Where did LinkedIn collect 18 million email addresses, and any other related data?
Some of LinkedIn’s practices were uncanny and violated data protection rules, according to a report published Friday by Ireland’s Data Protection Commissioner (DPC). The report covers activities in the first six months of this calendar year.
The list of investigations in the report includes Facebook, WhatsApp and the Yahoo data breach. The DPC also revealed one investigation that had not been reported before: it had concluded an investigation of Microsoft-owned LinkedIn, originally prompted by a complaint from a user in 2017, over LinkedIn’s practices regarding people who were not members of the social network.
What is it all about?
LinkedIn admitted that, in a bid to get more people to sign up to the service, it was using people’s email addresses, about 18 million in all, in a way that was not transparent. LinkedIn has since ceased the practice as a result of the investigation. LinkedIn has been called out a number of times for how it is able to suggest uncanny connections to you. It’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place.
The DPC found that LinkedIn in the US had email addresses for 18 million people who were not members of the social network. LinkedIn used these in a hashed form for targeted advertisements on the Facebook platform, “with the absence of instruction from the data controller”.
There is a story behind this. As the EU was implementing GDPR, LinkedIn, Facebook and others moved data processing that had been going through Ireland to the US. May 25 was the date that GDPR came into force.
The claim was that this was to “streamline” operations. Critics have said that the moves could help to shield companies a bit more from any GDPR liability over how they process data for non-EU users.
“The complaint was ultimately amicably resolved,” the DPC said, “with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint.”
But there was more
The DPC then decided to conduct a further audit after it became “concerned with the wider systemic issues identified” in the initial investigation. There, it found that LinkedIn was also applying its social graph-building algorithms to build suggested professional networks for users, or “undertaking pre-computation,” as the DPC describes it.
The idea was to build up suggested networks of compatible professional connections in order to help users overcome the hurdle of having to build networks from scratch. This may be one of the hurdles in social networks for some people.
Excerpt from the report
“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the DPC writes in their report.
Denis Kelleher, Head of Privacy, EMEA, for LinkedIn, said:
“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated. Unfortunately, the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members. And we have voluntarily changed our practices as a result.”
LinkedIn’s reaction
It would seem that the company is trying to show that it is acting in good faith. It is going one step further than simply modifying what the DPC identified, changing practices voluntarily before anyone gets to call them out.
LinkedIn would not be the first company to “ask for forgiveness, not permission.”
What do companies do when they cross the line of what is permissible behavior? The very first step is to ask for forgiveness. Don’t you think that asking permission first, before everything, is the right way?
LinkedIn was not punished in this process because the regulator had no power to enforce fines.
The main question is: where did LinkedIn obtain those 18 million email addresses, and any other related data? We would like to know the answer.
More in the report
There are other cases reviewed in this report. The inquiries into facial recognition usage by Facebook and into how WhatsApp and Facebook share user data with each other are still ongoing. Others, such as the investigation of the Yahoo security breach that affected 500 million users, are now trickling down into the companies modifying their practices.
Image Credit: LinkedIn