or addresses) and otherwise infiltrate LinkedIn’s physical servers. Once scraped from LinkedIn’s servers, member data can be sold to the highest bidder.”

LinkedIn describes the extent of the bot threat

LinkedIn’s automated countermeasures include systems that scan for, throttle and block suspicious activity associated with specific IP addresses, as well as systems that monitor “patterns of access” to its servers that look for “non-human activity indicative of scraping.”