Privacy Warning: LinkedIn is giving your email address to people you do not know

Did you know that LinkedIn is giving away your personal information to people you do not know? There's no privacy setting to prevent this, and the only way you can stop it is to completely remove your LinkedIn account.

I have discovered two separate privacy breaches at LinkedIn and have been discussing this with them for over 5 months now to try to get it fixed.

LinkedIn Messaging privacy breach

The first problem is with their messaging system. When you send a message to your LinkedIn contacts using their messaging system, you get the option marked below ticked by default:

LinkedIn privacy breach

If you send a message to your contacts using Facebook or any other online messaging system, you don't get this option. What happens is that the message is sent and any recipients who have configured their account to receive email notifications will INDIVIDUALLY receive an email from [email address obscured] (or whichever network is being used).

However, this feature on LinkedIn means that you can send a message to Person A, Person B and Person C, and if you send the message with the tick box still ticked, they will be able to see each other's email addresses in the To: or CC: fields of the email that they receive... even if they do not know each other... even if they are mortal enemies of each other.

This also means that your contacts can inadvertently distribute your email address to their contacts, whom you may or may not know, and more importantly, whom you may or may not trust.
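The difference between the two delivery styles described above, as an added example that is not part of the original article or LinkedIn's code: it builds both kinds of notification and audits which other people's addresses each recipient can read in their copy. The sender address and recipient addresses are constructed placeholders.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: hypothetical no-reply sender and recipient addresses.
NOTIFY_FROM = "notifications@network.example"
RECIPIENTS = ["a@mail.example", "b@mail.example", "c@mail.example"]


def _build(to_addrs, body):
    """Serialize one notification email addressed to to_addrs."""
    msg = EmailMessage()
    msg["From"] = NOTIFY_FROM
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = "New message"
    msg.set_content(body)
    return msg.as_string()


def shared_delivery(recipients, body):
    """Box ticked: one email whose To: header lists every recipient."""
    raw = _build(recipients, body)
    return {addr: raw for addr in recipients}


def individual_delivery(recipients, body):
    """Box unticked: each recipient gets a copy addressed only to them."""
    return {addr: _build([addr], body) for addr in recipients}


def exposure(copies):
    """For each recipient, list other people's addresses visible in To:/Cc:."""
    report = {}
    for rcpt, raw in copies.items():
        msg = message_from_string(raw, policy=policy.default)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        seen = {addr.lower() for _, addr in getaddresses(headers) if addr}
        report[rcpt] = sorted(seen - {rcpt.lower()})
    return report


if __name__ == "__main__":
    for name, deliver in (("shared", shared_delivery),
                          ("individual", individual_delivery)):
        print(name, exposure(deliver(RECIPIENTS, "Hello all")))
```
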

Sophos, the IT security experts, have also noticed this problem.

When you gave your email address to LinkedIn to open your account, you agreed to their Privacy Policy and Terms and Conditions, which state that:

"Your contact information will only be shared with another User if both of you have indicated that you would like to establish contact with each other."

Which is all very reasonable.

However, LinkedIn have clearly breached this agreement because it is very easy for your email address to get shared with other users with whom you have not agreed to establish contact.

OpenGlobal contacted LinkedIn about this and they have decided that they are exempt from the Data Protection Act, and also exempt from their own terms and conditions and it is the users who must honour LinkedIn's obligations, not them:

"...it is up to the member who is sending the message (in this case, your trusted connection) to choose whether to allow your email address to be visible to the remaining recipients or not." - LinkedIn response to my complaint.

The immediate implications of this are admittedly minor; the most that is likely to happen is that your spam will go through the roof and you will receive numerous email viruses. However, I am personally unimpressed with their disregard for privacy (and our "agreement") and the flippancy with which they have treated our complaint. So far, my email address has been sent out to users I do not know on three occasions using this method and is now receiving spam. I use a unique email address for my LinkedIn account, so when this account starts to receive spam, I know exactly where this has originated.

LinkedIn Notifications privacy breach

The second privacy breach that was discovered proved a little more successful to resolve (I think).

I commented on a LinkedIn contact's status update and a short while later, one of his contacts also commented on the status update. This other contact is completely unknown to me; we simply have a contact in common.

I received a notification email to say that somebody else had also commented on the status update, however, instead of coming from something appropriate like [email address obscured], it came from the other person's email address. LinkedIn had divulged this user's private email address to me, despite me not knowing them or having any connection with them on LinkedIn.

I reported this to LinkedIn because it means that if you comment on anyone's status, your email address can be given to unknown third parties without your consent.

It took more than 7 weeks for this privacy breach to be first acknowledged by LinkedIn and then fixed. At least, they claim it is fixed; I'm still waiting for some unknown third parties to comment on some status updates so that I can verify this.

What can you do?

Firstly, complain to LinkedIn about the "CC" tick box on the "Compose Message" screen. It's bad enough that this tick box is present; it's even worse that it is ticked by default for unwitting users to fall into the trap. Secondly, send a complaint to the Information Commissioner's Office (ICO) regarding this matter.

I would advise all of you who send messages using the LinkedIn messaging system to always untick the "CC" box for 2 reasons:

1) If LinkedIn are ever sued/prosecuted for this feature, they plan to pass the buck onto you.

2) Some of the recipients of these emails may take extreme displeasure that their personal details now reside on other people's computers and choose to remove you from their contact lists.

There are no privacy settings to prevent users sending your details to their contacts, except to delete your account completely. Deleting your account is a pretty drastic action, so I would instead advise that you create a separate email address (create one on GMail or Hotmail) and switch your LinkedIn account to use this as the primary email address. Delete all other email addresses from your LinkedIn account, then don't use that email address for anything else. This way, any breach of your email address is restricted to an otherwise unused account.

I would also recommend that you keep an eye on any emails that come from LinkedIn. Having discovered two independent privacy breaches, my opinion of LinkedIn's competence in this area is shattered, so I would not be surprised if more breaches were found later.
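One way to watch a dedicated address like the one recommended above, as an added example that is not part of the original article: any mail reaching that address from a sender outside the network's own domain is evidence the address has been passed on. The dedicated address, the expected sending domain and the sample messages are all constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Assumptions (hypothetical): the dedicated address and the network's sending domain.
CANARY = "li-only@mail.example"
EXPECTED_DOMAINS = {"network.example"}

# Constructed sample inbox: raw messages as they might arrive at the mailbox.
INBOX = [
    "From: notifications@network.example\nTo: li-only@mail.example\n"
    "Subject: New comment\n\nbody\n",
    "From: stranger@other.example\nTo: li-only@mail.example\n"
    "Subject: New comment\n\nbody\n",
    "From: Deals <promo@bulk.example>\n"
    "To: someone@else.example, li-only@mail.example\nSubject: Offer\n\nbody\n",
]


def sender_domain(msg):
    """Domain of the From: address. From: is unauthenticated, so this is a signal only."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def leak_evidence(raw_messages, canary=CANARY, expected=EXPECTED_DOMAINS):
    """Return (sender domain, subject) for mail sent to the dedicated address
    by anyone other than the expected network domains or their subdomains."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        to_addrs = {addr.lower() for _, addr in getaddresses(headers)}
        if canary not in to_addrs:
            continue  # not addressed to the dedicated mailbox
        domain = sender_domain(msg)
        trusted = any(domain == d or domain.endswith("." + d) for d in expected)
        if not trusted:
            findings.append((domain, str(msg["Subject"])))
    return findings


if __name__ == "__main__":
    for domain, subject in leak_evidence(INBOX):
        print(f"unexpected sender domain {domain!r}: {subject}")
```
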