LinkedIn Intro? No thanks. My email security is too important

Graham Cluley

LinkedIn wants iPhone users to sign up for a new service called Intro. My advice? Don’t.

LinkedIn Intro extends the standard iOS Mail app in ways that Apple never intended to be possible, injecting HTML code into the top of the emails you receive so you can view someone’s LinkedIn profile alongside their message.

In a fairly self-congratulatory blog post entitled “LinkedIn Intro: Doing the Impossible on iOS”, LinkedIn engineers explain just how clever they have been.

And yes, to give them credit, from the engineering point of view it is pretty nifty. But from the security and privacy point of view it sends a shiver down my spine.


Rather than your iPhone connecting directly to your email provider’s servers (Gmail, Yahoo, etc), it will be connecting via LinkedIn’s proxy server instead – which will act as a middle-man in your email communications.

LinkedIn will then look at your email messages, and insert Intro information into each one.

The iPhone Mail app, before and after LinkedIn Intro

In case you’ve forgotten, LinkedIn is the company which lost the passwords of over six million users last year.

LinkedIn also scooped up the contents of users’ iOS calendars, including sensitive information such as confidential meeting notes and call-in numbers – which they then transmitted in plain text, not encrypted.

LinkedIn is also, currently, the subject of a lawsuit alleging that they hacked into email accounts, in an attempt to mine address books.

Whether you believe that that lawsuit has merit or not, it’s clear that LinkedIn doesn’t have a spotless record when it comes to security and privacy.

I’m not suggesting that it has created LinkedIn Intro with any malicious intentions (unless you consider them injecting an advertisement for their brand in every email malicious), but clearly security is not part of the company’s DNA – and that troubles me.

Furthermore, I find it hard to imagine any security-conscious firm being comfortable with its employees handing LinkedIn access to its emails.

And *why* do you even *need* LinkedIn Intro anyway?

If you receive a business email from someone, don’t they normally have a sig at the bottom explaining who they are, and who they work for?

What *real* advantage are you getting by having LinkedIn rifle through every email you receive? Is it just that they put it at the top of the message, rather than require you to scroll to the bottom?

The company says that you can trust them with LinkedIn Intro:

LinkedIn Intro integrates with your email, and we understand that this carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe.

Well, the first thing to do if you want to keep your very personal or sensitive information safe is to reduce the chances of a breach. Adding another link in the privacy chain which could be potentially exploited is not the direction you should be going in.

Don’t use LinkedIn Intro.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “LinkedIn Intro? No thanks. My email security is too important”

  1. Spryte

    A few years back, in his blog, Steve Gibson posted the following comment about another company, but it applies equally to LinkedIn…

    He states that the company has no assets except our personal information and to make money they have to “Monetize” it.

    The complete post is available at:
    http://steve.grc.com/2010/05/24/facebook-and-the-ford-pinto

    An interesting read.

    1. GlassSneakers · in reply to Spryte

      I'm not sticking up for LinkedIn but that's not entirely true in their case. They monetize their platform by charging users.

      1. AndyP · in reply to GlassSneakers

        No, LinkedIn monetize their platform by charging companies
        huge amounts of money for access to the data about users. At the
        moment this seems to be mainly for recruitment and advertising
        purposes, but with email data as well it can go way beyond
        that.

  2. Alex P

    Wait, so they alter any message you *retrieve*? That means
    that even if I refuse to install this, they'll still have
    access to any email I send to someone with this app
    installed!

  3. Jim Dibb

    How do you feel about the Mailbox app in this respect?
