[HN Gopher] Google breaking European privacy law by hoarding per...
___________________________________________________________________
Google breaking European privacy law by hoarding personal data of
job candidates
Author : isaacfrond
Score : 136 points
Date : 2023-05-10 14:37 UTC (8 hours ago)
(HTM) web link (fortune.com)
(TXT) w3m dump (fortune.com)
| justinclift wrote:
| https://archive.is/jhpB1
| erosenbe0 wrote:
| In the US you have to keep certain records for EEOC purposes and
| if an applicant comes back within the statute of limitations with
| such claims, you need supporting documentation. Four weeks is
| definitely not customary.
| [deleted]
| jruohonen wrote:
| "Maslouh was last year a 34-year old employee of Randstad, which
| was contracted by Google to identify potential job candidates and
| enter their publicly available information--derived from services
| such as LinkedIn--into gHire, Google's applicant tracking
| system."
|
| At this point it is probably well-presumed that LinkedIn leaks to
| who-knows-where. Therefore, the real punchline is:
|
| "When he accessed the system with authorization, Maslouh noticed
| the excessive age of some of the European personal data within
| it, and also noted that many of the records for so-called passive
| applicants--who had not actively applied to Google--showed no
| evidence of Google ever having reached out to them. Many of these
| individuals were listed as working for organizations such as
| Interpol, the CIA, the U.K. Home Office, the European Parliament,
| and the U.S. Securities and Exchange Commission."
|
| I've always wondered at the apparent gullibility of people who
| should probably know better, including those working at, say,
| INTERPOL. That said, the CIA stuff is presumably fake, given the
| huge amount of fake personas curated in LinkedIn over the decades
| for all kinds of nefarious purposes.
| Macha wrote:
| Amazon has gotten contact addresses for me from Gravatar being
| hacked, so it's not just a matter of "you should have known
| linkedin will share with anyone". Recruiters, even at major
| tech companies, are very don't ask don't tell with the vendors
| that will get them direct contact details for an extra couple
| of percent in response rate.
| reaperducer wrote:
| _Amazon has gotten contact addresses for me from Gravatar
| being hacked, so it's not just a matter of "you should have
| known linkedin will share with anyone"._
|
| My cat gets spam to his facebook-catname@example.com address.
|
| I created the address to segregate his mail from mine. It was
| only used to sign up for his Facebook account.
|
| The cat is long dead, but he still gets spam from whomever
| Facebook sold/leaked/trusted partnered his information to.
| randominversion wrote:
| "Maslouh was last year a 34-year old employee of Randstad,
| which was contracted by Google to identify potential job
| candidates and enter their publicly available information--
| derived from services such as LinkedIn--into gHire, Google's
| applicant tracking system."
|
| GDPR defines that it does not apply to individuals for "purely
| personal or household activity and thus with no connection to a
| professional or commercial activity."
|
| Now if you check the LinkedIn T&Cs your LinkedIn account is
| your _personal_ account, e.g. it is not your employer's account.
|
| So anyone using their (personal) LinkedIn account in the course
| of their job (or other professional/commercial activity) is
| then potentially subject to GDPR.
|
| In the case of Maslouh, based in London, performing work for
| his employer, Randstad, who themselves were hired to do this
| work for Google presents a problem with respect to GDPR and
| his/their "processing" of people's personal data from LinkedIn.
|
| Basically it seems that Maslouh is acting at the very least as
| a Data Processor (and perhaps likely as a Data Controller
| himself in which case he must register with UK ICO and pay the
| annual fee) by retrieving personal data from LinkedIn using his
| own account and then transferring that personal data into
| Google's gHire system.
|
| If Maslouh had used a Randstad LinkedIn account to do so then
| he personally wouldn't be directly affected by GDPR, though
| Randstad would - however LinkedIn AFAIK do _not_ offer company
| accounts at all (rather they provide mechanisms for companies to
| pay for features that specified individuals' accounts can
| access).
