Just a few days ago, LinkedIn introduced a new feature called “Intro”: a series of technological hacks that displays a bar featuring the LinkedIn profile of anyone who communicates with you through email. As a long-time user of Rapportive, an add-on that shows you the LinkedIn account, Twitter feed, and the last few posts a contact has made across other social media properties, even I was excited about it.
Until I spent some time digging around their engineering blog, that is.
To add that little bar to your mobile email account, all you have to do is set up “Intro”, and all incoming email to that account will be scanned by LinkedIn’s proxy server. When a match for the sender is found, their profile appears inside the email. Because nothing could possibly go wrong with letting a third party access and scan all of your emails and insert a little bit of HTML/CSS in there to make it easier to connect on a social network, right? It’s covered by their privacy policy, guys!
Wrong.
Email is already a flawed system, but this opens it up to even more insanity. If you link your personal email account to Intro, all of your personal emails (financial information! private communication! online account info!) will be flowing through LinkedIn’s servers. If you link your professional email account to Intro, all of your professional information (trade secrets, contracts, information subject to confidentiality laws and agreements) will be flowing through LinkedIn’s servers. While their privacy policy says that this information won’t be used, blah blah blah… their privacy policy doesn’t specify how exactly they will do the right thing by their users, and their privacy policy doesn’t stop third parties from mounting attacks on their servers and databases to compromise your data, either.
“Oh noes!” you’re probably thinking, “here she goes with hackers again!” And you’re not wrong. LinkedIn’s security record isn’t great, and user data has been compromised numerous times. Sorry guys, your track record is nowhere near stellar enough to be worthy of access to the goings-on of millions of inboxes.
We already know that email isn’t a secure method of communication: it can be cracked, hacked, manipulated and pulled apart in no time. We know that Gmail scans accounts to better place ads. We know that our email accounts are under daily attack from spammers, phishers, and all kinds of other sources attempting to gain access to our machines and personal information. But at a time when numerous widespread surveillance operations on online behavior come to light every day, any service that wants to route your email through a proxy server and scan it should creep you the hell out.
Three words of advice about LinkedIn’s new “Intro” feature: don’t do it!
And if you don’t believe me, here is a great post from a security researcher about why using this new LinkedIn feature is a terrible, terrible idea.