During the first half of 2018, LinkedIn US came up with the idea to buy Facebook ads targeted to the owners of 18 million email addresses.
This was done discreetly by uploading hashed versions of the email addresses, which were presumably matched to the same hashes spotted among Facebook’s user base.
We don’t know how successful the campaign was, but with the publication of a report by Ireland’s Data Protection Commissioner (DPC) last week we do know that LinkedIn has been publicly rebuked for doing it at all.
What upset the Irish: none of the 18 million email addresses were those of LinkedIn users.
How did a LinkedIn US campaign come to the attention of Ireland’s data commissioner in the first place?
Where did LinkedIn get hold of email addresses for 18 million non-LinkedIn users?
Unravelling the answers to these questions starts with a complaint the DPC says it received in 2017 from one of those 18 million people who objected to being targeted by LinkedIn, which has its EU headquarters in Ireland.
After investigating, the DPC discovered that:
The audit identified that LinkedIn Corp was undertaking the pre-computation of a suggested professional network for non-LinkedIn members.
That’s a jargon-heavy way of saying that LinkedIn US had run its algorithms on some of the data LinkedIn Ireland was responsible for and identified the 18 million email addresses it was interested in.
Moreover, this was done in the “absence of instruction” from the data processor, that is without legal consent under Irish data protection law.
What is not explained is where LinkedIn obtained these 18 million email addresses from, nor what connection they had with LinkedIn Ireland.
One interpretation is that it had something to do with a move by companies such as LinkedIn and Facebook to minimise their exposure to the EU’s GDPR regulation by shifting data on non-EU users to the US.
This still doesn’t explain why this would have included data on 18 million non-LinkedIn users.
One possibility is LinkedIn’s mobile app, which asks for permission to access each user’s contacts list (including email addresses) to work out which of them has/doesn’t have a LinkedIn account.
We may never know the true source of the data. What we do know is that the complaint to Ireland’s DPC has since been “amicably resolved”, with LinkedIn releasing a mea culpa of sorts:
Unfortunately the strong processes and procedures we have in place were not followed and for that we are sorry. We’ve taken appropriate action and have improved the way we work to ensure that this will not happen again.