LinkedIn faces a proposed class action after it was revealed the social media platform programmed its iPhone and iPad apps to read and capture sensitive information on Apple’s universal clipboard, the temporary storage where a user’s cut- or copied-and-pasted information is kept, without authorization.
Filed in California federal court, the 43-page suit says the most recent beta release of Apple’s iOS operating system, iOS 14, included a new privacy setting that allowed users to be notified each time an app on their iPhone or iPad read from the system clipboard. Per the case, the security feature was hailed as “an important step toward improved data privacy” for mobile devices and apps.
As the lawsuit tells it, however, developers and beta testers receiving iOS 14 privacy notifications soon began to realize LinkedIn’s mobile app for iPhone and iPad was secretly reading users’ clipboards near constantly. As of July 2, 2020, LinkedIn’s iOS app was “immediately reading the contents of the device’s system clipboard” after each user keystroke, the complaint claims.
An Apple user’s system clipboard may contain “some of the most sensitive data users routinely and temporarily store on their devices,” including photos, voice recordings, text messages, emails, cryptographic keys or medical records, the suit relays, alleging LinkedIn “was surreptitiously reading it—again and again and again—without any user-triggered paste commands” or disclosure.
“Plaintiff and the Class Members never authorized LinkedIn to receive, access, or intercept the data that the LinkedIn App accessed and copied. LinkedIn’s iOS users, including Plaintiffs and the Class Members were not informed that LinkedIn has repeatedly accessed the contents of their Universal Clipboard, including electronic communications stored there, without authorization.
Moreover, LinkedIn never disclosed in any user agreement or public website that it reads the contents of user clipboards, including electronic communications cut or copied to the Universal Clipboard. It did so in secret.”
Further, the plaintiff, a New York LinkedIn user, alleges the defendant’s conduct was “particularly egregious” for Apple users with more than one device given the iOS and macOS operating systems allow for information cut/copied and pasted onto a clipboard to be transferred instantly from one device to another for a short period of time.
The suit says, however, that although information copied between Apple devices remains available on a user’s universal clipboard for only 120 seconds, LinkedIn has circumvented this timeout period, repeatedly reading a universal clipboard “with every user keystroke.” According to the complaint, each LinkedIn “read” of a universal clipboard is interpreted by Apple as a paste command, which stores the temporary information on the device’s local clipboard and erases the 120-second timeout.
“Simply put, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple’s Universal Clipboard timeout policy in doing so,” the plaintiff alleges.
In all, LinkedIn has ignored users’ expectation that the information stored temporarily in the universal clipboard would remain available only to them and used only with their consent, the lawsuit says. The suit alleges LinkedIn “carefully hid what it was doing from users, knowing just how far beyond the boundaries of reasonable conduct it had gone.”
“Indeed, until recently, users had no idea that their most sensitive communications were being indiscriminately intercepted and read by the LinkedIn App, including prior to, or contemporaneously with, transmission from one device to another,” the complaint charges.
In a statement shared with Law360, LinkedIn said it was aware of the lawsuit and was reviewing the plaintiff's claims. On July 2, LinkedIn head of engineering Erran Berger said on Twitter that the universal clipboard reading problem was traced to a code path that performs an equality check between clipboard contents and the content currently typed into a text box. Berger added two days later that a new version of LinkedIn’s app removed the code.
The lawsuit looks to cover all LinkedIn users who installed and used the app in the United States from September 13, 2016 through the present, or, alternatively, until the date upon which LinkedIn “ceased or ceases accessing electronic communications and information inside the Apple Universal Clipboard” without consent or notification.