LinkedIn Concerned about Tech Regulations

LinkedIn CEO Jeff Weiner raised concern about a tide of tech regulation following recent data privacy scandals.  Of particular concern is the impact of removing tech company immunity for the content shared by users under Section 230 of the Communications Decency Act.  If the Section were removed, social networks would be forced to proactively censor posts.

“Even if the [technology] industry were to do greater self-regulation, you’re going to see more regulatory oversight.”

Just as the wide use of algorithms has provided a megaphone to misinformation and fringe social media, regulation can have unintended consequences.  “The unintended consequences work both ways,” said Weiner.  “Companies make decisions only with the best of intentions, and there are unintended consequences of those decisions.  But from a regulatory perspective, I think it’s the same thing.”

“You could stifle a lot of innovation.  You could stifle a lot of openness.  You could stifle a lot of the things that create value by virtue of changing these liability rules and laws. That is just almost a canonical example of where these unintended consequences would really proliferate.  The things companies would need to do to ensure that they were protected is going to hurt the way in which people can communicate with one another.”

LinkedIn CEO Jeff Weiner

LinkedIn operates in China where it is subject to censorship.  The firm decided to enter the market as it’s mission is to create economic opportunity globally.  “The censorship issue in China is always a painful one,” he said.  “It has to be navigated and managed in the context of the broader vision.” While LinkedIn is advocating for Section 230, its parent company has taken a pro-regulatory view on data privacy, calling for an American version of GDPR.  Microsoft has built GDPR into the infrastructure of its platforms.

Court Rules LinkedIn Scraping Legal

In a ninth Circuit Court ruling last week, the Court sided with hiQ Labs which had been barred from accessing LinkedIn for the purposes of scraping public profiles.  hiQ Labs, a data analytics company which identifies employees who may be looking to depart, won a preliminary injunction against LinkedIn.  This is the second court which has evaluated the case and sided against the Microsoft subsidiary.

LinkedIn argued that scraping after a cease-and-desist letter was “without authorization” under the federal Computer Fraud and Abuse Act (CFAA), but hiQ Labs argued that the content was public and that scraping public data was not akin to hacking.

The Court ruled that “there is little evidence that LinkedIn users who choose to make their profiles public actually maintain an expectation of privacy with respect to the information that they post publicly, and it is doubtful that they do.”

The Court continued, “LinkedIn invokes an interest in preventing ‘free riders’ from using profiles posted on its platform.  But LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles.”

The National Law Review summarized the case:

Most notably, the Ninth Circuit held that HiQ had shown a likelihood of success on the merits in its claim that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA.

In light of this ruling, data scrapers, content aggregators and advocates of a more open internet will certainly be emboldened, but we reiterate something we advised back in our 2017 Client Alert about the lower court HiQ decision: while the Ninth Circuit’s decision suggests that the CFAA is not an available remedy to protect against unwanted scraping of public website data that is “presumptively open to all,” entities engaged in scraping should remain careful. The road ahead, while perhaps less bumpy than before, still contains rough patches.  Indeed, the Ninth Circuit cautioned that its opinion was issued only at the preliminary injunction stage and that the court did not “resolve the companies’ legal dispute definitively, nor do we address all the claims and defenses they have pleaded in the district court.”…

On appeal, the parties offered dueling visions of what the law surrounding the CFAA and scraping should be:

LinkedIn: “[A]uthorization from LinkedIn—the server’s owner—is ‘needed’ to avoid CFAA liability, regardless of whether those servers also host data that LinkedIn generally makes available on its website.  hiQ lacked that required “authorization” once LinkedIn sent hiQ its cease-and-desist letter and implemented additional technological barriers restricting bot access.”

HiQ: “LinkedIn does not grant permission to access its public content because those pages are, by definition, open for all to see and use.  hiQ, like any other Internet user, simply requests LinkedIn’s public pages, and LinkedIn’s servers automatically provide them.  There is no “authorization” for LinkedIn to revoke.  Reading the statute in accordance with the language’s ordinary significance, “without authorization” refers to circumstances where authorization is a prerequisite to access.”

National Law Review

Intentional access without authorization under the CFAA generally covers hacking and employee access after permission has been rescinded.  As public profiles are not subject to passwords, the question of whether the CFAA applied was in question.

“It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA,” wrote the Court.  “The data hiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system.  HiQ has therefore raised serious questions about whether LinkedIn may invoke the CFAA to preempt hiQ’s possibly meritorious tortious interference claim.”

