
LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook

LinkedIn, the social network for the working world with close to 600 million users, has been called out a number of times for how it is able to suggest uncanny connections to you, when it’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place.

Now, a run-in with a regulator in Europe illuminates how some of LinkedIn’s practices leading up to GDPR implementation in Europe were not only uncanny, but actually violated data protection rules, in LinkedIn’s case concerning some 18 million email addresses.

The details were revealed in a report published Friday by Ireland’s Data Protection Commissioner covering activities in the first six months of this calendar year. In a list of investigations that have been reported concerning Facebook, WhatsApp and the Yahoo data breach, the DPC revealed one investigation that had not been reported before. The DPC had conducted — and concluded — an investigation of Microsoft-owned LinkedIn, originally prompted by a complaint from a user in 2017, over LinkedIn’s practices regarding people who were not members of the social network.

In short: in a bid to get more people to sign up to the service, LinkedIn admitted that it was using people’s email addresses — some 18 million in all — in a way that was not transparent. LinkedIn has since ceased the practice as a result of the investigation.

There were two parts to the supervision, as the DPC describes it:

First, the DPC found that LinkedIn in the US had obtained emails for 18 million people who were not already members of the social network, and then used these in a hashed form for targeted advertisements on the Facebook platform, “with the absence of instruction from the data controller” — that is, LinkedIn Ireland — “as is required.”

Some backstory on this: LinkedIn, Facebook and others in the lead-up to GDPR coming into effect moved data processing that had been going through Ireland to the US.

The claim was that this was to “streamline” operations, but critics have said that the moves could help to shield companies a bit more from any GDPR liability over how they process data for non-EU users.

“The complaint was ultimately amicably resolved,” the DPC said, “with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint.”

Second, the DPC then decided to conduct a further audit after it became “concerned with the wider systemic issues identified” in the initial investigation. There, it found that LinkedIn was also applying its social graph-building algorithms to build networks — to suggest professional networks for users, or “undertaking pre-computation,” as the DPC describes it.

The idea here was to build up suggested networks of compatible professional connections to help users overcome the hurdle of having to build networks from scratch, that being one of the hurdles in social networks for some people.

“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the DPC writes. May 25 was the date that GDPR came into force.

LinkedIn has provided us with the following statement in relation to the whole investigation:

“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated,” said Denis Kelleher, Head of Privacy, EMEA, for LinkedIn. “Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”

(The ‘further area’ is the pre-computation.)

There are some takeaways from the incident:

Taking LinkedIn’s words at face value, it would seem that the company is trying to show that it is acting in good faith by going one step further than simply modifying what has been identified by the DPC, changing practices voluntarily before it gets called out.

Then again, LinkedIn would not be the first company to “ask for forgiveness, not permission,” when it comes to pushing the boundaries of what is considered permissible behavior.

If you are wondering why LinkedIn did not get fined in this process — which could be one lever for pushing a company to act right from the start, rather than only change practices after getting called out — that’s because until the implementation of GDPR at the end of May, the regulator had no power to enforce fines.

What we also don’t really know here — the DPC doesn’t really address it — is where LinkedIn obtained those 18 million email addresses, and any other related data, in the first place.

Other cases reviewed in the report, such as the inquiry into facial recognition usage by Facebook, and how WhatsApp and Facebook share user data with each other, are still ongoing. Others, such as the investigation into the Yahoo security breach that affected 500 million users, are now trickling down into the companies modifying their practices.
