2008-12-23

LinkedIn privacy case study: Stealing private data from your address book

If you give LinkedIn access to your Gmail account in order to find contacts on the site, you may be getting more than you bargained for.

The site and its representatives claim that the information collected includes only names and email addresses. However, it collects a lot more information. Due to the irrevocability of data, I have permanently lost control of my and my contacts' personal information. Most notable is all of our mobile phone numbers, which I would never give to any website.

The Import webmail contacts page states:
"Find out which of your webmail contacts are already on LinkedIn."
and it links to the Privacy Policy. Neither implies that information other than name and email address is collected from your webmail account. Also, the privacy policy fails to include this imported information in its set of data that "will be secured with industry standard protocols and technology".

Furthermore, here is my conversation with customer service:

Customer (William Entriken) 11/19/2008 09:58 AM
I have used your tool to find contacts to add to LinkedIn (via Gmail). However, now I understand that you are also collecting my personal information about these contacts (their email address and phone numbers). I never gave you permission to collect this information. How can I be sure that you will delete it? How can I prevent you from collecting it in the future? How can I determine what personal information you have of mine that has been uploaded by other users? Do you know my personal phone number and email? Birthday? Address?

Thank you and please note that this finding as well as any response you make, or lack thereof, will be published.

Response (LinkedIn - Lindsay (LB)) 11/24/2008 04:33 PM
Dear William,

Thank you for contacting LinkedIn Customer Support. Please note, when you import an address book we do not collect any information other than the information posted on your imported contacts list, which is the email address. Invitations are not sent from your imported contacts list unless it is approved by you.

If you have further questions, please feel free to reply to this message.

Regards,

Lindsay
LinkedIn Privacy Team

Customer (William Entriken) - Fri, Nov 28, 2008 at 5:07 PM
On the right side of my screen, I see "Your private info about ..."
and this includes an email address and phone number for some of my
contacts.

I have never typed this information into your website. How did it get there?

Thank you,
WE

Customer (Will Entriken) 12/11/2008 10:46 AM
(This is my second request to LinkedIn, as my last email thread has not been replied to. Please also note that I am publishing this issue, and I will consider any response public record.)

On the right side of the screen you show "Your private info about ..." for some of my contacts.

This area includes a phone number and personal email address for some contacts.

How did you get this information from my personal address book? I have not inputted this information into your site, nor have I authorized you to collect this information.

Also, is there an option to delete this information?

Thank you,
WE

Response (LinkedIn - Mindy (MN)) 12/15/2008 01:49 PM
Dear William,

Thank you for contacting LinkedIn Customer Support. Please note, when you import an address book we do not collect any information other than the information posted on your imported contacts list, which is the email address. Invitations are not sent from your imported contacts list unless it is approved by you.

If you have further questions, please feel free to reply to this message.

Regards,

Mindy
LinkedIn Privacy Team

So... I was talking to a bot. Anyway, LinkedIn DOES collect more information than they specify, and they do not allow you to easily remove it. They do not provide the option to disable this additional importation and they lie to customers who inquire. Here is reproducible proof:

Here is my own profile page to start:

Here is me creating a Gmail account and adding some personal information:

Here is me importing my webmail account:

Here is my profile page with the new information:

... and closer up:

Results:

LinkedIn has a little work to do to bring this site up to my standards:
  • Edit the Import webmail contacts page to include an option allowing "collect extended contact information", preferably defaulting off
  • Allow an option to remove all "Your private info about..." from all your contacts
  • (Optional) When viewing "Your private info about..." on one of your contacts' pages, include a note explaining where that information came from
  • Update the knowledge base to reflect the actual process
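
The first three requests above (extended collection as an opt-in that defaults off, a way to remove all "Your private info about..." data, and a note on where each value came from) can be sketched as an import routine. This is an added example, not LinkedIn's code; the CSV column names, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_CSV = """Name,E-mail,Mobile Phone,Home Address,Birthday
Alice Example,alice@example.com,+1-555-0100,1 Main St,1980-01-02
Bob Example,bob@example.com,,,
,,+1-555-0199,,
"""

BASIC_FIELDS = ("Name", "E-mail")  # what the import page implies is collected
EXTENDED_FIELDS = ("Mobile Phone", "Home Address", "Birthday")


def import_contacts(csv_text, source, collect_extended=False):
    """Return contact records holding only allow-listed fields.

    Extended fields are kept only on explicit opt-in (default off), and every
    stored value carries the source it was imported from.
    """
    allowed = BASIC_FIELDS + (EXTENDED_FIELDS if collect_extended else ())
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = (row.get("E-mail") or "").strip().lower()
        if not email:
            continue  # nothing to match against site members, so store nothing
        fields = {}
        for name in allowed:
            value = (row.get(name) or "").strip()
            if value:
                fields[name] = {"value": value, "source": source}
        records.append({"email": email, "fields": fields})
    return records


def purge_extended(records):
    """Remove every extended ("private info") field; return how many were removed."""
    removed = 0
    for rec in records:
        for name in EXTENDED_FIELDS:
            if rec["fields"].pop(name, None) is not None:
                removed += 1
    return removed
```

Columns that are not on the allow-list are never copied out of the parsed row, so a new column in the export is dropped by default instead of being collected silently.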

Carbon copy:

This message is being sent to the LinkedIn privacy department and TrustE.