Thus, the ruling supports web scraping of public sites.  What it doesn’t address is whether harvesting member data for the purposes of generating datasets which counter the interests of social media sites and its members is against the public interest.  This question may be more of a public policy question than a legal one.  Members join LinkedIn for the purposes of professional networking, job searching, and self-marketing.  While public LinkedIn does not publish emails or direct dials, it includes work and educational histories, interests, affiliations, and other personal content.  Furthermore, it is easy to guess at emails making it fairly trivial to assemble email files for spammers.  It is very possible, that the HiQ Labs ruling conforms with US law but due to the Personally Identifiable Information content being gathered is counter to European GDPR.  The result could well be the loss of public LinkedIn profiles or a thinning of publicly posted profiles.

The Court focused on the CFAA and did not evaluate other arguments when granting relief.  “State law trespass to chattels claims may still be available.  And other causes of action, such as copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy, may also lie,” stated the Court.

Orin Kerr, a law professor at UC Berkeley called the ruling a “major decision for the open internet.  It doesn’t establish that scraping websites is completely legal, but it goes a long way toward establishing that it’s not a federal crime.”

In the case of HiQ, they offer predictive attrition models which could result in individuals not being hired or employees not being promoted.  “Keeper is the first HCM tool to offer predictive attrition insights about an organization’s employees based on publicly available data,” says the firm.  While some high-value employees may enjoy additional leverage due to these models, others may be mistrusted.  

One could imagine other detrimental use cases such as credit companies tracking employment and lowering credit scores.  The result would be higher interest costs and a lowered ability to find a job.  The result would be decreased transparency and truthfulness on LinkedIn.

As such, the scraping of LinkedIn data could undermine the trust members have in LinkedIn or limit the permissions granted to LinkedIn.  If LinkedIn played fast-and-loose with member data, they would have less standing, but LinkedIn does not permit downloading of member data to Excel or the uploading of member data to CRMs.  Sales Navigator treats member data as view only in its SNAP connectors.  Thus, LinkedIn is placing data privacy rules on itself that it cannot place on third-parties that gather LinkedIn data.  More broadly, parent company Microsoft has committed itself to GDPR as a global data privacy standard.

Analyst David Raab of the Customer Data Platform Institute had a tongue-in-cheek view of the case: “In what I like to think of as CSI: Obvious Division, a federal appeals court ruled that LinkedIn can’t block scraping of published member data because people had no expectation of privacy for their public profiles.  It’s rather amazing LinkedIn thought they could win with that one.” .dialogRendere

GDPR First Anniversary (Is Your Data More Secure?)

EU Flag

As GDPR hit its first anniversary on Saturday, Microsoft once again called for a US privacy law which shifts the onus of data privacy from the individual to corporations.  Today, Americans operate in an opt-out regime which requires them to find and manage their privacy settings.

“This places an unreasonable — and unworkable — burden on individuals,” wrote Microsoft’s Deputy General Counsel Julie Brill.  “Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.”

Microsoft prefers a single federal standard to piecemeal state-level laws such as California’s CCPA.  Brill said the legislation should be interoperable with the GDPR to help reduce the “cost and complexity of compliance.”  This framework should reflect ”the changing understanding of the right to privacy in the United States and around the world.”  The proposed legislation should “uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.”

“For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting requirements—for privacy protection in the countries where they do business,” said Brill.

According to eMarketer analyst Ross Benes, the US ad industry has shifted from a call for self-regulation to supporting national privacy regulations, fearing ”a patchwork of different rules” as “legislation looks increasingly inevitable.”

A TrustArc/Ipsos survey of UK adults (16 – 75) found a 36% improvement in trust concerning personal data since GDPR went into effect.

Source: TrustArc / Ipsos GDPR Survey of 2,230 UK adults (May 2019)

A Snow study found that 39% of global business professionals believe their data is better protected since GDPR passed, with the biggest increase in the APAC region (48%).  40% of Europeans also believed their personally identifiable information is more secure, but only 30% in the US held the same belief.

74% of surveyed professionals believe that the technology industry needs more regulation with 83% of APAC and 72% of US respondents wanting additional tech regulation.

The EU has yet to strictly enforce the law with only one large fine ($56M) versus Google in France. However, Google and the social media and advertising companies are all subject to ongoing suits:

The latest investigation — the first by the Irish watchdog into Google — brings to 19 the number of open cases by the regulator targeting big U.S. tech companies. They include probes into Apple Inc., Twitter Inc., eight probes into Facebook Inc., plus one into Instagram and two into WhatsApp.

Los Angeles Times, “Google could face hefty EU fine over possible privacy violations,” May 22, 2019

“What is important to recognize is that the EU is taking GDPR very seriously, with fines being established for any breach,” said Ben Feldman, SVP of strategy and innovation at NYIAX.  “I would expect that the first six-to-nine months of any new regulation action would be spent working out the kinks and processes of implementation.  It is quite likely that we will see more fines in the coming months.”

