LinkedIn launched an innovative new feature yesterday that brings its network of business information and contacts right into Apple’s native iOS email service, but there are already alarm bells ringing about potential pitfalls.
Update: LinkedIn has provided further details of the process, which we’ve included at the bottom of this post. Chiefly it says that user data is “not permanently stored anywhere inside LinkedIn data centers.”
The key part is that LinkedIn — a company that has suffered high profile privacy breaches in the past, which we’ll come to later — wants you to trust it with your email credentials. That’s hugely personal data so it’s understandable if many people are once bitten, twice shy.
LinkedIn Intro is essentially a service that sits between iOS devices and their owners’ email accounts, pulling in data from LinkedIn — such as photos, connections and work details — to deliver “insights in your inbox”. The concept originates from Rapportive, a startup LinkedIn acquired last year, which developed a browser extension that modified Gmail.
The technical details are explained in some detail in a (rather self-congratulatory) post on the LinkedIn engineering blog.
The company is using OAuth, an established authorization protocol, to manage access to Gmail and Google Apps accounts, but it seems that those who use any other email service will need to trust LinkedIn to handle their precious log-in details with caution.
The engineering post describes the proxy like this: “The Intro proxy server speaks the IMAP protocol just like an email provider, but it doesn’t store messages itself. Instead, it forwards requests from the device to your email provider, and forwards responses from the email provider back to the device. En route, it inserts Intro information at the beginning of each message body — we call this the top bar.”
That requirement of trust should be a concern if any third-party or company wants to get involved in your email — or any other personal data, for that matter — but it’s even more of a worry because LinkedIn has made some high profile privacy and data gaffes in the past.
Hackers got access to 6.5 million passwords in June of last year, while it was also found to have collected and transmitted names, emails and notes from users’ calendars without explicit permission — and in plain text.
It’s unclear how Apple feels about LinkedIn essentially hacking its email service to promote its social network. Given how rigidly it polices the App Store and its own ecosystem, it’s almost certain that Apple doesn’t want the security of its users put in the hands of another company.
We’ve reached out to LinkedIn for further clarification on the security processes behind Intro and its correspondence with Apple, and we’ll update this article with any details that we’re given.
Already many people are raising concerns and, personally speaking, while I appreciate the technical prowess behind LinkedIn’s new feature, I’ll be giving it a miss.
I don’t know quite what to think about this. But my first reaction is “ick.” http://t.co/Vz5JTo6KSy
— Lessien (@Lessien) October 24, 2013
LinkedIn’s new ‘feature’ for iOS mail is nutballs http://t.co/Jn89N9qKD3 “Hi, we lost all of your passwords pls give us your email logins.”
— Matthew Panzarino (@panzer) October 24, 2013
— Kos (@theKos) October 23, 2013
So Linked In wants to sit in between you and all your email. Hmmmmm. Uhm….nope.
— Dave Oliver (@daveoli) October 24, 2013
Update: LinkedIn has made the following addition to its blog post:
We wanted to provide additional information about how LinkedIn Intro works, so that we can address some of the questions that have been raised. There are some points that we want to reinforce in order to make sure members understand how this product works:
- You have to opt-in and install Intro before you see LinkedIn profiles in any email.
- Usernames, passwords, OAuth tokens, and email contents are not permanently stored anywhere inside LinkedIn data centers. Instead, these are stored on your iPhone.
- Once you install Intro, a new Mail account is created on your iPhone. Only the email in this new Intro Mail account goes via LinkedIn; other Mail accounts are not affected in any way.
- All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted.
- Your emails are only accessed when the Mail app is retrieving emails from your email provider. LinkedIn servers automatically look up the “From” email address, so that Intro can then be inserted into the email.
For any additional questions, please visit the LinkedIn Intro Pledge of Privacy which provides more details. We hope that this gives you all the information about how Intro works. It is our goal to make our members more productive and successful, and we think LinkedIn Intro helps us towards achieving that goal.
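The two descriptions above (the engineering post's account of the proxy inserting a "top bar" at the start of each message body, and LinkedIn's update saying emails are touched only while Mail is fetching them) both come down to one mechanism: a server in the IMAP path rewrites message bodies in transit. The following Python is an added illustration, not code from LinkedIn, Apple or this article. It models that rewrite on a constructed sample message and then shows the practical consequence for anyone who verifies message integrity: a body hash computed before the proxy, such as the one a DKIM-signing provider places in the bh= tag (RFC 6376, "simple" body canonicalization), no longer matches afterwards. The message, the addresses and the top bar text are all made up; Intro's real top bar format is not described on the page.

```python
"""Added example (not LinkedIn's or Apple's code): model an inline IMAP proxy
prepending a 'top bar' to a message body, and show that a body hash computed
on the message before the proxy no longer matches after it. The message,
the sender details and the top bar text are all constructed for this example."""
import base64
import hashlib
from email import message_from_bytes, policy

# Constructed sample message (addresses and text are made up), CRLF-terminated
# as it would arrive over IMAP.
ORIGINAL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Meeting\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Hi Bob,\r\n"
    b"See you at 3pm.\r\n"
    b"\r\n"
)

# Hypothetical top bar; the real Intro format is not described on the page.
TOP_BAR = "[Intro] Alice Example - Engineer at Example Corp\r\n\r\n"


def insert_top_bar(raw: bytes, top_bar: str) -> bytes:
    """What the proxy does en route: return the message with top_bar prepended
    to its text/plain body. The stdlib parser keeps headers and any multipart
    structure intact; only the chosen body part is rewritten."""
    # policy.SMTP serialises with CRLF line endings, as on the wire.
    msg = message_from_bytes(raw, policy=policy.SMTP)
    part = msg.get_body(preferencelist=("plain",))
    if part is None:  # nothing to annotate (no text body)
        return raw
    part.set_content(top_bar + part.get_content())
    return msg.as_bytes()


def canonical_body_hash(raw: bytes) -> str:
    """Body hash as DKIM (RFC 6376) computes it with 'simple' body
    canonicalization: drop trailing empty lines, ensure exactly one final
    CRLF, SHA-256, base64. A signing provider commits to this value in bh=."""
    _, _, body = raw.partition(b"\r\n\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def body_intact(raw: bytes, expected_bh: str) -> bool:
    """Integrity check a receiving client can run: does the body still hash
    to the value the sender committed to?"""
    return canonical_body_hash(raw) == expected_bh


def demo() -> dict:
    """Sender commits to a body hash, the proxy rewrites, the receiver checks."""
    bh_at_sender = canonical_body_hash(ORIGINAL)
    after_proxy = insert_top_bar(ORIGINAL, TOP_BAR)
    return {
        "untouched_passes": body_intact(ORIGINAL, bh_at_sender),
        "rewritten_passes": body_intact(after_proxy, bh_at_sender),
        "top_bar_present": b"[Intro] Alice Example" in after_proxy,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a defender is that a transparent body-rewriting proxy is indistinguishable, to any integrity check downstream of it, from tampering: every annotated message fails the same check a forged one would, so a client behind such a proxy loses the ability to tell the two apart.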
Headline image via Ben Scholzen / Flickr