|
| So does Maslouh have a contract in place with Randstad for him
| to act as a Data Processor for Randstad? Does Randstad have a
| Data Processor contract in place with Google which indicates
| that Maslouh is a sub-Data Processor?
|
| I raised this fundamental GDPR-related issue of LinkedIn
| accounts being personal accounts and the implications for
| recruitment people (both employees of a company and also
| "contractors" of recruitment agencies) with the UK ICO when
| they had a "Future of Recruitment" consultation (last year?
| 2021?). The published ICO consultation document from memory
| made a vague passing reference to LinkedIn-related implications
| not currently considered.
| Macha wrote:
| LinkedIn defining an account as a personal account does not
| have any bearing on whether the activities someone performs
| with that account are their personal activities or their
| employer's business activities in terms of GDPR enforcement.
| randominversion wrote:
| It means someone is using their own LinkedIn account, not
| their employer's - in the same way that there are
| implications if you use your own personal laptop rather
| than a company laptop (i.e. where personal data is stored)
| or your own personal email account rather than a company
| email account...
|
| The individual's account is giving them access to view and
| copy other people's personal data on LinkedIn...
| jwestbury wrote:
| > That said, the CIA stuff is presumably fake, given the huge
| amount of fake personas curated in LinkedIn over the decades
| for all kinds of nefarious purposes.
|
| Plenty of people have open employment with the CIA. They likely
| need to get specific approval to post that on LinkedIn, but I
| guarantee many of them are real.
|
| Source: Previously held TS/SCI clearance at an intelligence
| contractor. (I don't recommend cleared work, though, and I've
| been out of that world for years, thank God.)
| jruohonen wrote:
| Sure: plenty of people all around the world are quite open
| with their work on agencies, which I think is a good thing as
| such. I am just saying that this openness probably then
| implies that the whole LinkedIn is in the databases of
| GRU/SVR, MSS/MPS/UFWD, cyber criminals, and whatnot.
|
| Thus:
|
| On one hand, I cannot say whether that matters; CVs and such
| are probably worthy of being public for most people. On the
| other hand, identity theft is an ever-increasing menace.
|
| As for fake personas in LinkedIn, there has been quite a lot
| of academic research on this topic. Though, like in social
| media, the ratio of real/fake is difficult to contemplate.
| mikeyouse wrote:
| There were some fun examples of CIA or NSA folks getting
| approval to post their roles on LinkedIn - but then adding
| far too much detail to their profile which exposed
| previously-unknown intelligence programs.
|
| From one talk when it became public in 2015:
|
| https://youtu.be/xipI-0HU010?t=371
| erosenbe0 wrote:
| If you have open employment at the CIA it is a semi-public
| record. All of the usual things apply like employment
| verification and creditors or family courts tracking down
| paychecks for garnishments. I have no idea what the social
| media policy is though.
| 666satanhimself wrote:
| [dead]
| H8crilA wrote:
| Devil's advocate: someone wants more attempts at Google's
| interviews?
| treis wrote:
| This seems a little bit hysterical for trawling LinkedIn for
| recruitment targets. Seeing that's, y'know, basically the entire
| point of LinkedIn.
| oatmeal1 wrote:
| https://archive.ph/jhpB1
| lesuorac wrote:
| > "If they cannot have a deletion process in place that is good
| enough, then why did they collect the data in the first place, if
| they knew it?" Kissler asked.
|
| It always shocks me how prevalent leaping before looking is.
| rsynnott wrote:
| Huh, a couple of years back, I got an email from [enormous tech
| company, not Google] saying that I was no longer under
| consideration for a role. This confused me at the time, as I had
| never applied to them (they did pester me on email and LinkedIn a
| bit, and continued to do so on LinkedIn even after this email)
| but I wonder in retrospect did someone realise "hey, this data
| might be a bit GDPR-y" when looking at scraped data and choose
| the wrong option when removing it...
___________________________________________________________________
(page generated 2023-05-10 23:01 UTC)