

Why I Just Closed My LinkedIn Account - dripton
http://www.ripton.net/blog/?p=84
Do not ask for your users' email passwords.  It's phishing, pure and simple.
======
adnam
I don't understand why people complain about being contacted by recruiters on
LinkedIn. It's your public CV and professional contacts; recruiting is what
LinkedIn was designed for!

~~~
dougbarrett
Exactly! I get multiple e-mails a week from recruiters on LinkedIn, and it's
not hard at all for me to just kindly decline their offer or ignore it
altogether. I've never understood the stigma against recruiters, and why you
would get mad at someone that wanted to try to place you at a job, that just
sounds backwards and unappreciative.

~~~
ry_d
The problem is... They are trying to place you at a job and taking a
commission by obfuscating the actual salary paid by the company. I've
personally hired developers, salaried under big recruiting firms, who were
getting shorted 35% of their potential income just for allowing someone with a
marketing degree to forward over a resume. With demand as high as it is for skill
sets in the tech fields... you are foolish to believe they serve any purpose
other than spam. Especially when spending an hour or so shotgun emailing your
resume personally with a cover letter would net you nearly double the salary.

Alas the core issue in this blog post has nothing to do with the abundance of
recruiter contact. Anyone with a LinkedIn has already managed to figure out
how to manage the difference between spam recruiters and the good guys.

~~~
taude
Your comment doesn't make any sense to me. It's in the recruiter's best
interest to maximize the salary they get the candidate, so that they can
maximize the %-amount of the fill. They want to get the candidate 150K so that
the recruiter's 30% cut is 45K. If they only get the candidate $125K, then
their fee would only be 37.5K.

Are you confusing recruiting for a job with someone that does body-shop
contracting?

~~~
greenyoda
_"It's in the recruiter's best interest to maximize the salary they get the
candidate"_

Actually, it's in the recruiter's best interest to maximize the return he gets
over _all_ his candidates. If he can place candidates three times as fast by
offering them at 50% off their market rate, he makes a bigger total
commission.

~~~
taude
I'd buy that argument in a buyer's market. But I'm not aware of too many
recruiters with a surplus of sourced tech talent right now. And they have to
go through a lot of effort to source someone...so I'm going to still stand by
my comment that a good recruiter is going to maximize the candidate's value.

Edit: I'd also add what tech talent is going to be so unaware of their market
value that they'd take 50% of it?

------
xauronx
I allowed it to connect to my gmail, hit the uncheck all (for inviting
friends) and checked one person. It ended up sending invites to a few hundred
people I had only had vague communications with. Apparently "uncheck all" only
means for the 10 they're currently showing you. A lot of awkward "do I know
you?"'s

~~~
jhandl
How long ago was that?

~~~
xauronx
Probably a couple months? They very well may have made it work differently by
now, but it wouldn't be much in their benefit to do so (other than to stop
people complaining).

~~~
alanh
More accurate to say, “but they may not perceive doing so to be in their best
interest.”

------
mathattack
Don't most social media sites ask for permission to upload your contacts from
elsewhere? The answer (as Nancy Reagan taught us) is to Just Say No.

Yes there is (a lot!) of job-hunting spam on LinkedIn, but when you need a job
the spam can help. Even if you don't, it's useful to have a public place with
an email address for professional contacts to find you, in case you switch
firms.

~~~
betenoire
Yes most sites do ask for permission to upload your contacts, but they do it
without needing your password. No need to log in as the user anymore to do
this.

[https://developers.google.com/google-apps/contacts/v3/](https://developers.google.com/google-apps/contacts/v3/)

~~~
dripton
Not everyone uses Gmail.

~~~
tomkarlo
Are there similar token-based schemes for non-Gmail services? Seems like OpenID
or the like could provide similar functionality to avoid having to provide
your actual password to other services so they can look at your inbox.

~~~
pjscott
GMail allows you to give OAuth access to your email in an admirably simple way
that anybody could adopt:

[https://developers.google.com/gmail/xoauth2_protocol](https://developers.google.com/gmail/xoauth2_protocol)

In practice, I don't know any other email provider who does this.

------
incision
Interesting.

Being primarily a Gmail user I never realized that LinkedIn will ask for a
password directly when it doesn't recognize a service associated with the
domain.

The site appears to spend some time trying to do something with the bogus
credentials I provided. Now I'm really curious what that something is.

~~~
nwh
I assume it attempts to hit the server with IMAP with the details you
provided, then scavenge email addresses from your sent email.

~~~
incision
Right, that's certainly logical, but if they are doing something like that,
particularly considering their big breach last year - wow.

------
edgesrazor
My biggest annoyance with LinkedIn is the Endorsement feature. I have people I
barely know endorsing me for skills I barely have. Right now my highest
endorsement total is for PostgreSQL. While I'm proficient with Postgres,
there's other skills I know way better that only have 1 or 2 endorsements. If
a recruiter were to contact me (I'm not looking), I'm assuming it would be for
db work. It would be a waste of both their time (to contact me) and mine (to
respond and apologize that some of my contacts don't understand my job).

------
l0c0b0x
I don't _love_ LinkedIn, but there really isn't any other platform where to
keep professional contacts at the moment (at the same level or close). I get
their spam from time to time (join groups, free pro-membership for a month)
but not a lot of recruiters, which is great.. and I have a lot of professional
contacts.

I'm wondering if you might be overlooking the _connection_ gains to bad
wording in LinkedIn's part. "Give us your password, it's secure" is pretty
dumb language if you tell me. My understanding is that they supply you with
the ability to use 3rd party APIs to gather your email contacts from various
sources. That is not really giving your password to them -per se-.

~~~
dripton
No, there was a password input box. Definitely giving them my password per se.

(Someone else noted that Gmail has a contacts API, so if you use Gmail then
they can harvest your contacts without actually getting your password. Which
is much better, though still kind of rude to your friends.)

------
kevjiang
>> LinkedIn leaked 8 million users' passwords less than a year ago, because
they were storing them in the database in plain text.

The password leak from last year was really a leak of the password hashes. I'm
pretty sure they didn't store passwords in plaintext.

I think the backlash was because they didn't salt the hashes and only used one
iteration of SHA1 instead of a more appropriate hash function.

That being said, this doesn't really change the OP's point. Which was, "secure
my ass"

~~~
dripton
I apologize for the error and have edited the post.

------
ChuckMcM
Sigh, so LinkedIn is trying to boost their numbers and you didn't fall for it.
Good on you! Why the hate? If you want to get a ton of unsolicited links to
connect just put 'VP' in your title. Amazing. I've only got two policies on
LinkedIn, one I only link to people I actually know and have worked with
_already_, and two I don't allow { recruiters | sourcers | HR } types to link
to me after having a bad experience of one of them trolling all my contacts
with "Hey I'm working with Chuck and would like information about what you're
up to ..." emails.

But a lot of people really dislike the service and I completely support that
choice of theirs, but so far I haven't seen a lot of discussion about the
service the people _wanted_ when they joined but didn't get. Is it 'view only'
(as in I want to view other people but no one can view me!) or maybe (no
contact) as in only my contacts can email me?

~~~
rpedroso
The complaint wasn't about marketing tactics, or about LinkedIn's quality of
service. The complaint was specifically about LinkedIn asking for the
passwords to their users' email accounts.

As the author points out, LinkedIn doesn't have a very good track record on
security, plus giving out your email password isn't a very good practice in
any situation. Unfortunately, because of LinkedIn's clout among professionals,
many people are unwittingly putting their online identities at risk.

In the end, the author doesn't close his LinkedIn account because of
recruiters, but rather as a protest against this bad practice.

~~~
ChuckMcM
_"The complaint was specifically about LinkedIn asking for the passwords to
their users' email accounts."_

Fair enough. He didn't enter his password, it isn't required to use the
service. It is only useful for discovering more people via your contacts (and
perhaps to spam them as you, that would be bad).

So they implement a feature poorly. Why the hate? The automatic climate
control on my Subaru sucks dead gophers through a hose, but I don't translate
the fact that Subaru let a crappy design of an auxiliary feature get into
production with "the car sucks, I'm selling it." Especially if my use of it
doesn't require a lot of climate management (which it doesn't in California).
I might think differently if the car wouldn't start unless the windows were up
and the climate control engaged on automatic, that _would_ cause me to sell
it.

So I'm confused about the LinkedIn rant a bit.

~~~
dripton
You and I are educated enough about web security that we know not to type one
site's password into another site.

Many people aren't. Phishing is a real problem.

When "legitimate" sites start doing slimy, insecure things like asking for
third-party passwords, three things happen. One, those "legitimate" sites have
the power to do things that most users don't really want them to, like spam
their entire contact list as them. Two, it becomes harder for unsophisticated
users to distinguish legitimate sites from phishing sites. Three, it means
that if a criminal breaks into a "legitimate" site, there's more valuable
information there for him to steal.

~~~
ChuckMcM
Completely agree, the confusing bit then is the call to action, instead of
"Help me educate LinkedIn" it's "I'm deleting my account."

Does the author want to fix LinkedIn? Do they want a different service (or the
same service done differently?) or nearly the same service? It is easy to be
dismissive of this form of rant, and sometimes that is actually the best
response. But if there is something to learn here[1] that would be good too.

I suspect I'm overthinking it and the author was just venting.

[1] I get the 'here is another exemplar of stupid design' thought as well.

~~~
genofon
the call to action is up to you I guess, the author exposed some annoying,
dishonest and potentially dangerous interaction that LinkedIn is using.

when you read the news do you ask yourself: "what's the call to action of this
article?"

~~~
ChuckMcM
_when you read the news do you ask yourself: "what's the call to action of
this article?"_

Always.

------
Pxtl
LinkedIn is everything I would expect from a social network created by and for
enterprise software business types. I don't know anybody who actually _likes_
LinkedIn other than recruiters.

------
Finster
Wait. In order for this to work, wouldn't they HAVE to store your email
password in plain text?

O_O

~~~
r00fus
Does it actually store the password? Perhaps it simply passes it on to the
IMAP or CardDAV request to get your contacts?

~~~
miahi
Who would discard this kind of precious info?

------
ianstallings
Oh good, another "why I'm taking my ball and going home" article.

~~~
Finster
I know, right? I mean, complaining about a major social network straight up
asking for your email account password is just so WHINY!

Especially when said social network has had major data breaches in the past.
What could possibly go wrong?

Stupid whiners!

~~~
ianstallings
So why not just send them an email instead of posting a blog post with a
link-bait title like "Why I'm leaving X" and then posting it yourself to HN? Am I
supposed to help with this cause? Is there a petition? Should I leave LinkedIn
immediately because there is a box that you can voluntarily put your
password into? Well I guess I'll just add it to the list of "things I need to
be outraged about today".

~~~
HNJohnC
Because the author is trying to effect change and that is much easier with a
little publicity.

~~~
ianstallings
I didn't see any mention of actually contacting LinkedIn. Maybe he should
start with them.

~~~
chrisbennet
I'm sure they know that what they are doing is slimy. Asking them to change
won't have any effect. Hitting them in the wallet is the only influence he
has.

~~~
ianstallings
That's not fair. I would hope someone would at least contact me regarding my
products before lashing out and having people call me slimy.

------
eli_gottlieb
LinkedIn seems far more sensible once you realize it's a honeypot.

------
richkuo
Good reasoning here.

Might I add that LinkedIn has implemented the same stalker features that make
it just as creepy as online dating websites...

Can you imagine if Facebook had a "who's been viewing your profile" page? It'd
be gg.

Not to mention the NSA would be overloaded with 'suspicious activity'.

~~~
scragg
I was about to post the same thing. I can't believe they get away with having
this feature. If I click a Linkedin link on Google, oops I'm logged in, my
viewing history is for sale.

------
mrt0mat0
I don't know if anyone noticed this, but LinkedIn didn't store their passwords
in plain text. They were stored in SHA1, with no salt, which is as close to
plain text as you can get without being plain text, but there is a difference
:)

~~~
dripton
I apologize for the error and have edited the post.
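
Added example, not part of the thread and not LinkedIn's code: it contrasts the unsalted single-pass SHA-1 storage described in the comments above with a per-user salt and an iterated KDF, and shows a legacy record being rehashed on the next successful login. The account names, passwords, record format and iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); alice and bob share a password.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "S3parate!pw"}
ITERATIONS = 200_000  # assumed demo work factor; tune for your own hardware


def sha1_unsalted(password):
    """Legacy scheme described in the thread: one unsalted SHA-1 pass."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)


def accounts_sharing_a_hash(table):
    """Return groups of users whose stored values are identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def login_and_upgrade(user, password, table):
    """Check a login; rehash a legacy SHA-1 record once the password is proven."""
    stored = table.get(user)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return verify_salted(password, stored)
    if not hmac.compare_digest(sha1_unsalted(password), stored):
        return False
    table[user] = hash_salted(password)  # migrate on successful login
    return True


if __name__ == "__main__":
    legacy = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    print("unsalted duplicates:", accounts_sharing_a_hash(legacy))
    print("salted duplicates:  ", accounts_sharing_a_hash(salted))
    print("carol upgraded:", login_and_upgrade("carol", USERS["carol"], legacy))
    print("carol record now:", legacy["carol"].split("$")[0])
```

With unsalted hashes, every account that shares a password shares a stored value, so one recovered password exposes all of them; the salted records never collide even for identical passwords.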

------
jmcrozzy
I haven't seen the "Enter password box" and I have a hard time imagining why
it would exist. Why would they choose to deal with logging into your email,
scraping for email addresses (spawning parallel processes etc.), risk
blacklisting and (more) user hatred (not to mention trying to prove to Google
you're not a robot) when there is a perfectly good OAuth(2) protocol/spec,
along with good Google APIs, to retrieve this data securely (well:
[http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell...](http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/)). I
agree it's still cheap and tacky but not really nefarious.

There is a 10 message / api-key / day limit using the LinkedIn messaging API I
think [http://developer.linkedin.com/documents/throttle-limits](http://developer.linkedin.com/documents/throttle-limits) still
annoying getting spammed.

~~~
thedufer
I believe this password box is something you only see if they don't recognize
your email address as something that they can interact with via OAuth (i.e.
Gmail).

------
malanj
I'm very impressed that you actually managed to close your account. Every time
I've tried to do that I was sent into some bizarre redirect hell that seemed
downright malicious.

LinkedIn seems like a prime example of what happens when you substitute good
product design for a series of A/B tested micro-optimisations. The net effect
is a shitty product that gets worse and worse...

~~~
dripton
I _think_ I managed to close it. I had to click 4 or 5 times, but the process
didn't seem to generate any errors. We'll see.

------
tlongren
Congrats man. LinkedIn isn't all that useful to anyone but recruiters anyway.
I closed mine long ago because I simply never used it.

~~~
smaili
Yup, same here.

------
auctiontheory
It's really not practical to stop doing business with every large company with
whom you have a disagreement, especially when they are the dominant player in
their industry. I'm sure most of us could find a nit to pick with both Apple
and Microsoft, not to mention Google.

If you will never need LinkedIn, that's fine. If you might, then you're only
hurting yourself.

~~~
dripton
That's a pretty defeatist attitude. If nobody complains when companies do bad
things, what incentive do they have to stop?

~~~
jasonlotito
Because what you consider bad isn't necessarily bad.

Let's take your post at heart, and we'll ignore the part about phishing
(ironic, considering your own site's setup).

Your assertion is mostly paranoia, what could happen, and what LinkedIn
shouldn't do. LinkedIn should not ask for your email password, despite that
being a way to access email. Now, I'm not suggesting you hand over your email
password without thought, but you do hand out your email password.

You hand out your email password to any email client you choose to use, with
the hope that it doesn't share out that password to anyone else. After all,
just as a LinkedIn employee could steal your password, so could a Google or
Apple employee as well. I mean, Google even asks for the password to other
email accounts if you want to use Gmail for non-Gmail accounts. And let's hope
that no browser is tracking anything. It might be open source, but have you
checked the source code?

Sounds crazy.

So leave LinkedIn. But really, it's a rant, and not even a good rant at that.
And we didn't even talk about glass houses.

~~~
dripton
I have a plain old Wordpress blog. What is it doing that you consider phishy?
(Should I disable comments? I hardly get any anyway.)

~~~
jasonlotito
It's your assertion that LinkedIn is trying to phish people, when phishing has
a very real meaning. If that is phishing, then what you have displayed when
someone goes to comment could be considered just as phishy. You have to
remember, WordPress is not just an app that you can install, but it's also a
hosted service. Your page has the WordPress logo on it, and it's asking to log
in. Is someone supposed to use your site's u/p or the WordPress's hosted
services credentials.

You don't intend to steal anything, but you could, making you just as guilty
as LinkedIn. That is to say, not guilty of anything.

------
carlob
Why I never had LinkedIn. Back in the good old days the only way to prevent it
from spamming you on behalf of your friends was creating an account and then
unsubscribing from emails.

I had to contact customer support twice to remove two email addresses from
their databases.

Fortunately mass emails or notifications without a single-click unsubscribe
button are forbidden now.

------
iheart2code
If you've used this particular contact system before, you'll know that your
e-mail login information won't pass through LinkedIn's servers. A popup from
your e-mail provider's server asks you to grant LinkedIn access to your
contacts via that provider's APIs.

~~~
dripton
LinkedIn showed my email address on their web page, and provided a box under
it to type my email password.

Maybe they wouldn't have actually stored my password locally, but there's no
way for a user to know that for sure.

~~~
iheart2code
Ah, I use GMail, which allows the type of functionality I mentioned. I
didn't see that it behaves differently with other providers.

------
gesman
All platforms are like hookers - they are generally offering some in-demand
service, you might get a nasty bug, you get what you paid for (or not paid
for) and they are not obligated to please you.

So use platform for what it's good for, but do not rely your business on it.

Gleb

------
codva
LinkedIn has a new service where they offer to centralize your contact
management by importing all your contacts from wherever and giving you one
central place to keep track of them.

It may or may not be a good idea, but it isn't phishing.

~~~
dripton
Asking for my email password is phishing, period.

It may be phishing for a less nefarious cause, but how's the average enduser
supposed to know the difference? We need to plant the meme that any site
asking for another site's password is always wrong.

~~~
adrr
Cancel all your social network accounts. Everyone does it. They say they don't
store email addresses, technically true but they store a hash of it. They use
this data to recommend friends/connections. It can also be used to recommend
friends/connections when a new user signs up during the signup flow.

~~~
dripton
I have cancelled two out of two accounts that have tried to phish my email
password. (Udacity and now LinkedIn.) "Everyone" certainly does not do it. (I
know Facebook does it, but just because the slimiest big company on the web
does something doesn't mean it's okay.)

------
lumens
The main problem with LinkedIn, especially for the HN crowd, is that it’s
essentially just go-go-gadget arm for recruiters, who themselves represent a
very broken system ([http://bit.ly/14gMFnB](http://bit.ly/14gMFnB)). Modern
recruiting is a horrible mess
([http://bit.ly/11Jnnez](http://bit.ly/11Jnnez)), so a social network that
encourages and magnifies their actions is of course going to produce pretty
terrible results.

LinkedIn is a _great_ business development tool. Want to know the name of the
person at company X who could use your product? LinkedIn is awesome for that.

But time and time again, the main thing one hears about LinkedIn is the
(systemically encouraged) abuse of the system by spammy recruiters, not the
‘business networking’ it should be a haven for.

A significant move away from the traditional recruitment paradigm as a whole
is the only thing that will make LinkedIn enjoyable to use. When traditional
recruiters aren’t the best way to find talent, LinkedIn will be free to grow
and prosper as a business networking community.

We’re trying to solve this problem at Mighty Spring
([https://www.mightyspring.com](https://www.mightyspring.com)). Whereas on
LinkedIn your information is public and ripe for recruiter abuse, Mighty
Spring profiles are only visible to the public in a cleansed, anonymous form.
Behind the safe walls of our system, our users are free to indicate their
career aspirations, explore new opportunities, and accept incoming interview
requests (from first party companies only, not agency recruiters). Externally,
the profiles are anonymous, so no one even knows you are a member of the
community unless you choose to reveal your information specifically to them
and accept an interview.

We’re in private beta now, but are already successfully connecting our users
with great companies -- all at each user's discretion, of course! We’d love to
help all of you solve your problems with LinkedIn, so we’ll live-monitor
signups coming from Hacker News and expedite beta invites to all you guys.
Definitely let us know if you have feedback or questions. My email is in my
profile.

~~~
bjterry
Please don't use URL shorteners on Hacker News. It is contrary to established
norms.

~~~
lumens
Noted, thanks.

------
MrDOS
Wow, offering to log into an account that holds contact information in order
to retrieve those contacts and automatically invite them to connect with you.
I'm glad the innovation will both start and stop here – it's a good thing
MySpace never did this. Or Facebook. Or any one of a million other services.
I'm not trying to detract from the potential severity of anyone actually going
ahead and _doing_ it, but OP, is this seriously the first time you've seen
something like this? I'm very surprised.

~~~
xauronx
I think the issue was with it actually asking for the password itself. If it
were an OAuth screen he probably wouldn't have blinked. Would I have shaken my
head and even MAYBE deleted my account if I were having a bad day? Maybe.

Would I write a blog post about it even if I did? No.

------
jdbernard
The only things I supply to LinkedIn are things I would put on a resume and
send to strangers. It is a useful service if you can be disciplined about what
you share.

------
samweinberg
Can anyone confirm LinkedIn actually sent this email? I mean, straight out
_asking_ for your customers' email password is pretty ridiculous.

~~~
dripton
LinkedIn sent me an email saying I had a new contact. When I clicked the link
in the email, it put me on the LinkedIn site. As an afterthought on the "we
added your new connection" page, they tried to phish my email password.

~~~
samweinberg
It's a shame that a company with an already bad track record in user security
would do something so careless yet again.

------
gexla
Interestingly, I have received lots of great contacts and work through various
sites I use, but never anything through LinkedIn. Different communities
gravitate to different channels. For me, I wouldn't miss my LinkedIn account.
Though maybe I'm just not trying hard enough.

------
diminoten
Can't you do what LinkedIn does with your contacts through some kind of Google
universal auth API? Why does LinkedIn actually need my freaking password to
view my contacts?

