In a report published on Friday by Ireland’s Data Protection Commissioner revealed that LinkedIn with an aim to get more people on the platform used email addresses of almost 18 million people to buy targeted ads on Facebook. It has now stopped this practice as a result of the investigation and as a solution has introduced a new feature that asks user’s permission to allow exporting email addresses.
What was the DPC’s investigation about?
The final report by Ms. Helen Dixon, the Data Protection Commissioner shows the conclusions of the audit about LinkedIn’s processing of personal data for the period 1 January – 24 May 2018. The audit was done after a non-LinkedIn user notified to the DPC that LinkedIn has obtained and used the complainant’s email address for the purpose of targeted advertising on the Facebook platform. This investigation revealed that LinkedIn has processed hashed email addresses of approximately 18 million non-LinkedIn members.
LinkedIn implemented several actions to stop the processing of user data for the purposes that gave rise to this complaint. To make sure that LinkedIn is indeed taking right measures to solve these complaints, DPC did the investigation, which revealed:
“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018.”
One thing that the report does not reveal is the source of these emails. Other parts of this report list cases such as the inquiry into Facial Recognition usage by Facebook, how WhatsApp and Facebook exchange user data, and the Yahoo security breach that affected 500 million users.
What was LinkedIn’s response?
Denis Kelleher, the Head of Privacy (EMEA), at LinkedIn told TechCrunch that they have now taken appropriate actions to cease the data breach:
“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated. Unfortunately, the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”
LinkedIn has also introduced a new privacy setting that defaults to blocking other users from exporting your email address. You can find this option under Settings & Privacy -> Privacy -> Who Can See My Email Address?
This step could prevent some spam and give more control to the users over with whom they want to share their email address. But also, according to TechCrunch, this update could upset some users:
“But the launch of this new setting without warning or even a formal announcement could piss off users who’d invested tons of time into the professional networking site in hopes of contacting their connections outside of it.”
LinkedIn confirmed TechCrunch that this is a newly introduced setting to ensure better privacy of users:
“This is a new setting that gives our members even more control of their email address on LinkedIn. If you take a look at the setting titled ‘Who can download your email’, you’ll see we’ve added a more detailed setting that defaults to the strongest privacy option. Members can choose to change that setting based on their preference. This gives our members control over who can download their email address via a data export.”