Ask HN: LinkedIn suggesting I connect with my infertility doctor
108 points by throwaway_97532 on June 25, 2021 | 47 comments
Looks like they mined my Gmail account and got the e-mail.

From a damage control perspective (obviously I want this info known to nobody but me and my healthcare provider), what can/should I do?

Are LinkedIn's affiliates looking at this data?

Who are they sharing it with?

I'm hoping to publicize this enough that someone at LinkedIn takes notice.



Ask your doctor if they gave LinkedIn access to their contacts file. If so, it could be a HIPAA violation, which both they and LinkedIn would have to take seriously.


Avoid LinkedIn as much as possible, from 2016:

"LinkedIn accesses Gmail contacts via ‘auto-authorization’"

https://news.ycombinator.com/item?id=12769494


LinkedIn is not a Covered Entity or the Business Associate of a Covered Entity and as such does not fall under HIPAA. They have nothing to worry about. The doctor on the other hand...

HIPAA is, contrary to popular belief, not about medical information but about specific entities that process medical information. In this way it differs from a law such as GDPR.

edit: This is also why a company like Fitbit or Apple does not fall under HIPAA despite having your medical information. They are not a health plan, clearinghouse, medical provider (that does electronic billing in specific formats), or the Business Associate of those entities.


Don't ever listen to someone on the internet talking about HIPAA.


Possible that they mined your Dr.'s email, not yours. I assume it is possible you have fallen for a LinkedIn dark pattern, but I would bet it's more likely that your physician did.


They will suggest people who have looked at your profile. And I have noticed, if you have shared an IP address with them - i.e. if you have used the wifi at your doctor’s office. I don’t think they can access your Gmail - how would they do that?


Wouldn’t the more reasonable explanation be that either OP’s (by their own admission) or the doctor’s contact list got extracted and the “match” was established that way?

I don’t believe that visiting someone’s profile automatically makes you a suggestion, but I may be wrong.


It is part of the suggestion algorithm. It's not "automatic" in the sense that it won't instantly and consistently trigger a recommendation without any other signals, but it can, especially if there aren't enough other strong signals to find suggestions on the person's account. A person who barely uses LinkedIn is more likely to get these very lightly associated suggestions because there is so little other signal for them.


In years gone by social media sites would try to login to your email provider using the social media password to scrape your contacts. This often worked because people reuse passwords.

More recently, they were explicit about what they were doing and offered it as a convenience feature.

Have they stopped this now?


That’s a serious statement! Do you have direct knowledge of this, or is it just gossip?


This was a well known fact during the years 2012 - 2015. It's not like it was hidden. LinkedIn asked you to enter your GMail password in a form on their website. It didn't require any sleuthing – you just had to log into LinkedIn and you could see for yourself.

The reason they implemented it that way is because Google did not yet provide APIs to facilitate contact import. As Google adopted more secure standards like OAuth, LinkedIn started using the official GMail API features like "import contacts," rather than logging into your account on your behalf.

People underestimate just how far privacy/security have come since 2013 (pre-Snowden), when even major websites still used HTTP on their payment portals. Someone could sit in a coffee shop with FireSheep and alter your Amazon order. Privacy enhancing features like OAuth, TLS, and 2FA have only become widespread in the last 7-8 years.


Having the user enter their password for connecting to Gmail is very different to having the service try the passwords themselves. The service shouldn't even have the password in clear text to begin with.

Until OP provides proof I doubt this claim from such a big service like LinkedIn.


What you're describing is them asking you to give them the password explicitly so they could log in and get your contact list. GP suggested they did this behind the scenes by trying the password you use with their service. That's a pretty big claim.


Oh, yeah I see what you're saying. They didn't "guess" your GMail password as far as I know (although I wouldn't put it past them, especially back then).

Giving them your password so they can login on your behalf is just as egregious, IMO. Then again, Plaid did the same thing with your bank account and created a multi-billion dollar business out of it.


> LinkedIn asked you to enter your GMail password in a form on their website.

That is entirely different than what was claimed. The claim was platforms were running "credential stuffing" attacks against their own users by attempting logins to other platforms by guessing that they use the same email address and password for both.


Haven't heard about LinkedIn trying to login using social media, but LinkedIn has a feature that does contact import.

LinkedIn asks me to sync my contact/address book information from another source. After the import runs they show you connections that match your contacts sometimes in the connections tab.

https://www.linkedin.com/help/linkedin/answer/1278/syncing-c...


100% agree, pretty bold claim to make without support.


> social media sites would try to login to your email provider

I'm skeptical. That would be a federal crime, unless you explicitly allowed it.


I deleted my LinkedIn account a while ago hoping to never look back but unfortunately it's impossible to completely avoid it if you are in business of any kind, in any capacity. At the very least when you look up a potential hire (or a potential employer, partner, etc) you end up on their LinkedIn profile in the majority of cases. For this, I keep a zero-contact account under a different email so that I can preview people's and companies' profiles.

For my online CV I settled at AngelList. Not as creepy and invasive as LinkedIn, very clean and honest UI, does the job of presenting your positions and projects just fine.


I haven’t had a LinkedIn account for the last ~5 years. In that time I’ve changed jobs about twice. I didn’t need it for the search nor did the companies require me to. My CV and other online profiles (aka GitHub) were enough. Possibly anecdotal but it appears to be very possible to ditch LinkedIn and thrive.


I'm following up with the Doc.'s office. Among other things, I'm also worried about "algorithms" automatically adding a "fertility treatment" risk weight to my future health insurance quotes.

Disgust at LinkedIn aside, this is a real problem for me and others who've been tricked into sharing their contact info. How do I fix this now?


Delete your current account for good, wait 30 days to have their spiders clean the cache, then start a new account by using a new e-mail address.


When I first joined LinkedIn, it suggested all kinds of obscure connections to me, like the real estate agent I'd used two years previously, and the wife of my landlord... I had definitely not given LinkedIn my contacts, and in any event, I didn't even have my landlord's wife in them. I'm assuming my info must have been inferred from info those contacts or their network had about me.

So in any case, LinkedIn is super creepy this way (and I thought I'd read they lost a lawsuit about contact mining) but the information leak may not be anything you did, but rather information that was inferred from the doctor somehow, your partner, or some higher order connection.

Great example of poor algorithmic governance.


Yes, a lot of people have shared their contacts with LinkedIn. I get suggestions to match with employees of moving companies I've used, owners of small stores whose mailing lists I'm on, etc.

I really think use of LinkedIn deserves a dedicated email address unassociated with anything else.


Way back when I was still on LinkedIn they suggested I connect with a neighbor in my apartment building. The only thing we had in common was the street address. We'd never spoken. I recognized her from being around, and that she worked in the store around the corner.

What finally pushed me out was they kept suggesting I connect with people from a former employer, which employer I would prefer to just forget. I'd even taken the employer's name off my resume.

I wonder what people trying to avoid abusive spouses and other dangerous people can do. Probably have to leave LinkedIn.


How sure are you that they got the Gmail account? Is it possible that you might have used an app that tracks your location at an infertility clinic and that information got sold to LinkedIn?


Have you searched his name in LinkedIn before? If not, there is a chance that he has searched your name for some reason.

I once heard that some dentists would check patients' LinkedIn profiles to estimate how much they should charge them next time. And some people are just creepily curious. They look into your online profiles for no reason.

I don't use LinkedIn's mobile app. But, if the app has permission to read your contact numbers, it could be simply that.


I've had this with people with whom my only contact was saving their phone number. AA fellows and dates. It's gross and I hate it.


Well this is Facebook too. It is beyond appalling.


Yep, had that with Facebook suggested friends. And we didn't have anyone nearly in common at all, the only connection is saving the phone numbers. Paid a lot to have pictures on my contacts; feel like a dummy.


LinkedIn will suggest people from the same IP address. If you accessed LI from your doctor’s office that would explain it.


Is this definitely true, or is it rumored?

I have trouble believing this one because there are so many edge-cases that would cause it to behave poorly - universities and companies with a single shared IP address, VPN users etc.

I suppose the rule-of-thumb could be "if this IP address has only had <4 unique cookies associated with it, consider a match - if it has had >100 it's probably shared too broadly, ignore it"


I've noticed this myself a couple years ago. A new flatmate moved in and he was quickly suggested to me by LinkedIn, before we even exchanged any contact details such as phone number or e-mail.

> universities and companies with a single shared IP address

It's relatively easy to weed these out (simply ignore any matching results from IPs which see a lot of different people logging in), but actually I'm not sure that would even be a problem - universities and workplaces with a single IP would be exactly what LI wants, as the probability of you "knowing" someone from that same organization is high.


> universities and companies with a single shared IP address

I think that's exactly what they want with that feature if it indeed exists.


LinkedIn’s least damaging usage in 2021 maybe? Zero contacts, no posts, no interactions in any form, closed to any connection. Just a bland CV, which is pretty unavoidable.


Gotta have exactly 501 random connections so it says 500+ connections and looks good.


LinkedIn suggested the Dr who delivered our son. In fairness we both work for the same employer, live in the same city, and coincidentally share the same last name.


tl;dr: The recommendation is likely driven from you and the provider adding each other to a contacts app LinkedIn has been authorized to source connection data from.

The "People You May Know" feature on LinkedIn is powered by a combination of:

- network analysis (you know A, B, and C. they all know D. you may know D.)

- mining data from your mobile address book (you have A in your contacts, A has you in their contacts, you may know A.)

The recommendation likely occurred as a result of you and the provider adding each other as a contact in a contacts app each of you have authorized LinkedIn to access.
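As an added illustration (not code from the thread, and not LinkedIn's own algorithm, which is not public), here is a toy "People You May Know" scorer in Python that combines the three signals commenters describe: friend-of-friend network analysis and mutual address-book entries from the comment above, plus the low-cardinality shared-IP heuristic proposed earlier in the thread ("if this IP has had <4 unique cookies, consider a match; if >100, it's shared too broadly"). All users, e-mail addresses, IP addresses, thresholds and weights are constructed assumptions. It shows the privacy point of the thread: with zero network overlap, a single pair of reciprocal address-book entries outscores every other signal, which is why a contacts-free account under a dedicated e-mail address avoids this leak.

```python
"""Toy 'People You May Know' scorer. Constructed example; hypothetical data."""
from collections import defaultdict

# Who is already connected to whom (hypothetical users; undirected graph).
CONNECTIONS = {
    "op":        {"alice", "bob", "carol"},
    "alice":     {"op", "bob", "dave"},
    "bob":       {"op", "alice", "dave"},
    "carol":     {"op", "dave"},
    "dave":      {"alice", "bob", "carol"},
    "dr_smith":  set(),   # the clinic: no network overlap with op at all
    "neighbour": set(),
    "stranger":  set(),
}

EMAILS = {u: f"{u}@example.com" for u in CONNECTIONS}

# Address books users have allowed the service to read (hypothetical).
# op saved the doctor's address; the doctor's office saved op's.
ADDRESS_BOOKS = {
    "op":       {"dr_smith@example.com"},
    "dr_smith": {"op@example.com"},
}

# Login log as (user, client IP). 10.0.0.5 is a router shared by two flats;
# 198.51.100.7 is a busy cafe wifi seen by many unrelated users.
LOGINS = [
    ("op", "10.0.0.5"), ("neighbour", "10.0.0.5"),
    ("op", "198.51.100.7"), ("stranger", "198.51.100.7"),
    ("alice", "198.51.100.7"), ("bob", "198.51.100.7"), ("carol", "198.51.100.7"),
]

# An IP seen by this many or more distinct users is treated as shared
# infrastructure (cafe, campus, VPN) and ignored. Constructed threshold.
MAX_USERS_PER_IP = 4


def mutual_connection_signal(user):
    """Triadic closure: count how many of user's connections know each candidate."""
    scores = defaultdict(int)
    for friend in CONNECTIONS[user]:
        for fof in CONNECTIONS[friend]:
            if fof != user and fof not in CONNECTIONS[user]:
                scores[fof] += 1
    return scores


def address_book_signal(user):
    """One point if user saved the candidate, one more if the candidate saved user."""
    scores = defaultdict(int)
    email_to_user = {e: u for u, e in EMAILS.items()}
    for email in ADDRESS_BOOKS.get(user, set()):
        other = email_to_user.get(email)
        if other and other != user:
            scores[other] += 1
    for other, book in ADDRESS_BOOKS.items():
        if other != user and EMAILS[user] in book:
            scores[other] += 1
    return scores


def shared_ip_signal(user):
    """Co-occurrence on a low-cardinality IP; busy IPs are filtered out."""
    users_by_ip = defaultdict(set)
    for u, ip in LOGINS:
        users_by_ip[ip].add(u)
    scores = defaultdict(int)
    for users in users_by_ip.values():
        if user not in users or len(users) >= MAX_USERS_PER_IP:
            continue
        for other in users - {user}:
            scores[other] += 1
    return scores


def suggest(user):
    """Return [(candidate, {'score': int, 'reasons': [...]})], best first."""
    total = defaultdict(lambda: {"score": 0, "reasons": []})
    # Address-book hits are weighted heavily: a saved contact is strong evidence.
    for name, signal, weight in (
        ("mutual_connection", mutual_connection_signal, 1),
        ("address_book", address_book_signal, 3),
        ("shared_ip", shared_ip_signal, 1),
    ):
        for other, n in signal(user).items():
            if other in CONNECTIONS[user]:
                continue
            total[other]["score"] += weight * n
            total[other]["reasons"].append(f"{name}x{n}")
    return sorted(total.items(), key=lambda kv: -kv[1]["score"])


if __name__ == "__main__":
    for candidate, info in suggest("op"):
        print(f"{candidate:10} score={info['score']:2}  {', '.join(info['reasons'])}")
```

Run as-is, the doctor tops op's list purely on the reciprocal address-book entries, dave follows on three mutual connections, the flatmate appears through the shared home IP, and the cafe IP contributes nothing because too many unrelated people have used it.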


This is exactly it. LinkedIn harasses you to turn this on every time you launch the app on your mobile. If you have their number in your contact list and you enabled this setting.

I don’t know about Android, but in iOS you can see if you have enabled access to contacts. It’s also totally feasible your contact info is in their phone and they enabled it (email address).


LinkedIn has been an abomination since the day it started. Creepy suggested connections, cringeworthy contrived posts and an unashamed desperate pursuit to cash in on recruitment agency money under the thin pretence of a service that in some way pretends to be useful. If they pulled the plug on it tomorrow the world would be a better place.


A perfect match for Microsoft who saw that shady shit and said, "that's perfect for us!"


Have you tried using LinkedIn recently? Your comment sounds like it’s from a decade ago.


Yes recently.


Pretty sure LinkedIn saves your Gmail contacts once you login using Gmail. Similar thing happened to me too. LinkedIn is an abomination and so is its CEO. Really surprised someone like Microsoft bought them.


They used to present something that looked like a gmail login, that if you used it, LinkedIn would take your credentials and spam all your contacts. I think they lost a lawsuit about that, and no longer have that dialogue... perhaps the app mines your contacts directly? This is one of the reasons I have never installed it.


Did you choose to have a Linkedin account? Did you choose to communicate using Gmail? If so, at the time you made these choices, did you consider if they were prudent, taking into account what we know about Linkedin and Google? I don’t want to assume that you were reckless, as it’s possible that you signed up many years ago, before the true nature of these companies was common knowledge. But these stories always sound to me like “I borrowed money from the Mafia and their interest rate is unreasonable. Plus, they broke my knees when I couldn’t pay. I am outraged.”


This is an absolutely ridiculous response. Even if we've come to reason that tech companies can not be trusted to be ethical with our data it's a false equivalency to compare them to a criminal organization.

I don't think it's unreasonable for OP to use any application and not expect this misuse of their data. And it's definitely not their fault.
