LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook

LinkedIn, the social network for the working world with close to 600 million users, has been called out a number of times for how it is able to suggest uncanny connections to you, when it’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place.

Now, a run-in with a regulator in Europe illuminates how some of LinkedIn’s practices leading up to GDPR implementation in Europe were not only uncanny, but actually violated data protection rules, in LinkedIn’s case concerning some 18 million email addresses.

The details were revealed in a report published Friday by Ireland’s Data Protection Commissioner covering activities in the first six months of this calendar year. In a list of investigations that have been reported concerning Facebook, WhatsApp and the Yahoo data breach, the DPC revealed one investigation that had not been reported before. The DPC had conducted — and concluded — an investigation of Microsoft-owned LinkedIn, originally prompted by a complaint from a user in 2017, over LinkedIn’s practices regarding people who were not members of the social network.

In short: in a bid to get more people to sign up to the service, LinkedIn admitted that it was using people’s email addresses — some 18 million in all — in a way that was not transparent. LinkedIn has since ceased the practice as a result of the investigation.

There were two parts to the supervision, as the DPC describes it:

First, the DPC found that LinkedIn in the US had obtained emails for 18 million people who were not already members of the social network, and then used these in a hashed form for targeted advertisements on the Facebook platform, “with the absence of instruction from the data controller” — that is, LinkedIn Ireland — “as is required.”

Some backstory on this: LinkedIn, Facebook and others in the lead-up to GDPR coming into effect moved data processing that had been going through Ireland to the US.

The claim was that this was to “streamline” operations but critics have said that the moves could help to shield companies a bit more from any GDPR liability over how they use process data for non-EU users.

“The complaint was ultimately amicably resolved,” the DPC said, “with LinkedIn implementing a number of immediate actions to cease the processing of user data for the purposes that gave rise to the complaint.”

Second, the DPC then decided to conduct a further audit after it became “concerned with the wider systemic issues identified” in the initial investigation. There, it found that LinkedIn was also applying its social graph-building algorithms to build networks — to suggest professional networks for users, or “undertaking pre-computation,” as the DPC describes it.

The idea here was build up suggested networks of compatible professional connections to help users overcome the hurdle of having to build networks from scratch — that being one of the hurdles in social networks for some people.

“As a result of the findings of our audit, LinkedIn Corp was instructed by LinkedIn Ireland, as data controller of EU user data, to cease pre-compute processing and to delete all personal data associated with such processing prior to 25 May 2018,” the DPC writes. May 25 was the date that GDPR came into force.

LinkedIn has provided us with the following statement in relation to the whole investigation:

“We appreciate the DPC’s 2017 investigation of a complaint about an advertising campaign and fully cooperated,” said Denis Kelleher, Head of Privacy, EMEA, for LinkedIn. “Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action, and have improved the way we work to ensure that this will not happen again. During the audit, we also identified one further area where we could improve data privacy for non-members and we have voluntarily changed our practices as a result.”

(The ‘further area’ is the pre-computation.)

There are some takeaways from the incident:

Taking LinkedIn’s words at face value, it would seem that the company is trying to show that it is acting in good faith by going one step further than simply modifying what has been identified by the DPC, changing practices voluntarily before it gets called out.

Then again, LinkedIn would not be the first company to “ask for forgiveness, not permission,” when it comes to pushing the boundaries of what is considered permissible behavior.

If you are wondering why LinkedIn did not get fined in this process — which could be one lever for pushing a company to act right from the start, rather than only change practices after getting called out — that’s because until the implementation of GDPR at the end of May, the regulator had no power to enforce fines.

What we also don’t really know here — the DPC doesn’t really address it — is where LinkedIn obtained those 18 million email addresses, and any other related data, in the first place.

Other cases reviewed in the report, such as the inquiry into Facial Recognition usage by Facebook, and how WhatsApp and Facebook share user data between each other, are still ongoing. Others, such as the investigation Yahoo security breach that affected 500 million users, are now trickling down into the companies modifying their practices.