Subject: [Friend]'s invitation is awaiting your response
Body: [Friend] would like to connect on LinkedIn. How would you like to respond?
[Photo of friend] Confirm you know [Friend]
... and ...
Subject: Invitation to connect on LinkedIn
Body: [Photo of friend]
I'd like to include you in my network to share updates and stay in touch.
All emails sent from friend's email account, not LinkedIn. I've confirmed with friend that they were completely unaware of this and were quite embarrassed.
Not cool, LinkedIn, and most definitely dishonest.
I signed up using email address A, and when I signed in I saw suggestions for "people you may know", but it included people I had only ever corresponded with via email address B (bear with me here, it gets more interesting...). It wasn't even people any of my contacts know. From what I can tell people I had corresponded with using email address B (which incidentally doesn't even have a real name associated with it) had given their password to LinkedIn (probably via 'find people you know' or whatever). It seems that LinkedIn went through my friends' gmail contacts and one or more of my friends had probably annotated me in their contact list with my actual name. LinkedIn then associated my name with email address B. From that LinkedIn combined it with more info from people who gave them their gmail address and password who I'd only ever corresponded with a few times anonymously via my unnamed address (B, which LinkedIn has now linked with my name).
Net result is "people you may know" including people I had only corresponded with anonymously via email address B with full details of their name and place of work etc. What makes it creepy is that I used email address B when I tried online dating a few years ago. I used email address B to first get to know people before deciding whether to give them more info about me etc. Now LinkedIn has kindly provided me with the full name and place of employment of the women I chatted to via "people you may know" (I recognised their photos from the dating site from a few years ago) and vice versa (yikes! a great way to wind up getting stalked). The only link between me and "people you may know" is that I corresponded with them via an email address not even associated with my LinkedIn account, and none of my friends or contacts is in any way associated with them. If that isn't creepy I don't know what is.
So the primary form of collection that should concern us most is media that spy on us while we use them. Books that watch us read them, music that listens to us listen to it. Search boxes that report what we are searching for to whoever is searching for us and doesn’t know us yet.
There is a lot of talk about data coming out of Facebook: is it coming to me? Is it coming to him? Is it coming to them? They want you to think that the threat is data coming out. You should know that the threat is code going in.
For the last 50 years, what has been happening in enterprise computing is the addition of that layer of analytics on top of the data warehouse that mostly goes in enterprise computing by the name of "business intelligence". What it means is you’ve been building these vast data warehouses in your company for a decade or two now; you have only information about your own operations, your suppliers, your competitors, your customers. Now you want to make that data start to do tricks, by adding it to all the open source data out there in the world, and using it to tell you the answers to questions you didn’t know you had. That’s business intelligence.
The real threat of Facebook is the BI layer on top of the Facebook warehouse. The Facebook data warehouse contains the behavior, not just the thinking but also the behavior, of somewhere nearing a billion people. The business intelligence layer on top of it, which is just all that code they get to run, covered by the terms of service that say "they can run any code they want for improvement of the experience". The business intelligence on top of Facebook is where every intelligence service of the world wants to go.
Imagine that you are a tiny little secret police organisation in some not very important country. Let’s put ourselves in their position. Let’s call them, I don’t know what, you know ... "kirghista".
You are a secret police; you are in the "people business"; secret policing is "people business". You have classes of people that you want: you want agents, you want sources, you have adversaries, and you have influencables, that is, people you torture who are related to adversaries: wives, husbands, fathers, daughters, you know, those people.
So you are looking for classes of people. You don’t know their names, but you know what they are like: you know who is recruitable for you as an agent, you know who are likely sources, you can give the social characteristics of your adversaries, and once you know your adversaries, you can find the influencables.
So what you want to do is run code inside Facebook. It will help you find the people that you want; it will show you the people whose behavior and whose social circles tell you that they are what you want by way of agent, sources, what their adversaries are and who you can torture to get to them.
So you don’t want data out of Facebook; the day you have data out of Facebook, it is dead. You want to put code into Facebook and run it there and get the results you want to cooperate.
I had to raise a support ticket to find this link.
You have to go through every damn letter of the alphabet, and click like 4 different buttons, and wait for 2 page refreshes for each letter. Half the time it doesn't work and you have to refresh the page and try again.
I've gotten through "L" and now their server is giving me errors.
Are you sure about this? LinkedIn could just be using the friend's email address as the envelope sender; the email would still be coming from LinkedIn's mail server network.
I'd really love to see the headers of one of these messages.
Received: by 10.216.15.83 with SMTP id e61csp34535wee; Sun, 4 Aug 2013 04:14:33 -0700 (PDT)
Received: from maile-fd.linkedin.com (maile-fd.linkedin.com. [220.127.116.11]) by mx.google.com with ESMTP id ck10si13864843pad.187.2013.08.04.04.14.31 for <[me]>; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
X-Received: by 10.68.135.162 with SMTP id pt2mr17184363pbb.42.1375614872583; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
Received-Spf: pass (google.com: domain of s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com designates 18.104.22.168 as permitted sender) client-ip=22.214.171.124;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com designates 126.96.36.199 as permitted sender) smtp.mail=s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com; dkim=pass firstname.lastname@example.org
Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-
Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=q1KRuTf4aDEOi5VREcMRO4Doq6XyksTGxJVZMaRGMds1RAi/nevXn8l1yGjBp3ed bSZCOz8kdSYBSnp8/gVqQ0UxpsSpQsAaZFrz1yvWjphpr7/DJKaD7Ap6sSUofZ13
Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; email@example.com; t=1375614871; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=+IqpICLV7N0HAZ46nQfd4mjluOA=; b=dh0hTwqcAoV966RGjsPQexTPDRGSX7o0W9IXG6sWZeDO55b4Xo8Z5riP6dRkYtbu /OO5DxfX1/8F8NHDoxK+3KR+YREUY/r0soM2EySz3S8yWd0CkVWMfpxhzRJzDTap zk0xKG+Oz3Y3jNFg+IQtv/R4uPXo83Cn1OetkC6jKfo=;
Content-Type: multipart/alternative; boundary="----=_Part_76554966_2133229866.1375614871641"
A little sneaky on their part, but nothing too surprising.
I didn't spot any personal / identifiable information in the headers, you should be OK.
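Added example, not part of any post in this thread: one way to settle the question raised above from headers like these, by comparing the From: domain with the domains that SPF and DKIM actually authenticated. The message, its domains (service.example, example.org, example.net) and the trusted server name mx.example.net are constructed placeholders, and the helper names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample shaped like the headers posted above. The domains
# (service.example, example.org, example.net) and the IP are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass (example.net: domain of s-abc123@bounce.service.example designates
 192.0.2.10 as permitted sender) smtp.mail=s-abc123@bounce.service.example;
 dkim=pass header.i=@service.example
DKIM-Signature: v=1; a=rsa-sha1; d=service.example; s=sel1; c=relaxed/relaxed;
 h=From:Subject:Date:To; bh=PLACEHOLDER; b=PLACEHOLDER
From: Friend Name <friend@example.org>
To: me@example.net
Subject: Invitation to connect

(body omitted)
"""

def _unfold(value):
    # Join folded header continuation lines into one line.
    return re.sub(r"\r?\n[ \t]+", " ", value or "")

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _org(domain):
    # Simplification: treat the last two labels as the organizational domain.
    # Real DMARC evaluation uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def analyze(raw, trusted_authserv):
    """Report which domains authenticated the message versus the From: domain."""
    msg = message_from_string(raw)
    auth = ""
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", "", _unfold(value))  # drop comments
        # Only trust results stamped by our own receiving server.
        if value.split(";", 1)[0].strip().lower() == trusted_authserv:
            auth = value
            break
    results = dict(re.findall(r"\b(spf|dkim)=(\w+)", auth))
    env = re.search(r"smtp\.mail(?:from)?=([^\s;]+)", auth)
    envelope = _domain(env.group(1)) if env else ""
    signers = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {k.strip(): v.strip() for k, v in
                (t.split("=", 1) for t in _unfold(sig).split(";") if "=" in t)}
        signers.append(tags.get("d", "").lower())
    from_domain = _domain(msg.get("From", ""))
    authenticated = set()
    if results.get("spf") == "pass" and envelope:
        authenticated.add(_org(envelope))
    if results.get("dkim") == "pass":
        # Assumes the passing signature is one of those present in the message.
        authenticated.update(_org(d) for d in signers if d)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope,
        "dkim_domains": signers,
        "authenticated_as": sorted(authenticated),
        "from_aligned": _org(from_domain) in authenticated,
    }
```

For the sample, `analyze(SAMPLE, "mx.example.net")` reports the message as authenticated by service.example with `from_aligned` false: SPF and DKIM passing says which servers handled the mail, not that the person named in From: sent it.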
And any email provider should obviously immediately blacklist them. Worse than spam.
Eek, I hope not. That would make me and anyone else who's ever written a form-mailer or similar with "-firstname.lastname@example.org" or "From: email@example.com" guilty of wire fraud.
> And any email provider should obviously immediately blacklist them. Worse than spam.
I'm a mail provider. I'd like to, but the reality is that a lot of people are on LinkedIn on purpose, and it would be wrong for me to blackhole them just because I don't like them. Fortunately, anybody on my mail system that doesn't like LinkedIn can easily adjust their own SpamAssassin settings right from the webmail interface.
This wouldn't be terribly different from (not that I know an example) me sending a letter to friend A and putting friend B as the return address, sending a letter by proxy. Of course in that case, there isn't even a method to see who actually sent the letter, whereas the information on who sent the email is still contained in the email.
An example: I had a real life connection to a trainer, I studied for an industry qualification with him. I had zero online connections to him. Somehow LinkedIn put us together.
His profile mentioned nothing about taking that course, mine mentioned nothing about attending his course. My work handled all the procurement side of things so he had no access to my email address or anything like that.
In credit to LinkedIn, this guy happened to be the best trainer I'd ever studied with so I was actually pleased to see the recommendation. Still wondered how they managed it though!
Except I have never sent any LinkedIn invitations ever, nor connected LinkedIn to my GMail account.
Not only is LinkedIn forging e-mails and deep-mining connections, they're moronic enough to treat those forged e-mails as organic.
Incompetence vs. malice… why choose?
Every time a friend joins their network, I get tons of “invitations to connect”, despite the fact that I have “unsubscribed” from their spam-list (to which I never subscribed in the first place) enough times.
Real professionals should not need spammy social networks to prove themselves.
Yup. As far as I can tell/am concerned, the old fashioned 'meatspace'-networking method never stopped working.
I get recruiter spammed without them, so even for that they don't seem necessary.
What if you don't want to stay with the same industry for the rest of your life? All your contacts probably already endorsed you for your skills in that industry. It seems like a situation that increases friction in trying to move between fields, industries, and job positions.
Should you delete your profile? Would it seem weird to potential employers/business relationships that you are missing a LinkedIn profile?
I think this will become a more visible problem in the near future.
BUT... I don't think you should delete it. I think mastery of one job speaks to the type of person who can master another. The real red flag is people who can't point to any big accomplishments in anything...
I think in the long run, I don't really want to believe what people said on LinkedIn. I just don't. We all have those moments where we just want to say Yes to every question LinkedIn asks: "Does so and so have this skill?"
I never gave LinkedIn my email creds (I'm astounded that they have the gall to ask for my email password). Also, it is 100% inconceivable to me that all of these people would have given LinkedIn access to their email accounts.
Also, it really isn't that hard to guess how it works (hint: are you sure you need every single person to give address books access to build a graph?).
Explain that one.
I doubt they are using anyone's credentials without permission, or "hacking" accounts either, but their mobile apps do have full access to your contact list.
Given that email address books are really large, only a few of them might give lots of these sorts of second-order connections.
Second order connections on the LinkedIn network could be driving these recommendations too. People's friend-of-friends sets can be really large, like typically tens of thousands if I remember right...
Well, why not? I've recently given in and created a Google account again; they're doing the same thing. I even had to confirm in a pop-up box that I really don't want to give them access to my emails. (And that I really don't want to follow celebrities on G+.)
I don't know why the EU goes after cookies but not after the practise of asking for email passwords.
Then I got a LinkedIn account and almost got tricked into typing my credentials... it was only when the Google authorization screen came up that I realized what had happened.
More detail needed here. How did they almost trick you? What did they say or what did they display that made you think it was something different?
Surely when you were entering the details, it was still clear you were on LinkedIn's website? No? (This is a genuine question... I don't have a LinkedIn account.)
I didn't read the page -- I assumed it was either a "verify your email" or "authentication failed" page of some sort, so I entered my Gmail email address and password. (No, I didn't enter my Gmail password. Read below.)
There is a REALLY easy-to-miss "skip" link (I forget the exact text) on the page, but the page looks so much like a login window or "verify your address" window or some other window like that that you don't realize it (and think the "skip" link is probably saying something typical like "Forgot your password?"), so you go ahead and type your credentials -- even though you've already logged in.
The only thing that saved me was the fact that Google asked me if I wanted to "Allow Access" or not, and that made my heart skip a beat and I finally realized what had happened. Thanks Google.
The scary part is that you DON'T have to type in your Google password for this to work! In fact, I typed in my LinkedIn password (I'm not quite stupid enough to type in my Google password on LinkedIn's website) -- but Google still popped up a window asking me for permission, because I was already logged into Google and it didn't even bother checking my password.
So LinkedIn almost got my permission without me ever entering my Gmail password... I almost granted access (thinking it might have been an OpenID thing) before I came to my senses and thought, WTF just happened right now?! Hell no!
It was partially my fault, because I used the same password for my Gmail account as I did for my LinkedIn account. Never again.
This is really the heart of it isn't it? Even if LinkedIn has text in a 40pt font that says, "Import your address book, we're going to log into your email account and download your contacts so that we can link you with them and here is exactly what we're going to do with them," you probably still wouldn't have read it.
If they'd put a 40pt font message, or simply not positioned the "other" email + password sign in screen straight after the "real" email + password sign in screen, we wouldn't be having this discussion.
The most damning part is that's not even what they're being sued for - they're being sued for another way they scammed their way into people's email accounts.
It might be a good time for you to pick up the dictionary and look up what "deception" or "misleading" means.
> even if [...] you probably still wouldn't have read it.
Wow, so you've read a few words of my writing and you already know me so well, so much better than myself? Well, even if you look those words up in the dictionary, you still probably won't understand what they mean.
(And FYI, no, I would have read it if it didn't look like another of the same login page.)
Nothing, but me and my devices, should ever have a reason to access my email. If someone or something is trying to access my email, even with explicit permission, there's no way they can be up to anything good.
The activities that originate from LinkedIn touching your email account are definitely sketchy at best, and definitely spam. There doesn't seem to be a good way to stop unwanted emails going to a single address.
Hell, I've found that even getting them to stop sending you emails regarding your account / groups you joined doesn't always work. Speaking to their support department ends in a response with something like "our engineers are aware" with no change in behavior.
Half of me wants to just get rid of LinkedIn, the other half of me likes seeing old acquaintances getting promotions/moving on to greener pastures.
Please stop being scummy...we'd all appreciate it.
-Everyone from the Internet
I've gone further. I routinely create email aliases for any new services I may need to use. (Yes, I have one dedicated to HN too.) That gives me quite a few nice features:
1) My email addresses are not generally cross-service
2) It's somewhat harder to consolidate my data even when the addresses are "leaked" (read: sold) from one service to another
3) I see with absolute clarity which service my email address was siphoned from.
4) I can trivially delete the address. It's just a line in /etc/aliases.
For #3, I haven't done any accurate measurements but it seems that an address finds its way to spammer lists about as often through the service selling it as it does from a user of that service inadvertently placing it on one.
Later this +postfix makes it easier to find out which source is the leak.
Most of the websites let you sign up with "+" in your e-mail but unfortunately not every site.
The other trick is that GMail ignores "." in email user so my.name can be just as well "myname". Not that it helps with the spam, just a sidenote.
However, the problem with using the "account+identifier" is that the identifier is simply ignored when delivering mail. With a real alias I can actually revoke an email address, by simply removing it from the aliases. With an identifier I would have to explicitly reject mails for a given recipient part.
I prefer to keep things simple. Bouncing spam is a bonus.
gam create alias idontwearseatbelts user crashtestdummy
I was really scared by it when I discovered it. I could avoid this because I was using a different password for my mail account; anyway, I think many people gave their email account to LinkedIn silently.
And now they are finally getting punished.
Is everyone so cheap that they wouldn't pay for a professional that would not have to resort to these fishy and downright scammy (scummy) tactics?
What does it say about the value of your professional life when all you can afford to further it is to give that much power to an organisation whose sole incentive is to make money off your back by whatever means necessary?
LinkedIn's value also seems to become dearer the higher up you go in organizational hierarchies. And their canny strategies to hook more of the C-suite (e.g. 'Influencer Posts') seem to be working quite well. I see superbly shitty posts like Vivek Wadhwa's "Facebook is Doomed" (https://news.ycombinator.com/item?id=6424292) doing great on the 'LinkedIn Today' home page for days [Edit: Just checked. It's been on my home page for 4 days now!]. Thus proving that the mediocrity (which tends to rise to the top in large organizations) is truly flourishing at the top of LinkedIn's food chain :)
Is this a thing? Can any website slurp my contacts if I have hotmail or gmail open in the same browser? How are they doing this?
I know for a fact I have never given them access to my email accounts but they have started surfacing 'people you may know' recommendations that are actually email addresses from my contact book where I have Rapportive installed.
The resume aspect is easy enough to host yourself, and the searchability is not clearly an overall pro anyways: I really don't want to be harassed by random recruiters who found me using a keyword search.
But would it be weird to host your recommendations of others on your own site? I.e. include a link to some canonical representation of their identity and vouch for them? That may be getting into the weird territory. And what about hosting their recommendations of you? That seems well into the weird territory.
Maybe the best thing that LinkedIn offers is a willingly creepy networking site that gives you an excuse to ignore social norms.
"To see my current online profile, please visit http://..." (link to careers.so)
I lost my first job after uni three months ago and started looking. People told me I'm severely limiting my chances by not having a full LinkedIn profile. They were wrong, I found an amazing job and the bulk of interview offers came from people seeing my SO, C.SO or GitHub profiles.
C.SO doesn't have all the meaningless social bullshit, also top companies and recruiters pay a lot of money to just use their search engine.
Also, all LinkedIn mail gets redirected to the bin.
Frankly I have no sympathy for them at all. As you can probably tell.
It has become abundantly clear this is a pet peeve of yours!
It seems all of the technology companies are giving their best effort to invading privacy and undermining trust on a societal level. There will be lasting consequences for these behaviors.
self updating rolodex for people that change employers frequently.