LinkedIn is facing a common plague of social networking companies: thousands of fake accounts used for spam and other nefariousness. So the company is using an increasingly familiar tactic: It’s suing those responsible for setting up the fake accounts, even though it doesn’t know who they are.
Suspicious patterns of activity started on LinkedIn’s network last spring, according to a complaint filed Monday in federal district court in Northern California. Thousands of accounts were set up with automated tools, then used to gather information about actual people on the site. LinkedIn has tools in place to monitor accounts with suspiciously high levels of activity. Whoever was running the scheme was apparently aware of these limits, the complaint says, and designed the fake accounts to do just enough not to hit the thresholds.
All this violates LinkedIn’s user agreements and, the company claims, also breaks state and federal computer security laws, as well as federal copyright law. The hackers are making the site fundamentally less useful by gumming up the system with fake accounts, LinkedIn argues. As such, the hackers are unfairly competing with LinkedIn by stealing user data that it worked hard to assemble legitimately. (The company declined to comment about the case to Bloomberg Businessweek.)
LinkedIn isn’t the first Silicon Valley company to sue parties that’ve used computer programs to scrape data from its site. Late last year, Facebook won a long-running case against a company that collected user data to send spam. Craigslist has pursued companies that pull listings from its site and display them in different ways.
In those cases, the companies know who to target. LinkedIn, however, isn’t quite sure who it’s up against. Filing a lawsuit is one way to put pressure on Internet service providers to help the networking platform find out—it’s a tactic used by other technology companies in similar situations.
“Filing the lawsuit allows you to issue enforceable subpoenas to third parties,” says Al Saikali, co-chair of the data privacy and data security practice at law firm Shook, Hardy & Bacon. “Otherwise you’re simply sending a letter to the in-house lawyer at the service provider, who will usually either ignore it or file it in the trash can because it has no legal weight, and most service providers try to protect their users’ anonymity.”
LinkedIn’s lawsuit won’t necessarily unmask the people behind the scheme. The computers carrying out the activity could very well be owned by victims of some previous attack; hackers simply have co-opted the machines without the owners’ knowledge. A court case is an early step in an investigation, with several more to follow. “If the accused are sophisticated in any shape or form, it may not help at all,” says Chester Wisniewski of security firm Sophos.
LinkedIn may not need to identify the John Doe defendants to claim victory. Saikali guesses the company is looking to intimidate future bot operators from targeting the site. And the case could be winnable, even without a known defendant. In recent years, Microsoft’s digital crimes unit has won a series of court orders to shut down the physical infrastructure used to carry out various cybercrimes, even in instances when it doesn’t know who is behind the attacks.
As victories go, this one could be mixed, says Jose Nazario of Arbor Networks. As he told the New York Times: “You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again.”