I’m not a LinkedIn user – at least not yet, though I suspect that like many of my friends and colleagues I may eventually feel compelled to “be there or be square”. As a non-user I haven’t been tracking changes to the default privacy settings of the service, or the implications of those changes.
Neither, it seems, has most of the rest of the world.
Nearly two months ago, LinkedIn updated its Privacy Policy. To give the company credit, it did prefix its official policy with a summary, and it provided a link at the top of the policy page to show you the changes since last time. (For programmers: this takes the form of a changelog, not a diff.)
That’s just as well, because LinkedIn’s Privacy Policy runs to almost 6400 words – that’s about 10% of the length of a respectable novel.
Even the summary and the changelog top 1000 words each.
And, as blogger Steve Woodruff pithily points out, amongst the changes is an on-by-default new feature that you may not yet have seen, definitely need to know about, and almost certainly want to turn off:
LinkedIn may sometimes pair an advertiser's message with social content from LinkedIn's network in order to make the ad more relevant. When LinkedIn members recommend people and services, follow companies, or take other actions, their name/photo may show up in related ads shown to you. Conversely, when you take these actions on LinkedIn, your name/photo may show up in related ads shown to LinkedIn members. By providing social context, we make it easy for our members to learn about products and services that the LinkedIn network is interacting with.
Crudely put, LinkedIn will mine your usage habits to determine what products and services you’re interested in, and then use your name and photo in what amounts to an endorsement for those products and services when they’re advertised to other users.
This feature is opt-out, even though it reduces your privacy and infers your goodwill, and even though it wasn’t part of LinkedIn’s service when many current users signed up.
Like Facebook with its controversial and much-dissected opt-out facial recognition functionality, LinkedIn has snuck this one in under the radar.
As we said on Naked Security nearly two years ago – this time with Facebook crossed out, and LinkedIn written in in crayon [*]:
Dear LinkedIn,
Why not lead the way on privacy?
Become truly opt-in - not just on the basis that a new user opts in altogether by joining up in the first place, but on the basis that everything is locked down until a new user opens up each feature.
Don't wait until the regulators in the world's developed economies start legislating to make you do so. Take the lead. People will love you all the more in the end.
You can do your bit to get the message across.
Firstly, you can cut-and-paste the above letter and email it to LinkedIn at abuse@linkedin.com. As a subject line, try something like this: An observation about your new opt-out Manage Social Advertising option.
Secondly, you can turn the offending option off. From the pulldown menu under your name at the top right of your LinkedIn pages, choose Settings. Then choose the Account tab at bottom left, and click Manage Social Advertising.
Or you can visit the Privacy Policy, in which LinkedIn has (to its credit) included a link in the relevant part of the policy which takes you directly to the above opt-out dialog.
If you’re on LinkedIn, and want to keep abreast of the latest security news, join the Naked Security LinkedIn group.
–
* With apologies to the Fish Licence sketch by Monty Python’s Flying Circus.
Opted out. Thanks for that!
Any idea what happens for those who don't log in regularly? Can they expect an e-mail notice of the change to give them an opportunity to opt out, or are they hoping to ninja it past us all?
Steve Woodruff (article linked to above), who's a LinkedIn user, writes that he found out about it only via a private notification – a friend of a friend of a friend who'd noticed and thought it worth pointing out to his chums.
The privacy policy changed back on 16 June – LinkedIn obviously hasn't emailed you yet, and no-one else I've spoken to who's a LinkedInner has been alerted, other than implicitly by means of the new privacy policy.
Even if there were an email in transit as we speak, it would be a bit late IMO 🙂
I can confirm that;
* I was not aware.
* I was not informed in any way, shape or form.
* I have sent them a copy-paste of the e-mail text and suggested subject.
* I have opted out of both their social advertising offerings.
Following that; Thank you, Paul & Steve – good looking out!
Thanks to both of you for catching this one. I have done the same as BFroberg above.
regards Martin
My opinion is that once you start putting your information out there on the Social Web it becomes your responsibility to pay attention when changes occur. LinkedIn has a habit of improving and changing their UI almost weekly which alerts me to use my common sense and check my security settings. It only makes sense. Your information out there, is still your information and it is your responsibility to monitor the use.
