Ask HN: How to avoid getting a privacy-aware LinkedIn profile restricted?

18 points by data_maan ↗ HN
I'm rather privacy-aware, so I use a lot of browser plugins to disable trackers, VPNs etc. which by accident are sometimes active when I log in to LinkedIn => account restricted and ID requested to un-restrict it. Submitting an ID to LinkedIn is a no-go. I have been over the years already 3 times in this situation.

Last time it happened when I logged in through the LinkedIn app on my phone, that I didn't have a VPN connection running, and I guess the sudden geographical jump of my IP triggered LinkedIn.

I can't keep going on like this, to discover with each new profile that I make once every 2-3 years another bit of info that may trigger LinkedIn (I have read up on various triggers, and they keep shifting). Is there a comprehensive list of what I have to do to avoid this fate the next time?

I would also be happy to pay for LinkedIn to avoid getting restricted, but again I don't feel comfortable using my personal credit card, because I don't want to give LinkedIn any other data point than a frugal version of my CV. I'm wondering whether perhaps my name already is permanently "tainted" so that it will automatically get restricted due to my past attempts.

Do you use an agency to manage your LinkedIn profile? I'd be willing to spent a reasonable one-off amount for someone to let me know precisely what I have to do to avoid.

Are there specialists out there that can manage a privacy-aware LinkedIn profiles?

It MUST somehow be possible to balance the need for a reasonable level of privacy with the need of having a LinkedIn account that is robust under using VPNs etc. and that I just use to received some recruiter mail every once in a while (no crazy attempts to hoard connections etc.).

13 comments

[ 3.5 ms ] story [ 43.0 ms ] thread
I deleted LinkedIn years ago when it stopped allowing me to use the site normally without first supplying which city I reside in.
This might not answer your question or needs, but if I were in your position I would create a minimal LinkedIn profile for discovery purposes and then link to a password protected static website that has more details for businesses that you are actually interested in engaging with. Use a canary email address email alias on LinkedIn so that it is easy to filter their emails into a folder. In my opinion it is also important to use a burner phone specific to LinkedIn if that is an affordable option.

All of that said I would not expect too many legitimate communications to this anonymous account. Recruiters, debt collectors and investigators pay to see more data on LinkedIn than others and will avoid unverified accounts. They can bypass most privacy settings. The automated bots would still reach out giving the appearance this setup works. Their system can also detect VoIP numbers.

Minimal LinkedIn profile for discovery purposes is what I always had in mind - yet it got restricted several times without me doing anything offensive to LinkedIn, just using general privacy-enhancing measures.

The static link is a good idea!

But my question remains how I can prevent getting restricted. I have already had two profiles, with somewhat similar CVs, in one where I'm called John Doe and in the other Doe John (my name makes permuting these less obvious). So I guess I can't keep going like this, because at some point my entire name and CV will be tainted after too many restricted attempts. I need to get it right the next time, to not be restricted.

Regarding the legitimate communications: I am actually positive about this, because a big part of LinkedIn are connections. If I (somehow) manage to have an account that doesn't get restricted within weeks so that I can actually add my peers, I will have a number of high visible and important people endorsing me (well known professors and researchers). That should give my profile a lot of value, I think?

At the same time it would not compromise my privacy, other than that a part of my professional network is public - but that is public anyhow since it can be derived (with some work) my articles, so not much is actually lost.

But my question remains how I can prevent getting restricted.

The only thing I could suggest is use a browser with very little or no browser addons running in a sandbox or VM and connect from a coffee shop wifi. Set up your profile then nuke that sandbox/VM. If the time comes you need to edit your profile repeat the process.

“that I didn't have a VPN connection running”

Likely not telling you something you don’t already know, but many sites persist access logs and can answer “Which IPs accessed this account?” for a very long time indeed.

If you’re using VPN providers rather than a DIY approach, or even if you DIY through a cloud or other hosting provider, it’s extremely easy to answer questions like, “Which IPs that accessed this account came from known eyeball networks like Comcast?” (or cellular networks).

