
LinkedIn’s iOS app transmits names, emails, and calendar notes, in plain text - Kenan
http://thenextweb.com/insider/2012/06/06/linkedins-ios-app-collects-and-sends-names-emails-and-meeting-notes-from-your-calendar-back-in-plain-text/
======
rjsamson
This is off topic, but The Next Web really needs to make an effort to properly
credit images. They've been called out on this a number of times before, but
the way they credit image sources is just plain wrong. In this article, for
example, at the very bottom of the page is a generic link that says SOURCES:
IMAGE CREDIT. With this particular image, the photographer very clearly says
"please, kindly credit me (Nan Palmero) with the photo and link back here" -
nowhere do they credit him by name. A quick check of all of the other
publications using her photo do properly credit her by name, but The Next Web
can't be bothered.

If the author of this article is reading - PLEASE CREDIT THE PHOTOGRAPHER

~~~
nanpalmero
Thank you very much for looking out. It appears that this has been going on a
bit. Matthew, can you help with the following pieces that also do not have my
name attached to them, please? Doing so on both the desktop and mobile version
would be greatly appreciated!

[http://thenextweb.com/location/2011/08/01/foursquare-reporte...](http://thenextweb.com/location/2011/08/01/foursquare-reportedly-to-roll-out-new-pages-that-anyone-can-sign-up-for/)

[http://thenextweb.com/insider/2011/05/14/milestone-foursquar...](http://thenextweb.com/insider/2011/05/14/milestone-foursquare-hits-10-million-users/)

[http://thenextweb.com/apps/2011/03/17/agora-helps-you-meet-n...](http://thenextweb.com/apps/2011/03/17/agora-helps-you-meet-new-foursquare-friends-when-you-check-in/)

[http://thenextweb.com/insider/2011/10/24/linkedin-fixes-bug-...](http://thenextweb.com/insider/2011/10/24/linkedin-fixes-bug-which-exposed-celebrities-email-addresses/)

[http://thenextweb.com/apps/2011/08/16/linkedin-launches-slic...](http://thenextweb.com/apps/2011/08/16/linkedin-launches-slick-new-iphone-android-and-html5-mobile-apps/)

[http://thenextweb.com/socialmedia/2011/01/13/32-of-my-friend...](http://thenextweb.com/socialmedia/2011/01/13/32-of-my-friends-changed-jobs-last-year-how-many-of-yours-linkedin-will-tell-you/)

[http://thenextweb.com/mobile/2010/08/31/mtv-to-reward-std-ch...](http://thenextweb.com/mobile/2010/08/31/mtv-to-reward-std-checkups-with-a-foursquare-badge/)

[http://thenextweb.com/insider/2011/03/25/foursquare-plans-to...](http://thenextweb.com/insider/2011/03/25/foursquare-plans-to-open-uk-office-during-the-next-year/)

[http://thenextweb.com/insider/2011/01/27/linkedin-files-its-...](http://thenextweb.com/insider/2011/01/27/linkedin-files-its-ipo-developing/)

@Richiezc what a cool chocolate wrapper, thank you for making such a fun
piece.

~~~
rjsamson
Wow - I knew they were bad at image attribution, but that's just plain awful.
And these are just the photos from one photographer that have been improperly
used! TNW clearly has a large gap in their reporting standards that needs to
be corrected.

~~~
nanpalmero
Zee Kane, CEO of TNW is correcting the issue:
<https://twitter.com/Zee/status/210444016016306176>
<https://twitter.com/Zee/status/210444266185560064>

Thank you all for your help and support!

~~~
rjsamson
Glad to see it! Credit links in the body will be a great improvement!

------
MehdiEG
Putting aside the issue that much of this data shouldn't have been sent
anywhere in the first place, I'll never understand why, in 2012, SSL is still
not used by default when sending any sensitive or private data across the
network.

It's even more puzzling when we're talking about background data upload when
the potential SSL handshake latency isn't going to pose any UX issue. This has
boggled my mind for years actually. Why?

~~~
0x0
Maybe it's not an issue for LinkedIn, but the iOS app submission process
requires developers to do a lot of paperwork with several governments (US,
France) for export compliance when using any kind of crypto.

I can easily see smaller developers deciding to go for HTTP instead of HTTPS
just to avoid dealing with all that bureaucracy.