Quora: Does LinkedIn Sell Your Info?

The following is a Quora post answering the question, “Does LinkedIn Sell Your Info?”


This is likely to fall into a semantics question. If data is employed in the aggregate and your personally identifiable information is not disclosed, then I would argue that your information is not sold. Likewise, if you are presented an ad because your LinkedIn profile conforms with a target audience definition, your data is also not being sold.

I can’t answer for LinkedIn Recruiter, but can answer in the Sales and Marketing context.

LinkedIn offers a sales product called Sales Navigator. Users can view company and contact information on Navigator just as they can on the free service. It even supports viewing this data within third-party SNAP products. However, Navigator and SNAP are view only. Sales reps cannot download your profile or sync it with any of their partner platforms. They also restrict display of your email and phone information to your direct connects as well as other content you flag as restricted.

LinkedIn Marketing sells advertising on LinkedIn and Bing based upon your profile attributes. Advertisers define their target audience across a broad set of firmographic, career, and location variables, but these segments are not provided directly to the marketer. Instead, they are used for advertising display. Thus, your data isn’t sold, just your eyeballs.

LinkedIn treats its member’s data with respect. Microsoft, its parent company, has called for a US version of GDPR, the European data privacy standard. CEO Satya Nadella stated that “privacy is a fundamental human right” on an April 2018 earnings call and said that the firm has implemented an “end-to-end privacy architecture” which is GDPR compliant.

The LinkedIn SNAP AppExchange connector displays LinkedIn content and functionality within Salesforce, but does not sync any company or contact data with SFDC.
The LinkedIn SNAP AppExchange connector displays LinkedIn content and functionality within Salesforce, but does not sync any company or contact data with SFDC.

LinkedIn Email Downloading

LinkedIn users can block connections from downloading their emails.
LinkedIn users can block connections from downloading their emails.

LinkedIn added the option to restrict downloading of emails by their connections.  LinkedIn does not generally allow profile downloading or CRM synching except for permissioned connections.  Users now have the option to permit connections to view their emails but block them from downloading emails.  By default, emails are not downloadable unless users change their settings to permit downloads.

While the change is pro-privacy and consistent with GDPR, TechCrunch took a negative view of the new setting.

A win for privacy on LinkedIn could be a big loss for businesses, recruiters and anyone else expecting to be able to export the email addresses of their connections.…[The new option] could prevent some spam, and protect users who didn’t realize anyone who they’re connected to could download their email address into a giant spreadsheet. But the launch of this new setting without warning or even a formal announcement could piss off users who’d invested tons of time into the professional networking site in hopes of contacting their connections outside of it…

On a social network like Facebook, barring email exports makes more sense. But on LinkedIn’s professional network, where people are purposefully connecting with those they don’t know, and where exporting has always been allowed, making the change silently seems surreptitious. Perhaps LinkedIn didn’t want to bring attention to the fact it was allowing your email address to be slurped up by anyone you’re connected with, given the current media climate of intense scrutiny regarding privacy in social tech. But trying to hide a change that’s massively impactful to businesses that rely on LinkedIn could erode the trust of its core users.


Josh Constine, TechCrunch

TechCrunch overstates the loss.  Member control their data, not LinkedIn or LinkedIn connections.   Second, there are multiple ways to reach users from within LinkedIn including InMail, messaging, and PointDrive.  Unless the email is blocked on the profile, connections still have access to emails from within LinkedIn.  Finally, most emails in LinkedIn are personal emails, not business emails (an issue they should address by allowing both and setting privacy and messaging rules around multiple emails), so reaching out to individuals on their emails only makes sense for friends, family, and recruiters on LinkedIn, not businesspeople networking with colleagues and clients.

While LinkedIn wasn’t transparent about the privacy change, it enhanced the privacy of its members.  As such, looking for nefarious reasons for the enhancement is a reach.

Salesforce: Trust is the Key Value for Tech Companies

Salesforce: Trust is the Key Value for Tech Companies

Speaking to Jim Cramer on Mad Money, Salesforce CEO Marc Benioff argued that for technology companies, the key value is no longer the great idea, but trust:

In technology over the last two decades, the most important thing has been the idea. That is, the best idea wins.   That has been what gets you funded, that’s how you grow your company, that’s been your highest value: the best idea wins. No longer true.

The current highest value is trust, and if trust is not your highest value, if the most important thing to you and your company is not trust, you need to look again, and that’s what’s happening with these companies today.

