Oct 24 2013
“I know! Let’s build a man in the middle (MITM) attack into our iPhone app so that we can inject small bits of information into their email that show how useful our site and service are. At the same time we’ll now have access to every piece of email our users send, and even if we only have the metadata, well, that’s good enough for the NSA and other national spying agencies, isn’t it? Let’s do it!”
I have to imagine the thinking was nothing like that when LinkedIn decided to create Intro, but that’s basically what they decided to do anyway. If you read the LinkedIn blog post, you can see that they knew what they were doing was a MITM attack against your email, even if they call it a proxy. They’ve broken the trusted, or semi-trusted, link between you and your IMAP provider in order to get access to your email so they can insert a piece of HTML code into each and every email you receive. Additionally, they’ve figured out how to make that code executable directly in your email.
Basically, what LinkedIn is asking you to do is install a new profile that makes them the proxy for all your email. This is similar to what you do for your corporate email when setting it up on a new phone, but rather than a profile finely tuned for that corporation, LinkedIn builds the new profile on the fly by probing your phone’s mail configuration and basing the proxy settings on what it finds.
I have a hard time believing that nobody at LinkedIn waved a red flag when this was brought up. You’re asking users to install a new profile that makes you their new trusted source for all email, you’re asking them to trust you with their configuration, and you’re capturing, or at least having access to, the stream of all authentication data for their email. Didn’t anyone at LinkedIn see a problem with that? I have to imagine there are plenty of corporate email administrators who will.
Given recent history and the revelations about the collection of metadata about a person’s communications, LinkedIn is audacious to say the least. They know what they have, or at least want to have: information similar to what Google and Facebook have about your daily contacts and habits. This is a huge data mining operation for them, aimed at learning everything they can about their users and applying that to advertising. But I think they have overreached in their desire to have this information and are going to get shut down hard by Apple. And this doesn’t even take into account the fact that they’ve already had data breaches and are being sued for reaching into consumers’ calendars and contact information.
I don’t think LinkedIn has been a good steward of the information they’ve had before, and there’s no way I’d install Intro onto one of my iDevices if I were a heavy user. The fact is, I have an account that I mostly keep open out of habit, and this is nearly enough to make me shut it down for good. If I wanted my every move tracked, I’d just keep a Facebook tab open in my browser. And while they may not be much of an example when it comes to privacy, I guess Facebook is a great example when it comes to profitability. Way to go LI.