~~~
MehdiEG
I should go back and take a look at the exact wording of the Apple App Store
rules but I never had problems submitting apps that use SSL.

There's one step of the submission process that asks about the use of
cryptography and I've always picked the option that doesn't require submitting
any additional paperwork - never had problems. I forgot the exact wording but
I always worked under the assumption that SSL isn't what Apple is talking
about when they ask about the use of cryptography.

If developers had to file paperwork with various governments just to use SSL
in their app, then simply using one of the many third party APIs that require
SSL (e.g. the Foursquare API) or even just embedding a web browser view that
may end up loading an https URL would require the developer to go through the
paperwork route to get their app approved. That wouldn't make sense.

~~~
0x0
You would think so, but I've never been able to find a definitive answer, in
public at least. Some forum posts seem to imply you should answer YES if you
utilize HTTPS/SSL even if it's just through the iOS standard frameworks.
Whether anyone _really_ cares remains to be seen. The vague wording is
probably Apple's way to C.Y.A. should any problems arise later.

------
malpern
We've just posted a response about what we do and don't do.
<http://blog.linkedin.com/2012/06/06/mobile-calendar-feature/>

Important point, all data _is_ shared of SSL.

~~~
nodata
> Important point, all data is shared of SSL.

What does that mean?

Since comments are disabled on your blog, can you tell us which data was _not_
sent over SSL? (and if that has been fixed now)

------
Bjoern
Why would they choose to transmit the data in plaintext rather than use SSL?
Lazy?

------
brudgers
What I find interesting is how LinkedIn's approach to their mobile app was
treated as technological savvy a month ago.

[http://venturebeat.com/2012/05/02/linkedin-ipad-app-engineer...](http://venturebeat.com/2012/05/02/linkedin-ipad-app-engineering/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Venturebeat+%28VentureBeat%29#s:1-linkedin-ipad)

<http://news.ycombinator.com/item?id=3920368>

------
cletus
This is only tangentially related but I really don't understand why anyone
cares so highly about their contact list. Does it really matter? Why does it
matter?

Concerns about spam seem anachronistic (in that you have to deal with spam and
services like Gmail have become pretty good at countering it). Is it just
privacy? If so, I'm confused.

~~~
chubot
Will you post your email and cell contacts to this thread now? If not, why
not?

I'm confused that you're confused. There are a hundred scenarios I can think
of. Gmail being good at spam detection is your defense? For one, I get text
message spam all the time now. I don't want people having my number who don't
need it.

~~~
bobsy
> Will you post your email and cell contacts to this thread now? If not, why
> not?

Well that is completely different to what LinkedIn is doing.

Sending information via plain text is bad but is fairly unlikely to be read in
transit. (This isn't to say that it shouldn't be changed)

LinkedIn shouldn't be collecting the data. At the same time it isn't making
the data public. It is somewhat unclear what they are doing with it. It is
unlikely though that it is for some evil scheme.

Compare this to posting a tonne of personal information on what is essentially
a public forum. Completely different.

~~~
chubot
The OP was making a very broad claim. Why would anyone want to keep their
contact list secret? Who cares?

In this particular case, I agree LinkedIn in all likelihood is not going to
post your contacts to a public forum. But it's completely conceivable that it
could happen.

But if there are hundreds of apps and services out there storing your contacts
(and there will be if you're careless), then it's a virtual certainty that
they will be used in ways you didn't intend.

It almost seems more likely than not these days that a big trove of personal
information will be hacked. Even if it doesn't contain your credit card
numbers, personal information is still extremely valuable because it allows
hackers to bypass security questions and reset passwords.

EDIT: Haha, front page, huge dump of LinkedIn PW hashes leaked:
<http://news.ycombinator.com/item?id=4073309>. I had written something about
LinkedIn probably having "decent engineers", and being safer than giving your
personal data to a shoddy government website. But I realize security is more a
matter of process than hiring top engineers. And all these startups in a huge
rush. They're only going to do security right after they're embarrassed. Being
a programmer, I know how the sausage is made.

------
gshakir
I am deeply disturbed by this. Now I know how the connection suggestions show
up like they have a fancy algorithm.

------
davidmp
At least it's opt-in.

------
89a
Why would anyone be shocked at this?

They already spam anyone unfortunate to be in the Address Book of someone who
signs up for this awful service and connects with their gmail whatever.

------
philip1209
I don't believe that this is an egregious error.

