I notice patterns, and over the years, I've seen a very disturbing series of trends with various companies. LinkedIn is one of those companies. This article endeavors to lay out a timeline that explains why, in my opinion, the organization is fundamentally untrustworthy and anyone aware of these issues is a fool to use LinkedIn should they have any semblance of a choice.
A Clear Trend
Let's take a look at a rough timeline of LinkedIn's indiscretions over the years, shall we?
June 2012: 6 million accounts breached
In June of 2012, it was discovered that the SHA-1-hashed passwords of 6.5 million accounts had been breached and leaked on the dark web. For those unfamiliar with SHA-1, it's a relatively weak hashing algorithm that's long been considered a bad choice for password hashing (certainly by 2012 the industry knew better). Nonetheless, LinkedIn made the choice to use it instead of something more secure. They certainly had the budget for something better, or at the very least, for a professional security audit. Did they bother? Obviously not.
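To make the hashing point concrete, here is an added illustration (not code from the article or from LinkedIn) of why a bare, fast hash like SHA-1 is a poor password store: without a per-user salt, everyone who chose the same password gets the same stored value, so one recovered password unlocks every account sharing it. The second scheme stores each password with a random salt through a deliberately slow PBKDF2-HMAC-SHA256 derivation; the user table and the iteration count are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample user table (not real data); two users happen to share a password.
USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}


def sha1_store(password: str) -> str:
    """The weak scheme: an unsalted SHA-1 digest of the password, nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def duplicate_hashes(table: dict) -> dict:
    """Group users by stored value. With unsalted SHA-1 every shared password is
    visible at a glance: identical passwords produce identical stored hashes."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Assumed iteration count; the point is that it is large enough to make each guess slow.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_store(password: str, salt: bytes = b"") -> str:
    """Hardened scheme: a fresh 16-byte random salt per user plus PBKDF2-HMAC-SHA256.
    The salt and iteration count are stored alongside the derived key so they can
    be read back at verification time."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = {u: sha1_store(p) for u, p in USERS.items()}
    print("shared passwords exposed by unsalted SHA-1:", duplicate_hashes(weak))
    strong = {u: pbkdf2_store(p) for u, p in USERS.items()}
    print("shared passwords visible with salted PBKDF2:", duplicate_hashes(strong))
```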
Okay, everyone's had a bad day. One mistake can most certainly be forgiven - even one this large. Yeah that's bad, but at this point in time one major mistake is not enough to justify just throwing an entire platform with the market-dominating footprint of LinkedIn out the window for all time. And so on we go.
June 2012: Caught Red-Handed Spying On Your Calendar
From the same article, by CNN:
The company's mobile application was caught collecting data from users' calendars and sending it back to the company for analysis. The tool matches up information about the people users have scheduled with information from their LinkedIn profiles.
Let's unpack this small paragraph a bit more here than CNN did, because we should. Folks who installed LinkedIn's mobile application in good faith - most of them probably looking for a job and therefore economically vulnerable - were spied upon by that very application. It hoovered up all the information from their calendars and beamed it up to LinkedIn's servers, where we know they did...something...with that information that resulted in "matching up" information about meeting invitees and linking it to that person's LinkedIn account identity as a contact. So if Bob from accounting is in a meeting with you, he's now a known contact for you from LinkedIn's perspective, whether or not he's shown as a connection on LinkedIn. Their data analysis platform knows that you two have met at least once because of that calendar invite, and can intuit more information about you both from there. Perhaps you both know Sheryl in marketing, too? Given you're all between 30 and 45, work in the same building, and combined with the information we bought from 14 other data brokers, we know a LOT of things about you, your spouse, your friends, your family, and even your kids.
You can see where I'm going with this. That was ten years ago.
2013-2015: Class Action Suit Over Spam Invites
In 2013 LinkedIn was the defendant in a class-action lawsuit over its practice of automatically spamming a person's address-book contacts with LinkedIn invites via email. Ultimately the court found that users had granted permission for the first invite, but not for the two subsequent "reminder" (lol) invites. They settled for $13 million USD.
Unpacking this a little, think about how they got those email addresses in the first place. How do you get email addresses out of a user's address book? You either (a) ask permission via the mobile app, or (b) steal them out of the mobile app via a hack/exploit. Yes, the latter absolutely does exist, even today, and even on iOS (black hats call these "private exploits," and that's what products like Pegasus are based on). "Oh, but they'd never do that, which means the user must have granted access!" Well, consider that users are often manipulated or coerced into granting it, and you'll start to get a more accurate picture of how these guys operate. Can I say for certain that's how it went down in each and every case? Of course not. But imagining some dark things from these guys wouldn't put you too far off the mark, given their track record already, and this article is just getting started, folks.
Consider the trend.
May 2016: Whoops, it was way worse...
Remember those 6.5 million accounts they screwed up and leaked due to sloppy security back in 2012? Yeah, well, turns out it was actually closer to OVER ONE HUNDRED MILLION.
So, wait a second, hold up. Let's do some napkin math real quick.
100 - 6.5 = 93.5
NINETY THREE POINT FIVE MILLION is a hell of a lot of accounts to be off by. Do these guys not know simple math?!
Did they really have no idea how many user accounts were in their database at the time of the hack? Seriously? You can't grab a database replica and run
SELECT COUNT(*) FROM users WHERE badly_hashed_password IS NOT NULL;
?
But you know what's even worse? LinkedIn didn't bother admitting it until the press leaked it four years after the fact!
So either LinkedIn has to admit:
- They're too stupid to do math;
- They're too stupid to secure their own database;
- They're too crooked to be trusted.
At least one of these is absolutely, demonstrably true. They've proven it with their own actions. Given the size and market dominance of their company, option one is off the table. Given their obvious budget size, so is option two. That only leaves option three.
Clearly they hid this and hoped to get away with it, then got caught red-handed and only admitted it after the fact. Once again, people, consider the trend.
2019: hiQ vs. LinkedIn
In 2019, LinkedIn pulled the ultimate in "punching down" with a cease-and-desist against a small competitor called "hiQ", which scraped public information about companies from their LinkedIn profiles. When California's 9th Circuit found in hiQ's favor, LinkedIn went all the way to the SUPREME COURT in an effort to squash the little guy as hard as it could. SCOTUS kicked it back down to a more appropriately-scoped court, which reaffirmed that the previous decision in hiQ's favor was appropriate and correct. Thankfully, LinkedIn lost this one.
So again, consider the trend.
June 2021: 700 Million Personal Details Leaked
In June 2021, LinkedIn (or should I say LeakedIn) had the personal private details of over 700 million people - more than twice the entire population of the United States - leaked again in another data breach, including personal phone numbers and geolocation data.
Some of the information would make sense - of course LinkedIn has information on your job title, company you work for, etc. But why are they maintaining your geolocation information, physical addresses, salary information, and social media data? What the hell could they possibly need that information for? What legitimate use case could they possibly have for that, short of whoring that information out to third parties?
Absolutely none, that's what. None whatsoever.
So not only did they keep information about you that they obviously gathered on the sly without your knowledge or legitimate consent (nobody in their right mind lets LinkedIn keep a log of where they've been, physically) for the obvious sole purpose of whoring it out to who-knows-whom without your actual consent (nobody reads, or has a choice to negotiate, click through contracts, let's be honest here), but they were too damn sloppy to bother even securing it in the first place.
Again, consider the trend.
This one isn't directly LinkedIn-related, but it could have had a massive impact, and still might if you're the paranoid type or, like me, assume the worst of these companies.
Quick refresher: Microsoft acquired complete ownership of LinkedIn back in December 2016. They own it lock, stock and barrel.
So you might find the possibility of messages and content exchanged via LinkedIn winding up ingested into Microsoft Purview rather interesting. I certainly do.
What's MS Purview? Basically, it's Orwell's Thought Police, but applied to any content that Microsoft gets its hands on and that some company pays them to crunch through their machine learning system. It analyzes content they can link to a person's identity - an employee of some organization - to look for signs of potential collusion for things like money laundering, corporate espionage, etc. These are certainly good tools and could go a long way toward helping prevent serious abuses of power, and in some cases they may be necessary due to various regulations.
What gives me pause, however, is what Microsoft tried here with a particular classification filter, called "leavers":
The leavers classifier detects messages that explicitly express intent to leave the organization [...]
Translation: you respond positively to that recruiter on LinkedIn (a Microsoft property)? Pack your shit; you're fired.
Now, it's worth noting that one source claims Microsoft has, "after your feedback" (yeah, right), decided not to go forward with this particular initiative. Gee, wonder why. That's not the problem. The problem is that they tried to pull this in the first place. They definitely knew better, and still they tried to get away with it when they damn well knew they shouldn't have.
If this source complains about an ad blocker, just right-click, choose Inspect, and delete the full-screen div covering everything. That worked in my case to get rid of the trash obscuring the content.
Some interesting discussion on Purview over at HN:
And here's some documentation about it from Microsoft:
Note that Microsoft owns many, many digital properties that most folks aren't aware of, including LinkedIn, Yammer, and others, and it will have absolutely no qualms about digesting communications from people not in an organization, or otherwise clearly intended to be private or even protected by law, and leaking that to the employer of only a single party involved in that conversation (and even, erroneously, in some cases where no such employees are involved). I guarantee this will happen many thousands of times. And we will all suffer for it, many of us through LinkedIn. Now, what do you think employers are going to do with the information they get through LinkedIn via this vector when they receive it? Do you really think Mary in HR is going to act all nice and kind when she realizes that their top performer in $DEPT_WHATEVER is about to leave because LinkedIn leaked that data to Microsoft Purview, which then leaked it to her via 365 Purview/Insights/Whateverthey'recallingitthismonth? Hell no!
And don't even get me started on how bad this is for emerging efforts to unionize!
What's the alternative?
I stumbled onto Polywork a while back and absolutely love it. I can't promise they won't make some of the same mistakes eventually, but so far I've had absolutely zero spam from recruiters, no ads, no upsell nonsense, no begging for money, nobody asking me to invite my friends, no deluge of emails, no attempts to trick me into installing an app, exfiltrating data off my phone, or integrating social media, my calendar, Google this or Outlook that, no attempts at stealing stuff out of my address book, no trying to get authorization to tweet on my behalf, no geolocation data requests - none of that. When I went to get my profile verified, I met with a real human being over a video call and talked to her. We cracked a few jokes (about how bad LinkedIn is, actually!), I showed her my driver's license, and we had a very pleasant conversation. They're doing it right, so far anyway, and I highly recommend them instead at this point.
You can see my Polywork profile here to give you an idea of what it's like. Basically, imagine LinkedIn, but not trashy and actually somewhat useful.
For over a decade, LinkedIn has been acting in a clearly negligent - I'd say criminally negligent - manner with regard to the way it handles the data it gathers from its users. As someone on the internet once famously said, "if it's free, YOU are the product", and here they're obviously quite right, but more than that, LinkedIn sees you as even less than a product: a mere thing to be tossed about and abused. I mean, take a store like, say, Wal-Mart or Target. At least they will try to secure their product against theft! But not LinkedIn! Your personal whereabouts, your personal phone number? Nope, they don't care! It's like a sociopathic chimp drunk on cheap wine, with a massive database that knows everything about you, is in charge over there, and there isn't a damn thing you or anyone else can do about it because, let's face it, our government isn't much better when it comes to creating consequences for this level of gross ineptitude/malfeasance.
Realistically, the only play most of us have is to just disable and/or delete (at least, attempt to delete) our account and move on with life. But given their monopoly position in the marketplace, that isn't a viable option for everyone. It is for me, and rather than be their next victim, my choice was to hit the eject button. I'd encourage everyone who reasonably can to do the same.