Oops! LinkedIn (NYSE:LNKD) has been caught copying sensitive data from users' iOS and Android calendars, allegedly without permission. Some say the data are sent in plain text. In IT Blogwatch, bloggers posit another post-PC pandemonium.
By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Let's bomb The Queen!..
Matthew Panzarino breathlessly reports:
The LinkedIn mobile app...collects full meeting...details from your device’s calendar and sends them back to the company...without explicit permission...in plain text.
The calendar viewing feature is completely opt-in. ... But, after it has been enabled the app reads...any notes and details [from] personal calendar entries and ones that may be for work. ... This includes: the meeting’s title, organizer, attendees, meeting times and, most importantly, the notes...even for those entries which are not attached to any LinkedIn account.
Nicole Perlroth puts it in context:
That practice...may violate Apple’s privacy guidelines, which expressly prohibit...transmitting users’ data without their permission.
[E]arlier this year...a developer noticed that Path...was uploading entire address books to its servers...[which] came under scrutiny by...Congress.
Last year, users were incensed to learn that Color...could activate the microphones on their phones and record their conversations. ... And in December, Carrier IQ...got hit with several class-action lawsuits after a developer noticed that it...could record a user’s keystrokes...on 140 million smartphones.
Yair Amit and Adi Sharabani discovered the security glitsh:
LinkedIn have decided to send detailed calendar entries of users to their servers...[including] personal meeting notes, which tend to contain highly sensitive information. ... [M]oreover, this action is...without a clear indication...to the user, thus possibly violating Apple’s privacy guidelines (section 17.1).
[M]ost of the transmitted information is not required for the app’s functionality. ... To the best of our knowledge...we do not believe it utilized the collected information in a malicious way.
The following instructions cover the actions...to verify your calendar(s) information is not being transmitted to LinkedIn’s servers.
And LinkedIn's Joff Redfern hold his hands up, but denies the plain-text allegation:
In order to provide our calendar service...we need to send information...to our servers. ... That information is sent securely over SSL and we never share or store [it].
Researchers have pointed out that some people might be uncomfortable...with meeting notes. ... We will no longer send data from the meeting notes section. ... [This is] live on Android now and have been submitted to the Apple store.
Meanwhile, Marco Arment is slightly sarcastic:
Surprise: LinkedIn, the king of spamming...people with no complete opt-out, transmits calendar data.
Let's bomb The Queen!
Don't miss out on IT Blogwatch:
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch, for which he has won ASBPE and Neal awards. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can read Richi's full profile and disclosure of his industry affiliations.