Salesforce CEO Marc Benioff

Benioff observed that a lack of trust is eroding Silicon Valley companies such as Facebook.  “Their executives are walking out, employees are walking out,and that happens with a lot of companies in tech right now. We’ve had a lot of walkouts this quarter.  And the reason why is because it’s kind of amessage to the executives: it’s time to transform.”

“Every company has to hold themselves to a new level of trust, and if your brand is not about trust, you’re going to have customer issues, and you can see that in that brand,” observed Benioff.

And trust has long been part of Salesforce’s value proposition.  The firm emphasizes it’s 1:1:1 philanthropy program (Donating 1% of technology, people, and resources) which has been adopted as a model by other companies.  Salesforce also promotes local nonprofits at Salesforce events, emphasizes Trailhead and meetups for skills advancement, embraced a San Francisco tech company tax to address homelessness, called for a US GDPR to protect privacy, raised womens’ wages to address a pay equity gap following a self-audit, and spoke out against anti-gay legislation.  Under a short-term profit-maximization model, these activities make little sense, but under a longer-term stakeholder’s approach, they make perfect sense.

Trust is based on a stakeholders approach to corporate governance.  It recognizes that Milton Friedman’s stance against social responsibility (“there is one and only one social responsibility of business to use its resources and engage in activities designed to increase its profits so long as it stays in the rules of the game, which is to say, engages in open and free competition, without deception or fraud.”) is wrong.  A stakeholders approach recognizes that employees, customers, partners, investors, and the general public all place value on companies that take a long-term view of their role in society.  Simple profit maximization is a short-term approach which fails to recognize that you can’t attract the best employees or close multi-million dollar deals if you are not trusted.

And you can see this in the stock price growth of Facebook and Salesforce over the past five years.  Facebook’s stock price outpaced Salesforce for the past five years, but once Facebook lost trust, its stock price declined.

Salesforce and Facebook both had strong stock price growth over the past five years, but Facebook retreated this year after it lost trust amongst stakeholders.
Salesforce and Facebook both had strong stock price growth over the past five years, but Facebook retreated this year after it lost trust amongst stakeholders.

Apple CEO Tim Cook on Data Privacy

Speaking at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC), Apple CEO Tim Cook forcefully called for expanded global privacy protections akin to GDPR:

Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold. Taken to the extreme this process creates an enduring digital profile and lets companies know you better than you may know yourself. Your profile is a bunch of algorithms that serve up increasingly extreme content, pounding our harmless preferences into harm…

We shouldn’t sugarcoat the consequences. This is surveillance…

We should celebrate the transformative work of the European institutions tasked with the successful implementation of the GDPR. We also celebrate the new steps taken, not only here in Europe but around the world — in Singapore, Japan, Brazil, New Zealand. In many more nations regulators are asking tough questions — and crafting effective reform.

It is time for the rest of the world, including my home country, to follow your lead.

We see vividly, painfully how technology can harm, rather than help. [Some platforms] magnify our worst human tendencies… deepen divisions, incite violence and even undermine our shared sense or what is true or false.

This crisis is real. Those of us who believe in technology’s potential for good must not shrink from this moment…

They may say to you our companies can never achieve technology’s true potential if there were strengthened privacy regulations. But this notion isn’t just wrong it is destructive — technology’s potential is and always must be rooted in the faith people have in it. In the optimism and the creativity that stirs the hearts of individuals. In its promise and capacity to make the world a better place.

It’s time to face facts. We will never achieve technology’s true potential without the full faith and confidence of the people who use it.

He also warned about the dangers of AI which fails to protect privacy:

Artificial intelligence is one area I think a lot about. At its core this technology promises to learn from people individually to benefit us all. But advancing AI by collecting huge personal profiles is laziness, not efficiency.

For artificial intelligence to be truly smart it must respect human values — including privacy. If we get this wrong, the dangers are profound. We can achieve both great artificial intelligence and great privacy standards. It is not only a possibility — it is a responsibility…

Yesterday, Cook tweeted that privacy is a human right

Tim Cook on GDPR

based upon four principals:

  • Data Minimization – Personal data collection should be minimized or de-identified.
  • Transparency – Individuals have the right to know what is being collected and for what purpose.
  • Right to Access – “data belongs to users” with personal data available to individuals for copying, correcting, and deleting.
  • Right to security – “security is foundational to trust and all other privacy rights”

Cook isn’t the first CEO to call for a global GDPR. Microsoft has built GDPR into its products and CEO Satya Nadella has expressed similar thoughts. Salesforce CEO Mark Benioff discussed data privacy and cybersecurity on a May earnings call and SugarCRM CEO Larry Augustin has also voiced concerns.

