Embed Linkedin profile page to see who visited your website (audiencestack.com)
137 points by alanorourke on Oct 12, 2015 | 74 comments

This is why I hate the term "growth hacking". It encourages this kind of behavior.

I'd be curious to know if anyone on HN thinks that this is morally and ethically ok?

What happened to the good old days when "growth hacking" was building a good product that people want to share with each other and then making it easy for them to share?

> I'd be curious to know if anyone on HN thinks that this is morally and ethically ok?

1. Yes. Absolutely. What could be morally unacceptable about this?

2. I very strongly believe in business ethics. And consumer protection, and worker protection. I don't think that this, in general, rises to the level of even being an issue with regard to consumer protection or worker protection. I don't know what about this would be unethical.

3. If you are going to say "user tracking" then I am just at a loss. This is categorically no different than any of the many dozens of user tracking services already in use. Except that, unlike many of those services who are very, very explicitly shady and fly-by-night, LinkedIn is, overall, an ethical player. When I visit NYTimes.com, my ghostery registers:

* Chartbeat
* Doubleclick
* Dynamic Yield
* Facebook Connect
* Facebook Custom Audience
* Google Analytics
* Moat
* Netratings Site Census
* New Relic
* Optimizely
* ScoreCard Research
* WebTrends

As long as this guy has an appropriately written privacy policy, I see absolutely nothing legally wrong with this, either. Morally - I just don't even know where to begin on how facile a complaint I consider that to be.

> * Chartbeat * Doubleclick * Dynamic Yield * Facebook Connect * Facebook Custom Audience * Google Analytics * Moat * Netratings Site Census * New Relic * Optimizely * ScoreCard Research * WebTrends

In these cases, the NYT isn't getting private information about me from the third party. Facebook won't give the NYT a list of Facebook users who viewed an article on their website. Google Analytics won't tell me visitors' Gmail addresses.

It is a third party exploiting LinkedIn's tracking to monitor and expose identifiable information about who is visiting their website that LinkedIn probably didn't intend to be public.

Obviously, there are lots of trackers out there. But the fact that those trackers exist, and we're sorta, kinda, maybe ok with it, or at least resigned to it--that doesn't imply that we're ok with any third party using leaks of that information to track us.

Probably the reasonable thing to do is say "if we're ok with X tracking us, we're ok with everyone tracking us, because the information will leak." But that's not the same as saying it's ok for everyone to try and make it leak.

It wouldn't at all surprise me if it's against LinkedIn's TOS, and the author admits as much.

What about this is not unethical?

The fact that the author believes it is against LinkedIn's terms of service, terms of service to which he has explicitly, voluntarily agreed, makes it unethical on its face. (Even if the terms of service don't prohibit this behavior, the fact that he believes they probably do is important.)

It's certainly not a grave matter in and of itself, but he doubles down by publishing a post to encourage people to join him in making a promise in bad faith.

Yes, but let's not forget the 263rd Rule of Acquisition: Never allow doubt to tarnish your lust for data.

I am impressed that's the actual 263rd rule in the Ferengi Rules of Acquisition. Kudos.

It's not, the actual 263rd rule is: "Never allow doubt to tarnish your lust for latinum."

So they replaced latinum with data. Essentially implying that data is money/wealth.

The hack presents a way for the owner of a site I visit, but did not give any other consent to whatsoever, to connect that page visit to my LinkedIn profile (which is, basically, me), and then use that to contact me.

This goes a lot further than an ad broker that knows I am the person that visited sites X,Y and Z and therefore probably have an interest in something (without, still, knowing really who I am).

I know Facebook (and the likes) could technically know where I've been, but I have no clue on whether they really do that, is there proof for that? And is that really accepted? And even then, it's a step further because Facebook at least knows who I am because I 'willfully' told them and chose to 'trust' them.

"Growth hacking" is nothing but marketers rebranding themselves because the word "hacking" is hot and cool (i.e. meaningless).

> What happened to the good old days when "growth hacking" was building a good product that people want to share with each other and then making it easy for them to share?

Business came in. The Internet became serious money, and with it came the "entrepreneurs". What you see is what happens everywhere where competition is intense enough - ethics are one of the first things to fly out of the window. They harm the bottom line.

It's at least as ethical as what Google does, the same thing only more effort on their part.

Except totally not because GA doesn't give you the name and work history of your visitors.

He may be referring to Google's internal tracking, which is likely far more personal than GA.

Like all marketing it can be used for good or ill. It is something that we approached internally very carefully.

Should call this practice "auto-doxxing"

This is also why you should segregate your browsing to different browsers and different browsing modes.

I personally now use two browsers for different reasons:

* Chrome = Gmail, Drive, Docs, Search that I wanted tracked (work related usually)

* Chrome Incognito = Social media (Twitter, Instagram) and sites I stay on most of the time (HN)

* Firefox Private Browsing = Search that I do not want tracked (shopping research usually), shopping, news sites, media sites, LinkedIn

One can also view these in terms of cookie/data retention periods:

* Chrome = +1 week

* Chrome Incognito = 1 day maximum

* Firefox Private Browsing = Session (created and destroyed for a specific purpose, short-lived)

And yes, it's not convenient: if I get an email with a link in it, I will copy the link into the appropriate browser and then browse to it. But then the upside is that I don't get tracked relentlessly by tracking stuff that expects cookies.

Oh, and I'm aware of IP tracking too. I tend to use PIA VPN for this reason and do not autoconnect to the closest place, but instead semi-randomly pick somewhere in Europe to surface from each day.

I do similar:

* Chromium = google services only

* Firefox = work, normal browsing (e.g. HN)

* Firejailed firefox = useful for sites too broken in regular Firefox

Both Chromium and FF are set to destroy cookies upon session termination and block third party cookies. I use uBlock Origin in "default deny"[0] mode which blocks all third party content by default. I never sign into accounts from google, twitter, linkedin, or any other advertising purveyor within FF.

The firejailed firefox is for such advertising purveyors and/or for sites which are cumbersome to make work properly by selective whitelisting in uBlock origin. I use firejail, rather than incognito / private browsing, so that the browser will behave exactly as if it were freshly installed when I visit these sites. Some settings (and in the case of FF, add-ons) will impact incognito/private browsing; firejail allows me to run a browser "wide open" safely.

[0] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...

Firejail looks great, I did not know about that. Thanks.

Love this, and this is similar to how I surf:

  Chrome + umatrix = Legit news and Google sites 
  Opera = Facebook, Instagram
  Firefox + FoxyProxy + Ghostery + noscript = Shady places

Something which might be useful if you want to do this: you can use Firefox with multiple profiles, by starting it with the '-P <profile-name>' option.

Chrome also has multiple profile feature.

Google Chrome has a multiple-user option with quick switching; I have multiple profiles with different settings / extensions suited to each mode.

Saves the time to log in to accounts [unless that's the whole point for you].

I know my browsing habits/history are not private, and I know I am being tracked, even though I use plugins to minimize that.

But having a marketing person send me a personalized email slapping me in the face with that tracking by explicitly telling me that they know what web page I visited on their site... that would be a pretty big turn off for me.

Exactly. The moment I get a cold contact like this, I'll put your business on the "Never use them for any reason" list.

After I send them an email explaining why.

Cataclysmic outcome: LinkedIn is embedded on a porn site/page and starts feeding the names and professional profiles of visitors to the owner. These people are then contacted and blackmailed based on socio-economic status (e.g. targeting rich married individuals).

This LinkedIn feature has always been a pure money-grabbing ploy with no merit other than the premium revenues generated from exploiting the emotional vulnerability of people and #growthinghacking needs of recruiters.

LinkedIn sets X-Frame-Options: sameorigin on requests, so this is likely to only work on old browsers (IE7 and lower, basically).

I just tried it with Chrome. It works -- the view showed up, even though Chrome refused to load the page in the frame.

You could load it as an image, as cross-origin policies are not enforced for images. Not sure if their tracker is server-side or requires loading JS.

I've looked at the code - there definitely is some tracking done via XHR requests after the page load. This includes CSRF tokens so you can't hit those tracking links directly.

Having said that, we still can't know whether or not the profile view information is harvested from the server-side logging of the main page view without testing it.

Also, you should be able to have a proxy on your own domain, changing nothing but the `X-Frame-Options` header.

It's cookies in each user's browser that tell LinkedIn who's viewing a profile. They wouldn't be transmitted to your proxy, so this wouldn't work.

Oh, that's true. Good point that I didn't think about at all. I've just done this myself in simple cases where cookies aren't involved.

For what it's worth, this technique used to work by loading profiles as a 1x1 pixel image. That technique may still be effective.

But the request has already been sent. Yes, the browsers will respect this header and not display the page and not run javascript, BUT what if the user tracking is done on the server in the first request? In that case, this technique might work...

I assume they make a preflight HEAD request the same as CORS, in which case they would have to be very sloppy to make that count towards the stats.

Nope. There's no preflight for X-Frame-Options, as it was designed as a clickjacking prevention.
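The sub-thread above makes two points a profile host would have to act on: the framed request still reaches the server even though the browser refuses to render it, and it is the viewer's cookies that identify who is looking. The following is an added example, not LinkedIn's code or anything from the linked article, of the server-side filtering and cookie check that follow from those two points; the host names, profile path pattern and sample requests are constructed, while the Sec-Fetch-Dest header and the SameSite cookie attribute are real browser features.

```python
"""Added example for this thread (not LinkedIn's code). X-Frame-Options only stops the
browser from rendering the frame; the request, cookies included, still reaches the server.
A profile host that builds "who viewed your profile" from server-side requests therefore
needs to (1) count only top-level navigations, using Fetch Metadata, and (2) issue its
session cookie with SameSite so cross-site embeds arrive without the viewer's identity.
Paths, host names and sample requests are constructed; the headers and cookie attributes
are real browser features."""
import re
PROFILE_RE = re.compile(r"^/in/[^/?#]+/?$")   # constructed profile-page path pattern
EMBED_DESTS = {"iframe", "frame", "image", "embed", "object"}


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request head into method, path and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify_view(req: dict) -> str:
    """'count': attributable top-level visit; 'embedded': frame/image load from a third
    party; 'unverified': no Fetch Metadata, so an embed cannot be ruled out (Referer
    alone cannot tell a hidden iframe from a link click); 'ignore': not a profile page."""
    if req["method"] != "GET" or not PROFILE_RE.match(req["path"]):
        return "ignore"
    dest = req["headers"].get("sec-fetch-dest")
    if dest is None:
        return "unverified"
    if dest in EMBED_DESTS:
        return "embedded"       # the hidden iframe / 1x1 image case from the thread
    return "count" if dest == "document" else "ignore"


def session_cookie_problems(set_cookie: str) -> list:
    """List the weaknesses in a Set-Cookie header that let a cross-site embed carry the
    viewer's identity: SameSite missing or None, and missing Secure or HttpOnly."""
    attrs = {a.strip().partition("=")[0].lower(): a.strip().partition("=")[2]
             for a in set_cookie.split(";")[1:]}
    problems = []
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite missing or None: cookie is sent on cross-site loads")
    for attr in ("secure", "httponly"):
        if attr not in attrs:
            problems.append(f"{attr} missing")
    return problems


# Constructed sample traffic for each case; Cookie: sid=abc is the viewer's session.
TOP_LEVEL = ("GET /in/jane-doe HTTP/1.1\nHost: profiles.example\nCookie: sid=abc\n"
             "Sec-Fetch-Dest: document\nSec-Fetch-Site: cross-site\nReferer: https://news.example/\n")
EMBEDDED = ("GET /in/jane-doe HTTP/1.1\nHost: profiles.example\nCookie: sid=abc\n"
            "Sec-Fetch-Dest: iframe\nSec-Fetch-Site: cross-site\nReferer: https://marketing.example/\n")
LEGACY = "GET /in/jane-doe HTTP/1.1\nHost: profiles.example\nCookie: sid=abc\nReferer: https://marketing.example/\n"
WEAK_COOKIE = "sid=abc; Path=/"
HARDENED_COOKIE = "sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for name, raw in (("top-level", TOP_LEVEL), ("embedded", EMBEDDED), ("legacy", LEGACY)):
        print(name, "->", classify_view(parse_request(raw)))
    print("weak cookie:", session_cookie_problems(WEAK_COOKIE))
    print("hardened cookie:", session_cookie_problems(HARDENED_COOKIE))
```

The legacy case is the one the thread cannot settle: without Fetch Metadata the server sees an ordinary GET with the viewer's cookie, so the SameSite check is the mitigation that actually removes the identity from the request.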

To play the devil's advocate: if LinkedIn are smart they should offer this functionality (for premium users, of course). This is really useful info for businesses.

People don't want every website they visit to automatically know their real identity. This would chase people off their platform.

I think you overestimate how much ordinary people care / know about their online privacy. I think almost nobody would leave. That said, I myself wouldn't be too happy about it, but I would try to find some other solution instead of leaving LinkedIn.

LinkedIn also has an option 'Select what others see when you've viewed their profile' in account privacy settings which one can set to 'Anonymous'.

Not sure why you're downvoted - because they already do this for businesses, just not private users.

There's no money in it outside of selling data to businesses but LinkedIn, Facebook and tons of other major internet properties all share login data specifically to identify users across the web.

(I work in digital advertising)

What kind of data for each profile? Sites? URLs? What types of "selectors" are available, e.g. "profile number X" or various demographics? And roughly what does it cost?

There are lots of ways data is shared.

For the vast majority, it's demographics and interest based stuff. LinkedIn for example will keep lots of 1st party data to itself for its own ad business but will share generic data like: female, 30s, IT engineer, new york, etc. This is how much of the ad targeting works. Trying to target a single person/identity just isn't easy, scalable or worth it so big overlapping buckets are used.

On the other side, specific identity data is also shared, called PII (personally identifying information), in a hashed format with other data networks. This is often used in retargeting by profile, an example being if a company wants to target all of its current customers, it'll upload its CRM database full of emails and data providers will match this up to cookies or other identifiers and let that company target these users with ads online. It's anonymized in that the advertising company doesn't know your identity, just that you're in this bucket of "XYZ email address list".

The way providers get to know your identity is major sites that share your profile data when you login, because they definitely know that it's you. LinkedIn will set a cookie when you login and then they'll have an API or data dump to other providers that can request your info or if you fit a bucket (in a hashed format).

Data is usually on a CPM (cost per 1000 impressions) basis, although it ranges widely from $1-$100 depending on quality and depth of targeting.

Thanks for info, didn't know that! If I understand correctly, you don't get the data about specific users, like OP did?

About me being downvoted - yeah, I figured I would be, because lots of people here use voting as an "I (dis)agree" or "I (don't) like" button instead of a "post is (not) useful" button. For the record: I would rather live in a world where such tracking was not possible and/or allowed, however, this is just not the case. As a business you would be stupid to not consider using such data though. I personally would welcome a browser with privacy built in (for instance, a browser which would disallow all references to external domains - including images, JS and similar). But in reality this probably wouldn't fly.

Advertisers don't. It's all anonymized and usually as a big bucket of either demographics, interests or matched to a customer list of some sort. Honestly targeting an individual person online is very hard and expensive - at that point you probably have their name so you can just get their address and send them some mail instead.

The major companies like Google, Facebook, LinkedIn and other sites with logins will have more personal info because people provide it willingly, but they also keep this as valuable 1st party data since it's their edge in the ad business. Advertisers don't get access to it but can target against it if they advertise on that specific platform.

While doing this for your own profile could be useful for you and some metrics you may want, someone else could be a bit more nefarious.

On a high profile/traffic blog, web app, or site - could just include some targeted, random, or interesting LinkedIn profiles, and then all of these people would be bombarded with misinformation about who's viewed their page.

Want to confuse the sales team at XYZ Startup Corp.? Sure, have all of their profile links in hidden IFrames too...

If all you need to get onto the list is a request to the profile page URL, even a simple image link in a forum signature/profile image/etc. might be enough...

Hmm so you could then see everyone who loaded that page/comment?

This has probably already been an exploit used by some people..

That's one more reason to use extensions like Ublock and Ghostery.

And one more reason to avoid LinkedIn! If this actually works.

This is terri(fic|ble).

The essence of this hack is "turn LinkedIn into a tracking pixel." I suppose it's possible to do it with some other social-network-type sites too.

I have a LinkedIn profile that I've not updated for a long time. Have programmers here found it to be of any value, apart from being in the know of what your friends/colleagues are up to in their careers?

Being able to contact former co-workers is invaluable. I moved out of New York in 2009 and moved back in 2012. In between, the startup I had worked at had basically gone out of business and everyone had new jobs. I didn't have anyone's email address or phone number or even Facebook connection, but I was connected on LinkedIn. I was able to reach out, find out what companies were hiring, get some interviews, etc. It massively helped in my move back and I'm in a far better place because of it.

All the recruiters, resumes, cover letters, and interview prep pale in comparison to just having a bunch of people that want to work with you again. Ultimately whether you use LinkedIn or Facebook or a paper rolodex of phone numbers, the key thing is that you need that collection of weak connections. These are not my 20 friends, these are the 150 people that have been in a company with me and know my reputation but probably don't know much more than that.

I find LinkedIn is a good tool for that. Sure there are some negatives, but I haven't found anything better. I don't necessarily want to be Facebook friends with all of the people I currently or previously worked with, and there is no way to keep an up to date contact list by yourself.

> Being able to contact former co-workers is invaluable.

Agreed. Maybe I never felt the need of using LinkedIn for this because I'm already well connected with most of my former colleagues via other channels, since before this, I was at a pretty small startup.

My friends with management jobs love LinkedIn as a job finding tool, and some even claim that being connected to influential people in the industry on LinkedIn helps them stand out somehow, but most of my programmer friends do not like the type of recruiters on LinkedIn. In my personal job searches, I almost never needed anything other than a CV, a cover letter and Github/StackExchange accounts (as opposed to "connections" with famous people).

Yes, I got quite a big contract out of it when an old customer from my previous job noticed that I had set up on my own. Essentially they liked my work but hated dealing with my employer, hence they had taken their business elsewhere over a year previous.

Other than keeping my profile up to date I'm a very passive LinkedIn user though - I don't use it to look people up. It's also a source of a huge amount of worthless recruiter spam.

Creepy. I hope LinkedIn breaks this soon.

I read about this over a year ago (I think it may have been on HN, though the article was different). It seemed like it might be a security flaw and that it would get resolved, but I guess not.

Interesting, I just tested this. It doesn't work as an image or an iframe on Chrome.

iFrames won't work on modern browsers: Refused to display 'my linkedin url' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Image also probably did not work, though Linkedin might delay reporting profile visits, any ideas?

Neat one! Not sure it will work too great for a hacker audience -- all sorts of content blockers, and they probably aren't logged into Linkedin 24/7 anyway -- but I really like the idea.

The only issue I have with this is that it tracks people on yet another part of the Internet. Same reason as why I don't have Google Analytics or Youtube embedded videos or embedded Google Maps on my website (let alone Google Ads).

I've been thinking about creating a separate Chrome login for use on any browsing on social sites (FB, Twitter, LinkedIn) - maybe even a unique login for each. Would that be an effective way to isolate this type of thing?

You could just combine two separate browsers and use one for Facebook, Twitter, LinkedIn, Google and whatever else you wish for and use the second one while being logged out of social networks.

Why not a create a new Chrome profile that's not signed into Google, and use its Incognito mode?

That's what I meant by Chrome login - a separate Chrome user profile, and wouldn't incognito mode require that I authenticate each time I visit these sites since any authentication cookies would be disposed of at the end of a session?

This is interesting; I was wondering though are you really using the Chrome Scraper extension to get this data? Is there some way to run that on a schedule, or are you manually scraping periodically?

That's actually a sneaky way of following up with people who visited your careers page. Check their LinkedIn and if they are a nice candidate, send them a message through LinkedIn.

You might not need a whole iframe. Why not just an img tag, like a regular cross-site request forgery over GET?

If the WHO isn't logged with any JS magic, it will work all the same.

I wonder what impact it has on page rank? I remember playing with 1x1 pixel links a few years back and finding my page completely disappear from Google.

I love it when people use meaningless phrases like "reach out to you". It makes spam filtering so easy!

I think there are some ethical issues with this, but the idea is brilliant.

What size is the request / overhead?

The size of a LinkedIn profile page:

    <iframe src="LINK TO YOUR LINKEDIN PROFILE" height="1" width="1" frameBorder="0"></iframe>

Can someone kill this news immediately, please?

We fear for our current business model.

You need a new business model.
