Privacy

35706 readers

430 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

LinkedIn ID verification (lemmy.zip)

submitted 1 day ago by ka1ikasan@lemmy.zip to c/privacy@lemmy.ml

15 comments fedilink hide all child comments

First things first, I've updated my LI account with a new e-mail and 2FA and now my account is "Temporarily restricted". LinkedIn require me to send them either my ID card (no way) or my legal information certified by a lawyer in my country (no way). The ID seems to be "verified" (they are nothing to compare against) by Persona, a third-party that is located in US.

I kindly asked by mail to delete my account (as outlined in Article 17 of the GDPR) using a webcall or a short video with me talkie-talking about how I would like to recover my account. "Kindly asked" whether they prefer me to bring the matter to the court (Article 77 of the GDPR). Gonna see what they reply.

Anybody who went through this? Any success? Any arguments that seemed to work on the support?

you are viewing a single comment's thread
view the rest of the comments

[–] unconfirmedsourcesDOTgov@lemmy.sdf.org 5 points 1 day ago (1 children)

Would you prefer that anyone be able to request that any non-verified account be deleted?

I'd bet their security system saw you log in from a new IP, maybe even over VPN(?), then change the email and add 2fa, which are exactly the steps a malicious actor takes when securing an account acquired using credential stuffing. They presumably expect that your account has been compromised and are treating you as untrusted until you provide some form of validation that you are who you say you are.

I suspect that if you were to seek legal action against them they would claim that you refused to take basic actions to positively prove your identity and throw out some statistics, ie (making this up) 98% of users are able to verify using their system without any issues.

If you do seek to bring them to court under article 77, would you not then be putting into the public record a permanent association between your real identity and the account you seek to delete? Is that better than simply sending them a picture of your ID? With this in mind, is it worth the cost of legal representation to resolve the issue? I'm not sure where you're from and you don't need to answer me but I would encourage you to consider those questions when determining your path forward.

[–] ka1ikasan@lemmy.zip 4 points 19 hours ago (1 children)

Thanks for your reply, there are many ideas that help me to think it through!

First of all: no, I agree that non-verified person should not be able to request an account deletion. However, I am in full possession of my id, password, 2FA, full access to both old and new e-mail boxes as well as to all devices that have ever been used to log into this account. I believe that this is enough to prove that I am the one holding the account.

I believe that I never used LI from any new VPN (I use either professional VPN or no VPN).

As per your last paragraph, I totally agree that it might "reveal" my sensitive data. My idea was the following: if I show myself ready enough and kinda literate about privacy (nothing fancy, just some well-known rights and regulations) I might get them to accept a video call or something similar to confirm my identity. If this case were to be brought to court after all, I believe that my ID data might remain within the jurisdiction of my country instead of be sent to a third party (Persona).

[–] unconfirmedsourcesDOTgov@lemmy.sdf.org 3 points 13 hours ago

Yeah I totally agree that the whole ordeal is unnecessarily complex and confusing. The number of websites that have started mandating 2FA despite having complex, unique passwords that have never been shared annoys me regularly. It's frustrating that because other people can't figure out how to use a password manager, we can't have nice things.

My guess is that there is a certain number of account actions you're allowed to take (changing password, email, etc) before they force you into a cool down period where you can't delete your account for like a week. Maybe not, but this is one approach I've seen before.

As for the video call, I totally see your train of thought. This is gonna sound dumb, but consider that nobody at LI knows you, so a video call is of limited value, especially in this world of ai models that can apply filters to video in real time. I'm not saying this is their rationale, but it could be part of it.

I'm gonna nerd out here for a second but hopefully you'll humor me. Authentication is tricky, especially if you want more than one factor for 2FA/MFA. The factors are often explained as something you know (password), something you have (perhaps a yubikey, in this case a state issued ID), or something you are (biometrics). The biggest issue as I understand it is that people reuse the same password over and over, so if your LI password were compromised then it isn't too big of a leap to assume that your email was also compromised, meaning that any form of authentication relying on email cannot be trusted.

If LI has a policy that any account deletion actions attempted within a month of changing the primary email require the account to have at least 2 factors, that would trigger the request for your ID, because they're assuming that a threat actor is controlling all of the relevant accounts and they are no longer useful for authentication. State issued ID is one of the best ways to authenticate because when your state provides the ID, they are providing a level of guarantee that the information is both true and being provided without modifications (authentic).

Having said all of that, could you not photoshop a state ID and provide that? Some in the comments have suggested that as an option. If I were designing the program then this third party, Persona, would have relationships with issuers of state ids and could do some level of validation that the ID being uploaded is authentic.

I realize none of this solves your problem, but sometimes I feel better about "stupid" policies if I can work backwards and understand how they came to be in the first place and what they're meant to accomplish. My advice is to wait a week or 3 and try to delete again, but obviously that is still no guarantee. Good luck!