LinkedIn's Utilization of Small Print as a Shield for Bad Behavior
Product Background
- While a significant violation of the Product Manager’s Hippocratic Oath, companies regularly shield bad behavior behind small type, Terms of Service updates sent at midnight on Fridays, and unclear or outright false information.
- It is unfair to assume that users can completely understand the information presented to them and therefore make an informed choice, or even that they care enough to spend the time to do so.
- While LinkedIn has a history of disregarding users’ privacy and disrespecting data fair use, they have quietly rolled out 3rd party ad retargeting based on LinkedIn contact and profile data without adequately asking for consent or informing users of the ramifications.
- A (poorly structured) argument against this post is whether LinkedIn’s behavior is any worse than any other company. While I would argue they are a significant offender, most other technology companies are similarly bad actors, but that doesn’t support lesser condemnation of LinkedIn; it simply supports condemnation of the behavior and industry as a whole.
User Experience & Detailed Discussion
- Upon a recent login to LinkedIn, I received the following notification, alongside what I would assume to be millions of other users.
- Let’s break this update down piece by piece:
- As it appeared initially to the user, all of the information from “Information you’ve shared with other companies” down to “If you select ‘Agree’” was hidden from the user, and was only revealed after clicking the caret. This is a dark pattern to start.
- Allow LinkedIn to keep showing you relevant jobs and ads.
- This is nefarious because if LinkedIn is already doing it, why do they need my approval again? If they need my approval, then they must be doing something different. This sentence preys on users continuing to agree to what has occurred in the past.
- In addition, it also implies that if you don’t agree, you may not be shown relevant jobs in the future, which most users wouldn’t like. However, this is not precisely what is occurring; it is just that LinkedIn won’t use additional data to make those recommendations more relevant, not that the recommendations won’t be relevant at all. These are two very different things.
- Information You’ve Shared With Other Companies
- “When You show interest (Like…” - The like here implies that there may be other ways in which I may show interest to a company and that I am agreeing to potentially unlimited, undetermined ways by agreeing to this. I could theoretically click on the link provided but there is no guarantee that I’ll find the information there.
- “When you visit their websites, some companies may use tools (like cookies)…” - Again, there is the implication that companies may use other tools, and that I am agreeing to whatever those are, even though LinkedIn has no control over them or over how those companies will use/misuse my information.
- “Also, if you provided consent directly to a company you trust to use your data for ad relevance, LinkedIn may rely on that consent when showing you ads.” - This translates to “If any company that has a direct incentive to obtain your consent to show you targeted ads is somehow able to obtain that consent, through whatever means or dark pattern they can, then LinkedIn will blindly trust that 1 or 0 signaling your consent and, even if you click decline here, show you ads that are more heavily personalized and targeted, which will have higher cost structures and will make us additional revenue.”
- Finally, highlighting the Accept & Continue button in blue, which is the default action color for users on the site, abuses user trust in LinkedIn and pushes users towards that selection by default, likely increasing conversion rates.
- Most users likely will not understand that this one click will allow their data to be used across LinkedIn’s entire retargeting ad network. The gravity of that situation is not proportional to the copy or visuals of the dialogue.
Detailed Discussion Continued
Upon further digging through their latest privacy policy (Link) and LinkedIn’s additional primer on 3rd Party Ad Targeting (Link) as of this post, there are a number of additional data points that are collected that users may not realize. While the below are by no means exhaustive of the data items I believe are being misused, they illustrate the complexity and effort required to understand how a user’s data is used, and that most users have no idea.
LinkedIn (and others) also do a poor job, either intentionally or unintentionally, describing the interactions of data points that they collect. As a result, while they may be following the letter of their privacy policy, they may be doing so either by omitting the scenarios where data is combined, or describing them poorly.
In the below examples, text from the policy is italicized, while my comments are just below:
- Different Services & Device Tracking - Logging Sites after LinkedIn Visit
- Section 1.4 - Cookies, Web Beacons & Other Similar Technologies
- As further described in our Cookie Policy, we use cookies and similar technologies (e.g., web beacons, pixels, ad tags and device identifiers) to recognize you and/or your device(s) on, off and across different Services and devices.
- Fair enough, but what does “across different Services and devices” mean? Let’s go to Section 1.5.
- Section 1.5 - Your Device & Location
- When you visit or leave our Services (including our plugins or cookies or similar technology on the sites of others), we receive the URL of both the site you came from and the one you go to next. We also get information about your IP address, proxy server, operating system, web browser and add-ons, device identifier and features, and/or ISP or your mobile carrier. If you use our Services from a mobile device, that device will send us data about your location based on your phone settings. We will ask you to opt-in before we use GPS or other tools to identify your precise location.
- I would hazard a guess that most users don’t understand that the site they go to after LinkedIn is also logged by LinkedIn. It is fairly standard practice to log which pages users are on before exiting, but I’ve rarely seen the logging of pages after exiting an application.
- 3rd Party Advertising
- Section 2.4 - Advertising
- We do not share your personal data with any third-party advertisers or ad networks for their advertising except for: (i) hashed or device identifiers (to the extent they are personal data in some countries); (ii) with your separate permission (e.g., lead generation form) or (iii) data already visible to any users of the Services (e.g. profile). However, if you view or click on an ad on or off our site or apps, the ad provider will get a signal that someone visited the page that displayed the ad, and they may through the use of mechanisms such as cookies determine it is you. Advertising partners can associate personal data collected by the advertiser directly from you with our cookies and similar technologies. In such instances, we seek to contractually require such advertising partners to obtain your explicit, opt-in consent before doing so.
- Potentially my favorite section in here, with key bits underlined.
- We do not share your personal data with any third-party advertisers or ad networks for their advertising except
- So LinkedIn doesn’t share my personal information with 3rd party advertisers, except that it does exactly that thing.
- Advertising partners can associate personal data collected by the advertiser directly from you with our cookies and similar technologies. In such instances, we seek to contractually require such advertising partners to obtain your explicit, opt-in consent before doing so.
- LinkedIn seeks to obtain that consent, but it is not clear whether they will allow targeting even if they do not obtain proof from the advertiser of explicit, opt-in consent.
- How Businesses & Websites Can Use Third-Party Data for Advertising on LinkedIn
- There is an additional and entirely separate page on Third Party data usage (the second link in the intro paragraph above and here), the text of which is not included in the primary privacy policy.
- This policy essentially allows LinkedIn to serve retargeted ads across its entire network as well as across 3rd party sites with which it has a retargeting partnership.
- While this is similar to other retargeting relationships/providers, what is not clear is what unique situations LinkedIn may be able to exploit due to the network information effects that LinkedIn is the recipient of.
- For example, if a colleague uploads my email via the LinkedIn address book feature, is that email used for retargeting even though I never consented to that being a retargeting data point? I would assume it is likely the case, but this scenario is not detailed implicitly or explicitly in these documents to my knowledge.