How LinkedIn exfiltrates extension data from the browser (prophitt.me)
510 points by asaasinator on June 18, 2019 | 149 comments



Not only that, but the article itself is a retelling of a story that would have happened two years ago [0], and the GitHub repo he links at the end is a clone of the repo in [0] (which the author himself is the sole contributor to).

The whole thing is weirdly deceptive.

[0] https://news.ycombinator.com/item?id=18853607


Not only what? Was this supposed to be a reply to something?


Let's put this into context. It looks like LinkedIn is trying to detect specific plugins which affect the page/UX. The plugins the author links to are for scraping personal emails for email marketing "leads." This is totally common, so I'm not making any kind of judgement here, but I think LinkedIn has a right to protect its service and users. I can imagine the support requests that happen where the LinkedIn the person is seeing isn't the same as LinkedIn would be pretty confusing. Not all people are smart enough to know what all their extensions do, especially if they use them for their job and were told to install and use them.

With all that said, I also think people have a right to use the extensions they want to scrape or block content on sites they visit, so catch 22 I guess.

It's worth thinking of this from both angles before getting angry at LinkedIn, or the author of this post :)


>I also think people have a right to use the extensions they want to scrape or block content on sites they visit

Do you also think people have a right to record movies they watch in the theater?

I think people are free to run whatever extensions they want in their browser. I think companies are also free to tell people they aren't welcome if they're going to use that extension.

Why should a company like linkedin be FORCED to serve anyone? It's not a public service, they aren't a government entity, you have no right to their service.


> I think companies are also free to tell people they aren't welcome if they're going to use that extension.

Or a particular browser. Or a specific operating system. Or the wrong brand of device.

You can probably see where I'm going with that, but in case it's not perfectly clear, I'm trying to say that a company might want to dictate a lot more than just what extension you're using in a browser. Not everyone is going to agree that they are right to do that.

Bear in mind that there's more to consider here than the legality of what they're doing. The openness of the Internet, the interoperability of different operating systems and devices over a particular somewhat-standardized protocol -- these aspects aren't regulated by a law, but they're still important. I'm one of those people who remember the Browser Wars and I don't remember them fondly.

Of course, it's not just about technical aspects, either. There's the whole grey area of whether it's okay for LinkedIn to metaphorically rifle through our proverbial pockets, looking for stuff they don't like and don't want to admit on their virtual premises.

So no, I wouldn't agree that things are as clear cut as you present them.


There is a balance. A theater probably shouldn't discriminate based on the shoes you wear, but may not offer a rewards app for FirefoxOS. Or a restaurant may not accept customers without shirts.

Of course where to draw the lines is important and up for debate


Not providing an app for FirefoxOS is not the same as refusing entrance because your phone runs FirefoxOS. The LinkedIn case seems to be closer to the latter.


As long as those companies do not have any monopoly[1] and do not offer any public service, why not?

They are not free to snoop into information that isn't standard or reasonable. But if they aren't running spyware on my computer[2], they can decide whatever they want with the information my browser sends to them.

[1] Do they? I'm not sure whether LinkedIn has a monopoly as middleman for job searchers.

[2] How does invasive Javascript stand here? I'm inclined to consider that it's my browser's job to protect me, not theirs. But if they do some very unreasonable things, the blame is on them again.



For better or worse:

https://www.theverge.com/2017/8/15/16148250/microsoft-linked...

AFAIK the current state of things is that LinkedIn is welcome to try and stop people from scraping the site, but it can't criminally charge them or try to legally block them from the service. Roughly the same situation as adblockers -- you can detect them and stick banners all over the place, but you can't outright bar someone from running uBlock Origin on your domain.

Please note that I am not a lawyer.


> Do you also think people have a right to record movies they watch in the theater?

Nope, but I'd sure be upset if I caught movie theater employees surreptitiously reaching into my pockets to check for cameras.


Instead they install cameras behind the screen to try to detect camera lenses :)

https://torrentfreak.com/movie-spy-cameras-attack-the-dying-...

They also apparently use the data to gauge emotional response to movie scenes!


> I also think people have a right to use the extensions they want to scrape or block content on sites they visit

> Why should a company like linkedin be FORCED to serve anyone?

Companies are routinely forced to serve people per the ADA and CRA. There are various rationales for them; I favor them because they cause a degree of integration that helps to disrupt identity politics.

I think, beyond that, if a company has clearly advertised terms of service and sticks to them (it should be possible to sue a company for violating its stated policies) then they should be able to reject customers if they want. Especially, it's often a reasonable engineering/business tradeoff to not support a customer over delivering a buggy product.


Why should LI be able to sell you the data (Recruiter service) that they don't own?

The difference in this analogy is that films are fully the IP of the production company but LI sells data that they don't explicitly own.


> LI sells data that they don't explicitly own.

What are you talking about? Anything you post on LinkedIn is their property. You can't legally access anything on their site without agreeing to their policy. Did you not read the agreement when you signed up for the site?

https://www.linkedin.com/legal/user-agreement


Have you read this at all?

https://www.linkedin.com/legal/user-agreement#rights

> As between you and LinkedIn, you own the content and information that you submit or post to the Services, and you are only granting LinkedIn and our affiliates the following non-exclusive license:


I did.

>You own all of the content, feedback, and personal information you provide to us, but you also grant us a non-exclusive license to it.

You can call it what you want, they have rights to use anything you post on their site as they see fit.


Yes. To be clear "non-exclusive license to it" is way different than owning it. Especially when they say "We’ll honor the choices you make about who gets to see your information and content, including how it can be used for ads." That means that they do not have the right to use it "as they see fit" because they agree to use it "as you see fit".

My point stands. They are selling your content without your explicit permission, and against their own terms of service unless you argue that people would agree to their data being sold to recruiters.

That's fine and they're able to do so. But don't say it's also ethical for them to aggressively prevent other services from doing that without paying them.


I notice you keep saying it's against their terms of service, without actually quoting where in the terms of service they say they won't do it. You keep picking and choosing partial quotes to try to prove a point that you can't make. Not sure if you're intentionally or unintentionally being ignorant, but you're wrong. If you don't like them selling your data, don't use the site. You agreed to it when you signed up.

I can just keep quoting it or you can just admit you're wrong:

>We will get your consent if we want to give others the right to publish your content beyond the Services. However, if you choose to share your post as "public", we will enable a feature that allows other Members to embed that public post onto third-party services, and we enable search engines to make that public content findable through their services.

>You and LinkedIn agree that we may access, store, process and use any information and personal data that you provide in accordance with the terms of the Privacy Policy and your choices (including settings).

Literally says right there that they're only getting your permission if they share your content outside of "Services" - meaning outside of the Linkedin Platform. Those recruiters are using the service.

>Services

>This Contract applies to LinkedIn.com, LinkedIn-branded apps, Slideshare, LinkedIn Learning and other LinkedIn-related sites, apps, communications and other services that state that they are offered under this Contract (“Services”), including the offsite collection of data for those Services, such as our ads and the “Apply with LinkedIn” and “Share with LinkedIn” plugins. Registered users of our Services are “Members” and unregistered users are “Visitors”. This Contract applies to both Members and Visitors.


Do you think people have a right to photocopy an entire book from the library? What about part of a book? What if I copy a paragraph by hand into my notebook?

Where is the line?

Also, companies are forced to serve people all the time. That was a large part of the fight for civil rights. At some level we do have a right to the service of a private company.


Yes. Yes. Yes. Nowhere.

Sure, but that doesn't make it not wrong. Companies are made of people. Forcing people to do something against their will is aggression; if they haven't started it then it's morally wrong.


I’m pretty much in agreement with you I think.


That's easy: LinkedIn should simply ask for permission. "Hey, you're about to submit a support request. Can we quickly check your browser for a few plugins that are known to cause trouble?"

"Is that plugin installed" is also a terrible "protection" against scraping.


Yeah, that's reasonable, I think it's much more likely to be an arms race w/ contact scraping extensions than a support issue.


Probably, but tbh, it sounds like a bad way to combat scraping, much like blocking curl user agent strings.

Looking for access patterns that are typical of automated usage is a much better answer - and not publicly showing email addresses to everyone, of course.


I think detecting extensions would be reasonable if they're doing this in order to figure out what features their users want that LinkedIn isn't providing, so they can start offering those features as first-party features instead.

But I doubt that's why they're doing this.


That's actually a pretty darn good idea, the invasiveness aside, in fact, if they were doing this for that reason, it may be easy enough to let folks know that's why so it doesn't feel so invasive.


This is worth getting angry at LinkedIn, sorry.


In addition to that I can’t help but to feel completely energy depleted after 5min of LinkedIn usage. The feed is just horrible. Everybody is doing great, no real discussions going on, trashy superficial insight videos. I only log in to read messages, but I am not able to ignore the feed.


> ...I can’t help but to feel completely energy depleted after 5min of LinkedIn usage. The feed is just horrible. Everybody is doing great, no real discussions going on....

Sounds like American workplace culture in a nutshell to me. If so, LinkedIn is actually doing it right.


Yeah, I don't really understand the social network features of linkedin. I guess I add people as connections sometimes but even that doesn't really seem important.

The only utility I get out of it is that I can put up my resume and get recruiters to contact me. Which more than makes up for everything else since it has led to job offers


How many of those offers have actually resulted in you taking a position though? I know my LinkedIn signal:noise ratio (where signal is an actual commercial deal of some kind) is extremely terrible


>How many of those offers have actually resulted in you taking a position though?

2 out of my last 4. There's a huge amount of spam. Mostly from big Indian firms looking for cheap labor to staff out a contract. But if you filter that out most of the other messages are legit that have a realistic potential of a job offer.


One, which is still enough to make everything else worth it. I get pinged for random contractor positions from bodyshops sometimes but also have gotten pinged by FAANG and hedge funds/trading firms


I got the job of my life, paying 2.5x my previous salary, after being cold-contacted on linkedin.


The only reason I have one is that I think potential employers would find it weird if I didn't. Many online application forms have fields for linkedin profile url. I may be mistaken, but I think sometimes it was even required.


It’s for practicing being a plastic, corporate drone.

“Congratulations on hiding your misery for 10 years!!!”


The only fun on there is when a random person decides to get all trollish and political.

The number of people willing to do that on LinkedIn is a bit shocking....


I used to work on one of those extensions. The lengths linkedin goes to "protect" public data is kind of absurd. If they poured those resources into building tools for salespeople the site would be far more valuable. Or, they could reopen their now closed developer program. It has also been established by lawsuit that those extensions have a right to do what they do.

Those extensions would break the site far less frequently if linkedin would stop trying to break them. And, our users definitely knew when it was us breaking linkedin.

I'm not sure it's as much a catch 22 as it is a self inflicted wound.


"public data"? I think you mean "my data"


It's data you made public by publishing it to LinkedIn, where the default privacy setting is "anyone who can log into LinkedIn can view this content."

It gets complicated when you start thinking of things like blocking other accounts from viewing your profile, or adjusting visibility settings. Arguably LinkedIn has a duty to protect the integrity of their privacy controls, which would entail implementing anti-scraping measures.


> It's data you made public by publishing it to LinkedIn, where default privacy settings is "anyone who can log into linkedin can view this content."

... under specific terms of use that scraping technically violates.


There’s actually quite a bit of data that’s viewable to anyone, logged in or not, that’s public. All we did was speed up what was happening anyway. Sales people all across the world copy and paste data from LinkedIn to Salesforce every day. They either do it manually, using the app I worked on, or one of the literally hundreds of competitors.


I disagree with your implicit assumption that automated access is equivalent to a person viewing the data. Scale changes the results. Technology is making things possible at scales and economies that were not viable before, and people are slow to adjust.

It's one thing to have police stationed at a bus stop, waiting for a suspect to emerge. It's another to network facial recognition cameras across a city or country and log the motions of the entire population.

It's one thing to greet people in a grocery store and offer coupons for your product. It's another to (as discussed a couple days ago) install Bluetooth beacons in a variety of stores, install trojan packages in popular phone apps, and track people moving through stores.

It's one thing to browse LinkedIn for a person's profile, read the bio of an interesting candidate, and email them. It's another to slurp up 2000 candidates and send an email to all of them.


>All we did was speed up what was happening anyway.

I can think of a number of crimes where this statement is also true, so I'm not so certain it serves as an adequate defense.


So the argument is that you are abiding their days because other people are also doing it.... Great morality...


If you don't want your data scraped for collection, you wouldn't put it on Linkedin. Really the only argument is, is it more moral for Linkedin to do it instead of a plugin?


There's no moral issue here. Sales people are going in and copying and pasting data field by field, and we made that process more efficient. All that software did is replace multiple clicks with one. Scrape the DOM and dump it into their salesforce instance. A sales person still needs to initiate the action. I'm happy to admit that I don't like sales people, I don't like cold calls, and what we did made it slightly more efficient for them to cold call people. But calling it a/immoral or an invasion of privacy is silly, unless you've already established that cold calls are immoral and I missed that.


If there are literally hundreds of competitors why would we need you also being a jerk?


Just because personal data is public does not give the right to use it, at least not in Europe.


This situation kind of falls into a grey area. The code in question is running locally in the web browser, most likely whether you have an account or not. If someone didn't create an account then they couldn't have agreed to allow this and most likely wouldn't have even been aware of this intrusive data mining script running in their browser. If there's nothing surreptitious or suspect about the code in question, why all the obfuscation and oddly specific legal clauses against "reverse engineering" LinkedIn's "source code", i.e. the script that's now running on my computer and/or device without my permission or knowledge. This all seems done in bad faith and exceeds a reasonable protection of a businesses intellectual property. I find it disconcerting that major corporations like LinkedIn get away with things that could have major legal repercussions if you or I did them.


>It's data you made public

It's data you or someone else you know made public. Guilty by association?


We end users don't need this. I hope you got a more honest job.


There are millions of dollars of software sales that say otherwise.


Dollars aren't the best way of measuring usefulness. A lot of damage is caused by money.


It doesn't seem wrong to me that a salesperson would find your email on a business site so that they could sell to you. Cold contacts are annoying when your answer is no, but morally wrong? Just use a burner email for every public location.


okay, there are millions of users paying money directly to use the service. they clearly find utility in it.


And there are billions of dollars of arms sale saying we need wars?


LinkedIn epitomizes everything wrong with today's front-end. npm, grunt, gulp, es6, ts, babel, webpack, yeoman, browserify, reactjs, React's mother and its dog, yarn, bower, jsx.. and so on.

13 MB of JS/css/html: https://imgur.com/a/oehQQzJ


That's Ember over there. Almost everyone who works on or maintains EmberJS works for LinkedIn.


Ember's beefy, but you can't blame 13MB on it.


I can certainly chime in on this. Yes it is Ember but I'd blame that on the way it is "abused".

At one point it had become so bad that we had to purge the excess whitespace from the HTML at the traffic layer with middleware. It actually had megabytes of whitespace.

Not to mention the server side rendering mess.

However when it comes to the subject matter of this thread, I don't think this is as sketchy as the OP makes it sound to be. This is LinkedIn's anti-scraping team at work, and nothing nefarious is going on.


> This is LinkedIn's anti-scraping team at work, and nothing nefarious is going on.

Are you a primary source or do you have a source to cite?


Primary source. I used to work at LinkedIn.

This would be the application security team's work. They have a pretty extensive anti-scraping initiative and I know for a fact that these are used to determine if the account is scraping or not.

Someone on a different comment mentioned the "email-hunter" extension. That's exactly the kind of extension they are targeting. I remember many requests sent to support, asking why their account is terminated, and the response was usually "oh you used email-hunter" etc.


> excess whitespace from the HTML at the traffic layer with middleware

What? Can you expand on this? It sounds like a server rendering issue which has nothing to do with the framework itself.


It was probably a combination of bad practices. However it came to the traffic layer to fix it because the problem was with many application origins and it would have been a huge horizontal initiative otherwise to address it.

I don't have any examples from the past because I no longer work there, but when this middleware was turned off for a few days by omission, the homepage would become 2/3 whitespace. The DOM would render correctly of course and the user wouldn't notice anything is wrong, however if they were to "View Source", they'd realize they just downloaded a bunch of whitespace.

Imagine having 5 kilobytes of "\n" after each HTML element kind of thing.

When it comes to the middleware, it is just parsing and minifying the HTML source, in the form of an Apache Traffic Server plugin/middleware.
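The comment above describes a traffic-layer minifier for this kind of whitespace bloat. As an added illustration (not LinkedIn's plugin and not code from anyone in this thread), the following is a small HTML whitespace collapser; the heuristics, the preserved-element list and the sample input are my own choices.

```javascript
// Added example, not code from the thread or from LinkedIn: a small HTML
// whitespace minifier of the kind the commenter above describes running as
// traffic-layer middleware. Heuristics and sample input are constructed here.

// Elements whose inner whitespace is meaningful are carved out first and
// restored untouched at the end.
const PRESERVE_RE = /<(pre|textarea|script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;

function minifyHtml(html) {
  const kept = [];
  // Replace preserved blocks with tag-shaped placeholders so the inter-tag
  // regex below still treats their boundaries as tag boundaries.
  const swapped = html.replace(PRESERVE_RE, (block) => {
    kept.push(block);
    return `<\u0000${kept.length - 1}>`;
  });

  const collapsed = swapped
    // Whitespace between two tags that contains a newline is template
    // formatting, not content, so it is dropped entirely. A plain space
    // between inline tags (e.g. "<b>a</b> <i>b</i>") has no newline and stays.
    .replace(/>[ \t\r\n]*\n[ \t\r\n]*</g, "><")
    // Any remaining run of whitespace inside text becomes a single space.
    .replace(/[ \t\r\n]+/g, " ")
    .trim();

  return collapsed.replace(/<\u0000(\d+)>/g, (_, i) => kept[Number(i)]);
}

// Bytes removed, so the effect of the middleware can be measured.
function bytesSaved(html) {
  return Buffer.byteLength(html) - Buffer.byteLength(minifyHtml(html));
}

// Constructed sample that mimics the "kilobytes of \n after each element" case.
const SAMPLE_HTML =
  "<html>\n\n\n  <body>\n" +
  "\n".repeat(5000) +
  "<p>Hello   world</p>\n<pre>a\n  b</pre>\n<b>x</b> <i>y</i>\n</body>\n</html>";

console.log(minifyHtml(SAMPLE_HTML));
console.log(`saved ${bytesSaved(SAMPLE_HTML)} bytes`);
```

The newline heuristic is deliberately conservative: a real minifier would also need to know which elements are block-level before removing a lone space between tags, and the placeholder trick is what keeps `<pre>` and `<script>` bodies byte-identical.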


Same thing occurring with Facebook.

244 of the 552 requests (12.2MB of 26.3MB) required to show my feed are JS and CSS.

https://i.imgur.com/pwKuC6h.png


LinkedIn quietly continues to be one of the creepiest products around. I still remember their dark patterns around obtaining your contact list[1]. It's not surprising that little has changed under the new Microsoft which has equally little respect for user privacy and choice.

[1] https://www.quora.com/Does-LinkedIn-access-your-email-or-con...


LinkedIn started out seeming OK, IMHO, then got conspicuously creepy, and that was before the sale to MS.

I deleted LinkedIn as soon as it started seeming creepy, since I didn't need to hear from recruiters, at the time.

I'm currently resisting LinkedIn, and trying to skim angel.co, which doesn't seem too creepy. (Though many of the hiring startup blurbs on there are creepy, like "What Up is disrupting at the intersection of blockchain and marketing insights from intimate medical devices!".)


I have a suggested connection on LinkedIn that is my wife's maiden name. It's super creepy. We have zero shared connections.


In the relationship graph that Linkedin builds, suggested connections could be based on a lot of things other than shared connections. Just speculating here, but it could be based on shared email address, shared IP address, shared physical address, membership in same groups, linkedin messages by you and wife to other people within 1-2 degree of either of you .. or some combination thereof for higher confidence.


Perhaps your wife's family frequently checks your profile?


Jane Smith?


Creepy is exactly the right word.


The real question here is why LinkedIn should even need this information. This represents significant engineering work to develop, so obviously at some point they decided that knowing which extensions are present had value. However, I cannot think of a single non-malicious reason to want this information; the malicious reasons that spring to mind are browser fingerprinting and ad targeting.


I can think of tons of non-malicious reasons.

1. Support requests because site is broken, but it turns out you are using an extension that breaks the site.

2. Extensions are exfiltrating data to the extension owners, against LinkedIn's TOS, and they are trying to protect their users, or rather, they don't want competition :)

OK, that was two.

They aren't blindly probing for any and all extensions, only a specific set, which shows restraint and implies to me they are having a sort of arms race with extensions that scrape contact info.


Wait, so they try like crazy to scrape YOUR contact list but fight like crazy to keep THEIRs from getting scraped.


Yeah, just like Google bot crawls the web putting enormous load on people's servers (G-Bot can pull hundreds of thousands of pages per day from a single server), while being very sensitive to automated searches and banning your ass (IP) in a heartbeat. They sure don't want to be crawled by anyone.


If your site cannot handle the moderate 3-5 requests per second it would take for google to make hundreds of thousands (500k) of requests a day, then I hate to break it to you but you have bigger problems at hand.


Yes. They have gone to court for this, and I believe lost.

https://arstechnica.com/tech-policy/2017/08/court-rejects-li...


There are a lot of extensions built for networking professionals (recruiters, marketers, sales people) that automate browser behavior on LinkedIn in an attempt to drum up attention. For example: automatically viewing profiles of candidates, so that the candidate sees the recruiter/sales person on their "who's viewed my profile" page.

A cursory google-search for something like "linkedin browser plugin" yields tons of these types of products.


> They aren't blindly probing for any and all extensions, only a specific set, which shows restraint and implies to me they are having a sort of arms race with extensions that scrape contact info.

I agree that the goal here is likely to combat scraping, but I don't think we can use this behavior to draw that conclusion. From the article:

"I recommend not using web accessible resources. Out of all extensions LinkedIn finds, a majority of them are due to web accessible resources."

There's no trivial way to get a list of all the user's extensions, so they needed a side channel that they could use to detect them on a case-by-case basis. The only extensions that they can detect are ones that feature this side-channel. Even if Linkedin did want to know all your extensions (which, again, I think is less plausible than an arms race) we would see this same sort of behavior due to the limitations imposed by the browser.
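The side channel the comment above refers to is a resource an extension declares in `web_accessible_resources`, which gives any page a fixed extension URL it can try to load. From the extension author's side, the check worth running is whether the manifest exposes such a path at all. The following is an added example, not code from the article, the thread or any real extension: a small manifest audit over constructed sample manifests. The `BROAD_PATTERNS` list and the severity labels are my own choices; `use_dynamic_url` is the Manifest V3 key that replaces the fixed extension id in the resource URL with a per-session value.

```javascript
// Added example, not code from the thread or the linked article: audit an
// extension manifest for web_accessible_resources that arbitrary pages can
// request, i.e. the stable paths that make an extension detectable this way.
// The manifests below are constructed samples, not real extensions.

// Match patterns that make a resource reachable from (effectively) any site.
// This list is an assumption for the example, not an exhaustive set.
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadMatch(pattern) {
  return BROAD_PATTERNS.includes(pattern);
}

// Returns {resource, severity, reason} for every resource a page outside the
// extension can request. An empty result means no fixed path is exposed to
// pages at large by this route.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war)) return findings;

  if (manifest.manifest_version === 2) {
    // MV2: a flat list of paths, served to any origin that knows the extension id.
    for (const resource of war) {
      findings.push({ resource, severity: "high", reason: "MV2 entry is reachable from every origin" });
    }
    return findings;
  }

  // MV3: each entry carries its own `matches`; `use_dynamic_url` makes the URL
  // change per session, which removes the stable path a page would probe.
  for (const entry of war) {
    const broad = (entry.matches || []).filter(isBroadMatch);
    if (broad.length === 0) continue;
    const severity = entry.use_dynamic_url ? "medium" : "high";
    for (const resource of entry.resources || []) {
      findings.push({
        resource,
        severity,
        reason: `matches ${broad.join(", ")} with a ${entry.use_dynamic_url ? "dynamic" : "stable"} URL`,
      });
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const WEAK_MV2 = {
  manifest_version: 2,
  name: "sample-mv2",
  web_accessible_resources: ["icons/logo.png", "inject.js"],
};

const WEAK_MV3 = {
  manifest_version: 3,
  name: "sample-mv3",
  web_accessible_resources: [{ resources: ["inject.js"], matches: ["<all_urls>"] }],
};

// Hardened: only the one origin the extension actually serves, plus a
// per-session URL, so other sites have no constant path to check.
const HARDENED_MV3 = {
  manifest_version: 3,
  name: "sample-mv3-hardened",
  web_accessible_resources: [
    { resources: ["inject.js"], matches: ["https://app.example/*"], use_dynamic_url: true },
  ],
};

for (const m of [WEAK_MV2, WEAK_MV3, HARDENED_MV3]) {
  console.log(m.name, auditWebAccessibleResources(m));
}
```

The audit only covers this one route; an extension that rewrites the DOM in a recognisable way can still be spotted by a page, which is why the article's advice is about reducing the footprint rather than eliminating it.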


The answer is mentioned hidden in the article: to detect accounts that scrape/resell the data found in LinkedIn profiles.


Unfortunately for LinkedIn, spying on all your users in order to catch a few miscreants is not how you implement stuff like this.


Of course it is, it's SOP. CAPTCHAs, for example, are much more intrusive but are used everywhere to catch a minority of bad actors.


But CAPTCHAs do not fingerprint all your users, contrary to legislation in quite a few countries. Fingerprinting is illegal in the EU.


ReCAPTCHA fingerprints users to determine a risk level.


I am in the "Sales Engagement" space, and most of the extensions I'm seeing are sales-based. Sales Navigator is LinkedIn's (less sophisticated) sales engagement tool. I understand they use a heuristic to determine which extensions to look for, so my set may be based on my industry.

My take is that some motivation comes from LinkedIn seeing which Sales Engagement company they want to buy in order to replace Sales Navigator. Therefore by extension they are probably seeing what extensions people are using most commonly with LinkedIn in order to either beat or buy them.


I would guess this is not just to protect user data from being scraped. LinkedIn earns a lot of money from users paying for recruitment services (as in get advanced filters to search for candidates and to send them job proposals). This costs 4 figures per month. So the LinkedIn product management has a high value from learning which extensions people are using to substitute or enhance their paid services even if the extensions don't violate the ToS.


This seems like the most likely reasoning; some of these extensions probably do allow certain uses that LinkedIn charges for. Still shady behavior, but this is at least more reasonable than user fingerprinting.


Linkedin is used for lead generation, for more than just recruitment. OP touches on it when he hints at the email-hunter extension.

Linkedin can skew results and obfuscate data to users who are heavily digging for lead data. Remember, Linkedin's main value proposition is that it has a wealth of user-submitted data, and if it loses that it loses some of its value.


Previous discussion: https://news.ycombinator.com/item?id=18853607

LinkedIn doesn't have a great track record, but in this case they might just be trying to prevent abuse.


No, they sell the same service to people. LinkedIn are trying to protect their profits, not their users.


I hope that's true. Social networking companies have a history of (ab)using security features to enhance tracking. E.g. Facebook using 2-factor phone number.


Apparently, attempting to export one’s own contact emails now counts as abuse.

(LinkedIn disabled this option about a year ago; now it’s only accessible via extensions.)


For what it's worth, I read an academic paper that said browser extensions are a strong signal in identifying a person when combined with geo data.


I’d be interested in reading it if you know the name or author.

Maybe this: https://www.securitee.org/files/xhound-oakland17.pdf


Not only that. I believe LinkedIn also harvests data from your calendar. I remember seeing LinkedIn notifications about the person I’m meeting without even asking for it. Kind of creepy and unwarranted unless they asked me to.


To be fair, I'm aware that they keep asking me to sync my calendar but I deny it every time. I'm quite sure that function would have to be explicitly allowed.


What if the other person has allowed LinkedIn access to their calendar?


I find it interesting that the author of this blog post does not openly disclose that they write/own a service that effectively does mass mailing, scraping, bruteforcing of email.


Second to last paragraph.


"Exfiltrates files from your system" is a very alarmist way to say "checks the list of installed browser extensions". Not that it isn't creepy, but let's calibrate, shall we?


This is worrying, yet unsurprising. LinkedIn has become a necessary evil for most professionals, unfortunately. The quality of IT opportunities isn't as high as on other smaller job boards in my experience, but I still keep my LinkedIn profile up to date, to get a feel of the market mostly. I look forward to the day I can disable that social network as well.

In the meantime, we should build and use simpler web browsers, without extension support for one. I've found surf[0] to be the most usable of all WebKit wrappers. Without much C experience, I've managed to use my own fork[1] for a few months now, which wasn't much work thanks to the lean sub-3KLOC codebase of very readable C code and helpful comments.

I imagine that an experienced group of C programmers could take surf as base and easily build a secure and user-friendly web browser with most of the features of the big boys. WebKit is still a concern, but with some work it too could be abstracted away and made easily replaceable.

For LinkedIn specifically, I use a separate cookie file, and with the surf process isolation it gives me a degree of sandboxing similar to Chrome. A modern browser should be built on sandboxing principles for web content, and expose this functionality for each site by default.

[0]: https://surf.suckless.org/

[1]: https://github.com/imiric/surf


LinkedIn offers a marketing feature where users can opt to prefill forms and etc using their LinkedIn data. But not OAuth based (a quick and dirty workaround, perhaps).

Our privacy team took one look at the code and said to stay 100 feet from it.


Are you implying websites that include the “Apply With LinkedIn” widget could gain access to a user’s LinkedIn info before they click the button?


Linkedin is at war with spammers and scrapers. The mentioned plugin is a tool for quickly finding email-addresses on a webpage. Who uses that?


Customers of LinkedIn. LI is just mad that they aren't paying.


> How would you feel if you opened a program and the program started to check your file system to see what other programs you had installed?

Slightly tangential but does anyone know if this is what Chrome does? It has a software reporter tool. Also Windows seems to do this too :/ though I'm not 100% sure.


Not happy about other programs deciding to become spyware, either. "But they also!" is not a valid defense.


Yeah I didn't mean it as a defense either. More like we should've been freaking out quite a while ago.


I've been freaking out for two decades now. First the response was "yeah, that's tin-foil-hat stuff", sometime around FB it changed to "yeah, that's old hat, so what?"


Intel's customer improvement program thing does that when you accept.


Wow, this is disturbing. Lest we forget that LinkedIn has been a Microsoft subsidiary for three years now. I wonder if Microsoft is doing this elsewhere too?


LinkedIn has been doing this (and a few other shady dark patterns) since way before being acquired by MSFT. And MSFT seems to be letting the recently acquired companies do their own thing and not interfere, which is what employees of those startups would most likely prefer. Not saying that this kind of hands-off approach is the best idea here (because I don't have a strong opinion on that), but I don't think it is fair to extrapolate the shady behavior of LinkedIn (that has been documented since a very long time ago) to the rest of MSFT.


Isn't this just another way to fingerprint the user?


I haven't had LinkedIn for almost 10 years now, and I haven't had Facebook for at least 6 months now.

Explaining why I don't have either is a burden I live with in my professional life, but the degree to which even other technical professionals don't sympathize with not having accounts on LinkedIn is pretty amazing.

I guess I'm relegated to a bit of sub-culture-ness. I'm self-employed, so I'm okay with that, but I guess others might find it challenging.


> but I guess others might find it challenging.

Nah. Perhaps I have a more strict work/not-work separation than many, but I am 9-5:30 plain-ol'-employed here, and from what I have seen of LinkedIn I am absolutely not challenged by this. I care about doing a job well, but watching a bunch of people advertising themselves to future employers by pretending to give far more a shit about The Haps in their industry than they actually do is, while almost charming, not something I would care to spend more than about two minutes every two years doing.


Lately I've been telling people who question me about this, "I know some people who work there. They won't say why because of NDA, but they tell me it's better that I don't have an account. They say they wouldn't have one if they didn't work there. I trust their judgement."

That's worked so far.


Is any of that true?


Why is it even possible for a website to fetch chrome-extension:// resources?

Seems like something that shouldn’t be accessible by a website.


I believe it is because those extensions have intentionally exposed themselves so they can do bidirectional communication with the page.
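The mechanism behind that answer is the extension manifest's `web_accessible_resources` key: anything listed there is served at `chrome-extension://<id>/...` to web content, and in Manifest V2 it is served to every origin. The following is an added example, not code from the thread or from any real extension, showing how a defender (the extension's author or a reviewer) can audit a manifest for resources a page could probe. The sample manifests are constructed, and the severity labels are this example's own convention.

```javascript
// Added example: audit an extension manifest for resources fetchable by web pages.
// Manifest V2 lists web_accessible_resources as plain path globs, exposed to
// every origin. Manifest V3 requires objects that scope each resource with
// "matches" (site patterns) or "extension_ids", and may set "use_dynamic_url"
// so the resource is only reachable via a per-session URL rather than the
// static extension id. Severity labels ('high'/'medium'/'low') are our own convention.

const BROAD_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) {
    return findings; // nothing is reachable from web content
  }

  if (manifest.manifest_version === 2) {
    // MV2: every listed resource is fetchable by any origin that knows the id.
    for (const pattern of war) {
      findings.push({
        resource: pattern,
        exposedTo: ['<all_urls>'],
        severity: 'high',
        note: 'MV2 resource is fetchable by any origin; use MV3 scoping',
      });
    }
    return findings;
  }

  // MV3: each entry carries its own scope.
  for (const entry of war) {
    const matches = Array.isArray(entry.matches) ? entry.matches : [];
    const extIds = Array.isArray(entry.extension_ids) ? entry.extension_ids : [];
    const broad = matches.some((m) => BROAD_PATTERNS.includes(m));
    const dynamicOnly = entry.use_dynamic_url === true;

    for (const resource of entry.resources || []) {
      let severity;
      let note;
      if (dynamicOnly) {
        severity = 'low';
        note = 'served only via a dynamic per-session URL; static id probing fails';
      } else if (broad) {
        severity = 'high';
        note = 'exposed to all sites; restrict "matches" to the sites that need it';
      } else if (matches.length > 0) {
        severity = 'medium';
        note = 'exposed to the listed sites only';
      } else {
        severity = 'low';
        note = 'exposed only to other extensions, not to web pages';
      }
      findings.push({
        resource,
        exposedTo: matches.length ? matches : extIds.map((id) => `extension:${id}`),
        severity,
        note,
      });
    }
  }
  return findings;
}

// Highest severity across all findings, for a quick pass/fail in CI.
function worstSeverity(findings) {
  const rank = { low: 0, medium: 1, high: 2 };
  return findings.reduce((worst, f) => (rank[f.severity] > rank[worst] ? f.severity : worst), 'low');
}

// Constructed sample manifests (not real extensions).
const mv2Manifest = {
  manifest_version: 2,
  name: 'sample-mv2',
  web_accessible_resources: ['images/icon.png', 'inject.js'],
};

const mv3Manifest = {
  manifest_version: 3,
  name: 'sample-mv3',
  web_accessible_resources: [
    { resources: ['inject.js'], matches: ['<all_urls>'] },
    { resources: ['panel.html'], matches: ['https://example.com/*'] },
    { resources: ['bridge.js'], matches: ['<all_urls>'], use_dynamic_url: true },
  ],
};

for (const m of [mv2Manifest, mv3Manifest]) {
  const findings = auditWebAccessibleResources(m);
  console.log(`${m.name}: worst=${worstSeverity(findings)}`);
  for (const f of findings) console.log(`  ${f.severity.padEnd(6)} ${f.resource} -> ${f.exposedTo.join(', ')} (${f.note})`);
}
```

Note that the audit only covers the static-URL vector discussed in this thread; an extension that injects visible DOM elements can still be detected from the page regardless of what its manifest exposes. Also, Firefox assigns a random per-install `moz-extension://` UUID, so the same probe is far less useful there than in Chrome, where the extension id is fixed.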


The author makes an email scraping extension... his intentions against LinkedIn are not pure. His extension scrapes LinkedIn for user info.


This addresses the two greatest threats to their business model:

- users associating spam received to their use of LinkedIn

- undermining the value of LinkedIn paid services

I'm more upset at browser vendors for creating such an obvious security/privacy hole than at LinkedIn for using it. And now Chrome will use this as subterfuge for nerfing adblock. This is why we can't have nice things.


How are browsers supposed to prevent the page from detecting that an extension changed the page's DOM, or that the extension explicitly made URLs accessible to it?

As the author points out, there are mechanisms for showing extension UIs that don't rely on DOM manipulation.


Dude builds possibly nefarious extensions for a living. Dude writes article about LinkedIn nefarious anti-nefarious extension code. Conspiracy voting commences. Article at #1


I took a look and saw no evidence of conspiracy voting. I also don't know what basis you have for the first sentence there.


Some websites (for example Aliexpress) scan local ports to check whether you are running something like RDP, SSH or VNC server. They try to open websocket connection to those ports and measure how much time it takes to establish (or to be rejected).


Sites we interact with may become adversarial towards us at any time they see fit. I wish my browser and the extensions I use were sacrosanct and outside the purview of other companies/sites.


I wouldn't be surprised if LinkedIn sent this data back, but browser plugin detection sounds like a common ingredient in browser fingerprinting, which can be pretty useful for things like A/B testing signed-out users or detecting ad fraud. I don't place LinkedIn in very high regards, and I'd be surprised if they ever asked a user if they could fingerprint their browser in an unambiguous way, but I don't know if I find this particular thing to be exceptionally evil.


Here's a permanent public archive of this article in case it goes down for some reason.

https://perma.cc/23ZX-JZZB

(FYI: Perma.cc, an anti-link-rot service run by Harvard Law School, is free for up to 10 links per month. The project is run by my department, but I'm not on the Perma team.)


What are the alternatives? LinkedIn is pretty powerful with network effects. At one point, I thought angel.co would gain traction.

I wonder if there will be a successor to LinkedIn in the near future?


I just don't use it, and somehow I'm doing just fine.


Same. Many many years ago I straight-up deleted my LinkedIn account (in an attempt to cut down on recruiter cold-calls, which didn't work) and I've never suffered as a result.


I actually have an annual calendar reminder setup for myself; once a year I login and read/delete messages.

To be honest I should probably delete my account, but I actively enjoy ignoring it.


Thanks for posting this. I've held out as well, but I question myself each time I get a slack-jawed stare (or the text equivalent) for saying it.


Can’t you just not use it at all? I’ve never had an account (indeed I got them to blacklist me) and I can’t say that I’ve suffered. Though I guess I’ve had the benefit of being white / male / etc etc.


LinkedIn constantly gets me interviews for jobs paying 40% more than what I see listed on Stackoverflow /job sites / through recruiters, etc. I didn't realize what I was missing out on before I made a profile.


Maybe you were underpaid to start with? Unless each job you get 40% extra, at which point I'll call you Bill Gates.

LI is awful.


Not cumulative.


How does one get to be blacklisted by Linkedin?


I threatened them with a court appearance if I ever had another email from them (never had an account, was hitting unsubscribe from every mail I had from them which lasted for exactly 30 days before the next). Voila, never saw another email; they must maintain some internal do-not-email list.


But why would people move from linkedin to another platform? Most people that use it are not really concerned with privacy, so they'll need a better reason to switch.


I'm glad I don't use LinkedIn.

But one day I may have to.

Can the URL be blocked in uBlock Origin so that the uploading of the collected data will not take place?


Might this be a fingerprinting technique they use to ensure you're not abusing their system?


How would you feel if you opened a program and the program started to check your file system to see what other programs you had installed?

Not true. You definitely figured out how to market your scraper by lying. Nice job!


You've got to admit, though, being the most scummy social networking site is a pretty big achievement.


Have you ever heard of FB? :)


In this day and age for sure!

