With more than 100 million registered users scattered across 200-plus countries worldwide, LinkedIn is a social network with a bit of clout. Used by business professionals for networking, the site has exploded over the past few years. On May 19, the business-oriented network went public, making it the first of all social media sites to hold an initial public offering (IPO) when it sold shares for $45 each. As the stocks were purchased, the spotlight on LinkedIn got brighter. Initially there was talk that the company could, according to Business Insider, have sold its shares at a higher price and made bigger profits.
And then another conversation started brewing; a conversation about a topic that is the central controversy among all social networking sites: privacy.
LinkedIn, Need to Succeed and API Privacy Questions
Just a day after the IPO raised billions of dollars, Ted Samson of InfoWorld published an interesting article about whether LinkedIn would, like other social media sites such as Facebook, be tempted to treat its site with a “lack of discretion.” The story gives a thoughtful analysis of LinkedIn’s privacy history, stating that the site has “a solid track record of taking user privacy seriously.” It also notes that the network’s privacy settings are not convoluted and are very easy to navigate. For example, it is easy to limit the data that can be accessed by advertisers on the site.
Samson then goes on to say that the site’s API might be of interest to privacy buffs. He explains that the API is connected to third parties and that opening up any kind of data is “inherently risky.” However, he also mentions that LinkedIn does provide protection, since it limits what kind of data these third parties can view. There are also limits on who can see your data, meaning that if you aren’t in a user’s professional circle, you are blocked from seeing their information.
Yet Samson still has concerns. He writes that LinkedIn admits to not screening all third-party applications and services that use the API, and thus the company cannot guarantee that they all follow the rules. Also, as the site continues to grow and has a greater revenue flow, Samson believes that more and more of these non-vetted third parties will show up to take advantage of the sea of data that lives on the network.
He ends with this interesting thought, “The real risk… is in how LinkedIn will respond to the pressures of being a public company that needs to show growth and profitability…The temptation to monetize with targeted ads and the brokering of enriched user data will be strong. Let’s hope LinkedIn does not heed that call.”
Security Woes Come True
As many LinkedIn users pondered Samson’s worries, a real security issue came to the surface. On Sunday, May 22, just days after the company went public, Reuters broke a story from security expert Rishi Narang, who states that the site has severe vulnerabilities and is an easy target for hackers.
If you have ever logged into LinkedIn, you might remember that once you have signed in, you never have to do so again if you are using the same computer. That is because the site creates a cookie that lasts for a year. Another Reuters blog puts this into perspective. When you use an online banking site, your cookie is stored for ten minutes, and after inactivity beyond that, your session times out. Yahoo cookies have a lifespan of two weeks.
The longevity of the LinkedIn cookie means that anyone who gets hold of that file can load it onto a computer and easily gain access to the original user’s account. Narang believes that the biggest problem is that LinkedIn’s users are not aware they should be protecting those cookies. According to Reuters, Narang easily hacked into four different LinkedIn accounts by simply finding their access tokens, which had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.
“With LinkedIn, the purpose of the cookie is mainly for convenience. Sometimes these conveniences pose security risks,” Robert Siciliano, CEO of IDTheftSecurity.com, told Reuters. “LinkedIn needs to scale back on the time it allows for the cookie to maintain data and provide quick logins. They need to make sure an old cookie doesn’t provide logins with a new password.”
The site issued a statement after the security issue came to light: “Whether you are on LinkedIn or any other site, it’s always a good idea to choose trusted and encrypted WiFi networks or VPNs whenever possible. If one isn’t available, we already support SSL for logins and other sensitive web pages.” The company concluded that it will change the lifespan of its cookie from twelve months to 90 days.
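One way to apply the two server-side fixes discussed above, a shorter cookie lifetime and rejecting cookies issued before a password change, shown as an added example that is not LinkedIn's code. The user store, signing key, function names and token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this demo
MAX_AGE = 90 * 24 * 3600              # 90-day lifetime, the figure cited above

# Constructed user store; password_changed_at is bumped on every password change.
USERS = {"alice": {"password_changed_at": 1_000}}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user: str, now: int) -> str:
    """Signed session value: user|issued_at|HMAC (hypothetical format)."""
    payload = f"{user}|{now}"
    return f"{payload}|{_sign(payload)}"

def set_cookie_header(token: str) -> str:
    """Set-Cookie value with a bounded lifetime and transport restrictions."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["max-age"] = MAX_AGE
    cookie["session"]["secure"] = True    # only sent over TLS
    cookie["session"]["httponly"] = True  # not readable from page scripts
    return cookie["session"].OutputString()

def validate(token: str, now: int):
    """Return the user name if the token is still acceptable, else None."""
    try:
        user, issued, sig = token.split("|")
        issued_at = int(issued)
    except ValueError:
        return None                       # malformed token
    if not hmac.compare_digest(sig, _sign(f"{user}|{issued}")):
        return None                       # forged or altered
    if now - issued_at > MAX_AGE:
        return None                       # lifetime enforced by the server too
    record = USERS.get(user)
    if record is None or issued_at < record["password_changed_at"]:
        return None                       # issued before the last password change
    return user

def change_password(user: str, now: int) -> None:
    """A password change invalidates every cookie issued before `now`."""
    USERS[user]["password_changed_at"] = now
```

The age check runs on the server because the cookie's own Max-Age only tells a browser when to discard the file; a copied token never consults it.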
At publication time, it has been only a week since LinkedIn went public, and the social networking site for professionals has already had some issues. Experts are concerned about whether the site will exploit its goldmine of data in order to show more gains. Security leaders have also come forward to say that the site has vulnerabilities. Do these things make you hesitant to use LinkedIn? Will you continue to maintain a profile on the site?