TL;DR: Someone went through emails I thought were private, collected the email addresses and sold them to LinkedIn, who offered me these addresses as possible contacts I should invite. Several of these people have passed away. I feel violated.
I started thinking that privacy must be important when bringing PGP outside the US was considered “munitions export without a license” in the early 90s. And every time someone wanted to forbid encryption after that. Just this week I wrote an article on how to improve online privacy. Oh the irony.
When I talk to people about why it is so important that they should care about their privacy, the most common reaction is:
“Why should I care? I have nothing to hide.”
And my answer is always the same also: “Everyone has something to hide.”
We all have secrets, we just don’t always realize what they are. And in this age of technology all of these secrets are constantly in danger of getting into the wrong hands.
Here’s just a few examples that have already happened to me this year. Read on to see all the stuff I thought wasn’t going to be a problem and now I wish I had protected my privacy better.
No online Check-in when flying to North America
Just earlier this year, I got a tiny inkling of the horror people go through who have for some reason been profiled as “security risks” warranting additional scrutiny.
I was on two flights to North America within a year. Both times I could not check in online. The first time was due to a randomized selection for additional security controls by the police. It was a hassle but I understood.
But when it happened again and the hotline could not tell me what was wrong, of course, I thought the same had happened. My thoughts continued like this: “This is no longer random. Have I been singled out? Why? … Maybe I should not have sent those emails with research requests for my novel un-encrypted? Maybe I am on some kind of list now? Can I even find out if I am? Will they tell me or will I just keep having trouble now with flying?”
I slept badly the night before my flight. At the airport we found out – what the hotline should have known – that my ESTA had not gone through for Canada because I had made a mistake with my passport number. But for one night I felt absolutely horrified that I had made the mistake of my life by asking for advice on IEDs (and here I am doing it again) because I wanted to have a realistic scene in my novel.
I have heard of cases where the reasons these people ended up on no-fly lists were similarly far-fetched, and that made it seem absolutely possible to have happened because of a couple of emails talking about explosives.
Flickr messed up
Just this week I got an email from Flickr that they messed up badly with their software and private images may have been visible to anyone (it was a bit more complicated than that). I never used that part of their site and also I have few non-public pictures there so I wasn’t worried – but I am considering pulling pictures that are not public from the site. For me this is a minor incident. But it happens all the time … not a week goes by that there is not some large company that has lost customer data either to hackers or because they messed up all by themselves.
Nevertheless, however accidental the publishing … it will have been a bad breach of someone’s privacy.
LinkedIn wants me to invite the dead
And today after months I logged into my LinkedIn account. There were a few contact requests, most of which I rejected. And then I saw that there was a long list of “people you might know”. Weirdly, there were some that didn’t have any connections to contacts I already had, which is the normal way for social networks to make these proposals.
I began to look closer at these proposed contacts. These were not people with actual accounts, those were people I was supposed to “Invite”.
The longer I looked the more I began to shiver. There were several people on the list who have long since passed away.
There were people on the list with email addresses LinkedIn had no way of knowing.
At first I thought they might have obtained these when I accidentally must have allowed them to search my contact list, which I can’t remember doing, especially since I never installed the LinkedIn apps on my phones or tablets. I usually log onto the site only on my browser.
I verified this when I found a person on that list with whom I exchanged a couple of emails back in 2006 concerning I don’t even remember what. This person will never ever have been in any contact list or address book of mine. The only link between me and this person are 4 emails I found when I grepped through my email archives.
It’s not Google, this time.
I think Google’s code is too smart to sell an email address I contacted twice over 10 years ago as a possible contact. Considering LinkedIn belongs to a competitor, maybe they did. But still I am reasonably sure that Google is not the culprit here.
I do think my mistake most likely happened after I moved away from Gmail again, happy to return to my private server. On my desktop I have been using webmail interfaces for a while. I wanted to make the move complete and ditched the Gmail app on my phone. So what to use instead? privacytools.io names K9 as the only acceptable mobile client. I have issues with K9. In the early days of smartphones it managed single-handedly to drain my data and my battery.
As of yesterday I thought Microsoft had become less evil
Now that ugly data kraken belongs to Microsoft. So I believe that Outlook is the connection that I am looking for. If it is indeed the connection, it means that for the two hours or less that Outlook was on my phone the app managed to go through my emails and deliver everyone I had contact with promptly to LinkedIn. And there’s something else that makes this a better fit than just someone randomly slurping my emails from another source: all those weird invite proposals were from around the same few years, 2006-2008. My archives are organized by year and to check out how the app handles folders I probably clicked on my archives …
What’s worse is there were no LinkedIn emails in those folders and I am not using the same email address for LinkedIn or for Skype or Microsoft. Of course, I have some idea how I would program something that could still make the connection or guess at it. Something like this isn’t an accident. There is intent. Not malicious but nevertheless intent that ended up hurting me. Whoever programmed this feature, if they thought about the end user at all while drooling over shareholder value, they were probably convinced they were doing me a service. Of connecting me with people from my past. Dead people.
Somehow this latest thing is worse than all the others. I feel violated and I am mad. And I can’t stop thinking that something like this must be illegal. For me there is a huge difference between (1) it’s my fault if I store my emails on the server of a company that more or less promises to analyze the heck out of the data for some nefarious AI development and (2) I install a mail client expecting to read mails from my own server with my own device through an encrypted channel, and find out that after just two clicks the client hands the data over to some subsidiary/third party. The audacity and the unexpectedness of the latter are just too much.
So I am considering my options:
- do self-therapy by writing an article – check 😉
- getting over it – ask me again next week
- deleting my LinkedIn account is still not off the table; I do get project proposals there every once in a while, but Xing has always been better than LinkedIn for me
- I couldn’t find a phone number on their website and anyway yelling at the hotline is unlikely to do anything meaningful for anyone
- baiting a trap with more email addresses and figuring out if it truly was Outlook mobile
- Checking out European privacy laws and maybe do what this guy did who had something similar happen to him, he “served linkedin with a request for a copy of all my data, as per Directive 95/46/EC of the European Parliament.” Which might help in finding out where they got the data from.