Put your 'big boy' pants on and take responsibility for your own information. If you are concerned with how your information is being used, why aren't you monitoring it? LinkedIn and Facebook are not obligated to tell you when they make changes. It would be nice but we live in the reality of the real world.
In the real world we don't actually have the time to spend monitoring all sites just in case there is a change : that's a full time job in itself. Changes should be opt-in – the only reason these changes are opt-out is because they know full well that nobody in their right mind would *ever* opt-in to them so the only way they can deliver any people to the advertisers is by hoping users don't notice. Underhand and dishonest.
It's not just that it would be 'nice'. It would also be fair, and reasonable, and respectful, and compliant with both the letter and the spirit of the law.
I think it's time that the large and successful social networking companies – which have, after all, grown wealthy thanks to your unpaid traffic-generating labour – started behaving in ways which set higher privacy standards, and which more clearly differentiated them from the many "bait-and-switch" scammers or shonky marketing affiliate networks we see online.
Of course we should all be vigilant – and I am glad that you are. But is it really asking too much to expect the social networking giants to be a bit more proactive and open when they plan to shift the legal goalposts of the undertaking you entered into with them – at their insistence – when you joined the club?
The fact that they can get away without doing so doesn't mean they ought to.
Clearly you're a more avid user than I. I hardly go on there at all, I have LinkedIn in my system tray for connections-updates, other than that I find little actual reason to visit the site unless I need to update my job info or yell at James Lyne for no clear reason. ^,^
Excellent posting!! I love LinkedIn, but this is nasty!!
Hank Arnold (MVP)
What else can you expect from a service that:
1. Encourages wholesale linking of users' entire addressbook for spamming of invites,
2. Does not include a decline/I don't know this person option in the invitation emails,
3. Does not include the ability to opt an email address out of invitations without creating a profile.
4. Sends multiple reminders to the captive audience of invitees.
Thank goodness for spam rules, but I shouldn't have to set up rules to avoid harassment from services I don't even use.
Thank you! Opted out and sent the email.
Thanks! No way do I want my photo showing up in a competitor's ad!!!!!!
What were they thinking?
What BFroberg just wrote above. Me too.
Thanks. Good to see you guys are on their tails – email sent!
Opted out earlier today and sent the email. I got one email back saying they'd gotten it, and got another one about 4 hours ago:
We want to apologize for any inconvenience and misunderstanding that may have taken place with our Privacy Policy update in regard to Social Advertising.
Although we did publish a Blog Posting http://blog.linkedin.com/2011/06/23/social-ads/ in regard to this change and also alerted members with a link at the top of their Account Homepage, we understand your frustration in feeling it was not communicated strongly enough. We have provided this feedback to our Executive teams in charge of such changes in an effort to avoid similar inconveniences in the future.
In regard to the information shared, the ads show how public actions of your network, including product recommendations and the number of followers of that company, can help you decide whether or not you should take the time to learn more about the product or service. Information is pulled from Companies you "Follow" or "Recommend". Furthermore, you always maintain full control over your privacy settings on LinkedIn, and can opt out https://www.linkedin.com/settings/?tab=account of these ads anytime.
Once again, we apologize for any inconvenience this may have caused and please let us know if you have additional questions in regard to Social Advertising on LinkedIn
If you have further questions, please feel free to reply to this message.
Matthew
LinkedIn Ads Specialist.
So there you go.
Really great work, Naked Security! I love social media in general, but it freaks me out when they make these sorts of changes and don't let users know about it; that's really BAD intention!
Thanks for having drawn my attention to the opt-out issue. I opted out this morning, sent an e-mail to LinkedIn and just got the following reply :
"Thank you for your questions and feedback related to our privacy policy and social advertising platform. Please see our latest blog for clarification on and update to our social ads approach: http://blog.linkedin.com/2011/08/11/social-ads-up…
If you have additional questions in regard to this, please reply to this message and we’ll be more than happy to assist."
LinkedIn updated their policy not to do this anymore: http://blog.linkedin.com/2011/08/11/social-ads-up…
So they push us to publish full name, face picture, title, qualifications, work story, etc. etc, yet their staff only sign as “Matthew – LinkedIn Ads Specialist.” ???