LinkedIn privacy case study: stealing private data from your address book

By William Entriken


If you give LinkedIn access to your Gmail account in order to find contacts on the site, you may be getting more than you bargained for.

The site and its representatives claim that the information collected includes only names and email addresses. However, it collects a lot more information. Due to the irrevocability of data, I have permanently lost control of my and my contacts' personal information. Most notable are all of our mobile phone numbers, which I would never give to any website.

The Import webmail contacts page states:

Find out which of your webmail contacts are already on LinkedIn.

and it links to the Privacy Policy. Neither implies that information other than name and email address is collected from your webmail account. Also, the Privacy Policy fails to include this imported information in its set of data that “will be secured with industry standard protocols and technology”.

Furthermore here is my conversation with customer service:

Customer (William Entriken) 2008-11-19 09:58 AM I have used your tool to find contacts to add to LinkedIn (via Gmail). However, now I understand that you are also collecting my personal information about these contacts (their email address and phone numbers). I never gave you permission to collect this information. How can I be sure that you will delete it? How can I prevent you from collecting it in the future? How can I determine what personal information you have of mine that has been uploaded by other users? Do you know my personal phone number and email? birthday? address?

Thank you and please note that this finding as well as any response you make, or lack thereof, will be published.

Response (LinkedIn - Lindsay (LB)) 2008-11-24 04:33 PM Dear William, Thank you for contacting LinkedIn Customer Support. Please note, when you import an address book we do not collect any information other than the information posted on your imported contacts list, which is the email address. Invitations are not sent from your imported contacts list unless it is approved by you.

Customer (William Entriken) 2008-11-28 05:07 PM On the right side of my screen, I see “Your private info about …” and this includes an email address and phone number for some of my contacts. I have never typed this information in to your website. How did it get there? Thank you, WE

Customer (William Entriken) 2009-12-11 10:46 AM (This is my second request to LinkedIn, as my last email thread has not been replied to. Please also note that I am publishing this issue, and I will consider any response public record.) [REPOSTING PREVIOUS MESSAGE]

Response (LinkedIn - Mindy (MN)) 2009-12-15 01:49 PM Dear William, Thank you for contacting LinkedIn Customer Support. Please note, when you import an address book we do not collect any information other than the information posted on your imported contacts list, which is the email address. Invitations are not sent from your imported contacts list unless it is approved by you.

If you have further questions, please feel free to reply to this message. Regards, Mindy

So… I was talking to a bot. Anyway, LinkedIn DOES collect more information than they specify, and they do not allow you to easily remove it. They do not provide the option to disable this additional importation and they lie to customers that inquire. Here is reproducible proof:

Here is my own profile page to start:

Profile

Here is me creating a Gmail account and adding some personal information:

Gmail

Here is me importing my webmail account:

Import

Here is my profile page with the new information:

Profile

… and closer up:

Profile
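What a full address-book grant exposes beyond name and email, shown as an added example that is not part of the original post: the script audits a constructed contacts export for extra fields and writes a copy reduced to the two fields the site says it collects. The column names and sample rows are assumptions made for illustration, not a specific provider's schema.

```python
import csv
import io

# Constructed sample of a webmail contacts export; the column names are
# assumptions for illustration, not a specific provider's schema.
SAMPLE_EXPORT = """Name,E-mail 1 - Value,Phone 1 - Value,Birthday,Address 1 - Formatted
Alice Example,alice@example.com,+1 555 0100,1980-02-03,1 Main St
Bob Example,bob@example.com,,,
Carol Example,carol@example.com,+1 555 0101,,
"""

# The only fields the site says it collects, mapped to output column names.
ALLOWED = {"Name": "name", "E-mail 1 - Value": "email"}


def audit_export(text):
    """Count, per non-allowed column, how many contacts carry a value."""
    exposure = {}
    for row in csv.DictReader(io.StringIO(text)):
        for column, value in row.items():
            if column not in ALLOWED and value and value.strip():
                exposure[column] = exposure.get(column, 0) + 1
    return exposure


def minimize_export(text):
    """Return a CSV with only name and email; contacts without an email are dropped."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(ALLOWED.values()), lineterminator="\n")
    writer.writeheader()
    for row in csv.DictReader(io.StringIO(text)):
        email = (row.get("E-mail 1 - Value") or "").strip()
        if email:
            writer.writerow({"name": (row.get("Name") or "").strip(), "email": email})
    return out.getvalue()


if __name__ == "__main__":
    # Fields that would travel along with a full address-book grant.
    print(audit_export(SAMPLE_EXPORT))
    # What a name-and-email-only import would contain.
    print(minimize_export(SAMPLE_EXPORT))
```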

Results

LinkedIn has a little work to do to bring this site up to my standards:

This message is being sent to LinkedIn privacy department and TrustE.

Comments

I realize the above post is three years old, so I don't know what has transpired in that time, or if LinkedIn has addressed William's issues. However, I do know this much: In the past two days LinkedIn has e-mailed me "How about these people?" suggestions that could only have come from them digging into the deepest levels of my e-mail system and address book! Some of the names being suggested are people I've had no dealings with in well over a decade. It's extremely unlikely these names just "popped up." LinkedIn had to dig them out of very old archived e-mails. I have NEVER given them permission to do that, or to import any of my contacts! There is nothing in the LinkedIn Privacy Policy that discloses their propensity to go fishing through my computer files. I have filed a complaint, and if I don't get a response I consider satisfactory, I'll be out of there faster than you can say LinkedIn sucks.

Lofa

Lofa, are you receiving emails to recommend people that you do NOT know? If so, this could mean that LinkedIn is guessing based on your contacts. I.E. you have 9 connections that are each connections with Mike, then you get an email: Please consider adding Mike.

William Entriken

Same thing just happened to me Lofa and I also demanded an explanation from LinkedIn. I never gave them permission to touch my private email.

Anonymous

I think this is based on "these people" viewing your profile or you visiting their profile on LI. Not from going into your email.

Anonymous

This has happened to me, and it makes me madder than hell. LinkedIn knows all the information in my Yahoo!mail address book. I have not ever given them my password or permission to access it. Either they have illegal compliance by Yahoo!, or they are using a browser exploit to simply access Yahoo!mail through the same browser I'm concurrently logged-on to LinkedIn with. This is criminal, and I'm looking forward to the EFF class-action suit.

Jerry Berry

Jerry, do you have a link on that please? Also, do you have some details on this Yahoo connection? Have you used Yahoo to find friends on LinkedIn or is it the same password as LinkedIn or something? Is what you saw reproducible?

William Entriken

I just established a LinkedIn account two days ago, absolutely refused to give them access to my personal email accounts. Now, two days later, on their page "People You Might Know", I see people who are listed as either shared connections, 2nd & 3rd connections, etc. Ok, I can understand that. They are looking for connections within their own database. BUT, I also see many people with no shared connections or indirect connections that could only have come from my personal email address book: my friends, my sister-in-law, my wife's friends, an engineer from another company I interacted with back in 2006, parents from my son's elementary school, and more. I'm outraged! What's the best way to register the most effective complaint about this? FYI. My LinkedIn password is different than my personal email password and there are no imported contacts in LinkedIn right now (I checked). 2nd FYI: My profile only has my current position and company, nothing else. I have also specified most of the datasharing options to be minimal.

Anonymous

Anonymous, this is very likely because those people had given their email password and your name is in their email account. When people are freely giving away their own and their contacts' personal information, there is little we can do.

William Entriken

Yea, I had a situation occur the other day where a contact used my email address on my new b-card to invite me to connect. Well, I've been in Asia for 3+ years and built a huge rolodex of contacts there. Now all of a sudden, I'm getting contact requests from people in Asia and once that happens east meets west. Not what I want!

Anonymous

They just love to cut the "connectors" out of the picture like you... by taking all your private information and making it public

William Entriken

Lofa, Anonymous, Jerry.....same thing happened to me today. I hadn't experienced this before today on LinkedIn, and then today half of my personal e-mail contact list showed up on my "People You May Know"....going all the way back to 2008. It included previous employers/supervisors, company HR personnel where I have applied for positions, recruiters, relatives, .....you name it and they were on there. I assume it worked in reverse and my LinkedIn profile went out to all of those people as well. Unfortunately, for both personal & professional reasons, I did not want my LinkedIn profile automatically broadcast to several people on my e-mail contact list. This is not just cookies following me around on the internet.....this is taking my personal email account contact list for their personal use and is outright Theft, and no other explanation can be made for it. I also contacted LinkedIn today to officially have them delete my contact list from their system.....we'll see what happens.

This whole "cookie theft" thing has gone too far.

Anonymous

Lofa, Anonymous, Jerry.....even though horse is already out of the barn, I found a way to take all my personal webmail contacts out of LinkedIn system.....I'm hoping permanently but not betting on it. All my webmail contacts were in LinkedIn's "Imported Contacts", although I did not do the importing. That was LinkedIn's doing....totally. If it happens again I think LinkedIn should be held legally accountable, as my personal webmail contact list is not on public domain and can not be publicly shared by anyone, let alone stolen via cookies in the first place.

See below process for removing Imported Contact List...

Removing Imported Contacts

Click Contacts at the top of your home page.
Click the Imported Contacts tab.
Make sure the Select All box is unchecked by clicking on it.
Click the box in front of the contact you wish to remove.
At the bottom of the page, click Delete selected contacts.
Click Delete to confirm.

Good Luck !!

Anonymous

Yes I agree, I have found LinkedIn is suggesting I connect with people who I work with. The thing is, I have not recorded any information about my current workplace on my profile (my old workplace details are still listed) and I have not connected to any of the people at my current workplace. Also I use a different email address at work to the one I use with LinkedIn...so my suspicion is LinkedIn is scanning my Outlook for addresses of the people I have communicated with via email because these are the only ones it suggests I connect to.

Anonymous

Why are my email contacts being stolen by LinkedIn? And why is no one doing anything about it? I never gave anyone permission to do such a thing. This is bs. I need some answers and LinkedIn is ignoring everyone that has a problem. I will try to post this thing in as many places on the web as I can so that people are aware of this scam.

Anonymous

It doesn't matter WHAT you give them permission to do. I've been a LIn member for many years. Their entire business model is built upon them installing malware on your computer that steals the contents of your address book repeatedly even if you NEVER give them permission to access ANY of your addresses or contact info. They simply steal it, then slyly ask if you happen to know any of the people they present to you. Of course you know them. They stole them illegally and without permission. THAT IS THEIR BUSINESS PLAN. It's built upon the incompetence and corruption of Microsoft. The only fix is to keep ALL of your contacts saved in a separate XL file. Never gonna happen so get used to pervasive criminality from LIn. Brave New World for many years now. I've never given them permission to access anything and they've simply stolen it dozens of times over the years. It's easy to catch them: add a new contact that's totally not related to the others, and soon they will ask if you know them. Duh!

Anonymous

I received an email from LinkedIn, which I had never heard of or cared to remember if I had heard the name before. It was an invitation from an individual with whom I had important on-going legal business. I clicked on a link that opened a LinkedIn web page where I was asked to set up an account. I cautiously began to enter login info and some personal profile info but decided not to continue as I really didn't want to supply some of the info that was being asked of me, so I backspaced and deleted all field entries without submitting anything and then closed the web page. Minutes later I received an email from LinkedIn welcoming me as a member and asking me to login and complete the profile questions. This time the page had names and photos of people I have listed in my Outlook contacts folders as LinkedIn members. I feel as if I have been raped and can sympathize with William Entriken and his plight. Where are the authorities who are supposed to protect us from predators like LinkedIn? Or are there any? I unsubscribed by not logging in using the password that I had typed and deleted without submitting, but by getting a temporary password by clicking on "I forgot my password", logging in with it, and finding the link to delete the account that I never submitted information for I deleted the account. It was a nightmare and my world has changed as does someone's life who has been forcibly raped.

Anonymous

Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.