Paul's Internet Landfill/ 2016/ LinkedIn

LinkedIn

For reasons that are fairly obvious, I have been spending time on LinkedIn recently. It makes me feel gross. I am actively upset that LinkedIn has become the default social network for our work personas. Job application sites like https://waterlootechjobs.com include a field for your LinkedIn profile, and it hurts you if you don't include one. Job applications require you to "Connect with LinkedIn" in order to complete their applications. Recruiters on panels say that not having a LinkedIn profile is a "red flag". For better or for worse, LinkedIn has the network effects and has the mindshare, and it is not clear that there are any viable competitors in this niche.

But LinkedIn is a deeply unethical company, and it upsets me that they are so successful. They became successful via spamming. At the time I first signed up for an account, LinkedIn was notorious for going into the address books of your email and then sending out "invitations" to all of your contacts. The "From" names of these invitation emails were deeply misleading: they would appear to come from the victim ("From: Paul Nijjar") and not LinkedIn. The people on your contact list would get a misleading email appearing to have been written by you. In any other context we would call that phishing. In LinkedIn's case we called that effective marketing, and we then rewarded LinkedIn by signing up so that it eventually could be successfully sold to Microsoft.

As an email administrator, I tried to teach my users how to identify spammy and malicious emails. The kinds of techniques LinkedIn used to grow its network (harvesting address books, sending misleading emails) are exactly the techniques I would warn users about. By using these spamming techniques, LinkedIn undermined my message that users should never trust such emails.

LinkedIn still wants to rifle through your address books, but at least they have changed the From header to identify themselves ("From: Paul Nijjar via LinkedIn"). It is easy for them to do so now, because they won the network war. That does not make their growth tactic any more ethical.

It doesn't end there. When I signed up for LinkedIn they had a ridiculous restriction on password length. I think the password had to be between eight and fourteen characters, which was a trivially small length even in 2006. I distinctly remember being incensed by this, and at the time I was not even using a password manager. Did LinkedIn care? Nope. Then (surprise, surprise) they got compromised in 2012, and it was revealed that they were storing these passwords in a terrible way (namely, with no salting). Then in 2016 it was revealed that instead of 6.5 million credentials being stolen, 117 million had been stolen. Did they care? Not much. We have continued to trust LinkedIn with our passwords AND a bunch of information that many people wish to keep private (namely, that they are sneaking around behind their employers' backs looking for other jobs).

LinkedIn STILL hasn't learned its lesson. Although passwords can now be a little longer than they were before, they are still limited to 47 characters. That is not long enough. Microsoft has allowed Active Directory passwords to be 255 characters for years.
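The two complaints above (unsalted storage and short maximum lengths) are easy to make concrete. The following is an added example, not code from the original post and not anything LinkedIn runs; the post only says the passwords were stored "with no salting", so the choice of SHA-1 for the unsalted scheme, the PBKDF2 parameters, and the sample accounts are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts for the demonstration (not real credentials).
# Two users chose the same password, which is common across a large user base.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}


def unsalted_hash(password: str) -> str:
    """Unsalted, fast hash. The post only says 'no salting'; SHA-1 is an
    assumption made here so there is something concrete to run."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    PBKDF2 accepts passwords of any length, so there is no storage reason
    to cap them at 14 or 47 characters."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    """What a breached credential table looks like with no salt: one column."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def build_salted_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Salted storage: each row carries its own salt next to the digest."""
    return {name: salted_hash(pw) for name, pw in users.items()}


def duplicate_groups(hashes: Dict[str, object]) -> List[List[str]]:
    """Group usernames whose stored values are identical. In an unsalted dump
    this is exactly what lets one recovered password unlock every account
    that shares it; with per-user salts the groups disappear."""
    by_value: Dict[object, List[str]] = {}
    for name, value in hashes.items():
        by_value.setdefault(value, []).append(name)
    return sorted(group for group in by_value.values() if len(group) > 1)


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(build_unsalted_table(SAMPLE_USERS)))
    print("salted duplicates:  ", duplicate_groups(build_salted_table(SAMPLE_USERS)))
    salt, digest = salted_hash("x" * 300)  # a 300-character password is fine
    print("long password verifies:", verify_salted("x" * 300, salt, digest))
```

Running it shows alice and bob collapsing into one group in the unsalted table and no groups at all in the salted one, and a 300-character password going through the KDF without any special handling; the only thing a short length cap protects is a scheme that should not be in use anyway.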

None of this is 20/20 hindsight reasoning. The day I signed up for LinkedIn I saw their password restrictions and knew they did not take security seriously. Then they had a huge compromise of 6.5 million passwords and said they were very very sorry, but instead of being safe and forcing password expiry for ALL their users, they tried to minimize the impact, which burned them a SECOND time when it was revealed that way more accounts had been compromised than they first realized. Now I am supposed to believe that they really really care about security, but the only evidence I have for this is that they were bought by Microsoft (which really does care about security, having been burned multiple times itself). Is that enough? Not in my view. LinkedIn has little incentive to focus on security, because they have the network effect on their side and have no real competitors. It is not as if people are going to switch away from LinkedIn if/when they have another giant breach.

And then there is the surveillance. LinkedIn is a poster child for the surveillance economy. It tracks everything you do while logged into the site: if you visit a profile, if you click a link, and of course if you make a connection. It then turns around and teases potential customers with that data: "7 people looked at your profile this week! Buy LinkedIn Premium to find out who they are!" LinkedIn does not pay us for the privilege of collecting this data, but it does its best to monetize it. In return for giving it our data we supposedly get benefits back, such as being able to apply for jobs.

You probably don't think this is so bad. But consider the adversarial aspects of the job search. People search for jobs while they are still employed (in fact, it is much easier to get a job when you are employed than when you are not), but employees don't want to let their employers know that they are looking. But LinkedIn knows, and it tracks this data. Furthermore it has no compunctions about making this data available to others -- for a price. Wouldn't it be valuable for employers to know which of their employees are currently seeking other employment opportunities? Wouldn't it be convenient for LinkedIn to sell this information to employers, provided they could do so without scaring away the job searchers? Yes, yes it would. And although I am guessing they do not have such a membership available for employers yet, I am sure they will as soon as they can get away with it. As far as I can tell it is completely fine for LinkedIn to implement such a service so long as they only provide it to other LinkedIn customers (e.g. managers at companies).

Wouldn't it be useful if businesses could use LinkedIn to gain intelligence about their competitors? Which competitors have troubles retaining employees? Which employers are hiring, and what are the skillsets of those hires? LinkedIn tracks this information. Why would it not make it available to the highest bidder? There could be a paid membership tier that allows you to track the employees at a particular company, and a different more expensive tier that allows your company not to show up in such reports. LinkedIn claims to serve the interest of its Members foremost, but it does not specify which members.

Why should any of us believe that LinkedIn has our best interests at heart? LinkedIn is a surveillance company, and its job is to collect our data and synthesize it into insights they can sell to others. In their privacy policy they state that "maintaining your trust is our top priority" and then proceed to undermine that trust by stating that they do not comply with "Do Not Track" (DNT) requests from web browsers because there is no DNT standard. It isn't that they are doing the best they can to honour the spirit of DNT requests subject to a standard being finalized; it is that they are ignoring the signal completely.

At the end of the day this comes down to trust. I only trust LinkedIn to the extent that it can be punished for doing untrustworthy things, and to the extent that their interests align with mine. Given that they have a near-monopoly on the "employment social network" niche, and given that avoiding LinkedIn is a real liability when looking for jobs in this area, it is clear that I have no real way to punish them for misdeeds. Given their lackadaisical treatment of security and the way in which their business model depends on tracking me, their interests do not align with mine much at all.

None of this argument has to do with the quality of LinkedIn itself. It is clear that LinkedIn fills a niche. I recently re-read the 2000 edition of What Color is Your Parachute, and it is amazing how many of the research steps advocated by that book (finding hiring managers, finding people at target companies to extract information from) are addressed by LinkedIn. But just because LinkedIn fills a niche does not mean it is ethical, and it does not mean that we ought to have rewarded it with our trust and attention.