
Embed Linkedin profile page to see who visited your website - alanorourke
http://audiencestack.com/static/blog-hack-linkedin-to-view-website-visitors.html
======
jedberg
This is why I hate the term "growth hacking". It encourages this kind of
behavior.

I'd be curious to know if anyone on HN thinks that this is morally and
ethically ok?

What happened to the good old days when "growth hacking" was building a good
product that people want to share with each other and then making it easy for
them to share?

~~~
lawstudent2
> I'd be curious to know if anyone on HN thinks that this is morally and
> ethically ok?

1. Yes. Absolutely. What could be _morally_ unacceptable about this?

2. I very strongly believe in business ethics. And consumer protection, and
worker protection. I don't think that this, in general, rises to the level of
even being an issue with regard to consumer protection _or_ worker protection.
I don't know what about this would be unethical.

3. If you are going to say "user tracking" then I am just at a loss. This is
categorically no different than any of the many dozens of user tracking
services already in use. Except that, unlike many of those services who are
very, very explicitly shady and fly-by-night, LinkedIn is, overall, an ethical
player. When I visit NYTimes.com, my ghostery registers:

* Chartbeat
* Doubleclick
* Dynamic Yield
* Facebook Connect
* Facebook Custom Audience
* Google Analytics
* Moat
* Netratings Site Census
* New Relic
* Optimizely
* ScoreCard Research
* WebTrends

As long as this guy has an appropriately written privacy policy, I see
absolutely nothing _legally_ wrong with this, either. Morally - I just don't
even know where to begin on how facile a complaint I consider that to be.

~~~
hyperpape
It is a third party exploiting LinkedIn's tracking to monitor and expose
identifiable information about who is visiting their website that LinkedIn
probably didn't intend to be public.

Obviously, there are lots of trackers out there. But the fact that those
trackers exist, and we're sorta, kinda, maybe ok with it, or at least resigned
to it--that doesn't imply that we're ok with any third party using leaks of
that information to track us.

Probably the reasonable thing to do is say "if we're ok with X tracking us,
we're ok with everyone tracking us, because the information will leak." But
that's not the same as saying it's ok for everyone to try and make it leak.

It wouldn't at all surprise me if it's against LinkedIn's TOS, and the author
admits as much.

What about this is not unethical?

~~~
themagician
Yes, but let's not forget the 263rd Rule of Acquisition: Never allow doubt to
tarnish your lust for data.

~~~
toomuchtodo
I am impressed that's the actual 263rd rule in the Ferengi Rules of
Acquisition. Kudos.

~~~
zo1
It's not, the actual 263rd rule is: "Never allow doubt to tarnish your lust
for latinum."

So they replaced latinum with data. Essentially implying that data is
money/wealth.

------
buro9
This is also why you should segregate your browsing to different browsers and
different browsing modes.

I personally now use two browsers for different reasons:

* Chrome = Gmail, Drive, Docs, Search that I wanted tracked (work related usually)

* Chrome Incognito = Social media (Twitter, Instagram) and sites I stay on most of the time (HN)

* Firefox Private Browsing = Search that I do not want tracked (shopping research usually), shopping, news sites, media sites, LinkedIn

One can also view these in terms of cookie/data retention periods:

* Chrome = +1 week

* Chrome Incognito = 1 day maximum

* Firefox Private Browsing = Session (created and destroyed for a specific purpose, short-lived)

And yes, it's not convenient as if I get an email with a link in it I will
copy the link into the appropriate browser and then browse to it. But then the
upside is that I don't get tracked relentlessly by tracking stuff that expects
cookies.

Oh, and I'm aware of IP tracking too. I tend to use PIA VPN for this reason
and do not autoconnect to the closest place, but instead semi-randomly pick
somewhere in Europe to surface from each day.

~~~
JeremyNT
I do similar:

* Chromium = google services only

* Firefox = work, normal browsing (e.g. HN)

* Firejailed firefox = useful for sites too broken in regular Firefox

Both Chromium and FF are set to destroy cookies upon session termination and
block third party cookies. I use uBlock Origin in "default deny"[0] mode which
blocks all third party content by default. I never sign into accounts from
google, twitter, linkedin, or any other advertiser purveyor within FF.

The firejailed firefox is for such advertising purveyors and/or for sites
which are cumbersome to make work properly by selective whitelisting in uBlock
origin. I use firejail, rather than incognito / private browsing, so that the
browser will behave exactly as if it were freshly installed when I visit these
sites. Some settings (and in the case of FF, add-ons) will impact
incognito/private browsing; firejail allows me to run a browser "wide open"
safely.

[0] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-default-deny

~~~
buro9
Firejail looks great, I did not know about that. Thanks.

------
codingdave
I know my browsing habits/history is not private, and I know I am being
tracked, even though I use plugins to minimize that.

But having a marketing person send me a personalized email slapping me in the
face with that tracking by explicitly telling me that they know what web page
I visited on their site... that would be a pretty big turn off for me.

~~~
dizzyviolet
Exactly. The moment I get a cold contact like this, I'll put your business on
the "Never use them for any reason" list.

After I send them an email explaining why.

------
_xander
Cataclysmic outcome: linkedin is embedded on a porn site/page and starts
feeding the names and professional profiles of visitors to the owner. These
people are then contacted and blackmailed based on socio-economic status (e.g.
targeting rich married individuals).

This linkedin feature has always been a pure money grabbing ploy with no merit
other than the premium revenues generated from exploiting the emotional
vulnerability of people and #growthinghacking needs of recruiters.

------
ceejayoz
LinkedIn sets X-Frame-Options: sameorigin on requests, so this is likely to
only work on old browsers (IE7 and lower, basically).

~~~
bkm
You could load it as an image, as cross-origin policies are not enforced for
images. Not sure if their tracker is server-side or requires loading JS.

~~~
diggan
Also, you should be able to have a proxy on your own domain, changing nothing
but the `X-Frame-Options` header.

~~~
dangrossman
It's cookies in each user's browser that tell LinkedIn who's viewing a
profile. They wouldn't be transmitted to your proxy, so this wouldn't work.

~~~
diggan
Oh, that's true. Good point that I didn't think about at all. I've just done
this myself in simple cases where cookies aren't involved.
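
The sub-thread above touches two separate controls: `X-Frame-Options` (or CSP `frame-ancestors`) decides whether a frame is rendered, while the `SameSite` attribute on the session cookie decides whether that cookie accompanies a cross-site iframe or image request at all. As an added example (not part of the thread, and not LinkedIn's code), this audits a constructed set of response headers for both; the cookie names and values are hypothetical.

```javascript
// Added example: audits constructed response headers; cookie names are hypothetical.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const flags = {};
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    flags[key.trim().toLowerCase()] = value.trim().toLowerCase();
  }
  return { name: pair.split('=')[0], sameSite: flags.samesite, secure: 'secure' in flags };
}

// How a cookie behaves on a cross-site subresource request (iframe, img).
function crossSiteBehaviour(cookie) {
  if (cookie.sameSite === 'strict' || cookie.sameSite === 'lax') return 'withheld';
  if (cookie.sameSite === 'none') return cookie.secure ? 'sent' : 'rejected';
  return 'browser-default'; // no attribute: outcome depends on the browser's default
}

// True when the response forbids rendering inside another origin's frame.
// A frame-ancestors directive, when present, takes precedence over X-Frame-Options.
function framingBlocked(headers) {
  const csp = headers['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) return fa.slice(1).every((src) => src === "'none'" || src === "'self'");
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  return xfo === 'deny' || xfo === 'sameorigin';
}

function auditResponse(headers) {
  const cookies = (headers['set-cookie'] || []).map(parseSetCookie);
  const names = (b) => cookies.filter((c) => crossSiteBehaviour(c) === b).map((c) => c.name);
  return {
    framingBlocked: framingBlocked(headers),
    sentCrossSite: names('sent'),
    browserDependent: names('browser-default'),
    withheld: names('withheld'),
  };
}

// Constructed sample: framing is refused, yet the session cookie is SameSite=None.
const sample = {
  'x-frame-options': 'sameorigin',
  'set-cookie': [
    'session=abc123; Path=/; Secure; HttpOnly; SameSite=None',
    'csrf=xyz; Path=/; Secure; SameSite=Strict',
    'lang=en; Path=/',
  ],
};
console.log(auditResponse(sample));
```

A page whose views are recorded server-side is only protected from cross-site embeds when the identifying cookie lands in `withheld`; a browser that blocks third-party cookies withholds all of them regardless of these attributes.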

------
bigredtech
While doing this for your own profile could be useful for you and some metrics
you may want, someone else could be a bit more nefarious.

On a high profile/traffic blog, web app, or site - could just include some
targeted, random, or interesting LinkedIn profiles, and then all of these
people would be bombarded with misinformation about who's viewed their page.

Want to confuse sales team at XYZ Startup Corp., sure have all of their
profile links in hidden IFrames too...

~~~
userbinator
If all you need to get onto the list is a request to the profile page URL,
even a simple image link in a forum signature/profile image/etc. might be
enough...

~~~
samstave
Hmm so you could then see everyone who loaded that page/comment?

This has probably already been an exploit used by some people..

------
Tinyyy
That's one more reason to use extensions like uBlock and Ghostery.

~~~
vlunkr
And one more reason to avoid LinkedIn! If this actually works.

------
julien
This is terri(fic|ble).

------
userbinator
The essence of this hack is "turn LinkedIn into a tracking pixel." I suppose
it's possible to do it with some other social-network-type sites too.

------
yati
I have a LinkedIn profile that I've not updated for a long time. Have
programmers here found it to be of any value, apart from being in the know of
what your friends/colleagues are up to in their careers?

~~~
krschultz
Being able to contact former co-workers is invaluable. I moved out of New York
in 2009 and moved back in 2012. In between the startup I had worked at
had basically gone out of business and everyone had new jobs. I didn't have
anyone's email address or phone number or even Facebook connection, but I was
connected on LinkedIn. I was able to reach out, find out what companies were
hiring, get some interviews, etc. It massively helped in my move back and I'm
in a far better place because of it.

All the recruiters, resumes, cover letters, and interview prep pale in
comparison to just having a bunch of people that want to work with you again.
Ultimately whether you use LinkedIn or Facebook or a paper rolodex of phone
numbers, the key thing is that you need that collection of weak connections.
These are not my 20 friends, these are the 150 people that have been in a
company with me and know my reputation but probably don't know much more than
that.

I find LinkedIn is a good tool for that. Sure there are some negatives, but I
haven't found anything better. I don't necessarily want to be Facebook friends
with all of the people I currently or previously worked with, and there is no
way to keep an up to date contact list by yourself.

~~~
yati
> Being able to contact former co-workers is invaluable.

Agreed. Maybe I never felt the need of using LinkedIn for this because I'm
already well connected with most of my former colleagues via other channels,
since before this, I was at a pretty small startup.

My friends with management jobs love LinkedIn as a job finding tool, and some
even claim that being connected to influential people in the industry on
LinkedIn helps them stand out somehow, but most of my programmer friends do
not like the type of recruiters on LinkedIn. In my personal job searches, I
almost never needed anything other than a CV, a cover letter and
Github/StackExchange accounts (as opposed to "connections" with famous
people).

------
noer
I read about this over a year ago (I think it may have been on HN, though the
article was different). It seemed like it might be a security flaw and that it
would get resolved, but I guess not.

------
BillFranklin
Interesting, I just tested this. It doesn't work as an image or an iframe on
Chrome.

iFrame won't work on modern browsers: Refused to display 'my linkedin url' in a
frame because it set 'X-Frame-Options' to 'sameorigin'.

Image also probably did not work, though LinkedIn might delay reporting
profile visits, any ideas?

------
lucb1e
Neat one! Not sure it will work too great for a hacker audience -- all sorts
of content blockers, and they probably aren't logged into Linkedin 24/7 anyway
-- but I really like the idea.

The only issue I have with this is that it tracks people on yet another part
of the Internet. Same reason as why I don't have Google Analytics or Youtube
embedded videos or embedded Google Maps on my website (let alone Google Ads).

------
uptown
I've been thinking about creating a separate Chrome login for use on any
browsing on social sites (FB, Twitter, LinkedIn) - maybe even a unique login
for each. Would that be an effective way to isolate this type of thing?

~~~
pavel_lishin
Why not create a new Chrome profile that's not signed into Google, and use
its Incognito mode?

~~~
uptown
That's what I meant by Chrome login - a separate Chrome user profile, and
wouldn't incognito mode require that I authenticate each time I visit these
sites since any authentication cookies would be disposed of at the end of a
session?

------
bigtunacan
This is interesting; I was wondering though are you really using the Chrome
Scraper extension to get this data? Is there some way to run that on a
schedule, or are you manually scraping periodically?

------
santialbo
That's actually a sneaky way of following up with people who visited your
careers page. Check their LinkedIn and if they are a nice candidate send them
a message through LinkedIn.

------
ejcx
You might not need a whole iframe. Why not just an img tag like a regular
cross site request forgery over GET.

If the WHO isn't logged with any js Magic it will work all the same.

------
dorfsmay
I wonder what impact it has on page rank? I remember playing with 1x1 pixel
links a few years back and finding my page completely disappear from Google.

------
lotsofcows
I love it when people use meaningless phrases like "reach out to you". It
makes spam filtering so easy!

------
mgalka
I think there are some ethical issues with this, but the idea is brilliant.

------
squiggy22
What size is the request / overhead?

~~~
userbinator
The size of a LinkedIn profile page:

    <iframe src="LINK TO YOUR LINKEDIN PROFILE" height="1" width="1" frameBorder="0"></iframe>

------
monochromatic
Creepy. I hope LinkedIn breaks this soon.

------
hbbio
Can someone kill this news immediately, please?

We fear for our current business model.

~~~
rubidium
You need a new business model.

