Don't trust a company on its word, trust it on its tech

Should we trust that LinkedIn won't do anything bad when we give it our email account credentials? The better question is: Why on Earth are we even doing that in the first place?!
Written by Michael Lee, Contributor

Give me all of your emails and I'll tell you something about the people involved. In fact, give me your account password and username, so I can do it myself. I'll even change your settings on your phone so all your emails go through me first. It's OK, trust me, I pledge I'll look after your privacy. Except for that time where I lost everyone's passwords.

If this sounds sketchy, it's because it is. But it's also a fairly accurate representation of what LinkedIn is doing with its new Intro product. It is the company's equivalent of Rapportive (which it acquired last year) for iOS.

While the Rapportive plugin can take an HTTP request and modify it in-browser to show information from LinkedIn about the people in your emails, doing this in iOS is not quite possible, due to how the native Mail application works.

Other providers wishing to add more functionality to email have simply written their own apps. Google, for example, has its own Gmail app so that profile pictures can be shown and to enable users to interact with Google Calendar.

LinkedIn's approach has been outside of the app, however. The user is prompted to hand over their email account credentials, and these are used to create a new configuration profile for their device. The profile creates a new email account, but instead of pointing to a user's actual account, it is pointed to LinkedIn's proxy server.

This means that any time a user attempts to check their mail with the new settings, they are actually querying LinkedIn's proxy server for their mail. LinkedIn's proxy server then logs into the user's actual provider using the credentials provided, and fetches their email. This should be verifiable by checking the last login or the active sessions feature available in some email providers.

LinkedIn's proxy server then modifies the email sent back to the device to display profile information about those in the email.
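
The redirection described above is visible in the configuration profile itself. As an added example (not LinkedIn's code or anything from the original article), the sketch below parses an unsigned `.mobileconfig` and flags mail account payloads whose server hostnames fall outside the domains of the user's own provider. The sample profile, the `imap.proxy.example` host and the `EXPECTED_HOSTS` allowlist are constructed assumptions.

```python
import plistlib

# Assumption: hostname suffixes the user's real provider serves mail from.
EXPECTED_HOSTS = {
    "gmail.com": ("gmail.com", "googlemail.com"),
    "yahoo.com": ("yahoo.com",),
}

# Constructed sample profile; imap.proxy.example is a placeholder proxy host.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>alice@gmail.com</string>
      <key>IncomingMailServerHostName</key><string>imap.proxy.example</string>
      <key>OutgoingMailServerHostName</key><string>smtp.gmail.com</string>
    </dict>
  </array>
</dict></plist>"""

def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, one of the suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_profile(data):
    """Return (email, key, host) for each mail server outside the provider's domains."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue  # only mail account payloads are of interest here
        email = payload.get("EmailAddress", "")
        domain = email.rpartition("@")[2].lower()
        # Unknown providers fall back to the address's own domain.
        suffixes = EXPECTED_HOSTS.get(domain, (domain,))
        for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
            host = payload.get(key)
            if host and not host_matches(host, suffixes):
                findings.append((email, key, host))
    return findings

if __name__ == "__main__":
    for email, key, host in audit_profile(SAMPLE_PROFILE):
        print(f"{email}: {key} points to {host}")
```

Profiles distributed in signed form need their signature wrapper removed before parsing, and addresses on custom domains need their provider's hostnames added to the allowlist.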

It also means that LinkedIn has access to the content of your email, and any other services that your credentials might be valid for. For example, because Google uses a single username and password across all of its services, LinkedIn could potentially have access to a user's Google+ page, calendar, location history, and other such tied-in services.

LinkedIn has not disclosed whether its Intro service would work if a user has enabled two-factor authentication on their email service. Google, for example, has a modified login challenge when logging in via the IMAP protocol (which Intro uses to fetch mail). Yahoo's two-factor system can be circumvented completely due to how it is implemented.

Although LinkedIn potentially has the ability to do pretty much anything it wants with your emails, its measure to protect users comes in the form of a pledge not to. It says it will never store emails, although it may cache them temporarily, and the servers will be monitored against unauthorised access.

What LinkedIn does gain from customers using its proxy server is an idea of who to suggest to build their network. If a LinkedIn user receives an email from someone who isn't in their network, the company takes the communication as a sign that you may know them, and might suggest connecting with them on its website and mobile app.

I don't actually blame LinkedIn for its controversial approach to increasing functionality. What I think is sad is that although there are more secure ways of doing this, they aren't convenient. And it's that inconvenience that leads companies like LinkedIn to ask their customers to trust them, rather than show that they have an app or a system that ensures information can't be misused or is not even placed at increased risk in the first place.

Securing information should be done with proper checks and balances, not with well-intended promises, but that's what is happening with increasing frequency.

Users hand over the keys to their accounts so that companies can import or export their contacts — never mind the fact that it should be technically possible to export your data yourself and never allow them to touch your account. On Android, many apps ask for overarching permissions, but we just have to trust that the developer is not actually doing anything bad.

And even if users trust in a brand, or understand that companies also don't want your data to be abused, that doesn't do anything when it's discovered that the National Security Agency thought it would be a good idea to tap into a proxy server that users' email is conveniently bottlenecked into.

These practices may be more convenient, but they slowly erode good security practices. We're telling mums and dads to never, ever give a third party their credentials, but it's difficult to convince them of that when the very companies meant to be doing the right thing don't do so themselves.
