First things first, I’ve updated my LI account with a new e-mail and 2FA and now my account is “Temporarily restricted”. LinkedIn require me to send them either my ID card (no way) or my legal information certified by a lawyer in my country (no way). The ID seems to be “verified” (they are nothing to compare against) by Persona, a third-party that is located in US.
I kindly asked by mail to delete my account (as outlined in Article 17 of the GDPR) using a webcall or a short video with me talkie-talking about how I would like to recover my account. “Kindly asked” whether they prefer me to bring the matter to the court (Article 77 of the GDPR). Gonna see what they reply.
Anybody who went through this? Any success? Any arguments that seemed to work on the support?
If you give your ID to a 3rd party company in the US, it’s impossible to know if they will delete you ID or whether you’ll be added secretly to a facial recognition system.
The US is allowed to issue secret orders to companies demanding they do things in the interest of “security.” They can also issue gag orders forcing companies to not talk about the secret orders. Therefore, any US company may be secretly forced to violate it’s supposed terms. A company that collects biometric information seems like it would be especially likely to be targeted.
Facebook, Instagram, and other social media such as Linked In are likely the largest source of law enforcement information being fed to facial recognition systems. Given the dystopian “ideals” of some politicians, I consider it a risk and wouldn’t do it. Your country may not be sharing that information with the US already.
Additionally, some of these companies have become the main way people get employed, rent things, or buy things. Because these companies serve a public function but are officially private, they can de-platform people for any reason, with no meaningful appeal, creating havoc and misery for an affected person. If you have been flagged to be banned, by giving them your ID, you will let them ban you based on a government document forever. Their system may have flagged you for verification, but it could have also flagged you to be banned forever based on TOS violations.
If you abandon your account, you can always create a new account, then later claim a hacker got you or your forgot your email password. If you provide an ID, you may be linking a government record to biometric information to something they can ban.
A company may also be claiming that they get rid of an ID but still keep a hash of some combination of biometric information.
In theory, anyone in Facebook in California should be able to submit a CCPA request to delete all information, including ban information, and then go on Facebook again, even after a lifetime ban. Anyone in the EU should be able to do this too through GDPR. But this doesn’t happen, because Facebook lies and is also just a rebranding of Lifelog.
Following. I’m working to get all my old accounts moved away from my gmail account so I’m guessing I’d run into this too.
Send them a fake/photoshopped ID. I did that with Facebook when they pulled that shit to try and stop me from deleting my account by locking it.
I’d might accept to send my ID with my photo, first and last name (data which they already have and might use to verify my identity) but with all the remaining info being anonymized / blurred. But I believe that Persona filter out blurred out images. And I have to admit, I am kinda afraid to send fake data. Sure, Persona is not a legal representative but a third party, sending them a fake ID isn’t any different to send a fake ID to a buddy but still.
It used to be possible to give them entirely fake IDs. When I want to delete my Facebook account, there was kind of a trend around the globe to give them McLovin ID. And so did I. It worked.
This is actually required to comply with the GDPR.
My experience was in the US and pre-GDPR, but how would they even verify that it’s not your real ID?
Proper identification requires a logged in device to take a picture of you and possibly a short video in which the document is moved in front of the camera (to confirm the holograms).
Seems like you can still use trickery there but ¯\_(ツ)_/¯
Total security is the same as zero risk: it does not exist. Still requiring companies to properly collect documentation about data subject requests is a positive in my book.
LinkedIn was doing this to me, too. But then I randomly was able to log on again. I wasn’t able to for months and thought it was ridiculous that they were asking for my ID.
You can try logging in on an IP address you previously logged in on. Then, delete your account ofc.
Good to know, thanks! I might try to log in every now and then. And indeed, no way I keep my account after that.
Would you prefer that anyone be able to request that any non-verified account be deleted?
I’d bet their security system saw you log in from a new IP, maybe even over VPN(?), then change the email and add 2fa, which are exactly the steps a malicious actor takes when securing an account acquired using credential stuffing. They presumably expect that your account has been compromised and are treating you as untrusted until you provide some form of validation that you are who you say you are.
I suspect that if you were to seek legal action against them they would claim that you refused to take basic actions to positively prove your identity and throw out some statistics, ie (making this up) 98% of users are able to verify using their system without any issues.
If you do seek to bring them to court under article 77, would you not then be putting into the public record a permanent association between your real identity and the account you seek to delete? Is that better than simply sending them a picture of your ID? With this in mind, is it worth the cost of legal representation to resolve the issue? I’m not sure where you’re from and you don’t need to answer me but I would encourage you to consider those questions when determining your path forward.
Thanks for your reply, there are many ideas that help me to think it through!
First of all: no, I agree that non-verified person should not be able to request an account deletion. However, I am in full possession of my id, password, 2FA, full access to both old and new e-mail boxes as well as to all devices that have ever been used to log into this account. I believe that this is enough to prove that I am the one holding the account.
I believe that I never used LI from any new VPN (I use either professional VPN or no VPN).
As per your last paragraph, I totally agree that it might “reveal” my sensitive data. My idea was the following: if I show myself ready enough and kinda literate about privacy (nothing fancy, just some well-known rights and regulations) I might get them to accept a video call or something similar to confirm my identity. If this case were to be brought to court after all, I believe that my ID data might remain within the jurisdiction of my country instead of be sent to a third party (Persona).
