
LinkedIn violated data protection by using 18M email addresses of non-members - sidcool
https://techcrunch.com/2018/11/24/linkedin-ireland-data-protection/
======
whiddershins
I am 99% sure LinkedIn used my IP address to match with my second floor
neighbor, despite their claims that they would never use IP address as a
connection data point.

I was sharing my wifi for a brief period with my neighbors on the second
floor. My neighbor had a new roommate. The guy was from another country. He
didn't work in the same industry I do. I didn't have any of his contact
information anywhere on any of my devices, and afaik, vice versa. We had no
formal contact in any fashion, monetary or electronic communication or any
other kind of contact other than passing each other in the hall. I didn't even
know his name. He's just one of millions of people who live in my region.

Yet they suggested him as a possible contact.

If they weren't using IP address, they were using black magic.

edit: to clarify, i forgot to mention that i had no linkedin connection to my
neighbor, afaik he didn't have a linkedin account, he definitely doesn't have
one currently. He was sort of a luddite, barely used his computer, and i don't
believe we ever emailed each other, or even had each other's email, I just
searched my mail and have no record of any.

And I very much doubt my neighbor had any obviously traceable connection with
the roommate anyway, at most a phone number and received rent through cash or
check.

~~~
I_am_tiberius
That's creepy. Different topic: I think the biggest connection business is
whatsapp. If a person does not use whatsapp but a friend of that person does,
whatsapp knows the person's phone number anyway. If >= 2 whatsapp users have
that person's phone number stored with the same name in the contact list,
whatsapp even knows the person's name (and other information). With that
information they can accurately identify the person's facebook profile.
Horror!

~~~
WeAreGoingIn
And then you add [1] this - Facebook's ability to access WhatsApp's files on iOS
from any other app in their “family”.

[1]
[https://news.ycombinator.com/item?id=18479567](https://news.ycombinator.com/item?id=18479567)

------
DeusExMachina
> What we also don’t really know here — the DPC doesn’t really address it — is
> where LinkedIn obtained those 18 million email addresses, and any other
> related data, in the first place.

Well, one such source of email addresses was me.

When I joined it more than 10 years ago, I was not as privacy aware as I am
today. So, upon joining, I uploaded my address book to connect to people who
already had a LinkedIn account.

I shortly after realized that they abused it. They sent an invite email to
every person that was not on their platform.

I only got to know about it because one of my university professors sent me an
email saying that she was not interested in joining yet another network. I had
to apologize, because I did not expect that to happen.

To this day, LinkedIn still uses that information to suggest new connections
to me and to prompt me to invite people that are still not on their platform.

In retrospect, it was a stupid move to upload my address book, but I'm sure I
am not the only one that made that mistake, and probably many people still do
nowadays.

~~~
logicallee
It wasn't stupid of you, not your fault LinkedIn literally impersonated you.
The mail it sent out all those years ago was written in your name and as
though you had actively crafted and sent it. Anyone who knows your name could
have impersonated you. Don't worry about doing something wrong.

A quick google suggests linkedin was sued and reached a class action
settlement in exchange for the practice.

~~~
adwhit
You can be almost certain that LinkedIn knew it was illegal when they did it,
and accurately calculated that the fine they would receive (if any) would be
much lower than the value derived from increased membership. In fact they
would be stupid not to in winner-takes-all markets like social media.

Silicon Valley has a phrase for such flagrantly unethical practice, it is
called "growth hacking".

~~~
cyphar
To gratuitously quote Fight Club:

"It was my job to apply The Formula™. [...] Take the number of vehicles in the
field, A. Multiply it by the probable rate of failure, B. Then multiply it by
the average out-of-court settlement, C. A times B times C equals X. If X is
less than the cost of a recall, we don't do one."

------
Renaud
LinkedIn is one of the worst dark-pattern-based businesses out there. Their
whole business model is based on making connections between people, however
unwanted they are.

They use any means necessary to get your contact list and abuse it to spam
your contacts with dubious marketing ploys and unverifiable claims (someone
looked you up! you're missing on new jobs opportunities!).

Liars.

I've resisted creating an account so far but the pressure to conform is there
as you basically "don't exist" without a profile that lazy HR managers can
look up.

~~~
forkLding
Reminds me of that mobile popup I always get that tells me to download their
mobile app when I'm viewing Linkedin on a mobile phone and I can't move on
unless I press something.

~~~
masonic
Reddit is almost unusable on mobile browsers because of this.

~~~
nsajko
You can use [https://old.reddit.com](https://old.reddit.com) .

~~~
mintplant
Or [https://i.reddit.com](https://i.reddit.com) for a faster mobile view.

------
dawhizkid
What I don't get is why Jeff Weiner and Reid Hoffman are never held
accountable for their blatant disregard for user privacy despite many lawsuits
over the years. Why is their reputation still so intact even when
Zuck/Sandberg's is hurting over the exact same privacy violations? Why is Reid
Hoffman today selling a book on "blitzscaling" which is all about achieving
hypergrowth at all cost? Could you imagine how tone deaf it would be if it was
Zuckerberg who authored that and not Hoffman?

~~~
skrebbel
> Why is their reputation still so intact even when Zuck/Sandberg's is
> hurting over the exact same privacy violations?

I have no idea, but the cynic in me says "because Facebook forms a bigger
threat to media organizations".

~~~
archon810
LinkedIn is also less "sexy" to cover for the media than Facebook. Nobody
cares about LinkedIn news, especially in middle America, but Facebook is
popular everywhere.

------
uptown
Just go to the “people you may know” page and you’ll see dozens of shadow
profiles of people who clearly don’t have LinkedIn accounts. Mine shows
relatives who I know don’t have accounts — but whose contact info was scraped
by LinkedIn during my dumber years when I opted into their “help us connect
you by linking your account” bullshit.

Is there a way to request they remove this data? I sure don’t know how.

~~~
brickpaste
From linkedin.com/settings I clicked sync contacts, which took me to this url:
[https://www.linkedin.com/mynetwork/settings/manage-syncing](https://www.linkedin.com/mynetwork/settings/manage-syncing)

There you will find an option to "remove all."

~~~
tjoff
Once synced it is game over...

------
ukulele
Now all LinkedIn has to do is apologize and work with regulators to make sure
this never happens again... thus ensuring no future competitor will have it as
easy as they did.

~~~
TeMPOraL
If someone abuses people to get ahead, the answer isn't to allow others abuse
people in the same way, in the name of fairness.

~~~
Latty
No, the answer is to meaningfully punish that business so that it costs them
more than they gained by abusing it.

LinkedIn should be burned to the ground, frankly.

------
Topgamer7
I naively installed the app on my phone, which gave them my phone number. Then
I started getting cold calls from people who paid to have access to my number
through LinkedIn. I never entered my number anywhere, however the cold callers
repeatedly told me they got my information from LinkedIn.

~~~
jmiserez
To be fair, they could just be saying LinkedIn because it's easier than saying
they bought the number from some shady middlemen, and people are less likely
to react negatively to it. Unless you used a unique number _only_ for
LinkedIn, the number could have been shared by anyone (even your telco).

~~~
reaperducer
_they could just be saying LinkedIn because it's easier than saying they
bought the number from some shady middlemen_

What's the difference?

------
__bjoernd
I guess we'd never have found out without GDPR. This is why big corporations
require regulation because a single user will never win this fight.

------
fbinthrow
I wish people would remember that LinkedIn is an evil platform created
entirely by dark patterns whenever they idolize Reid Hoffman as some sort of
business genius.

------
SwellJoe
Of course they did. In an industry full of shady characters, LinkedIn is among
the worst. They're proof that dark patterns and other nasty tactics are
profitable, and also that if you make enough money, people in the valley will
look past how you made it. The fact that Hoffman is enthusiastically welcomed
in polite society says something not great about Silicon Valley ethics.

------
harshulpandav
Unrelated but I'd like to take this opportunity to write that the "switch to our
app" popup on the LinkedIn mobile site is super annoying. It shows up every
time I open the site on mobile browser. On several occasions in attempts of
closing the popup I've accidentally clicked on advertisements (Promoted posts)
or 'liked' someone's post. And then you see more such promoted posts as they
think you like them. If anyone from LinkedIn team is reading this - I do not
want to install your app. Please store that flag in the cookie.

~~~
avip
Li is aware. “Install our app” nag is by design, and is now part of the
pantheon of user hostile web de-facto standards.

~~~
ndnxhs
It's a typical user engagement trick. If you install the app then you have a
constant advert on your home screen and they have the ability to constantly
spam you with reengagement notifications

~~~
saagarjha
And they get far more access to your information than they would in a browser.

~~~
rapnie
Plus no opportunity to block ads + trackers, etc. in the embedded
chromium-based browser.

~~~
Rjevski
First thing I do when I click on a link on LinkedIn is to open the
context/share menu and press “open in Safari”.

Hopefully if enough people do this it will make it clear in their analytics
that nobody wants their shitty knockoff browser.

The worst is that it’s using deprecated APIs on iOS that make it several times
slower than Safari.

~~~
saagarjha
It’s still using UIWebView?!

~~~
Rjevski
It's a lot slower so I assume so. It's definitely not a Safari View
Controller.

------
mkay313
Having deleted my account months ago, I still keep receiving an email about
one particular guy (who I don't know) wanting to become part of my network. I
tried their unsubscribe link multiple times, to no avail. First I just didn't
want to have an account anymore, now I hate them.

------
kbad1000
They have deliberately slowed the mobile website and then give notification to
switch to app. So they can steal the contacts.

------
mwfunk
People are talking about how they have a LinkedIn account and how creepy it is
when LinkedIn suggests Facebook friends who don’t have LinkedIn accounts, but
obscure that information in some way. You think you’re sending a friend (who
you mistakenly believe already has a LinkedIn account) a connection request,
but really LinkedIn has tricked you into spamming your own friends on
LinkedIn’s behalf. This is obviously bad, but I’ve seen much worse.

I first made a LinkedIn account a few years ago because I got an email that my
sister wanted to connect on LinkedIn. I’m not into social networks at all, but
in the interest of family bonds I clicked the link to make an account and
“connect” with her.

So I made the account, and the link in the email must’ve been set up to
automatically connect our accounts. But a few days later she emails me that
she got my LinkedIn request via email, but she hadn’t yet made an account, and
as soon as she made one she’d add me. So this was a tricky spamming strategy
in which no one started out with an account, but neither party was aware of
that.

TL;DR LinkedIn knew my sister’s email address, my email address, and our
connection, and basically tricked both of us into thinking that the other
person was already on LinkedIn and wanted to connect. That’s a step beyond
what people are talking about here, and is IMO seriously sketchy,
unprofessional, and messed up. I don’t think they kept up this practice for
very long, but it’s so over the top and beyond the pale that I’m surprised it
didn’t result in lawsuits and the entire company being tarnished for decades.
Obviously they’ve tarnished their name in plenty of other ways, but the fact
that no one talks about this particular practice makes me wonder what other
awful stuff they do that most people don’t know about.

------
kevmo
It is time for the American government to step up consumer protection.

------
downandout
LinkedIn's growth, much like Facebook's, can mostly be attributed to the use
of its "contact importer," which seems to have been where the 18M email
addresses came from. Generally speaking, you should read the fine print when
using such "features".

I do see an issue with part of this complaint: storing _hashed_ emails and
uploading those to use for targeted advertisements. The general consensus
seems to be that even under the draconian rules of the GDPR, a _hash_ of an
email is not personally identifiable and therefore that data would not be
subject to the GDPR. It appears that the DPC overstepped their bounds on that
specific aspect of the investigation.

~~~
travem
An email hash can be used to identify an individual and so would very much be
in the scope of GDPR, the same as any other number used to identify an
individual. Curious why you think that would not be the case. It seems to fall
squarely into Article 4’s definition of personal data.
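
The technical point in the reply above, that an unsalted hash of an email address still behaves as an identifier, shown as an added example (not part of the thread; SHA-256, the normalization step, the addresses and the keys are constructed assumptions and do not describe LinkedIn's actual processing). It also shows the mitigation side: per-party keyed hashes do not join.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Assumed normalization: trim whitespace and lowercase before hashing.
    return email.strip().lower()


def plain_hash(email: str) -> str:
    # Unkeyed digest: anyone who holds the same address derives the same value.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    # HMAC with a secret key: values are only comparable for holders of the key.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def link(hashes_a, hashes_b):
    """Return the hashes present in both datasets; no plaintext is needed."""
    return set(hashes_a) & set(hashes_b)


# Constructed sample data: an imported address book and a second party's user list.
IMPORTED_CONTACTS = ["Alice@Example.org ", "bob@example.org", "carol@example.org"]
OTHER_PARTY_USERS = ["alice@example.org", "dave@example.org", "carol@example.org"]


def demo():
    # Party A uploads only hashes of the imported contacts.
    uploaded = [plain_hash(e) for e in IMPORTED_CONTACTS]

    # Party B hashes its own user list the same way and joins on the digest,
    # so each uploaded hash resolves to one of B's known individuals.
    own_index = {plain_hash(e): e for e in OTHER_PARTY_USERS}
    matched = sorted(own_index[h] for h in link(uploaded, own_index))

    # Same data, but each party uses its own secret key (constructed values):
    # the digests no longer line up across the two datasets.
    key_a = b"constructed-key-held-only-by-party-A"
    key_b = b"constructed-key-held-only-by-party-B"
    keyed_a = [keyed_hash(e, key_a) for e in IMPORTED_CONTACTS]
    keyed_b = [keyed_hash(e, key_b) for e in OTHER_PARTY_USERS]
    keyed_matches = len(link(keyed_a, keyed_b))

    return matched, keyed_matches


if __name__ == "__main__":
    print(demo())
```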

------
Cyclone_
I've gotten suggestions to people who have only been on an email chain whom
I've never directly emailed with before. In my opinion that goes too far.

------
askaboutit
Now I know why I was getting messages from these pricks. I tried to login and
had no account. Scum.

~~~
kerouanton
I confirm Linkedin is a vector for spam, the way they handle and publish your
email address: I use a dedicated, unique email address for my account, and
systematically start receiving unsolicited emails and spam a few days after.

I now have the habit to register a new email address every few months on
Linkedin, to track the issue. It's clear and easy to prove that the new email
address is used by spammers after a short time. One of the main reasons is
probably because once you are connected to someone, he/she can access your
profile contact details including email and phone number. My guess is there
are bots scraping the contacts to populate their spam databases.

I'm sure most, if not all users of Linkedin don't realize this issue, as they
generally register using a non-dedicated email address, preventing them to
check the origin of the spam leak.

~~~
Marsymars
> One of the main reasons is probably because once you are connected to
> someone, he/she can access your profile contact details including email and
> phone number. My guess is there are bots scraping the contacts to populate
> their spam databases.

I'd expect this is the case; I have a LinkedIn account with a dedicated email
for name reservations purposes, but do not accept any connections, and have
yet to receive any spam.

------
brownbat
I'm constantly alarmed by the recommended matches on LinkedIn. I'm also torn
by the business community's insistence that this site is a necessary part of
networking and any of its practices are therefore beyond scrutiny.

And no, you did not match me to my second cousin "based on my profile." Unless
you mean "based on your email address, which is already included in the
massive social graph of all address book connections we've harvested from
people who know you."

If you have to mislead your users about how you're finding potential
connections, maybe you shouldn't be doing that thing in the background, or
maybe you shouldn't be so focused on aggressively pushing those connections.

------
peter_retief
I deleted my linkedin account many years ago but still get mysterious messages
saying that I appeared in n searches (n being 2 or other random number)

------
daveheq
This doesn't surprise me. They went out of their way uploading my contacts
without my permission even after declining multiple times, over multiple phone
and app versions, as well as adding my connections to my phone contacts... I
can't tell if they're stupid or evil.

------
S-E-P
I wonder how long they can do these sneaky things that they've been accused of
before someone (or more appropriately, something) brings the long arm of the
law into this.

Litigation could be a possible avenue. Cut off the serpent's head and all
that.

------
tmarkov
So the "X wants to connect with you on LinkedIn" mails are not a virus but
actually from LinkedIn?

I'm getting these without having a LinkedIn account, where X is someone I had
emailed with earlier.

------
xianb
accurate description of LinkedIn by Blake Lively and Anna Kendrick
[https://youtu.be/xmo8-Bh98fw?t=270](https://youtu.be/xmo8-Bh98fw?t=270)

~~~
roter
Funny because on their home landing page, there is a gallery of people. The
one at top, second from left, is a dead ringer for Blake Lively. I wonder if
that spawned the question.

------
onetimemanytime
I thought US had discovered and was thinking, here come the "crippling 1.2
million fine" :) but maybe EU will make them think twice. 2%-4% of their
revenue does send a message.

~~~
antod
Aren't some of those GDPR fines based on the parent companies revenue too?

~~~
onetimemanytime
Not sure but if I had to guess, not. They are incorporated on their own so
that corp suffers the fine. Linkedin must be making over $1 billion a
year...so it will bite and EU can repeat on future violations

------
borplk
While we're on the topic of annoying LinkedIn behaviors. They periodically
"generate" fake useless notifications to get you to click on the bell icon.

------
consultSKI
wob: (waste of bandwidth) in the final analysis very, very few people really
care. me included. however, too many folks want to bust amazon's chops because
of what alexa might hear while awaiting the wake word. you don't even want to
think about what your cell phone carrier [and to a great extent your phone
manufacturer] knows about you. p.s. i personally believe this behavior has
gotten much worse under linkedin's new owner.

------
acobster
Welp. Guess that's the last little push I needed to go close my LinkedIn
account. Good riddance.

------
perfunctory
Has anybody closed their LinkedIn account and do you miss it? I keep
procrastinating to do it myself.

~~~
Rjevski
Despite all of this bullshit, LinkedIn can be a good tool for finding
opportunities if used correctly.

You just need to make sure your privacy settings are bulletproof and don’t
give out more information than they need to.

~~~
perfunctory
That's the thing, I don't know if I can trust their privacy settings.

~~~
Rjevski
True, but at least you can begin with making sure _trusted_ privacy settings
(the ones provided by your OS) are set correctly.

You can also not install their app and use their website in a browser with an
ad blocker and in private browsing mode.

------
paavoova
_we also identified one further area where we could improve data privacy for
non-members_

And what about members? It's utterly horrifying that a professional has to
sell themselves on glorified social media and all its nefarious practices just
to give themselves a chance on the job market.

~~~
zeroname
> And what about members?

Presumably, they agreed to this.

> It's utterly horrifying that a professional has to sell themselves on
> glorified social media and all its nefarious practices just to give
> themselves a chance on the job market.

I would say that's a gravely mistaken belief.

~~~
paavoova
Arguably, you have no choice in a lot of such matters, so any agreement is by
submission. If "the" popular platform is X, and you're not using it, you're
missing out. And it isn't far fetched to consider instances where choice of
any kind isn't applicable.

> I would say that's a gravely mistaken belief.

Plenty of companies appear to use third-party recruitment services, which
entails you giving your personal, identifiable information to a third-party
instead of going directly to said company. LinkedIn being one of such
third-parties, indirectly or otherwise. The observation that trends like LinkedIn
are an imposed reality is in no way a mistake.

~~~
zeroname
> If "the" popular platform is X, and you're not using it, you're missing out.

Missing out on _what_? What good opportunity comes through LinkedIn? By my
account, nobody actually likes LinkedIn and nobody takes it seriously. Nobody
will hold not using it against you.

> Plenty of companies appear to use third-party recruitment services, which
> entails you giving your personal, identifiable information to a third-party
> instead of going directly to said company. LinkedIn being one of such
> third-parties, indirectly or otherwise. The observation that trends like LinkedIn
> are an imposed reality is in no way a mistake.

That's not what I replied to. You said "It's utterly horrifying that a
professional has to sell themselves on glorified social media". You don't have
to do that. Believing that is a mistake and only helps LinkedIn achieve more
dominance.

------
based2
I received automatically spam from them years ago: growth hacking.