If your goal is masking your true location then all it takes is one slip-up and it’s somewhat irreversible. In security roles, I’ve seen more than one threat actor busted through one slip-up (“Whoops we forgot to VPN when accessing one time, 14 months ago”).

If you’re aiming to have a site not know Profile A and Profile B are the same, ditto, except now you also need to not access the site using the same methods, and also consider to what degree your browser / client can be fingerprinted.

> many sites persist access logs and can answer “Which IPs accessed this account?” for a very long time indeed.

What would a very long time actually? I don't have any sysadmin experience, so I'm not sure. One year? Five years? I guess at some point there will be just too much data to keep everyone's logs...

> If your goal is masking your true location

My goal using VPNs was actually an entirely different; you might be surprised by this: One of my Facebook profiles got blocked when I travelled a lot because (I imagine) geography based on my IP addresses changed too quickly and I think they thought I got hacked. My reasoning thus was now to just use one single place

Another goal of using a VPN was to decrease the fingerprinting that you also mentioned, since I give LinkedIn one datapoint less.

> “Which IPs that accessed this account came from known eyeball networks like Comcast?” (or cellular networks).

What exactly do you mean by this, do you mean that because they fingerprint me, when I use the browser without a VPN, they can use the other fingerprinting information to figure out who is behind the VPN?

LinkedIn can happily know my geographic location, because that reveals very little about me as a person; what I don't want LinkedIn to know is all the other websites that I visit and I also don't want other entities like Google to be able to connect my real-name LinkedIn and (frugal) CV with my website activity, because I consider that a clear trespassing of my privacy.

I guess my only approach is a DIY where I reserve one computer only for LinkedIn and nothing else and when travelling SSH into that. I guess that is what you had in mind with a DIY approach?...

After my own attempts, I concluded that LinkedIn doesn't meet my expectations for privacy, so I don't use LinkedIn. Per your standards, you also don't think LinkedIn sufficiently values your privacy (or your time), so why keep using it?

> It MUST somehow be possible to balance the need for a reasonable level of privacy with the need of having a LinkedIn account

1. You do not "need" a LinkedIn account. Lots of people use it, some even like it, but you don't have to. I don't.

2. Why "must" that balance be possible? Many privacy-conscious people don't use social media sites like LinkedIn. LinkedIn doesn't have to accommodate us, and we don't have to bend to them either.

I have colleagues from PhD who get a ton of recruiter messages and land awesome jobs, whilst I'm still stuck with my small network. Also, getting all these recruiter spam is actually a nice, heartwarming thing, of making you feel needed and wanting - compared to cold-hearted academia, where nothing is ever good enough.

I have resisted LinkedIn for years and only had the mentioned, half-hearted attempt to create an account. But I feel I have reached some kind of tipping point now. I wonder, if they request my ID, and I just upload a fake one, what would happen, could they sue me worst case, supposing they go through the hassle to connect my real name that I have my profile with to my identity?...

Just delete the LinkedIn. Despite what everyone under 30 will tell you, you don't need it to get or maintain a job.
When you asked to unlock your account, did they provide any explanation on what had triggered it?
No, nothing. Just a very vague sentence about "flagged due to suspicious activity".

Generally all social media seem to offer very little information. And probably for good reason: If a black-box non-interpretable deep net flagged me, the company itself may not really have a good explanation. Perhaps all the people that moved their mouse really fast that day over thr screen where found to be (spuriously) correlated with fraudulent behavior. Did you move your mouse too fast? Bad luck, now your account is restricted. Of course no one could tell you that, if that is what is going on, so companies resort to vague statement.

There really should be a law (or a lawsuit?) about this.

Hey LinkedIn, if you're reading this pop me an email jellymax@protonmail.com to get my account unstuck before I'll drag your name through the mud all over he place! :D