Don't trust a company on its word, trust it on its tech

Don't trust a company on its word, trust it on its tech

Summary: Should we trust that LinkedIn won't do anything bad when we give it our email account credentials? The better question is: Why on Earth are we even doing that in the first place?!

SHARE:

Give me all of your emails and I'll tell you something about the people involved. In fact, give me your account password and username, so I can do it myself. I'll even change your settings on your phone so all your emails go through me first. It's OK, trust me, I pledge I'll look after your privacy. Except for that time where I lost everyone's passwords.

If this sounds sketchy, it's because it is. But it's also a fairly accurate representation of what LinkedIn is doing with its new Intro product. It is the company's equivalent of Rapportive (which it acquired last year) for iOS.

While the Rapportive plugin can take an HTTP request and modify it in-browser to show information from LinkedIn about the people in your emails, doing this in iOS is not quite possible, due to how the native Mail application works.

Other providers wishing to add more functionality to email have simply written their own apps. Google, for example, has its own Gmail app so that profile pictures can be shown and to enable users to interact with Google Calendar.

LinkedIn's approach has been outside of the app, however. The user is prompted to hand over their email account credentials, and these are used to create a new configuration profile for their device. The profile creates a new email account, but instead of pointing to a user's actual account, it is pointed to LinkedIn's proxy server.

This means that any time a user attempts to check their mail with the new settings, they are actually querying LinkedIn's proxy server for their mail. LinkedIn's proxy server then logs into the user's actual provider using the credentials provided, and fetches their email. This should be verifiable by checking the last login or the active sessions feature available in some email providers.

LinkedIn's proxy server then modifies the email sent back to the device to display profile information about those in the email.

It also means that LinkedIn has access to the content of your email, and any other services that your credentials might be valid for. For example, because Google uses a single username and password across all of its services, LinkedIn could potentially have access to a user's Google+ page, calendar, location history, and other such tied-in services.

LinkedIn has not disclosed whether its Intro service would work if a user has enabled two-factor authentication on their email service. Google, for example, has a modified login challenge when logging in via the IMAP protocol (which Intro uses to fetch mail). Yahoo's two-factor system can be circumvented completely due to how it is implemented.

Although LinkedIn potentially has the ability to do pretty much anything it wants with your emails, its measure to protect users comes in the form of a pledge not to. It says it will never store emails, although it may cache them temporarily, and the servers will be monitored against unauthorised access.

What LinkedIn does gain from customers using its proxy server is an idea of who to suggest to build their network. If a LinkedIn user receives an email from someone who isn't in their network, the company takes the communication as a sign that you may know them, and might suggest connecting with them on its website and mobile app.

I don't actually blame LinkedIn for its controversial approach to increasing functionality. What I think is sad is that although there are more secure ways of doing this, they aren't convenient. And it's that inconvenience leading companies like LinkedIn to ask their customers to trust them, rather than show that they have app or a system that ensures information can't be misused or is not even placed at increased risk in the first place.

Securing information should be done with proper checks and balances, not with well-intended promises, but that's what is happening with increasing frequency.

Users hand over the keys to their accounts so that companies can import or export their contacts — never mind the fact that it should be technically possible to export your data yourself and never allow them to touch your account. On Android, many apps ask for overarching permissions, but we just have to trust that the developer is not actually doing anything bad.

And even if users trust in a brand, or understand that companies also don't want your data to be abused, that doesn't do anything when it's discovered that the National Security Agency thought it would be a good idea to tap into a proxy server that conveniently bottlenecks users email into.

These practices may be more convenient, but they slowly erode good security practices. We're telling mums and dads to never, ever give a third party their credentials, but it's difficult to convince them of that when the very companies meant to be doing the right thing don't do so themselves.

Topics: Security, Privacy, Social Enterprise

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • Policies are Vapor Ware

    The proof is in the technology. The EU has shown that live tests of technology that was negotiated with Google to solve some competition issues mean more than a bunch of ambiguous words that may not mean the same thing in French, German, Italian or Lithuanian that they do in English.
    jnffarrell
    • Like the old Soviet Constitution

      Did you know that the Constitution of the Soviet Union guaranteed freedom of speech? Of course, it didn't specify HOW MANY TIMES you could exercise it!
      jallan32
      • Nor...

        ...did it guarantee that "disloyal" speakers would still have jobs.
        John L. Ries
  • It'll have to get worse before it gets better

    Unfortunatly, the worst is going to have to happen a few times before things get better.
    NZO893
  • linkedin - don't trust them

    I love LinkedIn, but when it comes to security... Remember that not so long ago, they where not encrypting your password, and had a security breach!
    lallardin
  • "Trust their technology"

    OK, what will you do? audit their source code? millions and millions of lines ? not likely. the best option is to use open source software. you do not need social nets: e/mail works just fine and if youu are into secure mail you can implement the ENIGMAIL interface in Thunderbird to GnuPG . of course you could just check with Jim Clapper if you prefer.
    Mike~Acker