Ask HN: LinkedIn suggesting I connect with my infertility doctor
Looks like they mined my Gmail account and got the e-mail.
From a damage control perspective (obviously I want this info known to nobody but me and my healthcare provider), what can/should I do?
Are LinkedIn's affiliates looking at this data?
Who are they sharing it with?
I'm hoping to publicize this enough that someone at LinkedIn takes notice.
53 comments
[ 3.0 ms ] story [ 111 ms ] threadSo in any case, LinkedIn is super creepy with way (and I thought I'd read they lost a lawsuit about contact mining) but the information leak may not be anything you did, but rather information that was inferred from the doctor somehow, your partner, or some higher order connection.
Great example of poor algorithmic governance.
I really think use of LinkedIn deserves a dedicated email address unassociated with anything else.
What finally pushed me out was they kept suggesting I connect with people from a former employer, which employer I would prefer to just forget. I'd even taken the employer's name off my resume.
I wonder what people trying to avoid abusive spouses and other dangerous people can do. Probably have to leave LinkedIn.
I don’t believe that visiting someone’s profile automatically makes you a suggestion, but I may be wrong.
More recently, they were explicit about what they were doing and offered it is a convenience feature.
Have they stopped this now?
LinkedIn asks me to sync my contact/address book information from another source. After the import runs they show you connections that match your contacts sometimes in the connections tab.
https://www.linkedin.com/help/linkedin/answer/1278/syncing-c...
The reason they implemented it that way is because Google did not yet provide APIs to facilitate contact import. As Google adopted more secure standards like OAuth, LinkedIn started using the official GMail API features like "import contacts," rather than logging into your account on your behalf.
People underestimate just how far privacy/security have come since 2013 (pre-Snowden), when even major websites still used HTTP on their payment portals. Someone could sit in a coffeeshop with FireSheep and alter your Amazon order. Privacy enhancing features like OAuth, TLS, and 2FA have only become widespread in the last 7-8 years.
Giving them your password so they can login on your behalf is just as egregious, IMO. Then again, Plaid did the same thing with your bank account and created a multi-billion dollar business out of it.
Until OP provides proof I doubt this claim from such a big service like LinkedIn.
That is entirely different than what was claimed. The claim was platforms were running "credential stuffing" attacks against their own users by attempting logins to other platforms by guessing that they use the same email address and password for both.
I'm skeptical. That would be a federal crime, unless you explicitly allowed it.
The "People You May Know" feature on LinkedIn is powered by a combination of:
- network analysis (you know A, B, and C. they all know D. you may know D.)
- mining data from your mobile address book (you have A in your contacts, A has you in their contacts, you may know A.)
The recommendation likely occurred as a result of you and the provider adding each other as a contact in a contacts app each of you have authorized LinkedIn to access.
I don’t know about Android, but in iOS you can see if you have enabled access to contacts. It’s also totally feasible your contact info is in their phone and they enabled it (email address).
For my online CV I settled at AngelList. Not as creepy and invasive as LinkedIn, very clean and honest UI, does the job of presenting your positions and projects just fine.
HIPAA is, contrary to popular belief, not about medical information but about specific entities that process medical information. In this way it differs from a law such as GDPR.
edit: This is also why a company like Fitbit or Apple do not fall under HIPAA despite having your medical information. They are not a health plan, clearinghouse, medical provider (that does electronic billing in specific formats), or the Business Associate of those entities.
"LinkedIn accesses Gmail contacts via ‘auto-authorization’ "
https://news.ycombinator.com/item?id=12769494
I have trouble believing this one because there are so many edge-cases that would cause it to behave poorly - universities and companies with a single shared IP address, VPN users etc.
I suppose the rule-of-thumb could be "if this IP address has only had <4 unique cookies associated with it, consider a match - if it has had >100 it's probably shared too broadly, ignore it"
I think that's exactly what they want with that feature if it indeed exists.
> universities and companies with a single shared IP address
It's relatively easy to weed these out (simply ignore any matching results from IPs which see a lot of different people logging in), but actually I'm not sure that would even be a problem - universities and workplaces with a single IP would be exactly what LI wants, as the probability of you "knowing" someone from that same organization is high.
I don't think it's unreasonable for OP to use any application and not expect this misuse of their data. And it's definitely not their fault.
Disgust at LinkedIn aside, this is a real problem for me and others who've been tricked into sharing their contact info. How do I fix this now?
I once heard that some dentists would check patients LinkedIn profile to estimate how much they should charge them next time. And some people are just creepily curious. They look into your online profiles for no reason.
I don't use LinkedIn's mobile app. But, if the app has permission to read your contact numbers, it could be simply that.