Someone Used My Email for Their LinkedIn
Posted on :: rant story

I don't know if this is something that everyone gets from time to time, but I do.

You'll get an email for verification to a website you didn't sign up for. Usually, you just ignore the email and nothing comes of it. After all, if the email is unverified, they shouldn't use it for anything, right?

Image of email verification code from LinkedIn

Personal information redacted

Some of the emails I'm sharing I've altered only enough to remove any names, unique links, or otherwise identifiable things. I want to stress that the individual that used my email almost certainly did so with no malicious intent and it was just a typo. I don't blame them one bit.

Now, I don't speak this language, but popping it into Kagi I find that it's Indonesian. The verification email came to an old gmail address I haven't used in many years. I still have its mail being checked by Thunderbird, but generally I don't expect to get any email at that address. Obviously someone had registered a new LinkedIn account using my email address.

As I said, I simply ignored this email figuring that, because I clicked no link or verified that email, I wouldn't hear any more from it.

I was wrong.

Notification Emails

Anyone familiar with LinkedIn knows that, without changes to your notification preferences, LinkedIn loves to email you with trash.

Emails from LinkedIn to unwanted email address

All of these emails were sent to the email address that was never verified.

Just block them?

I'm far to petty for that.

Trying to stop them

I first tried by clicking the "Unsubscribe" link in the email. However, this brought me to a LinkedIn login page. As the account the email address was now tied to is not mine, I had no way to "log in" to this account to change my notification settings.

I next attempted to contact them through their documented support steps. This is already a frustrating hurdle because all methods of contacting LinkedIn support requires you be logged into an account. They offer no other way to contact them (at least publicly documented that I could locate).

Now I, begrudgingly, have a LinkedIn account. So I sign in and start a live chat. This live chat is very obviously an LLM which is unable to assist me in any way and immediately tells me this and directs me to open a ticket. Sadly I have no screenshots of this, so you'll have to take my word for it.

I open a ticket stating the simple issue that there's an email address I own that someone else used and I'd like it removed from their system.

This is the response I got.

Initial response email from LinkedIn asking for confirmation

I figured this was a good sign, they simply wanted to verify with an email response that I wanted to be removed. I responded simply enough.

My response to LinkedIn confirming removal

The response I got back made my jaw drop.

LinkedIn verification

Email from LinkedIn requesting personal information to stop emailing me

LinkedIn responded by stating that, in order to stop sending me emails, they required either:

  • A scanned image of my government issued ID
  • A notarized affidavit of my identity

To say I was shocked at the audacity to even ask for this information is an understatement.

Now, I'm a person who respects my own privacy as well as knows my rights. Asking for this information when you've received a request to stop communication isn't just inappropriate, it's illegal.

Legality of requesting this information

The United States has a law on the books referred to as the CAN-SPAM Act, codified in 15 U.S.C §§ 7701-7713

Under the CAN-SPAM act, you have the right to opt out of marketing and solicitation emails in a simple way. This is why you see those "unsubscribe" links at the bottom of all those spam emails you get - and why LinkedIn's requirement to log in to use that link is unacceptable.

Now, I'm not a lawyer and I'm not going to read the US code version of the law and try to convey it. However, the FTC publishes a very nice article on guidance for businesses to be in compliance with the law. Specifically, I want to direct attention to this section:

Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

CAN-SPAM Act: A Compliance Guide for Business

The guidance is very clear. If you've received notice, either by an email reply or visiting an unsubscribe page, that the account holder wishes to stop receiving emails you must comply within 10 business days. There is no exception for this. The guidance clearly directs that the company cannot request any additional personal information.

My response to LinkedIn's request for personal information

Finally I received the response I was looking for.

LinkedIn final response

Final thoughts

While I got my desired outcome in the end, what prompted me to make this post was LinkedIn's request for personal information.

Had I not known my rights, I would have been left with the options of:

  • Deal with continuing to get these emails forever
    OR
  • Handing over personal information to LinkedIn

I think of how many people accept what a large company tells them about what they must do. They speak very confidently that "in order for <x> to happen, you must do <y>" and this imbalance of power leaves you vulnerable to companies who will take advantage.

Table of Contents