Creating a LinkedIn account was by far the creepiest thing I've ever experienced when signing up.
I signed up using email address A, and when I signed in I saw suggestions for "people you may know", but it included people I had only ever corresponded with via email address B (bear with me here, it gets more interesting...). It wasn't even people any of my contacts know. From what I can tell people I had corresponded with using email address B (which incidentally doesn't even have a real name associated with it) had given their password to LinkedIn (probably via 'find people you know' or whatever). It seems that LinkedIn went through my friends' Gmail contacts and one or more of my friends had probably annotated me in their contact list with my actual name. LinkedIn then associated my name with email address B. From that LinkedIn combined it with more info from people who gave them their Gmail address and password who I'd only ever corresponded with a few times anonymously via my unnamed address (B, which LinkedIn has now linked with my name).
Net result is "people you may know" including people I had only corresponded with anonymously via email address B with full details of their name and place of work etc. What makes it creepy is that I used email address B when I tried online dating a few years ago. I used email address B to first get to know people before deciding whether to give them more info about me etc. Now LinkedIn has kindly provided me with the full name and place of employment of the women I chatted to via "people you may know" (I recognised their photos from the dating site from a few years ago) and vice versa (yikes! a great way to wind up getting stalked). The only link between me and "people you may know" is that I corresponded with them via an email address not even associated with my LinkedIn account, and none of my friends or contacts is in any way associated with them. If that isn't creepy I don't know what is.
Probably you already had an account, called a shadow account -- when signing up, you merely asked for your password for a limited access login.
So the primary form of collection that should concern us most is media that spy on us while we use them. Books that watch us read them, music that listens to us listen to it. Search boxes that report what we are searching for to whoever is searching for us and doesn’t know us yet.
There is a lot of talk about data coming out of Facebook: is it coming to me? is it coming to him? is it coming to them? They want you to think that the threat is data coming out. You should know that the threat is code going in.
For the last 50 years, what has been happening in enterprise computing is the addition of that layer of analytics on top of the data warehouse that mostly goes in enterprise computing by the name of "business intelligence". What it means is you’ve been building these vast data warehouses in your company for a decade or 2. Now you have only information about your own operations, your suppliers, your competitors, your customers. Now you want to make that data start to do tricks, by adding it to all the open source data out there in the world, and using it to tell you the answers to questions you didn’t know you had. That’s business intelligence.
The real threat of Facebook is the BI layer on top of Facebook warehouse. The Facebook data warehouse contains the behavior, not just the thinking but also the behavior, of somewhere nearing a billion people. The business intelligence layer on top of it which is just all that code they get to run covered by the terms of service that say "they can run any code they want for improvement of the experience". The business intelligence on top of Facebook is where every intelligence service of the world wants to go.
Imagine that you are a tiny little secret police organisation in some not very important country. Let’s put ourselves in their position. Let’s call them, I don’t know what, you know ... "kirghista".
You are a secret police; you are in the "people business". Secret policing is "people business". You have classes of people that you want: you want agents, you want sources, you have adversaries, and you have influencables, that is, people you torture who are related to adversaries: wives, husbands, fathers, daughters, you know, those people.
So you are looking for classes of people. You don’t know their names, but you know what they are like. You know who is recruitable for you as an agent, you know who are likely sources, you can give the social characteristics of your adversaries, and once you know your adversaries, you can find the influencables.
So what you want to do is run code inside Facebook. It will help you find the people that you want. It will show you the people whose behavior and whose social circles tell you that they are what you want by way of agents, sources, what their adversaries are and who you can torture to get to them.
So you don’t want data out of Facebook. The day you have data out of Facebook, it is dead. You want to put code into Facebook and run it there and get the results you want to cooperate.
I think that you just have to assume that every internet interaction you have with any service is tracked, indexed, cross-referenced, and then bought and sold. Possibly as aggregated data, but likely traceable to you if someone were so inclined. To think otherwise is just to believe that somehow human nature has changed. Scott McNealy was right, "You have zero privacy anyway. Get over it."
Same. Cancelled my account a year ago, still getting those emails. The worst part? Actually considering getting a new account, as I've been told by multiple people not having a LinkedIn account is 'suspicious' and that it's costing me job opportunities. Genuinely wishing someone would make a (less evil) LinkedIn-killer. At least for the tech world. Was hoping Stackoverflow Careers would do that, but sadly that hasn't happened.
I've been looking for entry level developer positions as a recent graduate and boy do I hear it repeated so much "Get to me on LinkedIn." "I got my job through LinkedIn". Over and over. I really don't want to create an account either but I suppose I might at some point. Sucks though. Because I get all these e-mails too from people and I've only read somewhat creepy things about LinkedIn.
I think you're correct. Here's the full headers for one of the emails with some added line-breaks to make reading easier. I hope I've redacted enough (someone please tell me if there's stuff here that shouldn't be public)
Received: by 10.216.15.83 with SMTP id e61csp34535wee; Sun, 4 Aug 2013 04:14:33 -0700 (PDT)
Received: from maile-fd.linkedin.com (maile-fd.linkedin.com. [220.127.116.11]) by mx.google.com with ESMTP id ck10si13864843pad.187.2013.08.04.04.14.31 for <[me]>; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
X-Received: by 10.68.135.162 with SMTP id pt2mr17184363pbb.42.1375614872583; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
Yeah, looks like that's coming from LinkedIn's network. They're probably just setting the From: header to your friend's email address -- which is what will then show up in most email clients as the sender -- and then using the Sender: header to pass SPF.
A little sneaky on their part, but nothing too surprising.
I didn't spot any personal / identifiable information in the headers, you should be OK.
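A header check for the "sent on behalf of" pattern discussed above, as an added example that is not part of the thread. SPF is evaluated against the envelope sender (recorded as Return-Path), so the check compares the From: domain with Return-Path, Sender: and the relaying host. The two Received lines are the ones posted above; the Return-Path, Sender, From, To and Subject values are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Received lines copied from the post above; every other header is constructed.
SAMPLE = """\
Received: by 10.216.15.83 with SMTP id e61csp34535wee; Sun, 4 Aug 2013 04:14:33 -0700 (PDT)
Received: from maile-fd.linkedin.com (maile-fd.linkedin.com. [220.127.116.11]) by mx.google.com with ESMTP id ck10si13864843pad.187.2013.08.04.04.14.31 for <[me]>; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
Return-Path: <bounce-placeholder@linkedin.com>
Sender: <sender-placeholder@linkedin.com>
From: Friend Name <friend@example.com>
To: me@example.net
Subject: constructed invitation

constructed body
"""


def org_domain(host):
    """Crude organisational domain: the last two labels.
    Assumption for this sketch; a real check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(value):
    """Organisational domain of the address in a header value, or None."""
    addr = parseaddr(value or "")[1]
    return org_domain(addr.rsplit("@", 1)[1]) if "@" in addr else None


def relay_domain(msg):
    """Host in the 'from' clause of the topmost Received header that has one.
    Only headers stamped by your own MX are trustworthy; lower ones can be forged."""
    for hdr in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", hdr)
        if match:
            return org_domain(match.group(1))
    return None


def audit(raw):
    """Report which delivery-path domains disagree with the visible From: domain."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    evidence = {
        "Return-Path": addr_domain(msg["Return-Path"]),
        "Sender": addr_domain(msg["Sender"]),
        "Received": relay_domain(msg),
    }
    mismatches = {k: v for k, v in evidence.items() if v and v != from_dom}
    return {"from": from_dom, "mismatches": mismatches,
            "sent_on_behalf": bool(mismatches)}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A mail filter or a DMARC-style alignment check uses the same comparison: the address shown to the reader is example.com while every delivery-path domain is the third party's.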
> I'm confident you will find a judge out there that considers this wire fraud.
Eek, I hope not. That would make me and anyone else who's ever written a form-mailer or similar with "-email@example.com" or "From: firstname.lastname@example.org" guilty of wire fraud.
> And any email provider should obviously immediately blacklist them. Worse than spam.
I'm a mail provider. I'd like to, but the reality is that a lot of people are on LinkedIn on purpose, and it would be wrong for me to blackhole them just because I don't like them. Fortunately, anybody on my mail system that doesn't like LinkedIn can easily adjust their own SpamAssassin settings right from the webmail interface.
Worse than spam, maybe, but I hope the defense would be able to make a compelling case that using the specification as designed doesn't constitute wire fraud...
This wouldn't be terribly different from (not that I know an example) me sending a letter to friend A and putting friend B as the return address, sending a letter by proxy. Of course in that case, there isn't even a method to see who actually sent the letter, whereas the information on who sent the email is still contained in the email.
I made the mistake of authorizing LinkedIn to fetch contacts from my Gmail account ages ago - at least 4-5 years back. If you are like me, here is a link to delete the contacts that you have not explicitly added on LinkedIn:
You have to go through every damn letter of the alphabet, and click like 4 different buttons, and wait for 2 page refreshes for each letter. Half the time it doesn't work and you have to refresh the page and try again.
I've gotten through "L" and now their server is giving me errors.
LinkedIn is the only social network that's managed to link me to other people in ways I cannot explain.
An example: I had a real life connection to a trainer, I studied for an industry qualification with him. I had zero online connections to him. Somehow LinkedIn put us together.
His profile mentioned nothing about taking that course, mine mentioned nothing about attending his course. My work handled all the procurement side of things so he had no access to my email address or anything like that.
In credit to LinkedIn, this guy happened to be the best trainer I'd ever studied with so I was actually pleased to see the recommendation. Still wondered how they managed it though!
I abstain from LinkedIn deliberately and I can confirm that I am sick from their spam.
Every time a friend joins their network, I get tons of “invitations to connect”, despite the fact that I have “unsubscribed” from their spam-list (to which I never subscribed in the first place) enough times.
Real professionals should not need spammy social networks to prove themselves.
This is somewhat off-topic, but has anyone felt like they are "typecast" into a certain industry or job position by their LinkedIn profiles?
What if you don't want to stay with the same industry for the rest of your life? All your contacts probably already endorsed you for your skills in that industry. It seems like a situation that increases friction in trying to move between fields, industries, and job positions.
Should you delete your profile? Would it seem weird to potential employers/business relationships that you are missing a LinkedIn profile?
I think this will become a more visible problem in the near future.
Totally agree with your concerns. There's also another piece to this that I've run into: Deliberately focusing my profile on specific skills increased the number of recruiters that contact me for job opportunities. One might say that this is just marketing on my part, but with LinkedIn, your profile actually functions like a webpage would where you need to optimize the keywords and information for their search engine. By being more focused, you rank higher in searches.
I don't think not having a LinkedIn profile is weird unless, perhaps, you were applying to run my social media campaigns. (And even then, hardly a deal breaker.)
BUT... I don't think you should delete it. I think mastery of one job speaks to the type of person who can master another. The real red flag is people who can't point to any big accomplishments in anything...
To be fair, yes, there are these people, but I think the general public wouldn't mind given the technology nature. Even among programmers people tend to claim to have multiple skillsets. When I write my resume / cv I am very conservative. I only mention the ones I am confident in (and omit ones that I only have a glance or very minimal usage). For example, my first web framework is Django but I don't even put Django in my resume only because I barely do any real Django development.
I think in the long run, I don't really want to believe what people said on LinkedIn. I just don't. We all have those moments where we just want to say Yes to every question LinkedIn asks "Does so and so have this skill?"
The "People You May Know" feature of LinkedIn is downright disturbing. Everyone in my third-party email's Address Book shows up as a person I may know. This includes people without LinkedIn accounts, people who've been dead for years that I never removed, people that I've only ever exchanged a single email with.
I never gave LinkedIn my email creds (I'm astounded that they have the gall to ask for my email password). Also, it is 100% inconceivable to me that all of these people would have given LinkedIn access to their email accounts.
People without LinkedIn accounts? Are you quite certain? I worked at LinkedIn and know exactly how People You May Know used to work (I've looked at the code). Unless they changed something in the last couple years (and given their dev cycle, I doubt it), every single person who it recommends has signed up to LinkedIn. Of course, I heard people make these claims while I worked there too.
Also, it really isn't that hard to guess how it works (hint: are you sure you need every single person to give address books access to build a graph?).
What an appropriate comment for your username. I'm still trying to figure out what LinkedIn have done to my email, but basically my wife and I are inundated with spam from them. It's non stop. I only signed up to learn more about the person who hit our car and has been slow to pay. It was helpful, but despite opting out of every option I could, somehow it's learnt that my wife exists and is nailing us both with spam.
If I click 'see more' under the 'people you may know' list on the homepage, fully half of the eight people above the fold are without LinkedIn accounts. These include family members who I can be certain don't have accounts. I assume clicking 'add to network' (rather than the 'connect' for those who do have accounts) would generate an invitation to join LinkedIn.
It suggests 'people' by email address that are my own. In the past I used gmail as a Dropbox together with a friend and it always shows name1 + name2 @ gmail.com as someone I might know. I'm pretty sure everyone involved has forgotten the password for that account.
If you are linked to 100 people on your LinkedIn account, and 10 of them have the same set of people in the address book they imported into LinkedIn, it's not hard for LI to figure out you might also know people in that overlapped set, and recommend them. You don't need to import your address book for this to work -- just enough of your connections, who have connections in common with you, need to do it.
It isn't that they are stealing credentials on behalf of users; even today the UI is confusing and too verbose. It's clumsy. It's like reading credit card statements with tiny fonts. I am very cautious about what I do on a web service but LinkedIn bit me once. If you happen to do one step wrong (even when you thought you overrode that decision already), LinkedIn will somehow send an invite to everyone. Whatever the step might be or whatever bug there is. Just plain annoying. And this happens to many LinkedIn users on planet earth.
It may not be necessary for all those people to give LinkedIn access to their email address books. Say you're A and you see a suggestion for B. Maybe a mutual friend C uploaded their email address book, which includes both A and B in it, and LinkedIn's PYMK can use the feature "A and B have a mutual email-network-friend", which might be useful.
Given that email address books are really large, only a few of them might give lots of these sorts of second-order connections.
Second order connections on the LinkedIn network could be driving these recommendations too. People's friend-of-friends sets can be really large, like typically tens of thousands if I remember right...
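The inference described in the comments above (a member who uploaded nothing still gets suggestions, and an unnamed address becomes tied to a real name through someone else's contact entry), as an added illustration that is not part of the thread and not LinkedIn's code. All addresses, names and the scoring rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: uploader -> {address in their book: label they typed}
UPLOADED_BOOKS = {
    "carol@example.com": {
        "alice.work@example.com": "Alice Smith",
        "alias-b@example.net": "Alice Smith",   # Carol annotated the unnamed alias
        "bob@example.org": "Bob",
    },
    "dave@example.org": {
        "alias-b@example.net": "",              # Dave only ever saw the alias
        "erin@example.com": "Erin",
    },
    "frank@example.com": {
        "alias-b@example.net": "",
        "erin@example.com": "Erin Jones",
        "grace@example.org": "Grace",
    },
}


def link_identities(books):
    """Group addresses that any uploader labelled with the same non-empty name."""
    by_label = defaultdict(set)
    for book in books.values():
        for addr, label in book.items():
            if label:
                by_label[label.lower()].add(addr)
    identity = {}
    for addrs in by_label.values():
        if len(addrs) > 1:                      # one name, several addresses
            group = frozenset(addrs)
            for addr in addrs:
                identity[addr] = group
    return identity


def suggest(signup_addr, books):
    """Rank suggestions for a new member who uploaded no address book."""
    identity = link_identities(books)
    mine = identity.get(signup_addr, frozenset({signup_addr}))
    scores = defaultdict(int)
    for uploader, book in books.items():
        if mine.intersection(book):             # uploader lists one of my addresses
            scores[uploader] += 1               # first order: they know me
            for other in book:
                if other not in mine:
                    scores[other] += 1          # second order: listed beside me
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for addr, score in suggest("alice.work@example.com", UPLOADED_BOOKS):
        print(score, addr)
```

The top suggestion for the work address is a contact reached only through the alias; with Carol's single annotation removed, the alias is no longer tied to the sign-up address and that suggestion disappears.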
> I never gave LinkedIn my email creds (I'm astounded that they have the gall to ask for my email password)
Well, why not? I've recently given in and created a Google account again; they're doing the same thing. I even had to confirm in a pop-up box that I really don't want to give them access to my emails. (And that I really don't want to follow celebrities on G+.)
I don't know why the EU goes after cookies but not after the practice of asking for email passwords.
LinkedIn is the primary reason I'm cautious to link my different services to something external (facebook, twitter, etc.). Even those I'm a bit more lax on compared to my email.
Nothing, but me and my devices, should ever have a reason to access my email. If someone or something is trying to access my email, even with explicit permission, there's no way they can be up to anything good.
The activities that originate from LinkedIn touching your email account are definitely sketchy at best, and definitely spam. There doesn't seem to be a good way to stop unwanted emails going to a single address.
Hell, I've found that even getting them to stop sending you emails regarding your account / groups you joined doesn't always work. Speaking to their support department ends in a response with something like "our engineers are aware" with no change in behavior.
Half of me wants to just get rid of LinkedIn, the other half of me likes seeing old acquaintances getting promotions/moving on to greener pastures.
Please stop being scummy...we'd all appreciate it.
> LinkedIn is the primary reason I'm cautious to link my different services to something external
I've gone further. I routinely create email aliases for any new services I may need to use. (Yes, I have one dedicated to HN too.) That gives me quite a few nice features:
1) My email addresses are not generally cross-service
2) It's somewhat harder to consolidate my data even when the addresses are "leaked" (read: sold) from one service to another
3) I see with absolute clarity which service my email address was siphoned from.
4) I can trivially delete the address. It's just a line in /etc/aliases.
For #3, I haven't done any accurate measurements but it seems that an address finds its way to spammer lists about as often through the service selling it as it does from a user of that service inadvertently placing it on one.
Yep, the '+' as a separator is one of the many Postfix features.
However, the problem with using the "account+identifier" is that the identifier is simply ignored when delivering mail. With a real alias I can actually revoke an email address, by simply removing it from the aliases. With an identifier I would have to explicitly reject mails for a given recipient part.
I prefer to keep things simple. Bouncing spam is a bonus.
gam create alias idontwearseatbelts user crashtestdummy
The only problem with aliases is that it completely breaks using email as a unique id to link you with people. You basically fix spam but lose the "people you may know" feature on social sites where you actually care about knowing who you may know on it (i.e. not linkedin).
Explicitly reject / add a 'move to spam folder' filter, but yeah. And some places I've given +names have sent to my un-suffixed address (I mostly suspect bad email sanitizing / filtering due to Hanlon's Razor, but ya never know).
Right after you log in, they display a page that looks almost exactly like a login page asking for your email address and password.
I didn't read the page -- I assumed it was either a "verify your email" or "authentication failed" page of some sort, so I entered my Gmail email address and password. (No, I didn't enter my Gmail password. Read below.)
There is a REALLY easy-to-miss "skip" link (I forget the exact text) on the page, but the page looks so much like a login window or "verify your address" window or some other window like that that you don't realize it (and think the "skip" link is probably saying something typical like "Forgot your password?"), so you go ahead and type your credentials -- even though you've already logged in.
The only thing that saved me was the fact that Google asked me if I wanted to "Allow Access" or not, and that made my heart skip a beat and I finally realized what had happened. Thanks Google.
The scary part is that you DON'T have to type in your Google password for this to work! In fact, I typed in my LinkedIn password (I'm not quite stupid enough to type in my Google password on LinkedIn's website) -- but Google still popped up a window asking me for permission, because I was already logged into Google and it didn't even bother checking my password.
So LinkedIn almost got my permission without me ever entering my Gmail password... I almost granted access (thinking it might have been an OpenID thing) before I came to my senses and thought, WTF just happened right now?! Hell no!
This is really the heart of it isn't it? Even if LinkedIn has text in a 40pt font that says, "Import your address book, we're going to log into your email account and download your contacts so that we can link you with them and here is exactly what we're going to do with them," you probably still wouldn't have read it.
LinkedIn went significantly out of their way to position and format that page to phish people. I used to fall for it periodically because I just assumed I'd been signed out and my linkedin credentials were pre-filled in waiting to fail to gain access to my email fortunately. That is the heart of it.
If they'd put a 40pt font message, or simply not positioned the "other" email + password sign in screen straight after the "real" email + password sign in screen, we wouldn't be having this discussion.
The most damning part is that's not even what they're being sued for - they're being sued for another way they scammed their way into people's email accounts.
It might be a good time for you to pick up the dictionary and look up what "deception" or "misleading" means.
> even if [...] you probably still wouldn't have read it.
Wow, so you've read a few words of my writing and you already know me so well, so much better than myself? Well, even if you look those words up in the dictionary, you still probably won't understand what they mean.
(And FYI, no, I would have read it if it didn't look like another of the same login page.)
They display a prompt asking for a username and password. It is easy to think that it is asking the person to log into the site. If somebody uses the same password for their email and LinkedIn, it can trick that person into giving LinkedIn permission to read their email.
This happened to me. I'm not an idiot, I always intended to specifically avoid giving them my email credentials. I just discovered that I had indeed done it at some point. This is grounds for me terminating my account with them.
I had always purposefully avoided giving LinkedIn my email password, but when I just clicked the link to remove contacts given upthread, somehow LinkedIn magically had all of my email contacts. So, I gave it to them at some point. I am really displeased.
I really do not understand how LinkedIn is still in business after all the crap they have pulled over time: they have been trampling on their users for years.
Is everyone so cheap that they wouldn't pay for a professional that would not have to resort to these fishy and downright scammy (scummy) tactics?
What does it say about the value of your professional life when all you can afford to further it is to give that much power to an organisation whose sole incentive is to make money off your back by whatever means necessary?
Maybe because most professionals think the costs outweigh the benefits, and because there are no suitable alternatives?
LinkedIn's value also seems to become dearer the higher up you go in organizational hierarchies. And their canny strategies to hook more of the C-suite (e.g. 'Influencer Posts') seem to be working quite well. I see superbly shitty posts like Vivek Wadhwa's "Facebook is Doomed" (https://news.ycombinator.com/item?id=6424292) doing great on the 'LinkedIn Today' home page for days [Edit: Just checked. It's been on my home page for 4 days now!]. Thus proving that the mediocrity (which tends to rise to the top in large organizations) is truly flourishing at the top of LinkedIn's food chain :)
I would presume that their acquisition of Rapportive plays some part in their use of emails and recommendations.
I know for a fact I have never given them access to my email accounts but they have started surfacing 'people you may know' recommendations that are actually email addresses from my contact book where I have Rapportive installed.
Agreed. LI has become far too intrusive as of late, and I really hate that some folks in different industries, specifically tech, value this as the end-all, be-all. If I have to miss out on certain opportunities due to my lack of visibility on LNKD, then so be it. Just not a fan of what they're doing over there at all.
Does anyone have any alternatives to LinkedIn? I think it plays a function that's useful, particularly the floating, easily discoverable resumes you can point people at plus recommendations. But the cons just drastically reduce its overall value well below zero.
The resume aspect is easy enough to host yourself, and the searchability is not clearly an overall pro anyways: I really don't want to be harassed by random recruiters who found me using a keyword search.
But would it be weird to host your recommendations of others on your own site? I.e. include a link to some canonical representation of their identity and vouch for them? That may be getting into the weird territory. And what about hosting their recommendations of you? That seems well into the weird territory.
Maybe the best thing that LinkedIn offers is a willingly creepy networking site that gives you an excuse to ignore social norms.
"To see my current online profile, please visit http://..." (link to careers.so)
I lost my first job after uni three months ago and started looking. People told me I'm severely limiting my chances by not having a full LinkedIn profile. They were wrong, I found an amazing job and the bulk of interview offers came from people seeing my SO, C.SO or GitHub profiles.
C.SO doesn't have all the meaningless social bullshit, also top companies and recruiters pay a lot of money to just use their search engine.
Also, all LinkedIn mail gets redirected to the bin.
Gmail has a feature that lets you see what IP addresses you have logged on from. (Look for the little link at the bottom right.) Would LinkedIn's IP show up there if they are using your google password? Has anyone ever seen this behaviour?
Any person who used their company email to sign up to linkedin and then leaked the password by giving it to linkedin should be sued by the company that employs them for negligence. They are the same people who re-use their passwords and write them on post-it notes.
Frankly I have no sympathy for them at all. As you can probably tell.
Sorry, I am probably overreacting. It does annoy me every time people complain about security or privacy when they themselves hold those two in the lowest regard possibly crossing over to contempt. And in some cases those people know what they are doing is lazy and wrong and do it anyway. I start looking for the bottle just thinking about it.
Thank god someone took this step. LinkedIn. I will never work for you. I don't like your service. One time I chose to only send invites to several friends. Instead, LinkedIn sent out invites to every single person on my Gmail contact list, some are public mailing lists and it was embarrassing. Linus way: FU LinkedIn. Your UI sucks.