LinkedIn case highlights employee privacy issues

A San Francisco firm is using bots to track public profile changes of clients on LinkedIn. The monitoring is being challenged in court and may impact employee privacy practices.

IT managers have long had the ability and right to monitor employee behavior on internal networks. Now, HR managers are getting similar capabilities thanks to cloud-based services -- but for tracking employee activity outside of their employers' network. A controversy is swelling over the potential impact of this tracking on employee privacy.

A San Francisco-based startup, hiQ Labs Inc., offers products based on its analysis of publicly available LinkedIn data. One is Keeper, which identifies employees at risk of being recruited away, and another is Skill Mapper, which analyzes employee skills.

The profile data is collected by software bots. The clients of hiQ's service may learn whether a LinkedIn member is a flight risk thanks to an individual risk score: high (red), medium (yellow) or low (green), according to court papers.

Individuals can already look at publicly available social media profiles. That's not in dispute. But the use of bots takes employee monitoring to another level. LinkedIn is trying to stop it. The two sides are fighting in federal court, and the outcome may reshape how social networking and HR operate and how they treat employee privacy issues.

The ethics debate over this form of automated social media monitoring almost seems beside the point. It's hard to imagine any employee saying they are comfortable with it. Indeed, they may find it worrisome. But a federal judge is allowing it and recently stopped LinkedIn from blocking hiQ.

Employee privacy issues and HR's quest for actionable data

The case raises some specific questions about employee privacy rights on social networking sites, but it poses questions for HR managers as well.

There is an aspiration in HR tech "to start making things more actionable, to start going a level deeper in terms of intelligence," but the "big unknown is: Where does that data come from and who owns that data?" said Rami Essaid, CEO of Distil Networks, which makes bot defense tools.

LinkedIn said the scraping of members' personal data is being done "without their consent" and is in violation of the Computer Fraud and Abuse Act (CFAA), the 1986 anti-hacking law, according to court records filed in the U.S. District Court in the Northern District of California, where the employee monitoring case is being heard.

But hiQ argues it only uses profile data that is "wholly public information" and accessible to anyone. It "pulls data for a limited subset of users -- usually its client's employees -- and uses scientific methodology to analyze the information," it wrote in a court filing.

The two sides have sharply different views on how the LinkedIn data may be used.

The information developed by hiQ in its Keeper tool, the company explained, may prompt employers to give an employee at risk of leaving a "'stay bonus' or career development or internal mobility opportunity."

LinkedIn describes a less positive outcome to employee monitoring: "If an employer thinks an employee is about to leave, the employer could terminate her or refuse to give her access to sensitive information, even if she actually has no intention of departing."

LinkedIn chided for own employee privacy issues

The legal drama began in May after LinkedIn sent hiQ a cease-and-desist letter. In response, hiQ sought an injunction to prevent LinkedIn "from misusing the law to destroy hiQ's business."

In August, U.S. District Court Judge Edward Chen granted hiQ the injunction and cited, in part, LinkedIn's use of one of its services aimed at hiring, Recruiter.

Chen's decision leaned on LinkedIn marketing materials, which were presented by hiQ. The court noted that user changes are provided to third parties who subscribe to LinkedIn's Recruiter. LinkedIn "trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case," he wrote.

But Chen also took exception to the use of the CFAA in this case "to punish hiQ for accessing publicly available data." The judge warned such an interpretation "could profoundly impact open access to the internet."

Chen's decision means LinkedIn can't prevent hiQ's "access, copying or use of public profiles" on its website -- citing, specifically, only that information which is public and visible not only to LinkedIn members but also to those who access LinkedIn via search engines.

The case has the potential to have a massive impact on how social media sites operate, said Shain Khoshbin, an attorney at Munck Wilson Mandala, LLP in Dallas. Social media sites may turn to password protection, "and that will deal a crushing blow to LinkedIn and a lot of the social media sites -- Facebook, frankly."

LinkedIn has appealed the judge's order. The company uses anti-bot technology. In discussing bots generally in its appeal, LinkedIn said, "Bots have been programmed to make complete copies of LinkedIn's website, combine scraped member data with data found elsewhere (such as telephone numbers or addresses) and otherwise infiltrate LinkedIn's physical servers. Once scraped from LinkedIn's servers, member data can be sold to the highest bidder."

LinkedIn describes extent of bot threat

LinkedIn's automated countermeasures include systems that scan for, throttle and block suspicious activity associated with specific IP addresses, as well as systems that monitor "patterns of access" to its servers that look for "non-human activity indicative of scraping."

The firm said it invests "millions of dollars annually in this effort to stop bots and blocks over 95 million bot access attempts per day." But it said it can't "fully shield its servers from this kind of bot-related gamesmanship." It has legal tools as well, including its user agreement, which expressly prohibits using automated software, including bots, to scrape data.

Distil Networks' Essaid does not believe that the LinkedIn data is public data. "It is a private social network," he said.

Susan Razzano, an attorney at Eimer Stahl, said if hiQ was copying data protected by copyright and representing it as its own, it would be a problem. "The laws are reasonably clear on that," she said. "But if hiQ is copying publicly available information and processing that data and applying analytics to that data and repackaging it and making it its own, I'm not sure that that's an illegal practice."

The problem is something the courts are trying to figure out, Razzano said. "If we as a society think that it's good or OK for people to be able to use public information to be creative and turn it into something else, how do I protect my information?"

The lawsuit is hiQ Labs, Inc. v. LinkedIn Corp. and is now being heard in the U.S. Court of Appeals for the Ninth Circuit.
