Machine Learning False Positive

Amy and I decided a few months ago that broadening the horizons of kegomatic.com might motivate us to start writing new content more consistently. I have chosen to interpret this statement to mean that if these posts impelled someone to consume at least one beer at some point, it was well within the legitimate purview of kegomatic.com. The particular experience that I am about to relate involved me drinking beer a) to enable me to more effectively contemplate the ridiculousness of the situation and b) to celebrate once it came to a satisfactory resolution.

Wednesday 1 May 2019 marked the following notable events:

  • May Day or International Workers Day, a public holiday in many countries outside the USA and Canada akin to Labor Day.
  • Emperor Naruhito of Japan ascended to the throne following the abdication of his father Emperor Akihito the day prior.
  • LinkedIn decided that I was a Bad Actor of the Internet and suspended my account for “potential violations to the terms of service.”

Since May Day is not a holiday in the US, I was at the office as usual, although my colleagues in Manufacturing in Penang, Malaysia, who I had visited the week prior, had the opportunity to observe International Workers Day by…not working.

I mention Japan because on the way back home to San Francisco from Penang, I stopped over there for a quick visit. I took full advantage of my Japan Rail Pass to explore Tokyo, Kyoto, and Osaka. Quanttux the Polyester Penguin enjoyed taking in the view of Mt. Fuji from the Shinkansen.

Getting to Japan involved a scheduled 8-hour layover in Hong Kong, which in reality was closer to 10 hours after accounting for incoming flight delays. While killing time in the Terminal 1 Plaza Premium Lounge near Gate 40 [Pro Tip: the lounge near Gate 1 always seems to have a really long line, so try decamping to the other one because many people are lazy and don’t want to walk that far], I received an email from my brother informing me that he had been the recipient of one of these infernal sextortion Bitcoin scam emails and asked for advice. Courtesy of a haveibeenpwned search, he ascertained that his login credentials had been one of the 164M exposed in the May 2016 breach:

LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Lovely.

I responded: “Ignore it, change your password, and don’t use the same password for multiple accounts.” After dispensing this snippet of Internet security wisdom to my younger sibling, I decided to take my own advice. I spent the next hour using Dashlane to change all of my easily guessable and/or repeated passwords while connected over Express VPN, which I routinely use when on public WiFi networks while traveling.

Another pertinent fact: recently, I’ve been logging on to LinkedIn much more regularly than I typically do. My company has reorganized and decided to shut down R&D operations in Silicon Valley, which will make it impossible in the near future for my R&D team to continue to work together. This new reality is horribly depressing, but it also presents an opportunity to pursue something new and different. But first things first. LinkedIn is quite a helpful tool for both candidates and employers to do some initial screening. One’s profile and connections go a long way in convincing total strangers that one is an upstanding, experienced, capable, well-educated professional and not a sociopathic, nefarious bottom-dweller.

So imagine my dismay when I attempted to log on to my LinkedIn account and was greeted by the dreaded “Your account has been restricted” screen. I like to think I care less than most people what others think of me, but in this particular instance, I did care quite a bit. Heaven forfend a recruiter or a hiring manager at a company at which I might be interested in interviewing might think that I engaged in socially unacceptable LinkedIn behaviors like carpet-bombing random strangers with invitations to connect or fabricating false credentials in my profile! I dutifully followed the instructions to upload the front and back of my driver’s license and crossed my fingers.

Three hours later, I received the following response:

Hi Robin,

Thanks for contacting us. 

The security of your account is one of our top priorities. We’ve suspended your account temporarily to verify you’ve performed the following actions 

* Have you accessed your account from another country (IE – Traveling, Business trip, etc.)? 

* Have you authorized a 3rd party (Assistant, Virtual Assistant, etc.) to access your account?

* Have you accessed your account through a VPN (Virtual Private Network) or Proxy Server?

* Did you make recent updates to your profile, such as adding an email & phone number?

I want to help you gain access back to your account as quickly as possible. Please reply to this message at your earliest convenience with your responses to the questions above. I look forward to hearing from you.

Regards,
Ella
LinkedIn Safety Operations Support Specialist

Well, OK. Fraud detection false positive. So I set about convincing Ella that I am not in fact a Bad Person:

Hi Ella. Thank you very much for the prompt response– much appreciated. It definitely looks like this situation is a Machine Learning False Positive.

Here are my answers to your questions: 

1) Yes. I was in Penang, Malaysia, on business from <Start Date> to <End Date>. I flew there via Hong Kong both ways. (My current company has a manufacturing facility in Penang.) On <Travel Date>, I had an extended layover in Hong Kong en route to Tokyo. I accessed LinkedIn from a HKG Airport lounge that day. My visit to Japan was for a few days of vacation on the way back. I was in Tokyo on <Day 1>, Kyoto on <Day 2>, Osaka on <Day 3>, and then back in Tokyo to fly home to SFO via LAX on <Day 4>.

2) I do not have an assistant (virtual or human) but I do use the Dashlane password manager app and used it to generate a new, secure password on <Day 4> after I returned to the US.

3) Yes. I use Express VPN while traveling because I was connected over public wifi.

4) Yes, I added an email address <email> on <Day 4> after I got home to San Francisco at the same time I changed my password, enabled two-factor authentication, and clicked on the verification email generated by LinkedIn.

Please let me know if you need additional information to resolve this issue. I look forward to having my access restored ASAP because I am actively searching for a new job.

-Robin 

Twelve hours later, this saga ended with a positive outcome:

Hi Robin,

Thank you for answering our questions with great detail, much appreciated.

LinkedIn takes a proactive position when it comes to the security of our members’ accounts. In order to safeguard your account from unauthorized access, we placed a temporary restriction to verify that the activity mentioned in the previous email was performed by you. We appreciate your cooperation in verifying this activity and we’ve reinstated your account. You should be able to access it right away.

We’d also recommend these best practices for your online privacy:

• Check the email addresses on your account to ensure they are current: https://www.linkedin.com/help/linkedin/answer/60
• Turn on two-step verification as an added layer of security: https://www.linkedin.com/help/linkedin/answer/544
• You can also find more tips here: https://www.linkedin.com/help/linkedin/answer/267

If you still can’t get signed in, please let me know and I’ll help you get access to your account right away. Member safety is our top priority and we take such measures to ensure the security of your account.

Thank you for using LinkedIn!

Have a great evening!!

Regards,
Ella
LinkedIn Safety Operations Support Specialist
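
The four questions in the first support email read like the signals an account-takeover detector weighs, and the answers show three of them firing for benign reasons. As an added illustration (not LinkedIn's system and not part of the original post), the rule-based scorer below uses assumed weights, an assumed threshold and an assumed challenge credit to show how stacked benign signals cross a restriction threshold, and how crediting a passed challenge on a contact already on file separates the member from an otherwise identical session.

```python
from dataclasses import dataclass

# Assumed weights, one per question in the support email (not LinkedIn's values).
WEIGHTS = {
    "foreign_country": 30,
    "third_party_access": 20,
    "vpn_or_proxy": 25,
    "contact_detail_change": 25,
}
RESTRICT_AT = 70       # assumed score at which the account is restricted
CHALLENGE_CREDIT = 50  # assumed credit for passing a challenge on a contact already on file

@dataclass(frozen=True)
class Event:
    day: int
    signals: frozenset
    challenge_passed: bool = False

def risk_score(events, window_days=7, honor_challenge=False):
    """Sum the weights of the distinct signals seen in the trailing window."""
    latest = max(e.day for e in events)
    recent = [e for e in events if latest - e.day < window_days]
    seen = set()
    for e in recent:
        seen |= e.signals
    score = sum(WEIGHTS[s] for s in seen)
    if honor_challenge and any(e.challenge_passed for e in recent):
        score = max(0, score - CHALLENGE_CREDIT)
    return score

def decision(score):
    return "restrict" if score >= RESTRICT_AT else "allow"

# Constructed timeline modelled on the author's reply (day numbers are invented).
MEMBER = [
    Event(1, frozenset({"foreign_country", "vpn_or_proxy"})),  # airport lounge, VPN
    Event(5, frozenset({"contact_detail_change"}), True),      # home: new email, challenge passed
]
# Constructed takeover-like session: same signals, no challenge passed.
INTRUDER = [
    Event(1, frozenset({"foreign_country", "vpn_or_proxy", "contact_detail_change"})),
]

if __name__ == "__main__":
    for name, events in (("member", MEMBER), ("intruder", INTRUDER)):
        for honor in (False, True):
            s = risk_score(events, honor_challenge=honor)
            print(name, f"honor_challenge={honor}", s, decision(s))
```

Without the challenge credit both timelines score the same and both are restricted, which is the false positive; with it, only the session that never passed a challenge stays restricted.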

This incident, while relatively innocuous, does represent my first direct experience with machine learning going slightly awry and pushed the larger issue of ethics in data science and technology policy up the stack inside my head. [Another, more humorous incident was when Carlos, a dual US-Mexican citizen, was not able to withdraw Mexican pesos from an ATM in Tijuana with his Bank of America debit card, whilst I did so with impunity.] Cathy O’Neil’s brilliantly titled book, The Weapons of Math Destruction, is well worth a read. We have not even come close to succeeding in mechanizing the expert judgment and moral adjudication capabilities of principled human beings and it is debatable if such an outcome is even remotely desirable.

Returning to the more prosaic matter of the newfound legitimacy of my LinkedIn account, I’ll drink to that!