Yesterday, I wrote about LinkedIn’s recent Privacy Policy changes, by means of which the company snuck in the right to use your name and photo in adverts placed by third parties.
You weren’t offered the choice to enable this new feature at will, because it was turned on by default for everyone.
And LinkedIn didn’t warn you directly – which it could easily have done by email – that you might very well want to turn it off.
Crudely put, and in my own words, LinkedIn gave itself the right to mine your usage habits to determine what products and services you’re interested in, and then to use your name and photo in what amounts to an endorsement for those products and services when they’re advertised to other users.
If you were to put a positive spin on this sort of policy change, you might call it something like an exciting new feature which automatically improves your online experience with no cost or effort on your part.
But you might equally well describe it much less flatteringly as a terms-and-conditions land-grab or as a privacy policy bait-and-switch.
And, as regular readers of Naked Security will know, we aren’t big fans of privacy changes that are used by service providers as a vehicle to introduce a brand-new ‘opt-out’ feature. (Opt-out means it is on by default until you get around to turning it off.)
We think that a better business standard would be to make this sort of new feature opt-in. We accept that short-term sales goals might be easier to achieve with opt-out, but we know that opt-in would be safer for users. Indeed, users with strong opinions about privacy would become strong advocates for a service provider which set this sort of standard. The privacy regulators would be pretty impressed, too.
So we feel sure that adopting an opt-in model would actually be better for a service provider’s business value in the long term.
With this in mind, we invited our readers to email LinkedIn with words to this effect:
Dear LinkedIn,
Why not lead the way on privacy?
Become truly opt-in - not just on the basis that a new user opts in altogether by joining up in the first place, but on the basis that everything is locked down until a new user opens up each feature.
Many of you let us know you’d asked LinkedIn to do just that.
The good news is that LinkedIn’s Director of Product Marketing, Ryan Roslansky, has already responded publicly to the complaints the company has been receiving.
Roslansky has also recognised that the company should have been more open about its new ‘social ads’ feature, and has even agreed to make some changes to the system.
In particular, LinkedIn has quickly admitted that it took a step too far, respectfully conceding as follows:
Most importantly, what we've learned now is that, even though our members are happy to have their actions, such as recommendations, be viewable by their network as a public action, some of those same members may not be comfortable with the use of their names and photos associated with those actions used in ads served to their network.
And LinkedIn has agreed to change the look-and-feel of its ads:
I suspect that many companies would find it really hard to react this quickly – except perhaps to say, “We are taking your comments seriously and will determine a course of action after a series of internal business committees have anguished over the implications of any changes, when the economic simulations are complete, and once the lawyers are happy.”
So, from Naked Security to LinkedIn, “Well done!”
There is some bad news, however. There’s still no sign that LinkedIn is willing to go down the opt-in path. The company still seems happy with opt-out, though I must admit that it has made opting out of social ads fairly straightforward. A couple of clicks will do it.
Nevertheless, I’d say this is a real result. It may be just a first step towards stronger privacy standards, but it’s good for you, and it’s good for LinkedIn. Respect!
right on!! power to the people!! 😀
The best part here is the link at the bottom to let us quickly and easily turn it off! Thanks!
Thanks for the heads-up on this one! I recently set up a LinkedIn profile. I had no intention of LinkedIn using my photo to promote ads with which I may or may not agree. This is a serious privacy issue, and exactly the kind of irresponsible conduct that will eventually result in stricter privacy legislation because companies cannot control the urge to make a quick buck with an ethically questionable privacy violation.
I updated my preferences and fired off a letter to LinkedIn.
Why doesn't the US (which is home to most of these companies) fix their privacy laws so that any changes to a website's existing privacy policy cannot be implemented until after all current members have been notified of the changes and provided with a simple option to either accept the changes and continue using the service or to decline the changes and close their accounts?
I realise the companies won't back this but, to be frank, screw them. They want our data and our attention; they need to be more customer-oriented and realise that their "stock" is their members, not just their advertisers.
If the local supermarket started changing prices on goods after you had picked the item off the shelf and before you got to the checkout without providing any notice, they would quickly lose their membership base.
Unfortunately not enough people are leaving Facebook or LinkedIn for them to care how they treat their customers. One day their growth will slow and their focus will have to shift into nurturing and retaining their members.
In yesterday's article, the email I suggested people send to LinkedIn was slightly longer than what I quoted above. It also said:
"Don't wait until the regulators in the world's developed economies start legislating to make you do so. Take the lead. People will love you all the more in the end."
One problem with this is that as long as neither the regulators nor the social networks change, the lower the pressure on either of them to do anything 🙁
I work in marketing for an online company and so I say this knowing full well that it will make my job only more challenging.
Some sort of regulation needs to occur internationally for the internet. It needs to be a cooperative effort like the United Nations. If there was a regulator (and I'm not talking censorship here at all) that could force companies to comply with some international standards and to provide a central point for governments to escalate matters when direct communication is not possible (e.g. online companies refusing to respond to law enforcement requests) or have their domains suspended, then consumers would get a much better, safer online experience.
As it stands in real life, any industry without some sort of regulation eventually becomes a haven for criminal activity. This has happened much faster online and will only continue to worsen unless something is done.
Ultimately I think blaming the social media companies is like banging our heads against the wall. Perhaps it's time the focus shifts to forcing ICANN into actively developing an international ombudsman and to become far more proactive in establishing some regulation. For too long ICANN have sat idly by with the power to force change and yet they have done nothing. Governments around the world have trouble convincing domain registrars and websites to comply with their requests. ICANN could easily make it a requirement for websites to assist governments with upholding their local laws (especially consumer laws, privacy laws & child protection laws etc) or to lose their domain.
Too little too late for me on their part. I deleted my account as I am still not impressed by their changes nor their new business tactics.
Paul,
Nice work. We picked up your coverage over at Marketing Pilgrim. I will say that I am not as forgiving as you are in this one, though. If not for the recognition and pressure LinkedIn would have "gotten over" on this one and they did for a little while. This behavior signals a change in how LinkedIn is doing business moving forward and I can't help but wonder if this is due to it being public and new pressures for quarterly results being a part of their everyday existence.
In the end, it's good they made A change but the big one that you speak of, which is an opt-in policy is not likely to ever happen. Just as most people don't pay attention to privacy updates like you do they also won't see even the chance to opt in so LinkedIn won't be able to scale these efforts to the point where it can be a viable option for advertisers. As a result, working backwards by having everyone in gives them an instant product and scale to boot. I suspect that they are still happy even after this negative publicity.
Great job and thanks again.
I gave up on LinkedIn the day I received an ad which included a picture of me I had deleted several months ago. The site's terms of use stipulate that you can modify your profile content but don't explicitly mention the ability to permanently remove some information. The only way to do that is to terminate the account. So they feel they can reuse at will any piece of data you've ever sent to their systems. Scary.