
LinkedIn sued over allegation it secretly reads Apple users' clipboard content - kitotik
https://www.reuters.com/article/us-microsoft-linkedin-lawsuit/linkedin-sued-over-allegation-it-secretly-reads-apple-users-clipboard-content-idUSKBN24C010
======
cassalian
People seem pretty upset about their clipboards, I wonder if apple/google will
listen and make the reading of your clipboard something that you must get
explicit user permission for (similar to your camera). IMO this is how almost
every possible permission should be and I think most users would agree with me
that having 2 seconds of inconvenience when you first set up the app is worth
the peace of mind gained.

~~~
gentleman11
It should just work the way that every user assumes it works: apps can’t read
it at all, but the user can explicitly paste from it

~~~
willis936
Right? On what planet should an app be allowed to read or write to the
clipboard? The _only_ piece of software that should access the clipboard is
the keyboard, and even that I have trouble trusting with all of these
predictive services. I’d like to feel more confident that my most used device
isn’t loaded up with keyloggers.

~~~
Denvercoder9
On Android, one of the suggestions when you focus the address bar in Chrome is
the URL currently on your clipboard. That's tremendously useful. (It helps
that pasting isn't especially ergonomic on Android.)

~~~
cannedslime
To be honest I hate that they have gimped the address bar on Android Chrome.
It's just one more button press if I need to edit the URL, and I think it's
creepy that they read the clipboard to be frank.

~~~
Denvercoder9
I replace the address more often than I edit it, so personally I like it. But
yes, reception has certainly been mixed.

------
sloshnmosh
“According to the complaint, LinkedIn has not only been spying on its users,
it has been spying on their nearby computers and other devices”

Facebook’s SDKs, which are embedded in more than 30-40% of all Android apps,
also scan the user’s internal network and also use Bluetooth looking for
devices nearby.

I was shocked to discover that more than half of the third party apps I had
installed had Facebook’s software embedded in them.

~~~
kraemahz
Is there a list of these somewhere? What are the steps needed to verify for
myself? Exfiltration of data from my phone is theft; I prefer not to be stolen
from.

So far I've found: Spotify, Tinder, Yelp, Duolingo

~~~
throwclassy491
I am a noob, so please correct if wrong. I think you can use the F-Droid app
'ClassyShark3xodus' to scan apps installed and apks on your phone for trackers
etc.
[https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus...](https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/)

~~~
kraemahz
That got me far enough to get started, thanks!

------
jmiserez
Previous discussion of the issue:
[https://news.ycombinator.com/item?id=23716451](https://news.ycombinator.com/item?id=23716451)

Explanation from LinkedIn and the actual (open-sourced) code in question
linked in the top comment:
[https://news.ycombinator.com/item?id=23719995](https://news.ycombinator.com/item?id=23719995)

That explanation seems plausible to me, and would imply that there is no
spying going on there.

~~~
chiefalchemist
> "According to the complaint, LinkedIn has not only been spying on its users,
> it has been spying on their nearby computers and other devices, and it has
> been circumventing Apple’s Universal Clipboard timeout."

That's the last paragraph, which probably should have been stated sooner. The
timeout issue could be a mistake, but if not it seems to support the spying
theory.

------
eyeball
What functionality would be broken if clipboards were changed to be completely
unreadable other than when the user initiates a “paste” command manually?

~~~
filleduchaos
All copying and pasting related functionality would be broken, because
clipboards literally function by granting programmatic access to applications.

"The user initiates a paste command manually" is a requirement that may be
trivial for a human to express but near impossible for software to implement.

~~~
cheeze
> "The user initiates a paste command manually" is a requirement that may be
> trivial for a human to express but near impossible for software to
> implement.

What? No.

Sure, there would be changes required, but both Android and iOS could support
this pretty easily IMO.

~~~
filleduchaos
How do you imagine that copying and pasting works on Android and iOS at the
moment?

"There would be changes required" is a very euphemistic way to phrase what
would basically be banning all apps that don't use the high-level views in the
OS SDK from having clipboard functionality. Funnily enough, if Apple were to
come out tomorrow and say "we're removing the ability to cut, copy and paste
from any and all apps that don't use UIKit" this website would have a field
day tearing them to shreds and smugly posting about "walled gardens".

Convenience, freedom, security. Pick two.

------
arpa
Well hello all the passwords that are safely copied from the password manager.

------
dbt00
Checking the clipboard for relevant patterns and possibly enabling user
actions is not the same thing as stealing your clipboard. Consider the Apollo
reddit app:

[https://www.reddit.com/r/apple/comments/hejb9i/ios14_catches...](https://www.reddit.com/r/apple/comments/hejb9i/ios14_catches_apps_spying_on_your_clipboard/fvscjyz/)

~~~
asplake
Then these should be permissioned separately, the patterns perhaps available
for inspection

------
ChrisMarshallNY
I’m wondering if a dependency common to these apps is the thing reading the
clipboard.

