More than 50% of relevant users in sample affected
This article is for people who think if they set something to “only my friends (connections or network) are allowed to see this,” only their friends should be able to see it.
I have recently learned that my privacy settings on LinkedIn have been ineffective for some time. Information that several of my connections and I set to be private within LinkedIn has been copied over to at least one other website and can be found on Google.
For reasons ranging from identity theft to risk calculations, some people create a very limited Public Profile (currently http://www.linkedin.com/profile/public-profile-settings) on LinkedIn, showing for example only the Basics (Name, industry, location, number of recommendations) and the Headline.
Not only have I created a limited Public Profile, I’ve restricted access to my Photo (currently http://www.linkedin.com/profile/edit-picture-info) so that “In addition to users I message, my profile photo is visible to… (o) My Connections only”.
Despite these precautions, when I performed a Google search for myself in double quotes, as the seventh result on the first page I found my Current Position, my Past Positions, and my Photo, clearly from LinkedIn, served from another website: the French “people-finder” website Yatedo.
The positions were slightly outdated, indicating that Yatedo had grabbed a copy maybe a few weeks earlier. Yet the photo was served via a URL from LinkedIn, which shouldn’t work with the privacy settings in place.
After checking a sample of my connections who have privacy protections on their LinkedIn information, I find that, scarily, five of them have also had their supposedly private information leaked to the other site. Five leaks out of fewer than 10 users who have chosen to actually use privacy settings.
(I did not count the users who didn’t use privacy settings. I did not count those for whom a link to LinkedIn was provided instead of a copy of data. I only counted copies of data of users who want privacy. As sample size I only checked a total of less than 50 of my connections.)
How do you know a connection of yours has privacy settings? Compare what you see in a browser that is logged into LinkedIn versus a browser that isn’t. The logged-out view is what any anonymous visitor, including a scraper, gets. If that view doesn’t show work history while the logged-in view does, privacy settings are tighter for that user. That user really cared. Hence, if the other website has that user’s more detailed LinkedIn information, it must have “got into LinkedIn” somehow, through some authenticated path rather than the public profile.
How do you know info has been copied rather than merely linked? Several ways. Firstly, the info matches exactly some peculiar details a person has written: between typos, oddities, repetitions, overlaps, and funny ways people describe themselves, you can tell. Secondly, in my case I also knew it was slightly outdated, because I had since added a long-term contract to my LinkedIn page, which the other site didn’t show; a stale copy points to a snapshot taken at some earlier date. Thirdly, the info is present as literal text in the other site’s HTML source (view the page source), not pulled in from LinkedIn at view time via a link or an embedded widget.
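The two checks above can be scripted against saved page copies: the logged-in and logged-out views of a profile yield the set of fields the member actually withholds, and the third-party page is then searched for those exact strings (whitespace and case normalized, since layouts differ) and for images served from LinkedIn hosts. This is an added example, not code from the original post or from LinkedIn or Yatedo. The profile fields, the photo URL and the third-party HTML are constructed sample data, and the list of LinkedIn-operated hosts (linkedin.com and its CDN licdn.com) is an assumption. Everything runs offline on the embedded samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: hosts that serve LinkedIn profile content.
# (linkedin.com and the licdn.com CDN; not a statement from the original post.)
LINKEDIN_HOSTS = ("linkedin.com", "licdn.com")


class _PageScanner(HTMLParser):
    """Collect visible text and <img src> values from an HTML document."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.image_srcs = []
        self._skip = 0  # nesting depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.image_srcs.append(src)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)


def _normalize(s):
    """Collapse whitespace and case so a copied string still matches across layouts."""
    return re.sub(r"\s+", " ", s).strip().casefold()


def is_linkedin_host(url):
    """True if the URL's host is one of the assumed LinkedIn hosts or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LINKEDIN_HOSTS)


def private_fields(logged_in, logged_out):
    """Fields a connection sees that the anonymous (logged-out) view withholds.

    This difference is what the member's privacy settings actually protect; any of
    it appearing on a third-party site did not come from the public profile.
    """
    return {k: v for k, v in logged_in.items() if logged_out.get(k) != v}


def find_leaks(third_party_html, private):
    """Report which withheld fields appear verbatim on a third-party page.

    'copied'  : withheld fields present as literal text (or as an <img src>)
    'absent'  : withheld fields not found, e.g. added after the copy was taken
    'linkedin_hosted_images': images the page loads directly from LinkedIn hosts
    """
    scanner = _PageScanner()
    scanner.feed(third_party_html)
    scanner.close()
    page_text = _normalize(" ".join(scanner.text_parts))
    copied = sorted(
        k for k, v in private.items()
        if _normalize(v) in page_text or v in scanner.image_srcs
    )
    absent = sorted(k for k in private if k not in copied)
    linkedin_images = [src for src in scanner.image_srcs if is_linkedin_host(src)]
    return {"copied": copied, "absent": absent, "linkedin_hosted_images": linkedin_images}


# Constructed sample data (not the post's real profiles or pages).
SAMPLE_LOGGED_IN = {
    "name": "Jane Q. Sample",
    "headline": "Information security consultant",
    "current_position": "Senior Security Consultant at Example Risk Partners (contract)",
    "past_position": "Firewall Wrangler & Log Whisperer at Acme Widgets",
    "photo_url": "https://media.licdn.com/mpr/mpr/shrinknp_200_200/sample-photo.jpg",
}
SAMPLE_LOGGED_OUT = {  # the limited Public Profile: Basics and Headline only
    "name": "Jane Q. Sample",
    "headline": "Information security consultant",
}
SAMPLE_THIRD_PARTY_HTML = """
<html><body>
<h1>Jane Q. Sample</h1>
<p>Information security consultant</p>
<div class="exp">Firewall  Wrangler &amp; Log Whisperer at Acme Widgets</div>
<img src="https://media.licdn.com/mpr/mpr/shrinknp_200_200/sample-photo.jpg">
<script>var tracking = "Senior Security Consultant";</script>
</body></html>
"""


def report():
    """Run the check on the constructed samples."""
    return find_leaks(SAMPLE_THIRD_PARTY_HTML,
                      private_fields(SAMPLE_LOGGED_IN, SAMPLE_LOGGED_OUT))


if __name__ == "__main__":
    print(report())
```

On the samples the past position and the photo come back as copied, the later-added current position is absent (the snapshot predates it), and the photo is flagged as loaded straight from a LinkedIn host, which is exactly the combination the post describes. Text inside script tags is ignored so that a tracking snippet mentioning a job title does not count as a copied field.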
Maybe LinkedIn can explain their way out of this. Maybe they will try to maintain that they never promised your info won’t be published and they can’t control what others do with info. Yatedo apparently has been catching unfavorable attention for some time already, per http://closeyatedo.blogspot.com/ and http://www.linkedin.com/in/closeyatedo (as always I can’t know what will be at those links the day you click them).
From a user point of view, particularly those with paid accounts who expect the privacy tools to work as advertised, this can be very disappointing.
You could say that should be for LinkedIn to investigate and fix how the bad guys are able to do this. Some people are paying enough for their LinkedIn accounts (it adds up through the years) so they can expect decent service.
One possible explanation is that some users hand out LinkedIn account credentials, or authorize “applications” against their account, on websites that promise services, and those websites then use that access to read the profiles of everyone that account is connected to, with the connection-level visibility the user has. LinkedIn keeps this process remarkably opaque.
For example, in my Account Settings, I have previously puzzled over https://www.linkedin.com/secure/settings?userAgree= . Why are there no links to those “External Websites”? I have to guess what LinkedIn Developer Network, Engineering Microsite etc. do for me in return for my authorizing them. And why no explanation of what “data” they have access to, e.g. contacts, work history, etc.? “Your LinkedIn data” could be all of it, or little of it.
I have also puzzled over https://www.linkedin.com/settings/data-sharing “[x] Yes, share my data with third party applications.” What data, what applications? How do I know what would break if I switch it off? Who switched it on? Default? Me? Some app?
In light of what looks like theft of information, better explanations are called for.
Was I just plain stupid to leave my information vulnerable? If this leak is the result of trying out an app recommended by a reputable source (i.e. LinkedIn) that turned out to be a bad guy’s app, I’m in the company of smart people: of the five people I identified with clearly leaked info, three are senior executives and one is a successful security expert. But the more serious issue is:
Information has leaked from LinkedIn.
Do people care? Out of 300+ users who received a first notice about the existence of this kind of leak, one closed her LinkedIn account within 72 hours of publication. Regular citizen. Apparently people do care.
And while Yatedo is certainly the bad guy here, people have signed up with LinkedIn, often paying for its services, in the belief that they’d get the kind of privacy its web pages suggest. It should be LinkedIn’s job to squash Yatedo, and similar scourges.