Facebook Reaps What It Sows

Facebook dropped 20% in one day as the ongoing news about their misuse of personal data began to hit their bottom line a few weeks ago.  Here is a guerilla protest campaign in London which encapsulates their issues:

The problem at Facebook is that they forgot that they were there for their members not their advertisers.  The idea was free content (news, fake news, and social), no editorial review, and monetization of the data exhaust from their platform.

When that happened, truth and privacy became irrelevant.  They can whitewash their actions and pretend that the problems are exogenous to their company, but hiring editors is only the beginning of excising the rot that rests at the center of Facebook’s business model.


Source: Instagram images from ProtestStencil

Rhetorik: What Does GDPR Mean for B2B Marketing? (Part II)

Yesterday, I presented a discussion of Legitimate Interest as the basis of GDPR communications.  For B2B companies in the UK, the 2003 PECR (The Privacy and Electronic Communications Regulations of 2003) law is often applicable when assessing GDPR and Data Privacy:

GDPR and Data Privacy under UK PECR and Non-PECR scenarios (Source: Rhetorik)
GDPR and Data Privacy under UK PECR and Non-PECR scenarios (Source: Rhetorik)

The PECR discusses soft opt-ins for individuals, sole traders and some partnerships, but not B2B.  The ICO states that “the term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.  The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts.”

Legitimate Interest also applies to data licensing relationships and marketing partnerships.  If personal data interest is maintained for a specific purpose (e.g. Technology Sales), data licensing and sharing needs to be kept within the original scope.

Legitimate Interest and Consent also apply within a company.  Data maintained for one product line may not be usable for others, particularly if the firm spans multiple sectors.

The UK Direct Marketing Association published guidance on the subject of Legitimate Interest helping make sense of Article 6.1.f:

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

And Recital 47:

“The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”

Once the basis of holding personal data is met, companies have additional conditions to meet around transparency (notification and the right to object), data minimization (Is there a legitimate interest in collecting all of the fields? How long is data retained?), and reasonable expectation (limited impact to personal and private life; ensuring data accuracy).

For individuals who opt out, firms must retain suppression lists to prevent the re-collection of personal information.  The suppression list should be the minimal information required to ensure the individual is not added back into the marketing database at a later date.  With B2B, the list may simply be name and email.

The GDPR also sets out expectations which are relationship specific:

  • Suspects – legitimate interest, reasonable expectation, transparency
  • Prospects – reasonable expectation; consent
  • Clients – contract, legitimate interest, reasonable expectation, data minimization, transparency

Part III of Rhetorik’s presentation discusses GDPR myths and applicable laws across Europe.


GDPR Article 6.1
GDPR Article 6.1

LinkedIn the #2 Social Media Platform across Multiple Metrics

LinkedIn is now the number two social media platform by usage, advertising spend, ROI and analytics tools.  Facebook remains number one.  “While LinkedIn is often considered a hub for job hunters and corporate recruiters, the platform has also shifted to position itself as a marketing engine in recent years,” said Jerry Ascierto, executive editor of The Social Shake-Up Show. “The recent updates to its ad platform and UI seem to be encouraging brands to increase spend. As a result, more companies are experiencing better ROI from this network than others considered more popular and ‘fun,’ such as Instagram, Twitter and YouTube.”

Source: Social Shake-Up.
Source: Social Shake-Up.

LinkedIn has benefited from a native video feature that was launched last year and was recently extended to company pages.

LinkedIn’s last official member count was 546 million global professional profiles.

Microsoft Chairman John Thompson said that the LinkedIn acquisition has been “wildly successful” and that Microsoft would be “all in” on a similar deal.  Of particular interest are firms that would help connect users to the Microsoft cloud.

Thomson was critical of firms that share or sell user data.  “Many of them make money off ads and they have used that as kind of a leverage point,” Thomson told Bloomberg.  “At Microsoft, we don’t believe in that.”

While Facebook has taken a series of hits on its sharing of member data, LinkedIn has long protected member data (for example, Sales Navigator does not permit the uploading of member information to CRMs but makes it available for display).  What’s more, Microsoft has built GDPR compliance into its product line and set it as a global standard.

LinkedIn celebrated its 15th anniversary last month.  “15 years ago, we launched LinkedIn in Reid Hoffman’s living room with the tagline ‘relationships matter’,”  said VP of Product Strategy Allen Blue.  “I’m proud to say that this mantra still rings true today in both the halls of LinkedIn and on the platform. While the world of work has evolved immensely — be it the tools and products we use, the ways we communicate, and even the jobs themselves — our need to connect with one another to be productive in our careers remains at the core of all we do.”