~~~
wakenmeng
Well, it's not rare. A lot of apps have a sort of feature, search while
inputting, to search before the user completes spelling. And some apps go further
to search and show what people copy from other places, because they thought
the user may want that. I think its original idea is to bring convenience to
the user, not to inspect private data. But this seems to end now.

------
IceWreck
Yeah, please just use mobile websites instead of apps wherever possible.

------
mtbnut
So, do we need to redefine the term “sandbox” as it relates to secure
software? Obvi, it doesn’t do what we’ve been told it was supposed to do.
Apple uses the term about 600 times per keynote, but we now know it’s been lip
service. They either lied or just did a shitty job securing iOS. However,
“sandbox” doesn’t necessarily imply secure; that would be a “secure sandbox,”
in which case we were all naive, heard “sandbox,” and assumed it was secure,
which by default and definition, it isn’t.

------
DavideNL
...just imagine how many passwords must have leaked like this. Or is there
some kind of 'limitation' when accessing clipboard data copied from password
managers?

~~~
jannes
Some password managers have a feature to automatically clear the clipboard
contents 30 seconds after copying a password. But I have only seen this on
Android, Windows and macOS. Not on any iOS apps, likely due to tougher
restrictions on executing in the background.

~~~
DavideNL
Yea, 1Password on iOS also clears the clipboard after 90 seconds.

------
filleduchaos
To me the real problem is that so many people don't actually understand how
clipboards work. If they did, they wouldn't have this (in my opinion) strange
trust in their security in the first place.

As a developer and as a user: don't put things in the general/system clipboard
if they're truly sensitive/secret. Developers especially really should be
promoting the use of named and/or private clipboards (and of the share sheet
in Android and iOS).

~~~
mileycyrusXOXO
How am I supposed to use a password manager if I can't copy paste?

~~~
filleduchaos
"How am I supposed to use a password manager if I can't put my plaintext
password in a file that everyone can access?"

Like I have already said,

> Developers especially really should be promoting the use of named and/or
> private clipboards (and of the share sheet in Android and iOS).

And for the specific case of a password manager, iOS offers Password Autofill
integrations. It's not the OS's fault if developers are too lazy to use the
right tools for the right job.

~~~
manquer
iOS does not offer auto fill for third party password managers and there is no
unified service that Apple offers for web and desktop and works across OS and
multiple browsers. So it is less to do with developer laziness and more to do
with lack of usability beyond iOS.

~~~
filleduchaos
> iOS does not offer auto fill for third party password managers

Yes, it does - see the section very literally titled "Integrate a Password
Management App with Password AutoFill" at
[https://developer.apple.com/documentation/security/password_...](https://developer.apple.com/documentation/security/password_autofill).

But again, many devs don't actually keep up with and/or look up the proper way
to do things on the platform they're deploying on.

> and there is no unified service that Apple offers for web and desktop and
> works across OS and multiple browsers

Apple has a duty to its own software. Why exactly is the onus on Apple to
offer a magical grand unified service instead of on third party software
developers to actually take the time to study and use the appropriate tools on
each platform they want to deploy on?

If you want things to be secure you generally have to put in the work for it.
1Password spends resources building & maintaining browser extensions to
integrate directly with input fields - why doesn't your password manager of
choice offer similar? As a developer one could use named and/or private
clipboards to actually have control over when and how the data their users
clip is accessed - why not do that over complaining that a shared, global
buffer that applications can access programmatically by design is, while
convenient, also not exactly the most secure way to transmit sensitive data?

------
andersco
My hope is that stories like this help to educate non technical users about
what a clipboard is and does. That in turn might result in improved clipboard
privacy.

------
olcor
This is very weird, I notice a lot of apps are doing this.

Even Firefox Focus, considered to be a "privacy-focused" browser, has this
notification pop up every time you add a character to their address/search
bar.

------
electro_blah
shitty company that uses dark patterns[0]

[0][https://twitter.com/darkpatterns](https://twitter.com/darkpatterns)

------
pwdisswordfish2
Awesome!

------
justapassenger
While LinkedIn is sketchy, this is a modern iteration of ambulance chasing
lawsuits.

~~~
manquer
If it improves privacy by making the cost of acquiring a user’s information
higher then that’s a _very_ good thing.

~~~
justapassenger
You can also say that ambulance chasers improve public safety by making errors
more costly.

This isn't about privacy. It's a money grab by lawyers.

