- Jurisdiction
- US Federal Law
If you've lost access to your LinkedIn account due to the social network claiming that there is a possible security breach of your account, you may find yourself without access for 2-14 days or more. LinkedIn sends users whose accounts they deem potentially susceptible to a breach to a verifier called "Persona" to verify that you are the owner of the LinkedIn account. Having access to your email address, your mobile phone and LinkedIn app, your home IP address, and a verifying from a second email is apparently not sufficient verification data for LinkedIn. Given the large number of cybersecurity breaches that occur, the lesser the amount of data stored and shorter the duration is greatly desireable and prudent practice.
LinkedIn sends users to Persona, which requires a live face verification and then demands documents such as a passport and driver's license (front and back), the user's signature, and potentially other data. Since LinkedIn never had this data to match and confirm, one may wonder why it is necessary. I looked at the LinkedIn terms and privacy policy and Persona privacy policy and will provide excerpts here.
LinkedIn's help section states:
So they aren't guaranteeing that your data is deleted within 14 days, but imply that it's likely. It's also not clear what data they would be keeping from your driver's license or passport for "fraud prevention purposes." The policy continues describing what Persona will require you to provide, in addition to taking live photos of your face, front and profile from each side.
Why six months for what should be an instantaneous, one time process? This is unclear, but I did notice that Persona has a "Reusable Persona" business where it appears to store customer biometric information so that it can be used for identification verification elsewhere. The following are excerpts from Persona's privacy policy.
If this is applicable as it seems it may be, three years is a very long time to retain data for a one time transaction. It's challenging to ascertain exactly what the duration is that data provided through this verification service is stored.
The privacy policy is longer and mentions that "Personal Data" may be used for a myriad of different purposes, including marketing, communicaitons, personalization, advertising, etc. As to exactly how all of this is applicable is beyond the scope of this short post.
If you don't want to use Persona, LinkedIn gives you an affidavit option and potentially also a work email option, but such may require request.
These alternative types of verification require special request from LinkedIn, assuming you've been able to find ways to contact customer support. I'll report back when I can determine exactly how long it will take to recover an account using an affidavit option or work email. In the meanwhile, LinkedIn users should hope that they are never placed in the awkward position of being locked out of their accounts due to alleged security concerns.
LinkedIn sends users to Persona, which requires a live face verification and then demands documents such as a passport and driver's license (front and back), the user's signature, and potentially other data. Since LinkedIn never had this data to match and confirm, one may wonder why it is necessary. I looked at the LinkedIn terms and privacy policy and Persona privacy policy and will provide excerpts here.
LinkedIn's help section states:
LinkedIn processes this data for the purpose of account recovery and retains it only while your account issues are being resolved. They're generally permanently deleted within 14 days of submission. We may retain non-identifying data about your ID for fraud prevention purposes. You can read our privacy policy here.
So they aren't guaranteeing that your data is deleted within 14 days, but imply that it's likely. It's also not clear what data they would be keeping from your driver's license or passport for "fraud prevention purposes." The policy continues describing what Persona will require you to provide, in addition to taking live photos of your face, front and profile from each side.
Persona will ask for your permission to send the following data to LinkedIn:
- Verification result
- Full name
- Year of birth
- City, state/province, country
- ID type and issuer
- Redacted copy of ID, with only the full name and face portrait being visible
Why six months for what should be an instantaneous, one time process? This is unclear, but I did notice that Persona has a "Reusable Persona" business where it appears to store customer biometric information so that it can be used for identification verification elsewhere. The following are excerpts from Persona's privacy policy.
This section describes how Persona treats scans of facial geometry extracted from photos...
Persona will permanently destroy data from scans of facial geometry extracted from the photos of your face that you upload upon completion of Verification or within three years of your last interaction with Persona, consistent with the Customer's instructions unless Persona is otherwise required by law or legal process to retain the data.
Persona's third-party vendors may have access to the data from scans of facial geometry extracted from the photos of your face that you upload to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored.
Persona will permanently destroy data from scans of facial geometry extracted from the photos of your face that you upload upon completion of Verification or within three years of your last interaction with Persona, consistent with the Customer's instructions unless Persona is otherwise required by law or legal process to retain the data.
Persona's third-party vendors may have access to the data from scans of facial geometry extracted from the photos of your face that you upload to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored.
If this is applicable as it seems it may be, three years is a very long time to retain data for a one time transaction. It's challenging to ascertain exactly what the duration is that data provided through this verification service is stored.
The privacy policy is longer and mentions that "Personal Data" may be used for a myriad of different purposes, including marketing, communicaitons, personalization, advertising, etc. As to exactly how all of this is applicable is beyond the scope of this short post.
If you don't want to use Persona, LinkedIn gives you an affidavit option and potentially also a work email option, but such may require request.
Through an Affidavit of Identity
If you don't wish to provide your ID, you can print the Affidavit of Identity and sign before a Notary Public. Once notarized, this form can be scanned and attached in your support case.
Through a work email address
If the job currently listed on your profile is up-to-date and accurate, you may be asked to verify your identity using the work email address associated with this company.
The work email you provide will only be used for the purpose of your account recovery and won't be added to your account.
If you don't wish to provide your ID, you can print the Affidavit of Identity and sign before a Notary Public. Once notarized, this form can be scanned and attached in your support case.
Through a work email address
If the job currently listed on your profile is up-to-date and accurate, you may be asked to verify your identity using the work email address associated with this company.
The work email you provide will only be used for the purpose of your account recovery and won't be added to your account.
These alternative types of verification require special request from LinkedIn, assuming you've been able to find ways to contact customer support. I'll report back when I can determine exactly how long it will take to recover an account using an affidavit option or work email. In the meanwhile, LinkedIn users should hope that they are never placed in the awkward position of being locked out of their accounts due to alleged security concerns.
