LinkedIn Privacy Audit — What Microsoft Knows About You

// TARGET: LinkedIn Corporation (Microsoft subsidiary)

Audit level: comprehensive · Risk score: 8/10

   +-----------------------------------+
   |  LINKEDIN CORPORATION             |
   |  Founded:   2003 (Mountain View)  |
   |  Acquired:  2016 by Microsoft     |
   |  Deal:      $26.2B cash           |
   |  Users:     1.2B+ accounts        |
   |  Active:    ~280M MAU (est.)      |
   |  HQ:        Sunnyvale, CA         |
   |  Parent HQ: Redmond, WA           |
   |  Ireland:   EU data controller    |
   +-----------------------------------+

LinkedIn is the most data-dense professional network in existence. It collects more about you, infers more from that collection, and retains it longer than any alternative covered in this audit. If privacy is a primary concern, this platform sits at the far end of the spectrum.

section_01 — what is collected

Direct collection

When you fill out a LinkedIn profile, you explicitly hand over more career and personal information than any other commonly-used platform requests. The profile wasn't designed as a resume — it was designed as a dataset. Each field is monetizable signal.

Identity

Full legal name, profile photo, headline, headshot resolution (hi-res images requested for recruiter search)

Birth / age proxy

Graduation year (derives birth decade with high confidence), career-start year

Location

City, country, relocation willingness, plus IP-based real-time location on every visit

Employment history

Every title, employer, date range, job description. Continuous timeline from first job onward.

Education

Every degree, institution, dates, activities, honors

Skills

Self-declared skills plus peer endorsements (social graph signal)

Network graph

Every connection, their connections, who accepted your requests, who ignored them — a rich bipartite graph of your professional world

Messaging

All inbox content, read receipts, typing indicators, attachments

Posts & engagement

Everything you publish, every like / comment / reshare, dwell time on each post in your feed

Searches

Every query you enter — including those that reveal intent (job titles you want, companies you're researching, names of people you investigate)

Device signals

Device fingerprint, OS, browser, language, timezone, approximate geolocation via IP, app install ID on mobile

Off-platform tracking

Third-party sites with LinkedIn Insight Tag see you even when you're not on linkedin.com (pixel-based tracking)

Inferred from collection

The raw inputs above are not the whole picture. LinkedIn's ad products and recruiter tools let advertisers target on inferred attributes — things you never directly told the platform, but which the platform's models confidently derive:

Seniority level, approximate salary band, decision-making authority
Job-change probability in the next 90 days (a real product feature)
Political / ideological leanings (inferred from content you engage with)
Life stage events — parenthood, marriage, relocation planning
Companies you're secretly interviewing at (via profile views in both directions)
Your rough compensation (from role + tenure + location + company)

section_02 — who sees it

Primary access tiers

Tier	Sees what	Authorization
Public viewers	Name, headline, profile photo (based on your privacy settings)	None — anyone on the web, including search engines
Logged-in LinkedIn users	Most profile fields, connections count, recent posts	Free account is sufficient
1st-degree connections	Full contact info (if you exposed it), full activity history	You accepted them
Recruiter / Recruiter Lite	You appear in searches by industry, skills, seniority, location, school, and current/past employer filters	$170–$900+/mo subscription
Sales Navigator	Your company, role, recent activity — for outbound lead targeting	$119.99–$159.99/mo
LinkedIn (internal)	Everything	Employment at LinkedIn or Microsoft under data-access policies
Microsoft (parent)	Access level varies by jurisdiction; significant for US accounts	Intra-company data sharing agreements
Advertisers (aggregated)	Targeting is by attribute/audience, not by name — but unique audiences can effectively de-anonymize	LinkedIn Ads account
Governments	Per lawful access requests; LinkedIn publishes a transparency report	Subpoena, court order, or equivalent
AI training partners	Aggregated and (per LinkedIn) anonymized data may be licensed	Per updated 2024 privacy policy; regional opt-outs exist

The AI training question

In late 2024, LinkedIn updated its privacy policy with language explicitly covering the use of user content to train generative AI models. According to the company, data is aggregated and anonymized before being used for training or licensed externally. According to privacy advocates, the policy change was buried in dense legalese and most users never saw it.

If you're in the EU, UK, or a handful of other regions, LinkedIn had to offer an opt-out and pause training while the regulatory situation clarified. If you're in the US, the default is opt-in. The setting is under Settings > Data privacy > Data for Generative AI improvement. Flip it off if you haven't already.

section_03 — jurisdiction

Where your data physically lives

For most US users, data is processed in the United States. For EU users, LinkedIn Ireland Unlimited Company is the data controller, with primary processing in EU data centers — but data may flow to the US for certain operations under Standard Contractual Clauses. Microsoft's status under the US CLOUD Act creates a known tension point: US law can compel disclosure of data held by US-owned companies, even when that data is physically stored in the EU.

For German data protection authorities, this is an active concern, particularly for organizations in regulated sectors (public bodies, healthcare, legal). The €310M fine issued by the Irish DPC in October 2024 centered on consent mechanisms for behavioral advertising — the authority found LinkedIn had not established a valid legal basis for processing personal data for targeted ads.

section_04 — history

Breaches, fines, and incidents

2012 — 6.5 million hashed passwords leaked (later revised to 117M+). Hash algorithm was unsalted SHA-1. Affected accounts' credentials were reused across the web for years.
2021 — Scraped data on 500M+ LinkedIn users posted for sale on a hacker forum. LinkedIn characterized it as a compilation of publicly visible data, not a breach. The distinction matters legally, not practically.
2023 — Researchers at vpnMentor reported exposed data aggregated from 700M+ profiles circulating on the dark web. Same mechanism: large-scale profile scraping.
October 2024 — Irish DPC imposes €310 million fine. Largest single action against the platform to date.
Late 2024 — Privacy policy updated to cover AI training on user data. Regional opt-out required for EU/UK.
2025–2026 — Continued pressure from EU regulators on data-transfer mechanisms post-Schrems II. Market analysts now model AI training data as a revenue line for LinkedIn.

section_05 — what to do

If you keep using LinkedIn (most people will)

Complete avoidance isn't realistic for most careers. Harm reduction is. The following settings changes take ten minutes and materially shrink your exposure:

Turn off Data for Generative AI improvement if your region's policy allows it
Set profile visibility to Your connections or Your network for anyone not actively job-searching
Disable Profile discovery via email address and via phone number unless you need recruiter inbound
Turn off Research surveys and Partner advertisers
Revoke third-party apps you authorized years ago and forgot about (Settings > Data privacy > Other applications)
Disable read receipts and typing indicators — they're metadata leaks with no user benefit
Browse in private / incognito mode when researching companies or people you don't want notified
Separate job-search activity into a dedicated browser profile with its own cookie jar

If you want to leave

Request a full data export first: Settings > Data privacy > Get a copy of your data. Download everything — not just the profile. Then you can close the account. Note that deletion is permanent after the grace period and your connections lose contact info they had through you. Consider switching your primary professional URL to a personal domain before deleting.

Risk score: 8/10

1.2B+ users Microsoft-owned €310M GDPR fine (2024) AI training enabled by default (US) Off-platform tracking Multiple historical breaches Data export available Granular settings exist

LinkedIn is the default professional network for a reason — the network-effect moat is enormous and probably insurmountable. That same moat means it can get away with data practices that would sink a smaller platform. You are not the customer here; advertisers, recruiters, and soon AI labs are the customers. Whether that tradeoff is worth it depends on what your career needs. For most people it is — but go in with your eyes open and lock down the settings today.

next: audit_blind next: audit_xing full matrix report